diff --git a/0003-Support-loading-cert-hardware-token-PKC.patch b/0003-Support-loading-cert-hardware-token-PKC.patch new file mode 100644 index 0000000..2d09c16 --- /dev/null +++ b/0003-Support-loading-cert-hardware-token-PKC.patch @@ -0,0 +1,88 @@ +From 4e5f12d6584536ead82d20554d8f3f2ab0107b0b Mon Sep 17 00:00:00 2001 +From: Lubos Uhliarik +Date: Fri, 30 Apr 2021 13:07:45 +0000 +Subject: [PATCH 3/3] Support loading certificates from hardware token (PKCS#11) + +--- + src/event/ngx_event_openssl.c | 65 +++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index d762d6b..270b200 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -617,6 +617,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + X509 *x509, *temp; + u_long n; + ++ if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) { ++ ++#ifndef OPENSSL_NO_ENGINE ++ ++ u_char *p, *last; ++ ENGINE *engine; ++ ++ p = cert->data + sizeof("engine:") - 1; ++ last = (u_char *) ngx_strchr(p, ':'); ++ ++ if (last == NULL) { ++ *err = "invalid syntax"; ++ return NULL; ++ } ++ ++ *last = '\0'; ++ ++ engine = ENGINE_by_id((char *) p); ++ ++ if (engine == NULL) { ++ *err = "ENGINE_by_id() failed"; ++ return NULL; ++ } ++ ++ if (!ENGINE_init(engine)) { ++ *err = "ENGINE_init() failed"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ *last++ = ':'; ++ ++ struct { ++ const char *cert_id; ++ X509 *cert; ++ } params = { (char *) last, NULL }; ++ ++ if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) { ++ *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ ENGINE_finish(engine); ++ ENGINE_free(engine); ++ ++ /* set chain to null */ ++ ++ *chain = sk_X509_new_null(); ++ if (*chain == NULL) { ++ *err = "sk_X509_new_null() failed"; ++ X509_free(params.cert); ++ return NULL; ++ } ++ ++ return params.cert; ++ ++#else ++ ++ *err = "loading \"engine:...\" certificate is not supported"; ++ return NULL; ++ ++#endif ++ } ++ + if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { + + bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, +-- +2.26.3 + diff --git a/nginx.spec b/nginx.spec index d6a0fbf..540d0cd 100644 --- a/nginx.spec +++ b/nginx.spec @@ -29,7 +29,7 @@ Name: nginx Epoch: 1 Version: 1.20.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -62,6 +62,9 @@ Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 Patch1: 0002-fix-PIDFile-handling.patch +# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564 +Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -501,6 +504,10 @@ fi %changelog +* Fri Apr 30 2021 Lubos Uhliarik - 1:1.20.0-5 +- Resolves: #1955564 - [RFE] Support loading certificates from hardware + token (PKCS#11) + * Fri Apr 30 2021 Lubos Uhliarik - 1:1.20.0-4 - Resolves: #1955560 - centralizing default index.html on nginx