RFC7512 URI support

When a URI based on the RFC7512 is used, the private key should be loaded
from the engine instead of using a local file.

Author: vjardin

ext/openssl/xp_ssl.c

@@ -35,6 +35,7 @@
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
+#include <openssl/engine.h>
 
 #ifdef PHP_WIN32
 #include "win32/winutil.h"
@@ -950,7 +951,39 @@ static int php_openssl_set_local_cert(SSL_CTX *ctx, php_stream *stream) /* {{{ *
 			}
 			GET_VER_OPT_STRING("local_pk", private_key);
 
-			if (private_key) {
+			if (private_key && (strncmp(private_key, "pkcs11:", 7) == 0)) {
+				/* local_pk is a RFC7512 URI */
+				ENGINE *engine;
+				EVP_PKEY *pkey;
+				engine = ENGINE_by_id("pkcs11");
+				if (engine == NULL) {
+					php_error_docref(NULL, E_WARNING, "Could not bind PKCS11 engine");
+					return FAILURE;
+				}
+#if 0
+				if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) {
+					ENGINE_free(engine);
+					php_error_docref(NULL, E_WARNING, "PKCS11 engine VERBOSE error");
+					return FAILURE;
+				}
+#endif
+				if (!ENGINE_init(engine)) {
+					php_error_docref(NULL, E_WARNING, "Could not initialize PKCS11 engine");
+					return FAILURE;
+				}
+				/* ENGINE_init() returned a functional reference, so free the structural reference from ENGINE_by_id(). */
+				ENGINE_free(engine);
+				pkey = ENGINE_load_private_key(engine, private_key, 0, 0);
+				if (pkey == NULL) {
+					php_error_docref(NULL, E_WARNING, "Could not load private key %s", private_key);
+					return FAILURE;
+				}
+				ENGINE_finish(engine);
+				if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
+					php_error_docref(NULL, E_WARNING, "Unable to use private key from the engines %s", private_key);
+					return FAILURE;
+				}
+			} else if (private_key) {
 				char resolved_path_buff_pk[MAXPATHLEN];
 				if (VCWD_REALPATH(private_key, resolved_path_buff_pk)) {
 					if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff_pk, SSL_FILETYPE_PEM) != 1) {