| -rw-r--r-- | meta-oe/classes/signing.bbclass | 32 |
1 files changed, 24 insertions, 8 deletions
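--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -54,7 +54,7 @@
 SIGNING_PKCS11_URI ?= ""
 SIGNING_PKCS11_MODULE ?= ""
 
-DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native"
+DEPENDS += "softhsm-native pkcs11-provider-native libp11-native opensc-native openssl-native extract-cert-native"
 
 def signing_class_prepare(d):
 import os.path
@@ -338,16 +338,10 @@ signing_import_install() {
 signing_prepare() {
 export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
 export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3"
-export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf"
+export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/openssl-provider-signing.cnf"
 export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs"
 export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem"
 
-if [ -f ${OPENSSL_CONF} ]; then
-echo "Using '${OPENSSL_CONF}' for OpenSSL configuration"
-else
-echo "Missing 'openssl.cnf' at '${STAGING_ETCDIR_NATIVE}/ssl'"
-return 1
-fi
 if [ -d ${OPENSSL_MODULES} ]; then
 echo "Using '${OPENSSL_MODULES}' for OpenSSL run-time modules"
 else
@@ -367,6 +361,26 @@ signing_prepare() {
 echo "directories.tokendir = $SOFTHSM2_DIR" > "$SOFTHSM2_CONF"
 echo "objectstore.backend = db" >> "$SOFTHSM2_CONF"
 
+cat > "${OPENSSL_CONF}" <<EOF
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+pkcs11 = pkcs11_sect
+
+[default_sect]
+activate = 1
+
+[pkcs11_sect]
+pkcs11-module-quirks = no-operation-state no-deinit
+pkcs11-module-cache-keys = false
+pkcs11-module-encode-provider-uri-to-pem = true
+activate = 1
+EOF
+
 for env in $(ls "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d"); do
 . "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d/$env"
 done
@@ -378,6 +392,8 @@ signing_use_role() {
 local role="${1}"
 
 export PKCS11_MODULE_PATH="$(signing_get_module $role)"
+export PKCS11_PROVIDER_MODULE="$PKCS11_MODULE_PATH"
+# export PKCS11_PROVIDER_DEBUG="file:/dev/stderr"
 export PKCS11_URI="$(signing_get_uri $role)"
 
 if [ -z "$PKCS11_MODULE_PATH" ]; then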
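Review bot: The generated provider config in `signing_prepare` (hunk `@@ -367,6 +361,26 @@`) is written with an unquoted heredoc delimiter, `cat > "${OPENSSL_CONF}" <<EOF`, so the shell would expand any `$` or backtick that later lands in the body; the body has none today, but `cat > "${OPENSSL_CONF}" <<'EOF'` makes the emitted OpenSSL config literal and safe to extend. The `[pkcs11_sect]` settings also deserve a why-comment: `pkcs11-module-quirks = no-operation-state no-deinit` reads as a workaround for the PKCS#11 module this class drives (presumably softhsm2, given DEPENDS — confirm), and `pkcs11-module-encode-provider-uri-to-pem = true` means, as the option name suggests, that PEM files produced through the provider carry the PKCS#11 URI rather than key material, so a `SIGNING_PKCS11_URI` that embeds a `pin-value` would be copied into those files; a line such as `# PEMs emitted by the provider contain the PKCS#11 URI; keep pin-value out of SIGNING_PKCS11_URI` above the heredoc would make that visible to recipe authors. In `signing_use_role` (hunk `@@ -378,6 +392,8 @@`) the disabled `# export PKCS11_PROVIDER_DEBUG="file:/dev/stderr"` is commented-out code; a comment like `# set PKCS11_PROVIDER_DEBUG=file:/dev/stderr to trace provider calls` conveys the same hint without leaving dead code in the function. Both `signing_prepare` and `signing_use_role` continue outside the hunks shown.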
