From 8b9b789542bdc76fbeb73f150ab75e4f9f7d2086 Mon Sep 17 00:00:00 2001
From: Fabian Pflug <f.pflug@pengutronix.de>
Date: Wed, 4 Mar 2026 16:31:43 +0100
Subject: [PATCH] signing.bbclass: add signing_create_uri_pem helper function

The PKCS#11 provider has a mechanism [1] to support older applications
which have not yet migrated to the OSSL_STORE API [2]. It works by
encoding the 'pkcs11:' URI into a PEM file and passing that to an
application as a file. From the application's perspective it loads the
private key from a file, but OpenSSL will transparently use select the
provider to access it via PKCS#11 instead.

Instead of upstream's Python-based tool [3] (which would pull in
asn1crypto as a dependency), we just generate the ASN.1 for the PEM
using OpenSSL's 'asn1parse -genconf'.

It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and
NXP's CST.

[1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files
[2] https://docs.openssl.org/master/man7/ossl_store/
[3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 70c3807a6d..a9f657feb6 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -463,6 +463,40 @@ signing_extract_cert_pem() {
     rm "${output}.tmp-der"
 }
 
+# signing_create_uri_pem <role> <pem>
+#
+# Wrap the role's pkcs11: URI in a PEM file.
+# The resulting file can be used instead of the URI returned by
+# 'signing_get_uri $role' with applications which do not yet support the
+# OSSL_STORE for native access to the PKCS#11 provider.
+signing_create_uri_pem() {
+    local role="${1}"
+    local output="${2}"
+    local conf="${output}.cnf"
+    local der="${output}.der"
+
+    local uri="$(signing_get_uri $role)"
+
+    echo "Wrapping PKCS#11 URI for role '$role' as '${output}'"
+
+    # The \# escape prevents OpenSSL's config parser treating # as a comment.
+    cat > "${conf}" <<EOF
+asn1=SEQUENCE:pkcs11_uri_seq
+
+[pkcs11_uri_seq]
+version=VISIBLESTRING:PKCS\#11 Provider URI v1.0
+uri=UTF8:${uri}
+EOF
+
+    openssl asn1parse -genconf "${conf}" -noout -out "${der}"
+
+    {
+        echo "-----BEGIN PKCS#11 PROVIDER URI-----"
+        openssl base64 -in "${der}"
+        echo "-----END PKCS#11 PROVIDER URI-----"
+    } > "${output}"
+}
+
 python () {
     signing_class_prepare(d)
 }