authorEnrico Jörns <ejo@pengutronix.de>2025-07-02 08:09:55 +0200
committerKhem Raj <raj.khem@gmail.com>2025-07-02 09:48:26 -0700
commit2d1d128a41abb698874e2d0b8e59cb5ae0416937 (patch)
tree54aade442e2054d8cd60efa65f4be951daddcc59 /meta-oe/classes
parent7d23c8e09c4fc546b5424bec863ccbcac68b4f85 (diff)
signing.bbclass: make PEM loading compatible with OpenSC 0.26.0
With https://github.com/OpenSC/OpenSC/pull/3174, which is part of 0.26.0, OpenSC no longer supports reading the (DER-converted) object data from stdin. However, OpenSC/pkcs11-tool also supports reading PEM files directly. We can use this to replace and simplify the stdin piping in signing_import_cert_from_pem(). Only for password-protected files do we still have to use OpenSSL for conversion, since OpenSC/pkcs11-tool currently has no mechanism for providing passwords. For these cases, we store the converted PEM in a simple temporary file. This handling is sufficient, since SoftHSM import should be used for example keys only and SoftHSM does not protect the keys in any way. Keys which actually need to be protected are stored in HSMs and accessed via their PKCS#11 URIs. Signed-off-by: Enrico Jörns <ejo@pengutronix.de> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/classes')
-rw-r--r--meta-oe/classes/signing.bbclass22
1 files changed, 10 insertions, 12 deletions
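--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -250,9 +250,7 @@ signing_import_cert_from_pem() {
 signing_import_define_role "$cert_name"
 fi
 
-openssl x509 \
--in "${pem}" -inform pem -outform der |
-signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
+signing_pkcs11_tool --type cert --write-object ${pem} --label "${cert_name}"
 }
 
 # signing_import_pubkey_from_der <role> <der>
@@ -276,12 +274,12 @@ signing_import_pubkey_from_pem() {
 if [ -n "${IMPORT_PASS_FILE}" ]; then
 openssl pkey \
 -passin "file:${IMPORT_PASS_FILE}" \
--in "${pem}" -inform pem -pubout -outform der
+-in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
 else
 openssl pkey \
--in "${pem}" -inform pem -pubout -outform der
-fi |
-signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
+-in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
+fi
+signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
 }
 
 # signing_import_privkey_from_der <role> <der>
@@ -304,12 +302,12 @@ signing_import_privkey_from_pem() {
 if [ -n "${IMPORT_PASS_FILE}" ]; then
 openssl pkey \
 -passin "file:${IMPORT_PASS_FILE}" \
--in "${pem}" -inform pem -outform der
-else
-openssl pkey \
--in "${pem}" -inform pem -outform der
-fi |
-signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
+-in "${pem}" -inform pem -outform dem -out ${B}/privkey_out.pem
+signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
+else
+signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
+fi
+
 }
 
 # signing_import_key_from_pem <role> <pem>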
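Review bot: `-outform dem` on new line 305 of signing_import_privkey_from_pem is a typo (neither `der` nor `pem`), so the password-protected branch will fail as soon as openssl pkey rejects the format; the line should read `-in "${pem}" -inform pem -outform pem -out "${B}/privkey_out.pem"`. That same branch writes the now-unencrypted private key to `${B}/privkey_out.pem` and never removes it, so even though the commit message limits this path to example keys I would add `rm -f -- "${B}/privkey_out.pem"` directly after the signing_pkcs11_tool call (and likewise for pubkey_out.pem in signing_import_pubkey_from_pem, which is harmless but keeps the build tree clean). A smaller point that applies to all three hunks: the `${pem}` and `${B}/...` arguments handed to --write-object are unquoted while the neighbouring openssl lines quote `"${pem}"`, so quote them consistently. The opening lines of all three functions lie outside the hunks.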