| field | value | |
|---|---|---|
| author | Fabian Pflug <f.pflug@pengutronix.de> | 2026-03-04 16:31:43 +0100 |
| committer | Khem Raj <raj.khem@gmail.com> | 2026-03-04 22:26:02 -0800 |
| commit | 8b9b789542bdc76fbeb73f150ab75e4f9f7d2086 | (patch) |
| tree | 89f71d11f5b509363e0355a58c986e6f17b9767a | /meta-oe/classes |
| parent | f75a2ab194ee2ea0dd7572669fa3b052f2da36f9 | (diff) |
| download | meta-openembedded-8b9b789542bdc76fbeb73f150ab75e4f9f7d2086.tar.gz | |
signing.bbclass: add signing_create_uri_pem helper function
The PKCS#11 provider has a mechanism [1] to support older applications
which have not yet migrated to the OSSL_STORE API [2]. It works by
encoding the 'pkcs11:' URI into a PEM file and passing that to an
application as a file. From the application's perspective it loads the
private key from a file, but OpenSSL will transparently select the
provider to access it via PKCS#11 instead.
Instead of upstream's Python-based tool [3] (which would pull in
asn1crypto as a dependency), we just generate the ASN.1 for the PEM
using OpenSSL's 'asn1parse -genconf'.
It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and
NXP's CST.
[1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files
[2] https://docs.openssl.org/master/man7/ossl_store/
[3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/classes')
| -rw-r--r-- | meta-oe/classes/signing.bbclass | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 70c3807a6d..a9f657feb6 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
| @@ -463,6 +463,40 @@ signing_extract_cert_pem() { | |||
| 463 | rm "${output}.tmp-der" | 463 | rm "${output}.tmp-der" |
| 464 | } | 464 | } |
| 465 | 465 | ||
| 466 | # signing_create_uri_pem <role> <pem> | ||
| 467 | # | ||
| 468 | # Wrap the role's pkcs11: URI in a PEM file. | ||
| 469 | # The resulting file can be used instead of the URI returned by | ||
| 470 | # 'signing_get_uri $role' with applications which do not yet support the | ||
| 471 | # OSSL_STORE for native access to the PKCS#11 provider. | ||
| 472 | signing_create_uri_pem() { | ||
| 473 | local role="${1}" | ||
| 474 | local output="${2}" | ||
| 475 | local conf="${output}.cnf" | ||
| 476 | local der="${output}.der" | ||
| 477 | |||
| 478 | local uri="$(signing_get_uri $role)" | ||
| 479 | |||
| 480 | echo "Wrapping PKCS#11 URI for role '$role' as '${output}'" | ||
| 481 | |||
| 482 | # The \# escape prevents OpenSSL's config parser treating # as a comment. | ||
| 483 | cat > "${conf}" <<EOF | ||
| 484 | asn1=SEQUENCE:pkcs11_uri_seq | ||
| 485 | |||
| 486 | [pkcs11_uri_seq] | ||
| 487 | version=VISIBLESTRING:PKCS\#11 Provider URI v1.0 | ||
| 488 | uri=UTF8:${uri} | ||
| 489 | EOF | ||
| 490 | |||
| 491 | openssl asn1parse -genconf "${conf}" -noout -out "${der}" | ||
| 492 | |||
| 493 | { | ||
| 494 | echo "-----BEGIN PKCS#11 PROVIDER URI-----" | ||
| 495 | openssl base64 -in "${der}" | ||
| 496 | echo "-----END PKCS#11 PROVIDER URI-----" | ||
| 497 | } > "${output}" | ||
| 498 | } | ||
| 499 | |||
| 466 | python () { | 500 | python () { |
| 467 | signing_class_prepare(d) | 501 | signing_class_prepare(d) |
| 468 | } | 502 | } |
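Review bot: `uri=UTF8:${uri}` (new line 488) interpolates the pkcs11: URI into the OpenSSL config unescaped, while only the literal `#` in the `version` line above it is escaped. OpenSSL's config parser also expands `$name` / `${name}` as variable references and treats backslash as an escape character, and RFC 7512 permits `$` unencoded in attribute values such as `object=`, so such a URI would be silently mangled (or fail to parse) before it ever reaches the PEM. Escape `#`, `$` and `\` in `${uri}` before writing the config, or state in the header comment that URIs containing these characters are unsupported. Two smaller points: `local uri="$(signing_get_uri $role)"` (line 478) masks the exit status of `signing_get_uri`, so a failed lookup yields an empty URI under `set -e` instead of aborting the task; split it into `local uri` and `uri="$(signing_get_uri "${role}")"`. And unlike `signing_extract_cert_pem`, which removes its `.tmp-der` file (line 463), this helper leaves `${output}.cnf` and `${output}.der` behind; add `rm "${conf}" "${der}"` after the PEM is written.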
