TLS: keys from engines?

[OYTIS]

As far as I can see NodeJS TLS does support OpenSSL engines. But it looks like it only supports them for certificates.

My use-case is a private key managed inside an engine. What I would do, e.g. with libcurl is

// load the engine
curl_easy_setopt(curl, CURLOPT_SSLENGINE, "mycoolengine");

// set it as a default engine
curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L);

// tell libcurl that private key is managed by the engine
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "ENG");

// set key name (arbitrary string, interpreted by the engine)
curl_easy_setopt(curl, CURLOPT_SSLKEY, "myenginekeyname");

With nodejs it goes like:

> tls_ctx = tls.createSecureContext({"clientCertEngine":"mycoolengine", "key":"myenginekeyname"})

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Object.createSecureContext (_tls_common.js:104:17)

So looks like it tries to interpret "myenginekeyname" as PEM. Am I doing something wrong, or is this use-case not supported at all?

Thanks!

[bnoordhuis]

Your custom engine needs to call ENGINE_set_load_privkey_function() (and implement the appropriate callback, of course.)

[OYTIS]

@bnoordhuis load_privkey callback is there, but I can't see how it would be used by tls package.

tls uses SecureContext and SecureContext::SetKey always interprets key as PEM: https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L696

[OYTIS]

@bnoordhuis Thank you for getting to me by the way :)

[bnoordhuis]

Ah, I think I misunderstood your example. 'key' is always interpreted as a PEM key right now and I don't think overloading it is a good idea (or could even work because of ambiguity.)

A new option that tells Node.js to load the key with ENGINE_ctrl_cmd("LOAD_CERT_CTRL") is probably acceptable. PR welcome. I might take a stab at it if you don't.

[OYTIS]

@bnoordhuis Cool, thank you for confirming. I've added a PR with a possible implementation, not sure how well it fits the existing code base.

[OYTIS]

Fixed by #28973