Encrypt httpd key stored on disk

This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

install/tools/Makefile.am

@@ -36,5 +36,6 @@ dist_app_SCRIPTS =		\
 	ipa-custodia		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\
+	ipa-httpd-pwdreader	\
 	ipa-pki-retrieve-key	\
 	$(NULL)

install/tools/ipa-httpd-pwdreader

@@ -0,0 +1,36 @@
+#!/bin/bash
+# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
+#
+# If you'd like to write your custom binary providing passwords to mod_ssl,
+# see the documentation of the aforementioned directive of the mod_ssl module.
+
+USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
+ERR_UNKNOWN_KEY="\
+ERROR: You seem to be running a non-standard IPA installation.
+Please extend the /var/libexec/ipa/ipa-pwdreader script to cover your case."
+
+if [ ! "$#" -eq 2 ]; then
+    echo "Wrong number of arguments!" 1>&2
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+
+
+case "$1" in
+    "${HOSTNAME}:443" )
+        # Read IPA password
+        # IPA expects the password filename format to be
+        # <hostname>-<port>-<ecryption_algorithm>
+        IPA_PASSWD_PATH="/var/lib/ipa/passwds/${1/:/-}-$2"
+        cat $IPA_PASSWD_PATH
+        ;;
+# ================
+# Extend for more virtual hosts with
+#    <vhostname>:<vhost_port> )
+#        your_code
+#        ;;
+# ================
+    *)
+        echo "$ERR_UNKNOWN_KEY" 1>&2
+        exit 1
+esac