Azure · walterchris · Mar 16, 2026 · Mar 16, 2026
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -93,7 +93,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y --no-install-recommends \
-          build-essential cmake pkg-config libssl-dev libbsd-dev
+          build-essential cmake pkg-config libssl-dev libbsd-dev ca-certificates curl gnupg
 
     - name: Restore Cargo cache
       uses: actions/cache/restore@v5
@@ -120,9 +120,11 @@ jobs:
           | tar xz -C /tmp
         cd /tmp/openssl-3.0.3
         ./Configure --prefix=/opt/openssl-3.0.3 --libdir=lib \
-          no-shared -fvisibility=hidden -fPIC
+          no-shared no-dso -fvisibility=hidden -fPIC
         make -j"$(nproc)"
         sudo make install_sw
+        sudo mkdir -p /opt/openssl-3.0.3/ssl
+        sudo touch /opt/openssl-3.0.3/ssl/openssl.cnf
 
     - name: Build azihsm with static OpenSSL
       env:
@@ -134,8 +136,9 @@ jobs:
 
     - name: Install provider
       run: |
-        sudo mkdir -p /usr/lib/ossl-modules
-        sudo cp target/debug/azihsm_provider.so /usr/lib/ossl-modules/
+        sudo mkdir -p /usr/lib/x86_64-linux-gnu/ossl-modules /var/lib/azihsm
+        sudo chown "$USER" /var/lib/azihsm
+        sudo cp target/debug/azihsm_provider.so /usr/lib/x86_64-linux-gnu/ossl-modules/
         sudo cp target/debug/libazihsm_api_native.so /usr/lib/
         sudo ldconfig
 
@@ -151,28 +154,116 @@ jobs:
         openssl ec -in pota_private_key.der -inform DER -pubout -outform DER -out pota_public_key.der 2>/dev/null
         chmod 600 credentials_id.bin credentials_pin.bin obk.bin pota_private_key.der pota_public_key.der
 
+    - name: Install config files
+      run: |
+        sudo mkdir -p /etc/azihsm
+        sudo cp plugins/ossl_prov/nginx-example/openssl-provider.cnf /etc/azihsm/
+        sudo cp plugins/ossl_prov/nginx-example/openssl-cli.cnf /etc/azihsm/
+        sudo cp plugins/ossl_prov/nginx-example/nginx.conf.template /etc/azihsm/
+        sudo chown -R "$USER" /etc/azihsm
+        # Replace the system-wide OpenSSL config so that the provider is
+        # loaded automatically by every process that uses system libcrypto.
+        # This avoids OPENSSL_CONF env-var, which the statically-linked
+        # OpenSSL inside libazihsm_api_native.so would also read – causing
+        # recursive provider loading and a deadlock.
+        sudo cp plugins/ossl_prov/nginx-example/openssl-cli.cnf /etc/ssl/openssl.cnf
+
     - name: Smoke test provider
       env:
         AZIHSM_CREDENTIALS_ID: "70fcf730b8764238b8358010ce8a3f76"
         AZIHSM_CREDENTIALS_PIN: "db3dc77fc22e430080d41b31b6f04800"
       run: |
-        /opt/openssl-3.0.3/bin/openssl genpkey \
-          -provider-path /usr/lib/ossl-modules \
-          -provider default -provider azihsm_provider \
-          -propquery "?provider=azihsm" \
+        openssl genpkey \
           -algorithm EC -pkeyopt group:P-384 \
           -outform DER -out /dev/null -text
 
     - name: Run integration tests
       env:
-        OPENSSL_BIN: /opt/openssl-3.0.3/bin/openssl
+        OPENSSL_BIN: /usr/bin/openssl
         OPENSSL_LIB: ""
-        PROVIDER_PATH: /usr/lib/ossl-modules
+        PROVIDER_PATH: /usr/lib/x86_64-linux-gnu/ossl-modules
         PROPQUERY: "?provider=azihsm"
         AZIHSM_CREDENTIALS_ID: "70fcf730b8764238b8358010ce8a3f76"
         AZIHSM_CREDENTIALS_PIN: "db3dc77fc22e430080d41b31b6f04800"
       run: cargo xtask precheck --nextest --package integration-tests --features integration --profile ci-provider-integration
 
