PROTON-2594: Add OpenSSL PKCS#11 PROVIDER support to enable HSM use

.github/workflows/build.yml

@@ -9,7 +9,7 @@ jobs:
       fail-fast: false
       matrix:
         os:
-        - ubuntu-latest
+        - ubuntu-24.04
         - macOS-13
         - windows-latest
         buildType:
@@ -47,7 +47,7 @@ jobs:
     - name: Install Linux dependencies
       if: runner.os == 'Linux'
       run: |
-        sudo apt install -y swig libpython3-dev libsasl2-dev libjsoncpp-dev
+        sudo apt install -y swig libpython3-dev libsasl2-dev libjsoncpp-dev softhsm2 opensc
     - name: Install Windows dependencies
       if: runner.os == 'Windows'
       run: |
@@ -63,6 +63,10 @@ jobs:
       working-directory: ${{github.workspace}}
       run: sudo sh ./ci/otel.sh
       shell: bash
+    - name: pkcs11-provider build/install
+      if: runner.os == 'Linux'
+      run: sudo sh ./ci/pkcs11-provider.sh
+      shell: bash
     - name: cmake configure
       working-directory: ${{env.BuildDir}}
       run: cmake "${{github.workspace}}" "-DCMAKE_BUILD_TYPE=${BuildType}" "-DCMAKE_INSTALL_PREFIX=${InstallPrefix}" ${{matrix.cmake_extra}}
@@ -88,7 +92,13 @@ jobs:
     - id: ctest
       name: ctest
       working-directory: ${{env.BuildDir}}
-      run: ctest -C ${BuildType} -V -T Test --no-compress-output ${{matrix.ctest_extra}}
+      run: |
+        if [ "$RUNNER_OS" = "Linux" ]; then
+          pushd ${{github.workspace}}
+          . scripts/prep-pkcs11_test.sh
+          popd
+        fi
+        ctest -C ${BuildType} -V -T Test --no-compress-output ${{matrix.ctest_extra}}
       shell: bash
     - name: Upload Test results
       if: always() && (steps.ctest.outcome == 'failure' || steps.ctest.outcome == 'success')

c/src/ssl/openssl.c

@@ -50,6 +50,13 @@
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
+
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/store.h>
+#include <openssl/ui.h>
+#endif
+
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
@@ -607,27 +614,125 @@ void pn_ssl_domain_free( pn_ssl_domain_t *domain )
   }
 }
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int ui_read_string(UI *ui, UI_STRING *uis)
+{
+    return UI_set_result(ui, uis, UI_get0_user_data(ui));
+}
+
+static OSSL_STORE_INFO *pkcs11_provider_get_info( const char *uri, const char *pin, int type )
+{
+  UI_METHOD *ui_method = NULL;
+
+  if (pin) {
+    ui_method = UI_create_method("Pin Reader");
+    if (!ui_method) {
+      ssl_log_error("Failed to set up UI_METHOD");
+      return NULL;
+    }
+    UI_method_set_reader(ui_method, ui_read_string);
+  }
+
+  OSSL_STORE_CTX *store = OSSL_STORE_open_ex(uri, NULL, "provider=pkcs11",
+                                             ui_method, (void *)pin, NULL, NULL, NULL);
+  if (!store) {
+    ssl_log_error("Failed to open store for provider=pkcs11\n");
+    UI_destroy_method(ui_method);
+    return NULL;
+  }
+
+  for (OSSL_STORE_INFO *info = OSSL_STORE_load(store); info;
+       info = OSSL_STORE_load(store)) {
+    if (type == OSSL_STORE_INFO_get_type(info)) {
+      OSSL_STORE_close(store);
+      UI_destroy_method(ui_method);
+      return info;
+    }
+    OSSL_STORE_INFO_free(info);
+  }
+
+  OSSL_STORE_close(store);
+  UI_destroy_method(ui_method);
+  return NULL;
+}
+
+static X509 *read_certificate_pkcs11( const char *uri, const char *key_pass )
+{
+  OSSL_STORE_INFO *info = pkcs11_provider_get_info(uri, key_pass, OSSL_STORE_INFO_CERT);
+  if (!info) return NULL;
+
+  X509 *cert = OSSL_STORE_INFO_get1_CERT(info);
+  OSSL_STORE_INFO_free(info);
+  return cert;
+}
+
+static EVP_PKEY *read_private_key_pkcs11( const char *uri, const char *key_pass )
+{
+  OSSL_STORE_INFO *info = pkcs11_provider_get_info(uri, key_pass, OSSL_STORE_INFO_PKEY);
+  if (!info) return NULL;
+
+  EVP_PKEY *key = OSSL_STORE_INFO_get1_PKEY(info);
+  OSSL_STORE_INFO_free(info);
+  return key;
+}
+#else /* < OpenSSL 3.0 */
+static X509 *read_certificate_pkcs11( const char *uri, const char *key_pass ) {
+  ssl_log_error("pkcs11: URI support requires >= OpenSSL 3.0\n");
+  return NULL;
+}
+static EVP_PKEY *read_private_key_pkcs11( const char *uri, const char *key_pass ) {
+  ssl_log_error("pkcs11: URI support requires >= OpenSSL 3.0\n");
+  return NULL;
+}
+#endif
+
+static bool is_pkcs11_uri( const char *file_path )
+{
+  return strncmp(file_path, "pkcs11:", sizeof("pkcs11:") - 1) == 0;
+}
 
