From 979ffa13b528676435f6d08e470f33412b5a081e Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 20:34:46 +0100
Subject: [PATCH 1/8] feat: openssl tls.key_file pkcs11:
---
 src/tls/openssl.c | 56 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 9 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index cb8c2749561..8fdb3a9d7ae 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
 #ifdef FLB_SYSTEM_MACOS
@@ -914,16 +915,53 @@ static void *tls_context_create(int verify,
 /* key_file */
 if (key_file) {
- if (key_passwd) {
- SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,
- (void *) key_passwd);
+ if (strncmp(key_file, "pkcs11:", 7) == 0) {
+ /* PKCS#11 URI detected */
+ if (!key_passwd || strlen(key_passwd) == 0) {
+ flb_error("[tls] PKCS#11 URI requires a PIN/password (tls_key_passwd)");
+ goto error;
+ }
+ ENGINE *e = ENGINE_by_id("pkcs11");
+ if (!e) {
+ flb_error("[tls] failed to load pkcs11 engine");
+ goto error;
+ }
+ if (!ENGINE_init(e)) {
+ flb_error("[tls] failed to initialize pkcs11 engine");
+ ENGINE_free(e);
+ goto error;
+ }
+ EVP_PKEY *pkey = ENGINE_load_private_key(e, key_file, NULL, (void *)key_passwd);
+ if (!pkey) {
+ flb_error("[tls] failed to load private key from pkcs11 uri: %s", key_file);
+ ENGINE_finish(e);
+ ENGINE_free(e);
+ goto error;
+ }
+ if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
+ flb_error("[tls] failed to use pkcs11 private key: %s", key_file);
+ EVP_PKEY_free(pkey);
+ ENGINE_finish(e);
+ ENGINE_free(e);
+ goto error;
+ }
+ EVP_PKEY_free(pkey);
+ ENGINE_finish(e);
+ ENGINE_free(e);
 }
- ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file,
- SSL_FILETYPE_PEM);
- if (ret != 1) {
- ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
- flb_error("[tls] key_file '%s' %lu: %s",
- key_file, ERR_get_error(), err_buf);
+ else
+ {
+ if (key_passwd) {
+ SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx,
+ (void *) key_passwd);
+ }
+ ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file,
+ SSL_FILETYPE_PEM);
+ if (ret != 1) {
+ ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+ flb_error("[tls] key_file '%s' %lu: %s",
+ key_file, ERR_get_error(), err_buf);
+ }
 }
 /* Make sure the key and certificate file match */
From 4d7de5b3aac363acf743e5a76ef0b0a0e70801f3 Mon Sep 17 00:00:00 2001
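Review bot: The engine's functional reference is released as soon as the key is installed — `ENGINE_finish(e); ENGINE_free(e);` directly follow the successful `SSL_CTX_use_PrivateKey(ssl_ctx, pkey)` — while the SSL_CTX keeps an EVP_PKEY whose private operations are performed by that engine; whether the PKCS#11 session behind the key survives the finish call is engine-specific, so the reference should be kept for the lifetime of the TLS context and released in its destroy path (both outside this hunk). Handing the PIN to `ENGINE_load_private_key(e, key_file, NULL, (void *)key_passwd)` as callback_data with a NULL UI_METHOD is likewise engine-specific: as far as I can tell engine_pkcs11 takes the PIN through its `PIN` ctrl command (or a `pin-value` attribute of the URI) and otherwise falls back to OpenSSL's default UI, which prompts on the controlling terminal and would hang a daemon. Setting the PIN with `ENGINE_ctrl_cmd_string(e, "PIN", key_passwd, 0)` before the load, with the same error handling as the other engine calls, makes the configured tls_key_passwd actually reach the token; sketch below. The ENGINE API is also deprecated since OpenSSL 3.0, which is worth a `/* NOTE(review): ENGINE is deprecated in OpenSSL 3; the provider / OSSL_STORE route is the long-term replacement */` comment on the pkcs11 branch. tls_context_create begins before and continues after this hunk.
```c
/* … unchanged: ENGINE_by_id / ENGINE_init and their error paths … */
if (key_passwd && key_passwd[0] != '\0') {
    /* engine_pkcs11 reads the PIN from its "PIN" ctrl; with a NULL
     * UI_METHOD the callback_data of ENGINE_load_private_key is not
     * used for it and the engine may prompt on the terminal instead */
    if (!ENGINE_ctrl_cmd_string(e, "PIN", key_passwd, 0)) {
        flb_error("[tls] failed to set pkcs11 PIN on engine");
        ENGINE_finish(e);
        ENGINE_free(e);
        goto error;
    }
}
EVP_PKEY *pkey = ENGINE_load_private_key(e, key_file, NULL, NULL);
/* … unchanged: SSL_CTX_use_PrivateKey and EVP_PKEY_free … */
/* keep e alive (ENGINE_finish/ENGINE_free) until the TLS context is destroyed */
```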
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 20:44:09 +0100
Subject: [PATCH 2/8] fix: warn on empty key_password
---
 src/tls/openssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 8fdb3a9d7ae..7c7ffbdfc48 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -918,8 +918,7 @@ static void *tls_context_create(int verify,
 if (strncmp(key_file, "pkcs11:", 7) == 0) {
 /* PKCS#11 URI detected */
 if (!key_passwd || strlen(key_passwd) == 0) {
- flb_error("[tls] PKCS#11 URI requires a PIN/password (tls_key_passwd)");
- goto error;
+ flb_warn("[tls] PKCS#11 URI may fail without a PIN/password (tls_key_passwd)");
 }
 ENGINE *e = ENGINE_by_id("pkcs11");
 if (!e) {
From e539b413f6412f2f07f5e81a35e1336dcc681e09 Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 20:55:05 +0100
Subject: [PATCH 3/8] fix: openssl engine support error
---
 src/tls/openssl.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 7c7ffbdfc48..bab0088e0e9 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -916,6 +916,11 @@ static void *tls_context_create(int verify,
 /* key_file */
 if (key_file) {
 if (strncmp(key_file, "pkcs11:", 7) == 0) {
+#ifdef OPENSSL_NO_ENGINE
+ flb_error("[tls] pkcs11_key_file '%s': requires OpenSSL ENGINE support",
+ key_file);
+ goto error;
+#endif
 /* PKCS#11 URI detected */
 if (!key_passwd || strlen(key_passwd) == 0) {
 flb_warn("[tls] PKCS#11 URI may fail without a PIN/password (tls_key_passwd)");
From 956963f69ee3277abd66ab3387566b11cb7d230a Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 20:57:53 +0100
Subject: [PATCH 4/8] Apply suggestions from code review
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: toinux <26522723+itzwam@users.noreply.github.com>
---
 src/tls/openssl.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index bab0088e0e9..e55ed6a2332 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -965,6 +965,7 @@ static void *tls_context_create(int verify,
 ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
 flb_error("[tls] key_file '%s' %lu: %s",
 key_file, ERR_get_error(), err_buf);
+ goto error;
 }
 }
From 9f377b3ca5adc38f3fbc53ad3a59cdcce9c30f88 Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:00:15 +0100
Subject: [PATCH 5/8] fix: openssl engine support error
---
 src/tls/openssl.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index e55ed6a2332..4bbe2d316c2 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
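Review bot: The context line `flb_error("[tls] key_file '%s' %lu: %s", key_file, ERR_get_error(), err_buf);` calls `ERR_get_error()` a second time after `ERR_error_string_n(ERR_get_error(), …)` has already popped the error, so the `%lu` prints the next queue entry (usually 0) rather than the code that `err_buf` describes. A later commit in this series rewrites the crt_file message to `"[tls] crt_file '%s' error: %s"` but leaves this one as is; the same change applies here, `flb_error("[tls] key_file '%s' error: %s", key_file, err_buf);`. The added `goto error` is the right fix for the previously silent failure, since the code fell through to the key/certificate match check with no key loaded. tls_context_create begins before and continues after this hunk.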
@@ -927,23 +927,27 @@ static void *tls_context_create(int verify,
 }
 ENGINE *e = ENGINE_by_id("pkcs11");
 if (!e) {
- flb_error("[tls] failed to load pkcs11 engine");
+ ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+ flb_error("[tls] failed to load pkcs11 engine: %s", err_buf);
 goto error;
 }
 if (!ENGINE_init(e)) {
- flb_error("[tls] failed to initialize pkcs11 engine");
+ ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+ flb_error("[tls] failed to initialize pkcs11 engine: %s", err_buf);
 ENGINE_free(e);
 goto error;
 }
 EVP_PKEY *pkey = ENGINE_load_private_key(e, key_file, NULL, (void *)key_passwd);
 if (!pkey) {
- flb_error("[tls] failed to load private key from pkcs11 uri: %s", key_file);
+ ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+ flb_error("[tls] failed to load private key from pkcs11 uri '%s': %s", key_file, err_buf);
 ENGINE_finish(e);
 ENGINE_free(e);
 goto error;
 }
 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
- flb_error("[tls] failed to use pkcs11 private key: %s", key_file);
+ ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
+ flb_error("[tls] failed to use pkcs11 private key '%s': %s", key_file, err_buf);
 EVP_PKEY_free(pkey);
 ENGINE_finish(e);
 ENGINE_free(e);
From f6ca4b02f4d84dae4aef17eea11f9b176b9558bb Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:04:49 +0100
Subject: [PATCH 6/8] fix: Broken OPENSSL_NO_ENGINE guard causes compilation failure.
---
 src/tls/openssl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 4bbe2d316c2..1039ce938d2 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -920,7 +920,7 @@ static void *tls_context_create(int verify,
 flb_error("[tls] pkcs11_key_file '%s': requires OpenSSL ENGINE support",
 key_file);
 goto error;
-#endif
+#else
 /* PKCS#11 URI detected */
 if (!key_passwd || strlen(key_passwd) == 0) {
 flb_warn("[tls] PKCS#11 URI may fail without a PIN/password (tls_key_passwd)");
@@ -956,6 +956,7 @@ static void *tls_context_create(int verify,
 EVP_PKEY_free(pkey);
 ENGINE_finish(e);
 ENGINE_free(e);
+#endif
 }
 else
 {
From d623d92fe683e2bc719c46392c8fa4184e7aa6b1 Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:24:03 +0100
Subject: [PATCH 7/8] fix: err handling
---
 src/tls/openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 1039ce938d2..a8e779bcf6f 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -907,8 +907,8 @@ static void *tls_context_create(int verify,
 ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, crt_file);
 if (ret != 1) {
 ERR_error_string_n(ERR_get_error(), err_buf, sizeof(err_buf)-1);
- flb_error("[tls] crt_file '%s' %lu: %s",
- crt_file, ERR_get_error(), err_buf);
+ flb_error("[tls] crt_file '%s' error: %s",
+ crt_file, err_buf);
 goto error;
 }
 }
From b1861d188649110cfce10af255cae9002d4b6fc6 Mon Sep 17 00:00:00 2001
From: toinux <26522723+itzwam@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:28:34 +0100
Subject: [PATCH 8/8] fix: redacted pkcs11URI
---
 src/tls/openssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index a8e779bcf6f..5ba8567d00d 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
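Review bot: The `#ifdef OPENSSL_NO_ENGINE` / `#else` guard fixed here only covers builds configured without engines; if I read OpenSSL 3's engine.h right, a build with `OPENSSL_NO_DEPRECATED_3_0` (or `OPENSSL_API_COMPAT` at 3.0 or later) hides the `ENGINE_by_id`, `ENGINE_init` and `ENGINE_load_private_key` declarations while leaving OPENSSL_NO_ENGINE undefined, so the `#else` branch would then fail to compile. Widening the guard to `#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DEPRECATED_3_0)` keeps such builds on the error path instead of breaking them. A short comment on the guard saying why both macros are checked would spare the next reader the same investigation. The enclosing tls_context_create starts before and continues after these hunks.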
@@ -917,8 +917,7 @@ static void *tls_context_create(int verify,
 if (key_file) {
 if (strncmp(key_file, "pkcs11:", 7) == 0) {
 #ifdef OPENSSL_NO_ENGINE
- flb_error("[tls] pkcs11_key_file '%s': requires OpenSSL ENGINE support",
- key_file);
+ flb_error("[tls] key_file 'pkcs11:': requires OpenSSL ENGINE support");
 goto error;
 #else
 /* PKCS#11 URI detected */
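Review bot: The redaction stops at this one message: the two `flb_error` calls added earlier in the series, `"[tls] failed to load private key from pkcs11 uri '%s': %s"` and `"[tls] failed to use pkcs11 private key '%s': %s"`, still print the full key_file, and a PKCS#11 URI (RFC 7512) may carry the token PIN in a `pin-value` query attribute — exactly the configuration the relaxed PIN check leaves open — so a mis-typed object label would write the PIN into the log. Rather than dropping the URI from those messages, a small helper that copies the URI with the value of any `pin-value=` / `pin-source=` attribute masked keeps the diagnostic useful; sketch below, to be called on key_file before it is logged. With OPENSSL_NO_ENGINE this message is the only path, so the literal `'pkcs11:'` here is fine. The enclosing tls_context_create continues past this hunk.
```c
/* Copy uri into buf (buf_len bytes, always NUL-terminated) with the value
 * of any pin-value= / pin-source= query attribute replaced by "***", so a
 * PKCS#11 URI can be logged without leaking the token PIN. */
static void tls_pkcs11_uri_redact(const char *uri, char *buf, size_t buf_len)
{
    const char *p = uri;
    size_t n = 0;

    if (buf_len == 0) {
        return;
    }
    while (*p != '\0' && n + 1 < buf_len) {
        if (strncmp(p, "pin-value=", 10) == 0 ||
            strncmp(p, "pin-source=", 11) == 0) {
            const char *val = strchr(p, '=') + 1;
            size_t keep = (size_t) (val - p);

            if (n + keep + 3 >= buf_len) {
                break;
            }
            memcpy(buf + n, p, keep);
            n += keep;
            memcpy(buf + n, "***", 3);
            n += 3;
            /* skip the secret value up to the next query attribute */
            p = val;
            while (*p != '\0' && *p != '&') {
                p++;
            }
            continue;
        }
        buf[n++] = *p++;
    }
    buf[n] = '\0';
}
```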