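# Base image. The tag is a build ARG so a release (or digest) can be pinned
# with --build-arg NGINX_TAG=... instead of floating on :latest; the default
# keeps the original behaviour. Must stay a Debian/amd64 variant: the steps
# below hard-code /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so.
ARG NGINX_TAG=latest
FROM nginx:${NGINX_TAG}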

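# Packages for the SoftHSM-backed PKI built below:
#   softhsm2                  softhsm2-util (token initialisation)
#   libsofthsm2               the PKCS#11 module passed to --module below
#   opensc                    pkcs11-tool (key generation, cert import)
#   libengine-pkcs11-openssl  the "-engine pkcs11" used by openssl req/x509
#   opensc-pkcs11, libssl-dev, libpcsclite-dev, pcsc-tools: not referenced by
#   any step in this file — likely removable to shrink the runtime image,
#   verify before dropping. Versions are unpinned; pin them for reproducible
#   builds. apt lists are cleared in the same layer, leaving the directory in
#   place so a later apt-get update still works.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    libengine-pkcs11-openssl \
    libpcsclite-dev \
    libsofthsm2 \
    libssl-dev \
    opensc \
    opensc-pkcs11 \
    pcsc-tools \
    softhsm2 \
 && rm -rf /var/lib/apt/lists/*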

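# Build-time OpenSSL config; the pkcs11 engine setup and the v3_ca / v3_server
# extension sections referenced by the openssl commands below are expected to
# live in it.
COPY openssl.cnf /etc/ssl/openssl.cnf

# --- Root CA: key pair generated inside SoftHSM, self-signed certificate ---
# NOTE(security): SO-PIN and user PIN are identical and hard-coded; they are
# recorded in every RUN layer and in `docker history`, and the token files
# under /var/lib/softhsm ship inside the image. Acceptable for a demo only —
# for real use initialise the token at deploy time with distinct PINs and
# keep them out of the build.
RUN softhsm2-util --init-token --free --label "softHSM" --so-pin abcabc --pin abcabc
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --keypairgen --key-type RSA:2048 --id 1
# Self-signed root. `req -x509` defaults to a 30-day lifetime when -days is
# omitted, which would make the root expire long before the 10000-day
# intermediate it signs below; give it an explicit lifetime at least as long.
RUN openssl req -new -x509 -subj "/CN=root" -sha256 -days 10000 -config \
    /etc/ssl/openssl.cnf -engine pkcs11 -keyform engine -key 1 \
    -extensions v3_ca \
    -out /var/lib/softhsm/root.crt

# Store the root certificate on the token next to its key (same CKA_ID).
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --type cert \
  --id 1 \
  --write-object /var/lib/softhsm/root.crt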

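# --- Intermediate CA: key on the token, certificate signed by the root key --
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --keypairgen --key-type RSA:2048 --id 2
# CSR only. The extensions that end up in the certificate come from
# -extfile/-extensions at signing time; `x509 -req` does not carry CSR
# extensions over by default, so -extensions here has no effect on the result.
RUN openssl req -new -subj "/CN=inter" -sha256 -config \
    /etc/ssl/openssl.cnf -engine pkcs11 -keyform engine -key 2 \
    -extensions v3_ca \
    -out /var/lib/softhsm/inter.csr

# Sign with the root key (CKA_ID 1) held in SoftHSM. The serial is fixed at 1,
# which is fine for a one-shot build but would collide if a second cert were
# ever issued under this root. Trailing whitespace after the continuation
# backslash has been removed — it is fragile and some parsers would treat it
# as the end of the command.
RUN openssl x509 -req -sha256 -days 10000 -engine pkcs11 -CAkeyform engine -set_serial 1 -extfile /etc/ssl/openssl.cnf \
  -CAkey 1 \
  -extensions v3_ca \
  -CA /var/lib/softhsm/root.crt \
  -in /var/lib/softhsm/inter.csr \
  -out /var/lib/softhsm/inter.crt

# Store the intermediate certificate on the token next to its key.
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --type cert \
  --id 2 \
  --write-object /var/lib/softhsm/inter.crt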


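# --- Leaf (server) certificate: key on the token, signed by the intermediate
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --keypairgen --key-type RSA:2048 --id 3
# CSR for the server key; subject is just CN=leaf, so any SAN the TLS
# configuration needs must come from the v3_server section in openssl.cnf.
RUN openssl req -new -subj "/CN=leaf" -sha256 -config \
    /etc/ssl/openssl.cnf -engine pkcs11 -keyform engine -key 3 \
    -out /var/lib/softhsm/leaf.csr

# Sign with the intermediate key (CKA_ID 2), one-year lifetime, server
# extensions from -extfile. Serial 1 is distinct from the intermediate's only
# because the issuer differs; re-issuing under this intermediate would need a
# new serial. Trailing whitespace after the continuation backslash removed.
RUN openssl x509 -req -sha256 -days 365 -engine pkcs11 -CAkeyform engine -set_serial 1 -extfile /etc/ssl/openssl.cnf \
  -CAkey 2 \
  -extensions v3_server \
  -CA /var/lib/softhsm/inter.crt \
  -in /var/lib/softhsm/leaf.csr \
  -out /var/lib/softhsm/leaf.crt

# Store the leaf certificate on the token next to its key.
RUN pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin abcabc --type cert \
  --id 3 \
  --write-object /var/lib/softhsm/leaf.crt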

# Give the nginx worker user access to the SoftHSM token: membership in the
# softhsm group plus ownership of the token directory (which by now also holds
# the generated .crt/.csr files).
RUN usermod -a -G softhsm nginx \
 && chown -R nginx:nginx /var/lib/softhsm

# Runtime OpenSSL config; it overwrites the build-time one and is what
# nginx's TLS stack will read (presumably carrying the pkcs11 engine and PIN
# settings — confirm against openssl.cnf.nginx).
COPY openssl.cnf.nginx /etc/ssl/openssl.cnf

# nginx configuration: main config and the TLS server block.
COPY nginx.conf /etc/nginx/
COPY tls.conf /etc/nginx/conf.d/
