mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-04-02 02:49:12 +00:00
8b9b789542
The PKCS#11 provider has a mechanism [1] to support older applications which have not yet migrated to the OSSL_STORE API [2]. It works by encoding the 'pkcs11:' URI into a PEM file and passing that to an application as a file. From the application's perspective it loads the private key from a file, but OpenSSL will transparently use select the provider to access it via PKCS#11 instead. Instead of upstream's Python-based tool [3] (which would pull in asn1crypto as a dependency), we just generate the ASN.1 for the PEM using OpenSSL's 'asn1parse -genconf'. It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and NXP's CST. [1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files [2] https://docs.openssl.org/master/man7/ossl_store/ [3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de> Signed-off-by: Khem Raj <raj.khem@gmail.com>