+    - name: Install nginx mainline
+      env:
+        OPENSSL_CONF: /dev/null
+      run: |
+        curl -fsSL https://nginx.org/keys/nginx_signing.key \
+          | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
+        echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+          http://nginx.org/packages/mainline/ubuntu noble nginx" \
+          | sudo tee /etc/apt/sources.list.d/nginx.list
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends nginx
+
+    - name: Generate key and certificate
+      env:
+        AZIHSM_CREDENTIALS_ID: "70fcf730b8764238b8358010ce8a3f76"
+        AZIHSM_CREDENTIALS_PIN: "db3dc77fc22e430080d41b31b6f04800"
+      run: |
+        openssl genpkey \
+          -algorithm EC \
+          -pkeyopt group:P-384 \
+          -pkeyopt "azihsm.masked_key:/etc/azihsm/masked_key_p384.bin" \
+          -outform DER -out /dev/null
+
+        openssl req -new -x509 \
+          -key "azihsm:///etc/azihsm/masked_key_p384.bin;type=ec" \
+          -subj "/CN=localhost" \
+          -days 365 -sha384 \
+          -out /etc/azihsm/server.crt
+
+    - name: Validate nginx config (provider load test)
+      env:
+        AZIHSM_CREDENTIALS_ID: "70fcf730b8764238b8358010ce8a3f76"
+        AZIHSM_CREDENTIALS_PIN: "db3dc77fc22e430080d41b31b6f04800"
+      run: |
+        # Switch to the provider-only config (no default_properties) so
+        # nginx's own TLS cipher lookups are not routed through azihsm.
+        sudo cp plugins/ossl_prov/nginx-example/openssl-provider.cnf /etc/ssl/openssl.cnf
+        sudo cp /etc/azihsm/nginx.conf.template /etc/nginx/nginx.conf
+        sudo -E nginx -t -c /etc/nginx/nginx.conf
+
+    - name: Start nginx
+      env:
+        AZIHSM_CREDENTIALS_ID: "70fcf730b8764238b8358010ce8a3f76"
+        AZIHSM_CREDENTIALS_PIN: "db3dc77fc22e430080d41b31b6f04800"
+      run: |
+        sudo -E nginx -c /etc/nginx/nginx.conf
+        sleep 2
+        ps aux | grep nginx || true
+
+    - name: Verify TLS endpoint
+      env:
+        OPENSSL_CONF: /dev/null
+      run: |
+        curl -fsk https://localhost:8443/ | grep "azihsm"
+        curl -fsk https://localhost:8443/health | grep "healthy"
+
+    - name: Verify certificate properties
+      env:
+        OPENSSL_CONF: /dev/null
+      run: |
+        CERT=$(echo | openssl s_client -connect localhost:8443 -servername localhost 2>/dev/null \
+          | openssl x509 -noout -text)
+        echo "$CERT"
+        echo "$CERT" | grep -q "Signature Algorithm: ecdsa-with-SHA384"
+        echo "$CERT" | grep -q "NIST CURVE: P-384"
+        echo "$CERT" | grep -q "ASN1 OID: secp384r1"
+        echo "$CERT" | grep -q "Subject: CN.*=.*localhost"
+
+    - name: Negative test — provider required
+      env:
+        OPENSSL_CONF: /dev/null
+      run: |
+        sudo nginx -s stop || true
+        sudo rm /usr/lib/x86_64-linux-gnu/ossl-modules/azihsm_provider.so
+        nginx -t -c /etc/nginx/nginx.conf 2>&1 \
+          | grep -q "unregistered scheme"
+
   build_windows:
 
     runs-on: windows-latest

diff --git a/integration-tests/testfiles/env.sh b/integration-tests/testfiles/env.sh
@@ -44,6 +44,13 @@ fi
 
 export LD_LIBRARY_PATH="$OPENSSL_LIB"
 
+# Suppress the system-wide openssl.cnf.  When the CI installs the azihsm
+# provider config as /etc/ssl/openssl.cnf the provider would be loaded
+# automatically *and* again by the explicit -provider flags each script
+# passes, causing a double-load error.  The tests are self-contained:
+# they supply -provider-path / -provider / -propquery on every command.
+export OPENSSL_CONF=/dev/null
+
 # --- Credentials via hex env vars (preferred) ---
 # The provider reads credentials from these env vars first, falling back to
 # default files in CWD if unset.  Values match the mock HSM's test credentials.

