Support loading TLS keys from a PKCS11 keystore

[pedroigor]

Closes #17098

• Allow using PKCS#11 to load key material from a PKCs#11 compliant cryptographic device
• Added a pkcs11-config-file build option to make it easier to configure the SunPKCS11 security provider and avoid users statically/manually setting the provider configuration in the Java security properties.
• Customize Quarkus HttpServerOptions to enable HTTPS even though no key store file is provided.
• For now, we assume the PIN provided via https-key-store-password is the same for any key alias in the keystore.

I'm not sure yet how to test this because we are going to need something SoftHSM installed in the CI/CD env.

We can also use a custom docker file in our test suite to run tests using a container where SoftHSM is pre-installed. I did not manage to achieve that because I'm not able to install SoftHSM using our container image as a base image (even after executing microdnf as root). Any help is appreciated.

[mposolda]

I am not sure if to announce this in the official documentation if we don't test this.

Is it possible to at least add some warning at the beginning of this docs section like This is not officially supported and is only experimental ... or something like that? We can consider removing if we have automated tests for this.

Also the option pkcs11-config-file should be likely hidden from the kc.sh --help until we figure this (but looks like it is already).

For the context of testing with FIPS, we can/should likely test with NSS. That's for example what EAP also supports in their docs as NSS is fips-approved stuff. But I don't consider this as a big priority TBH.

Overally, I don't see PKCS11 as a "must have" for RHBK 22.

[pedroigor]

Hold