diff --git a/apache2-load-certificates-from-pkcs11.patch b/apache2-load-certificates-from-pkcs11.patch new file mode 100644 index 0000000..db5a7b4 --- /dev/null +++ b/apache2-load-certificates-from-pkcs11.patch @@ -0,0 +1,178 @@ +Index: httpd-2.4.41/modules/ssl/ssl_util.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_util.c 2019-10-21 21:29:44.081536735 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_util.c 2019-10-21 21:29:44.093536806 +0200 +@@ -481,7 +481,7 @@ void ssl_util_thread_id_setup(apr_pool_t + + #endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */ + +-int modssl_is_engine_key(const char *name) ++int modssl_is_engine_id(const char *name) + { + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) + /* ### Can handle any other special ENGINE key names here? */ +Index: httpd-2.4.41/modules/ssl/ssl_engine_config.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_config.c 2019-10-21 21:29:44.081536735 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_engine_config.c 2019-10-21 21:31:14.970078134 +0200 +@@ -916,7 +916,9 @@ const char *ssl_cmd_SSLCertificateFile(c + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + +- if ((err = ssl_cmd_check_file(cmd, &arg))) { ++ /* Only check for non-ENGINE based certs. */ ++ if (!modssl_is_engine_id(arg) ++ && (err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + +@@ -933,7 +935,7 @@ const char *ssl_cmd_SSLCertificateKeyFil + const char *err; + + /* Check keyfile exists for non-ENGINE keys. */ +- if (!modssl_is_engine_key(arg) ++ if (!modssl_is_engine_id(arg) + && (err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } +Index: httpd-2.4.41/modules/ssl/ssl_engine_init.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_init.c 2019-10-21 21:29:44.081536735 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_engine_init.c 2019-10-21 21:29:44.097536830 +0200 +@@ -1248,13 +1248,17 @@ static apr_status_t ssl_init_server_cert + const char *)); + i++) { + EVP_PKEY *pkey; ++ const char *engine_certfile = NULL; + + key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i); + + ERR_clear_error(); + + /* first the certificate (public key) */ +- if (mctx->cert_chain) { ++ if (modssl_is_engine_id(certfile)) { ++ engine_certfile = certfile; ++ } ++ else if (mctx->cert_chain) { + if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile, + SSL_FILETYPE_PEM) < 1)) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02561) +@@ -1283,13 +1287,28 @@ static apr_status_t ssl_init_server_cert + + ERR_clear_error(); + +- if (modssl_is_engine_key(keyfile)) { ++ if (modssl_is_engine_id(keyfile)) { + apr_status_t rv; + +- if ((rv = modssl_load_engine_pkey(s, ptemp, keyfile, &pkey))) { ++ cert = NULL; ++ if ((rv = modssl_load_engine_keypair(s, ptemp, engine_certfile, ++ keyfile, &cert, &pkey))) { + return rv; + } + ++ if (cert) { ++ if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO() ++ "Failed to configure engine certificate %s, check %s", ++ key_id, certfile); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ++ return APR_EGENERAL; ++ } ++ ++ /* SSL_CTX now owns the cert. */ ++ X509_free(cert); ++ } ++ + if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130) + "Failed to configure private key %s from engine", +Index: httpd-2.4.41/modules/ssl/ssl_engine_pphrase.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_pphrase.c 2019-10-21 21:29:44.081536735 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_engine_pphrase.c 2019-10-21 21:29:44.097536830 +0200 +@@ -616,11 +616,11 @@ int ssl_pphrase_Handle_CB(char *buf, int + } + + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) +-apr_status_t modssl_load_engine_pkey(server_rec *s, apr_pool_t *p, +- const char *keyid, EVP_PKEY **ppkey) ++apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, ++ const char *certid, const char *keyid, ++ X509 **pubkey, EVP_PKEY **privkey) + { + SSLModConfigRec *mc = myModConfig(s); +- EVP_PKEY *pPrivateKey = NULL; + ENGINE *e; + UI_METHOD *ui_method; + +@@ -648,16 +648,30 @@ apr_status_t modssl_load_engine_pkey(ser + ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0); + } + +- pPrivateKey = ENGINE_load_private_key(e, keyid, ui_method, NULL); +- if (pPrivateKey == NULL) { ++ if (certid) { ++ struct { ++ const char *cert_id; ++ X509 *cert; ++ } params = { certid, NULL }; ++ ++ if (!ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10136) ++ "Init: Unable to get the certificate"); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ++ return ssl_die(s); ++ } ++ ++ *pubkey = params.cert; ++ } ++ ++ *privkey = ENGINE_load_private_key(e, keyid, ui_method, NULL); ++ if (*privkey == NULL) { + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10133) + "Init: Unable to get the private key"); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + return ssl_die(s); + } + +- *ppkey = pPrivateKey; +- + ENGINE_free(e); + + return APR_SUCCESS; +Index: httpd-2.4.41/modules/ssl/ssl_private.h +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_private.h 2019-10-21 21:29:44.081536735 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_private.h 2019-10-21 21:29:44.097536830 +0200 +@@ -1001,10 +1001,13 @@ BOOL ssl_util_vhost_matches(cons + /** Pass Phrase Support */ + apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, + const char *, apr_array_header_t **); +-/* Load private key from the configured ENGINE, returned as **pkey. +- * Errors logged on failure. */ +-apr_status_t modssl_load_engine_pkey(server_rec *s, apr_pool_t *p, +- const char *keyid, EVP_PKEY **ppkey); ++ ++/* Load public and/or private key from the configured ENGINE. Private ++ * key returned as *pkey. certid can be NULL, in which case *pubkey ++ * is not altered. Errors logged on failure. */ ++apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, ++ const char *certid, const char *keyid, ++ X509 **pubkey, EVP_PKEY **privkey); + + /** Diffie-Hellman Parameter Support */ + DH *ssl_dh_GetParamFromFile(const char *); +@@ -1111,8 +1114,8 @@ DH *modssl_get_dh_params(unsigned keylen + int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn); + + /* Returns non-zero if the cert/key filename should be handled through +- * the configure ENGINE. */ +-int modssl_is_engine_key(const char *name); ++ * the configured ENGINE. */ ++int modssl_is_engine_id(const char *name); + + int ssl_is_challenge(conn_rec *c, const char *servername, + X509 **pcert, EVP_PKEY **pkey); diff --git a/apache2-load-private-keys-from-pkcs11.patch b/apache2-load-private-keys-from-pkcs11.patch new file mode 100644 index 0000000..051052b --- /dev/null +++ b/apache2-load-private-keys-from-pkcs11.patch @@ -0,0 +1,161 @@ +Index: httpd-2.4.41/modules/ssl/ssl_engine_config.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_config.c 2018-10-18 12:06:37.000000000 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_engine_config.c 2019-10-21 21:20:32.102340905 +0200 +@@ -932,7 +932,9 @@ const char *ssl_cmd_SSLCertificateKeyFil + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + const char *err; + +- if ((err = ssl_cmd_check_file(cmd, &arg))) { ++ /* Check keyfile exists for non-ENGINE keys. */ ++ if (!modssl_is_engine_key(arg) ++ && (err = ssl_cmd_check_file(cmd, &arg))) { + return err; + } + +Index: httpd-2.4.41/modules/ssl/ssl_engine_init.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_init.c 2019-08-06 14:16:14.000000000 +0200 ++++ httpd-2.4.41/modules/ssl/ssl_engine_init.c 2019-10-21 21:20:32.102340905 +0200 +@@ -1247,6 +1247,8 @@ static apr_status_t ssl_init_server_cert + (certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i, + const char *)); + i++) { ++ EVP_PKEY *pkey; ++ + key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i); + + ERR_clear_error(); +@@ -1281,12 +1283,26 @@ static apr_status_t ssl_init_server_cert + + ERR_clear_error(); + +- if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, +- SSL_FILETYPE_PEM) < 1) && +- (ERR_GET_FUNC(ERR_peek_last_error()) +- != X509_F_X509_CHECK_PRIVATE_KEY)) { ++ if (modssl_is_engine_key(keyfile)) { ++ apr_status_t rv; ++ ++ if ((rv = modssl_load_engine_pkey(s, ptemp, keyfile, &pkey))) { ++ return rv; ++ } ++ ++ if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130) ++ "Failed to configure private key %s from engine", ++ keyfile); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ++ return APR_EGENERAL; ++ } ++ } ++ else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, ++ SSL_FILETYPE_PEM) < 1) ++ && (ERR_GET_FUNC(ERR_peek_last_error()) ++ != X509_F_X509_CHECK_PRIVATE_KEY)) { + ssl_asn1_t *asn1; +- EVP_PKEY *pkey; + const unsigned char *ptr; + + ERR_clear_error(); +Index: httpd-2.4.41/modules/ssl/ssl_engine_pphrase.