signing.bbclass: add signing_create_uri_pem helper function

The PKCS#11 provider has a mechanism [1] to support older applications
which have not yet migrated to the OSSL_STORE API [2]. It works by
encoding the 'pkcs11:' URI into a PEM file and passing that to an
application as a file. From the application's perspective it loads the
private key from a file, but OpenSSL will transparently select the
provider to access it via PKCS#11 instead.

Instead of upstream's Python-based tool [3] (which would pull in
asn1crypto as a dependency), we just generate the ASN.1 for the PEM
using OpenSSL's 'asn1parse -genconf'.

It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and
NXP's CST.

[1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files
[2] https://docs.openssl.org/master/man7/ossl_store/
[3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Author: Fabian Pflug, 2026-03-04 16:31:43 +01:00, committed by Khem Raj
parent f75a2ab194
commit 8b9b789542
GPG Key ID: BB053355919D3314 (no known key found for this signature in database)

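The commit message describes the wrapper format only indirectly (an ASN.1 structure generated with 'asn1parse -genconf' and base64-wrapped under a custom PEM label). The following is an added example, not code from this commit or from the pkcs11-provider project: a dependency-free Python encoder and decoder for that wrapper, so a practitioner can inspect or produce such PEM files without OpenSSL or asn1crypto at hand. The layout (SEQUENCE of a VisibleString version marker and a UTF8String URI), the version text and the PEM label are taken from the genconf in the diff; the 64-column base64 wrapping mirrors the default of 'openssl base64'. The sample URIs are constructed for the example.

```python
"""Encode/decode the pkcs11-provider 'URI in PEM' wrapper with plain DER.

Added example (not part of the commit or of pkcs11-provider). Structure and
labels follow the asn1parse -genconf used in signing_create_uri_pem():

    SEQUENCE {
        VisibleString "PKCS#11 Provider URI v1.0"
        UTF8String    "pkcs11:..."
    }
"""
import base64
import re

PEM_LABEL = "PKCS#11 PROVIDER URI"
VERSION_STRING = "PKCS#11 Provider URI v1.0"

TAG_UTF8STRING = 0x0C
TAG_VISIBLESTRING = 0x1A
TAG_SEQUENCE = 0x30


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def uri_to_der(uri: str) -> bytes:
    """DER for one pkcs11: URI, byte-identical to what the genconf produces."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    inner = _der_tlv(TAG_VISIBLESTRING, VERSION_STRING.encode("ascii"))
    inner += _der_tlv(TAG_UTF8STRING, uri.encode("utf-8"))
    return _der_tlv(TAG_SEQUENCE, inner)


def uri_to_pem(uri: str) -> str:
    """PEM-wrap the DER under the provider's custom label (64-column base64)."""
    b64 = base64.b64encode(uri_to_der(uri)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {PEM_LABEL}-----\n" + "\n".join(lines)
            + f"\n-----END {PEM_LABEL}-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Minimal strict DER TLV reader: returns (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:              # reject indefinite/oversized lengths
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def pem_to_uri(pem: str) -> str:
    """Unwrap a PEM produced by uri_to_pem()/signing_create_uri_pem()."""
    m = re.search(rf"-----BEGIN {re.escape(PEM_LABEL)}-----\s*(.*?)\s*"
                  rf"-----END {re.escape(PEM_LABEL)}-----", pem, re.S)
    if not m:
        raise ValueError("no PKCS#11 PROVIDER URI block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != TAG_VISIBLESTRING or version != VERSION_STRING.encode("ascii"):
        raise ValueError("unexpected version marker")
    tag, uri, pos = _read_tlv(body, pos)
    if tag != TAG_UTF8STRING or pos != len(body):
        raise ValueError("expected UTF8String URI as the last element")
    return uri.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample URI, not a real token.
    sample = "pkcs11:token=mytoken;object=mykey;type=private"
    pem = uri_to_pem(sample)
    print(pem)
    print("round trip:", pem_to_uri(pem) == sample)
```

The decoder is deliberately strict (single SEQUENCE, exact version marker, no trailing bytes), which is the check worth running on a PEM before handing it to a build tool: a wrapper that decodes but carries the wrong version string will be rejected by the provider rather than by your pipeline.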
@ -463,6 +463,40 @@ signing_extract_cert_pem() {
rm "${output}.tmp-der" rm "${output}.tmp-der"
} }
# signing_create_uri_pem <role> <pem>
#
# Wrap the role's pkcs11: URI in a PEM file.
# The resulting file can be used instead of the URI returned by
# 'signing_get_uri $role' with applications which do not yet support the
# OSSL_STORE for native access to the PKCS#11 provider.
signing_create_uri_pem() {
local role="${1}"
local output="${2}"
local conf="${output}.cnf"
local der="${output}.der"
local uri="$(signing_get_uri $role)"
echo "Wrapping PKCS#11 URI for role '$role' as '${output}'"
# The \# escape prevents OpenSSL's config parser treating # as a comment.
cat > "${conf}" <<EOF
asn1=SEQUENCE:pkcs11_uri_seq
[pkcs11_uri_seq]
version=VISIBLESTRING:PKCS\#11 Provider URI v1.0
uri=UTF8:${uri}
EOF
openssl asn1parse -genconf "${conf}" -noout -out "${der}"
{
echo "-----BEGIN PKCS#11 PROVIDER URI-----"
openssl base64 -in "${der}"
echo "-----END PKCS#11 PROVIDER URI-----"
} > "${output}"
}
python () { python () {
signing_class_prepare(d) signing_class_prepare(d)
} }
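Review bot: the URI is written unescaped into the OpenSSL config on the `uri=UTF8:${uri}` line, while the comment just above it explains that `#` has to be written as `\#` so the config parser does not treat it as a comment; the same applies to the URI, and the config parser also expands `$`, so a URI carrying for example a `pin-value` containing `#` or `$` would be silently truncated or misparsed. Either escape those characters before writing the heredoc or fail early when the URI contains them. Two smaller points: `local uri="$(signing_get_uri $role)"` discards the exit status of the command substitution, so a failing `signing_get_uri` still yields an (empty) URI and a broken PEM; split it into `local uri` and `uri="$(signing_get_uri "$role")"` so the failure is not masked. And unlike `signing_extract_cert_pem` above, which removes its `${output}.tmp-der`, the `${conf}` and `${der}` scratch files are left next to the output; they contain the full URI (PIN included, if the URI carries one), so `rm "${conf}" "${der}"` once the PEM is written.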