 int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
                                    const char *certificate_file,
                                    const char *private_key_file,
                                    const char *password)
 {
+  int rc;
+
   if (!domain || !domain->ctx) return -1;
 
-  if (SSL_CTX_use_certificate_chain_file(domain->ctx, certificate_file) != 1) {
-    ssl_log_error("SSL_CTX_use_certificate_chain_file( %s ) failed", certificate_file);
+  if (is_pkcs11_uri(certificate_file)) {
+    X509 *cert = read_certificate_pkcs11(certificate_file, password);
+    if (cert)
+      rc = SSL_CTX_use_certificate(domain->ctx, cert);
+    else
+      rc = -1;
+  } else {
+    rc = SSL_CTX_use_certificate_chain_file(domain->ctx, certificate_file);
+  }
+
+  if (rc != 1) {
+    ssl_log_error("Failed to load certificate %s", certificate_file);
     return -3;
   }
 
-  if (password) {
-    domain->keyfile_pw = pn_strdup(password);  // @todo: obfuscate me!!!
-    SSL_CTX_set_default_passwd_cb(domain->ctx, keyfile_pw_cb);
-    SSL_CTX_set_default_passwd_cb_userdata(domain->ctx, domain->keyfile_pw);
+  if (is_pkcs11_uri(private_key_file)) {
+    EVP_PKEY *pkey = read_private_key_pkcs11(private_key_file, password);
+    if (pkey)
+      rc = SSL_CTX_use_PrivateKey(domain->ctx, pkey);
+    else
+      rc = -1;
+  } else {
+    if (password) {
+      domain->keyfile_pw = pn_strdup(password);  // @todo: obfuscate me!!!
+      SSL_CTX_set_default_passwd_cb(domain->ctx, keyfile_pw_cb);
+      SSL_CTX_set_default_passwd_cb_userdata(domain->ctx, domain->keyfile_pw);
+    }
+
+    rc = SSL_CTX_use_PrivateKey_file(domain->ctx, private_key_file, SSL_FILETYPE_PEM);
   }
 
-  if (SSL_CTX_use_PrivateKey_file(domain->ctx, private_key_file, SSL_FILETYPE_PEM) != 1) {
-    ssl_log_error("SSL_CTX_use_PrivateKey_file( %s ) failed", private_key_file);
+  if (rc != 1) {
+    ssl_log_error("Failed to load private key %s", private_key_file);
     return -4;
   }
 

ci/pkcs11-provider.sh

@@ -0,0 +1,38 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+# pkcs11-provider dependencies
+
+sudo apt-get install meson
+
+# Clone pkcs11-provider
+
+git clone -b v0.5 https://github.com/latchset/pkcs11-provider
+
+# Build/Install pkcs11-provider
+
+cd pkcs11-provider
+mkdir build
+
+meson setup build .
+meson compile -C build
+meson install -C build
+cd ..