diff --git a/plugins/ossl_prov/nginx-example/entrypoint.sh b/plugins/ossl_prov/nginx-example/entrypoint.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+set -euo pipefail
+
+AZIHSM_DIR="/etc/azihsm"
+MASKED_KEY="${AZIHSM_DIR}/masked_key_p384.bin"
+CERT="${AZIHSM_DIR}/server.crt"
+NGINX_CONF="/etc/nginx/nginx.conf"
+
+mkdir -p "${AZIHSM_DIR}"
+
+export OPENSSL_CONF="/etc/azihsm/openssl-cli.cnf"
+
+echo "==> Generating EC P-384 key pair in mock HSM ..."
+openssl genpkey \
+    -algorithm EC \
+    -pkeyopt group:P-384 \
+    -pkeyopt "azihsm.masked_key:${MASKED_KEY}" \
+    -outform DER \
+    -out /dev/null
+
+echo "==> Generating self-signed certificate ..."
+openssl req -new -x509 \
+    -key "azihsm://${MASKED_KEY};type=ec" \
+    -subj "/CN=localhost" \
+    -days 365 \
+    -sha384 \
+    -out "${CERT}"
+
+echo "==> Installing nginx configuration ..."
+cp /etc/azihsm/nginx.conf.template "${NGINX_CONF}"
+
+# nginx config: loads the provider without default_properties so that
+# TLS-internal algorithms (HKDF, etc.) use the default provider.
+export OPENSSL_CONF="/etc/azihsm/openssl-provider.cnf"
+
+echo "==> Starting nginx on port 8443 ..."
+exec nginx -g 'daemon off;' -c "${NGINX_CONF}"
diff --git a/plugins/ossl_prov/nginx-example/nginx.conf.template b/plugins/ossl_prov/nginx-example/nginx.conf.template
@@ -0,0 +1,38 @@
+worker_processes 1;
+
+# Pass OPENSSL_CONF into the nginx worker so the provider is loaded.
+env OPENSSL_CONF;
+
+# Docker entrypoint passes -g 'daemon off;' to keep nginx in the foreground.
+
+error_log /var/log/nginx/error.log info;
+pid       /run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_tickets off;
+
+    server {
+        listen      8443 ssl;
+        server_name localhost;
+
+        ssl_certificate     /etc/azihsm/server.crt;
+        ssl_certificate_key "store:azihsm:///etc/azihsm/masked_key_p384.bin;type=ec";
+
+        location / {
+            default_type text/plain;
+            return 200 'nginx + azihsm provider\n';
+        }
+
+        location /health {
+            default_type application/json;
+            return 200 '{"status":"healthy","provider":"azihsm"}\n';
+        }
+    }
+}
diff --git a/plugins/ossl_prov/nginx-example/openssl-cli.cnf b/plugins/ossl_prov/nginx-example/openssl-cli.cnf
@@ -0,0 +1,29 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# Used by the CLI commands (genpkey, req) to load the provider and route
+# algorithm lookups to azihsm via default_properties.
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+default = default_sect
+base = base_sect
+azihsm_provider = azihsm_provider_sect
+
+[default_sect]
+activate = 1
+
+[base_sect]
+activate = 1
+
+[azihsm_provider_sect]
+module = /usr/lib/x86_64-linux-gnu/ossl-modules/azihsm_provider.so
+activate = 1
+
+[algorithm_sect]
+default_properties = ?provider=azihsm
diff --git a/plugins/ossl_prov/nginx-example/openssl-provider.cnf b/plugins/ossl_prov/nginx-example/openssl-provider.cnf
@@ -0,0 +1,25 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# Used by nginx (via OPENSSL_CONF) to load the provider so that the
+# store:azihsm:// URI in ssl_certificate_key resolves automatically.
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+base = base_sect
+azihsm_provider = azihsm_provider_sect
+
+[default_sect]
+activate = 1
+
+[base_sect]
+activate = 1
+
+[azihsm_provider_sect]
+module = /usr/lib/x86_64-linux-gnu/ossl-modules/azihsm_provider.so
+activate = 1