tls_wrap does not forward privateKeyEngine and privateKeyIdentifier to tls.createSecureContext() on Server opening

[BenBaratte]

• Node.js Version: 14.15.1
• OS: Linux Kali over WSL1
• Scope (install, code, runtime, meta, other?): code
• Module (and version) (if relevant): nodejs core

in the options pass to the https.createServer() functions, all parameters are forwarded to tls.createSecureContext().
the issue is that in the _tls_wrap.js, the Server.prototype.setSecureContext() explicitly log the options structure before forwarding it to tls.createSecureContext()
there is 2 options that are managed by the tls.createSecureContext() that are not forward :
privateKeyEngine, privateKeyIdentifier

The impact is that the https server can not use OpenSSL engine to manage the server private key.

here is a basic example :

var fs = require('fs')
var https = require('https')

var engine_path='/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so'

var server = https.createServer({
maxVersion: 'TLSv1.2',
minVersion: 'TLSv1.2',
privateKeyEngine: engine_path,
privateKeyIdentifier : '0',
cert: fs.readFileSync('server.pem'),
ciphers:'ECDHE-ECDSA-AES128-GCM-SHA256',
enableTrace:true,
sigalgs:'ECDSA+SHA256',
ecdhCurve:'P-256:P-384',
})
.listen(3000, function () {
console.log('Example app listening on port 3000! Go to https://localhost:3000/')
})

the output with official release is :

Example app listening on port 3000! Go to https://localhost:3000/

with a small patch to the Server.prototype.setSecureContext() I have the following output :

bad engine id
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
_tls_common.js:182
c.context.setEngineKey(privateKeyIdentifier, privateKeyEngine);
^

Error: error:80067065:pkcs11 engine:ctx_load_privkey:object not found
at Object.createSecureContext (_tls_common.js:182:19)
at Server.setSecureContext (_tls_wrap.js:1332:27)
at Server (_tls_wrap.js:1181:8)
at new Server (https.js:66:14)
at Object.createServer (https.js:91:10)
at Object. (/home/ben/node-v14.15.1-linux-x64/testproj/express_engine.js:7:20)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
at Module.load (internal/modules/cjs/loader.js:928:32)
at Function.Module._load (internal/modules/cjs/loader.js:769:14) {
opensslErrorStack: [
'error:26096080:engine routines:ENGINE_load_private_key:failed loading private key'
],
library: 'pkcs11 engine',
function: 'ctx_load_privkey',
reason: 'object not found',
code: 'ERR_OSSL_USER_OBJECT_NOT_FOUND'
}

I expect this error as the engine is well called by the https.createServer() function.

I made this example so everyone can reproduce the issue.

For my testing, I'm using a proprietary OpenSSL engine and I'm able to authenticate the server thanks to the HSM private key.

Thanks,

Ben

[gireeshpunathil]

let us see if @nodejs/crypto can help

[BenBaratte]

This point has been addressed with the pull request nodejs/node#36416

We can close this discussion.

Best Regards,

Ben