Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11)

2021-09-22 16:37:10 +02:00 · 2021-09-22 16:37:10 +02:00 · 1365117847
parent 0b6d4f6992
commit 1365117847
2 changed files with 48 additions and 1 deletions
--- a/0005-Init-openssl-engine-properly.patch
+++ b/0005-Init-openssl-engine-properly.patch
@ -0,0 +1,41 @@
+From a769a35a6197c76390e1dd8f5054d426fbbbda05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Wed, 22 Sep 2021 16:12:58 +0200
+Subject: [PATCH] Init openssl engine properly
+
+---
+ src/event/ngx_event_openssl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 270b200..f813458 100644
+--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
+@@ -798,16 +798,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+             return NULL;
+         }
+ 
+        if (!ENGINE_init(engine)) {
+            *err = "ENGINE_init() failed";
+            ENGINE_free(engine);
+            return NULL;
+        }
+
+         *last++ = ':';
+ 
+         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+ 
+         if (pkey == NULL) {
+             *err = "ENGINE_load_private_key() failed";
+            ENGINE_finish(engine);
+             ENGINE_free(engine);
+             return NULL;
+         }
+ 
+        ENGINE_finish(engine);
+         ENGINE_free(engine);
+ 
+         return pkey;
+-- 
+2.31.1
+
--- a/nginx.spec
+++ b/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           6%{?dist}
+Release:           7%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -82,6 +82,9 @@ Patch2:            0003-Support-loading-cert-hardware-token-PKC.patch
 # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822
 Patch3:            0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch

+# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420
+Patch4:            0005-Init-openssl-engine-properly.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -581,6 +584,9 @@ fi


 %changelog
+* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-7
+- Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11)
+
 * Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-6
 - Resolves: #2006822 - Hardening tests fail for nginx