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_engine_pphrase.c 2018-12-11 15:14:40.000000000 +0100 ++++ httpd-2.4.41/modules/ssl/ssl_engine_pphrase.c 2019-10-21 21:20:32.102340905 +0200 +@@ -614,3 +614,52 @@ int ssl_pphrase_Handle_CB(char *buf, int + */ + return (len); + } ++ ++#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) ++apr_status_t modssl_load_engine_pkey(server_rec *s, apr_pool_t *p, ++ const char *keyid, EVP_PKEY **ppkey) ++{ ++ SSLModConfigRec *mc = myModConfig(s); ++ EVP_PKEY *pPrivateKey = NULL; ++ ENGINE *e; ++ UI_METHOD *ui_method; ++ ++ if (!mc->szCryptoDevice) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) ++ "Init: Cannot load private key `%s' without engine", ++ keyid); ++ return ssl_die(s); ++ } ++ ++ /* ++ * Using the builtin OpenSSL UI only, for now... ++ */ ++ ui_method = UI_OpenSSL(); ++ ++ if (!(e = ENGINE_by_id(mc->szCryptoDevice))) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132) ++ "Init: Failed to load Crypto Device API `%s'", ++ mc->szCryptoDevice); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ++ return ssl_die(s); ++ } ++ ++ if (APLOGdebug(s)) { ++ ENGINE_ctrl_cmd_string(e, "VERBOSE", NULL, 0); ++ } ++ ++ pPrivateKey = ENGINE_load_private_key(e, keyid, ui_method, NULL); ++ if (pPrivateKey == NULL) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10133) ++ "Init: Unable to get the private key"); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); ++ return ssl_die(s); ++ } ++ ++ *ppkey = pPrivateKey; ++ ++ ENGINE_free(e); ++ ++ return APR_SUCCESS; ++} ++#endif +Index: httpd-2.4.41/modules/ssl/ssl_private.h +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_private.h 2018-11-23 16:10:24.000000000 +0100 ++++ httpd-2.4.41/modules/ssl/ssl_private.h 2019-10-21 21:20:32.102340905 +0200 +@@ -1001,6 +1001,10 @@ BOOL ssl_util_vhost_matches(cons + /** Pass Phrase Support */ + apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int, + const char *, apr_array_header_t **); ++/* Load private key from the configured ENGINE, returned as **pkey. ++ * Errors logged on failure. */ ++apr_status_t modssl_load_engine_pkey(server_rec *s, apr_pool_t *p, ++ const char *keyid, EVP_PKEY **ppkey); + + /** Diffie-Hellman Parameter Support */ + DH *ssl_dh_GetParamFromFile(const char *); +@@ -1106,6 +1110,10 @@ DH *modssl_get_dh_params(unsigned keylen + * corresponding SSLConnRec structure for the connection. */ + int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn); + ++/* Returns non-zero if the cert/key filename should be handled through ++ * the configure ENGINE. */ ++int modssl_is_engine_key(const char *name); ++ + int ssl_is_challenge(conn_rec *c, const char *servername, + X509 **pcert, EVP_PKEY **pkey); + +Index: httpd-2.4.41/modules/ssl/ssl_util.c +=================================================================== +--- httpd-2.4.41.orig/modules/ssl/ssl_util.c 2018-11-23 16:10:24.000000000 +0100 ++++ httpd-2.4.41/modules/ssl/ssl_util.c 2019-10-21 21:20:32.106340927 +0200 +@@ -480,3 +480,13 @@ void ssl_util_thread_id_setup(apr_pool_t + } + + #endif /* #if APR_HAS_THREADS && MODSSL_USE_OPENSSL_PRE_1_1_API */ ++ ++int modssl_is_engine_key(const char *name) ++{ ++#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) ++ /* ### Can handle any other special ENGINE key names here? */ ++ return strncmp(name, "pkcs11:", 7) == 0; ++#else ++ return 0; ++#endif ++} diff --git a/apache2.changes b/apache2.changes index d603541..ff1ab15 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Oct 22 07:01:23 UTC 2019 - pgajdos@suse.com + +- load private keys and certificates from pkcs11 token [SLE-7653] +- added patches + load certificates from openssl engine + + apache2-load-certificates-from-pkcs11.patch + load private keys from openssl engine + + apache2-load-private-keys-from-pkcs11.patch + ------------------------------------------------------------------- Sat Oct 5 14:03:54 UTC 2019 - Yunhe Guo diff --git a/apache2.spec b/apache2.spec index f5c50fe..4d4e5b6 100644 --- a/apache2.spec +++ b/apache2.spec @@ -146,6 +146,10 @@ Patch111: httpd-visibility.patch # PATCH-FEATURE-UPSTREAM kstreitova@suse.com -- backport of HttpContentLengthHeadZero and HttpExpectStrict Patch115: httpd-2.4.x-fate317766-config-control-two-protocol-options.diff Patch116: deprecated-scripts-arch.patch +# load private keys from openssl engine +Patch117: apache2-load-private-keys-from-pkcs11.patch +# load certificates from openssl engine +Patch118: apache2-load-certificates-from-pkcs11.patch BuildRequires: apache-rpm-macros-control BuildRequires: apr-util-devel #Since 2.4.7 the event MPM requires apr 1.5.0 or later. @@ -337,6 +341,8 @@ to administrators of web servers in general. %patch115 -p1 %if 0%{?suse_version} == 1110 %patch116 -p1 +%patch117 -p1 +%patch118 -p1 %endif cat %{_sourcedir}/SUSE-NOTICE >> NOTICE # install READMEs