Resolves: #1955564 - [RFE] Support loading certificates from hardware

token (PKCS#11)

0003-Support-loading-cert-hardware-token-PKC.patch

@@ -0,0 +1,88 @@
+From 4e5f12d6584536ead82d20554d8f3f2ab0107b0b Mon Sep 17 00:00:00 2001
+From: Lubos Uhliarik <luhliari@redhat.com>
+Date: Fri, 30 Apr 2021 13:07:45 +0000
+Subject: [PATCH 3/3] Support loading certificates from hardware token (PKCS#11)
+
+---
+ src/event/ngx_event_openssl.c | 65 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 65 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index d762d6b..270b200 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -617,6 +617,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
+     X509    *x509, *temp;
+     u_long   n;
+ 
++    if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
++
++#ifndef OPENSSL_NO_ENGINE
++
++        u_char  *p, *last;
++        ENGINE  *engine;
++
++        p = cert->data + sizeof("engine:") - 1;
++        last = (u_char *) ngx_strchr(p, ':');
++
++        if (last == NULL) {
++            *err = "invalid syntax";
++            return NULL;
++        }
++
++        *last = '\0';
++
++        engine = ENGINE_by_id((char *) p);
++
++        if (engine == NULL) {
++            *err = "ENGINE_by_id() failed";
++            return NULL;
++        }
++
++        if (!ENGINE_init(engine)) {
++            *err = "ENGINE_init() failed";
++            ENGINE_free(engine);
++            return NULL;
++        }
++
++        *last++ = ':';
++
++        struct {
++            const char *cert_id;
++            X509 *cert;
++        } params = { (char *) last, NULL };
++
++        if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &params, NULL, 1)) {
++            *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
++            ENGINE_free(engine);
++            return NULL;
++        }
++
++        ENGINE_finish(engine);
++        ENGINE_free(engine);
++
++        /* set chain to null */
++
++        *chain = sk_X509_new_null();
++        if (*chain == NULL) {
++           *err = "sk_X509_new_null() failed";
++           X509_free(params.cert);
++           return NULL;
++        }
++
++        return params.cert;
++
++#else
++
++        *err = "loading \"engine:...\" certificate is not supported";
++        return NULL;
++
++#endif
++    }
++
+     if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
+ 
+         bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
+-- 
+2.26.3
+

nginx.spec

@@ -29,7 +29,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.0
-Release:           4%{?dist}
+Release:           5%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -62,6 +62,9 @@ Patch0:            0001-remove-Werror-in-upstream-build-scripts.patch
 # rejected upstream: https://trac.nginx.org/nginx/ticket/1897
 Patch1:            0002-fix-PIDFile-handling.patch
 
+# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564
+Patch2:            0003-Support-loading-cert-hardware-token-PKC.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -501,6 +504,10 @@ fi
 
 
 %changelog
+* Fri Apr 30 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-5
+- Resolves: #1955564 - [RFE] Support loading certificates from hardware
+  token (PKCS#11)
+
 * Fri Apr 30 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-4
 - Resolves: #1955560 - centralizing default index.html on nginx