diff options
| author | Fabian Pflug <f.pflug@pengutronix.de> | 2026-03-04 16:31:43 +0100 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2026-03-04 22:26:02 -0800 |
| commit | 8b9b789542bdc76fbeb73f150ab75e4f9f7d2086 (patch) | |
| tree | 89f71d11f5b509363e0355a58c986e6f17b9767a /meta-python/recipes-devtools/python/python3-aws-iot-device-sdk-python | |
| parent | f75a2ab194ee2ea0dd7572669fa3b052f2da36f9 (diff) | |
| download | meta-openembedded-8b9b789542bdc76fbeb73f150ab75e4f9f7d2086.tar.gz | |
signing.bbclass: add signing_create_uri_pem helper function
The PKCS#11 provider has a mechanism [1] to support older applications
which have not yet migrated to the OSSL_STORE API [2]. It works by
encoding the 'pkcs11:' URI into a PEM file and passing that to an
application as a file. From the application's perspective it loads the
private key from a file, but OpenSSL will transparently use select the
provider to access it via PKCS#11 instead.
Instead of upstream's Python-based tool [3] (which would pull in
asn1crypto as a dependency), we just generate the ASN.1 for the PEM
using OpenSSL's 'asn1parse -genconf'.
It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and
NXP's CST.
[1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files
[2] https://docs.openssl.org/master/man7/ossl_store/
[3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-aws-iot-device-sdk-python')
0 files changed, 0 insertions, 0 deletions