cpp/src/connect_config_test.cpp

@@ -24,9 +24,6 @@
 #include "proton/connection_options.hpp"
 #include "proton/container.hpp"
 #include "proton/error_condition.hpp"
-#include "proton/listener.hpp"
-#include "proton/listen_handler.hpp"
-#include "proton/messaging_handler.hpp"
 #include "proton/transport.hpp"
 #include "proton/ssl.hpp"
 #include "proton/sasl.hpp"
@@ -35,6 +32,8 @@
 #include "proton/sasl.h"
 #include "proton/ssl.h"
 
+#include "test_handler.hpp"
+
 #include <sstream>
 #include <fstream>
 #include <cstdio>
@@ -78,12 +77,6 @@ namespace {
 
 using namespace std;
 using namespace proton;
-using proton::error_condition;
-
-string configure(connection_options& opts, const string& config) {
-    istringstream is(config);
-    return connect_config::parse(is, opts);
-}
 
 void test_default_file() {
     // Default file locations in order of preference.
@@ -146,86 +139,6 @@ void test_invalid_json() {
   }
 }
 
-// Extra classes to resolve clash of on_error in both messaging_handler and listen_handler
-class messaging_handler : public proton::messaging_handler {
-    virtual void on_messaging_error(const error_condition&) = 0;
-
-    void on_error(const error_condition& c) override {
-        on_messaging_error(c);
-    }
-};
-
-class listen_handler : public proton::listen_handler {
-    virtual void on_listen_error(listener& , const string&) = 0;
-
-    void on_error(listener& l, const string& s) override {
-        on_listen_error(l, s);
-    }
-};
-
-class test_handler : public messaging_handler,  public listen_handler {
-    bool opened_;
-    connection_options connection_options_;
-    listener listener_;
-
-    void on_open(listener& l) override {
-        on_listener_start(l.container());
-    }
-
-    connection_options on_accept(listener& l) override {
-        return connection_options_;
-    }
-
-    void on_container_start(container& c) override {
-        listener_ = c.listen("//:0", *this);
-    }
-
-    void on_connection_open(connection& c) override {
-        if (!c.active()) {      // Server side
-            opened_ = true;
-            check_connection(c);
-            listener_.stop();
-            c.close();
-        }
-    }
-
-    void on_messaging_error(const error_condition& e) override {
-        FAIL("unexpected error " << e);
-    }
-
-    void on_listen_error(listener&, const string& s) override {
-        FAIL("unexpected listen error " << s);
-    }
-
-    virtual void check_connection(connection& c) {}
-    virtual void on_listener_start(container& c) = 0;
-
-  protected:
-    string config_with_port(const string& bare_config) {
-        ostringstream ss;
-        ss << "{" << "\"port\":" << listener_.port() << ", " << bare_config << "}";
-        return ss.str();
-    }
-
-    void connect(container& c, const string& bare_config) {
-        connection_options opts;
-        c.connect(configure(opts, config_with_port(bare_config)), opts);
-    }
-
-    void stop_listener() {
-        listener_.stop();
-    }
-
-  public:
-    test_handler(const connection_options& listen_opts = connection_options()) :
-        opened_(false), connection_options_(listen_opts) {}
-
-    void run() {
-        container(*this).run();
-        ASSERT(opened_);
-    }
-};
-
 class test_almost_default_connect : public test_handler {
   public:
 
@@ -241,15 +154,6 @@ class test_almost_default_connect : public test_handler {
     }
 };
 
-// Hack to use protected pn_object member of proton::object
-template <class P, class T>
-class internal_access_of: public P {
-
-public:
-    internal_access_of(const P& t) : P(t) {}
-    T* pn_object() { return proton::internal::object<T>::pn_object(); }
-};
-
 class test_default_connect : public test_handler {
   public: