| author | Fabian Pflug <f.pflug@pengutronix.de> | 2026-03-04 16:31:42 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2026-03-04 22:26:02 -0800 |
| commit | f75a2ab194ee2ea0dd7572669fa3b052f2da36f9 (patch) | |
| tree | 2832451a4dab4b052611895abfa26f85427fbc3b | |
| parent | 40a1825c95333fbf114c41966d68339e12cf208a (diff) | |
| download | meta-openembedded-f75a2ab194ee2ea0dd7572669fa3b052f2da36f9.tar.gz | |
signing.bbclass: add support for OpenSSL PKCS#11 provider
OpenSSL 4.0 will drop support for engines and use providers instead.
To access SoftHSM and other PKCS#11 modules via the provider API, we
rely on https://github.com/latchset/pkcs11-provider, which is already
available via the pkcs11-provider recipe.
We enable this provider by using a specific OpenSSL config when signing.
This means that recipes inheriting this class can decide whether they
want to use the engine or provider to access the key.
SoftHSM seems to produce broken keys when calling the C_CopyObject, so
disable caching in the provider for now.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| -rw-r--r-- | meta-oe/classes/signing.bbclass | 32 |
1 files changed, 24 insertions, 8 deletions
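--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -54,7 +54,7 @@
 SIGNING_PKCS11_URI ?= ""
 SIGNING_PKCS11_MODULE ?= ""
 
-DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native"
+DEPENDS += "softhsm-native pkcs11-provider-native libp11-native opensc-native openssl-native extract-cert-native"
 
 def signing_class_prepare(d):
     import os.path
@@ -338,16 +338,10 @@ signing_import_install() {
 signing_prepare() {
     export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
     export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3"
-    export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf"
+    export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/openssl-provider-signing.cnf"
     export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs"
     export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
 
-    if [ -f ${OPENSSL_CONF} ]; then
-        echo "Using '${OPENSSL_CONF}' for OpenSSL configuration"
-    else
-        echo "Missing 'openssl.cnf' at '${STAGING_ETCDIR_NATIVE}/ssl'"
-        return 1
-    fi
     if [ -d ${OPENSSL_MODULES} ]; then
         echo "Using '${OPENSSL_MODULES}' for OpenSSL run-time modules"
     else
@@ -367,6 +361,26 @@ signing_prepare() {
     echo "directories.tokendir = $SOFTHSM2_DIR" > "$SOFTHSM2_CONF"
     echo "objectstore.backend = db" >> "$SOFTHSM2_CONF"
 
+    cat > "${OPENSSL_CONF}" <<EOF
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+pkcs11 = pkcs11_sect
+
+[default_sect]
+activate = 1
+
+[pkcs11_sect]
+pkcs11-module-quirks = no-operation-state no-deinit
+pkcs11-module-cache-keys = false
+pkcs11-module-encode-provider-uri-to-pem = true
+activate = 1
+EOF
+
     for env in $(ls "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d"); do
         . "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d/$env"
     done
@@ -378,6 +392,8 @@ signing_use_role() {
     local role="${1}"
 
     export PKCS11_MODULE_PATH="$(signing_get_module $role)"
+    export PKCS11_PROVIDER_MODULE="$PKCS11_MODULE_PATH"
+    # export PKCS11_PROVIDER_DEBUG="file:/dev/stderr"
     export PKCS11_URI="$(signing_get_uri $role)"
 
     if [ -z "$PKCS11_MODULE_PATH" ]; then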
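Review bot: The generated config in signing_prepare sets `activate = 1` for the pkcs11 provider without checking that the provider module is actually present under `${OPENSSL_MODULES}`, and the old `-f ${OPENSSL_CONF}` diagnostic that was removed is not replaced by anything equivalent; if the provider fails to load, OpenSSL's config initialisation fails and every later `openssl` call in the task errors with an opaque "Error configuring OpenSSL modules" rather than a clear message. A check mirroring the existing `-d ${OPENSSL_MODULES}` one, placed before the heredoc, e.g. `if [ ! -f "${OPENSSL_MODULES}/pkcs11.so" ]; then echo "Missing OpenSSL pkcs11 provider at '${OPENSSL_MODULES}/pkcs11.so'"; return 1; fi`, would fail the task early and point at the missing dependency. The `pkcs11-module-quirks = no-operation-state no-deinit` line also deserves a comment stating which module needs the quirks (the commit message only explains `cache-keys = false` for SoftHSM), and the heredoc could be written as `<<'EOF'` so it is explicit that no shell expansion is intended in the config body. In signing_use_role, the commented-out `PKCS11_PROVIDER_DEBUG` export should either be dropped or turned into a documented opt-in knob rather than dead code. The body of signing_prepare begins and ends outside the hunk that adds the heredoc.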
