On Fri, 2015-05-15 at 13:35 +0100, David Howells wrote: > Note that David Woodhouse is looking at making > sign-file work with PKCS#11, so bringing back -s might not be > necessary.
I actually already *had* it working with PKCS#11, at http://git.infradead.org/users/dwmw2/modsign-pkcs11.git Then you went and rewrote it in C, so I'm still refactoring it. WIP at http://git.infradead.org/users/dwmw2/modsign-pkcs11-c.git just needs me to add the ENGINE_by_id("pkcs11")... bits to scripts/sign-file.c. I'm also vacillating about whether to allow an external *cert* to be specified separately from the key. Do we... 1. Just require the X.509 DER cert in $(topdir)/signing_key.x509, 2. Automatically extract it from $CONFIG_MODULE_SIG_EXTERNAL_KEY which shall be a file (or PKCS#11 URI) containing *both* key and cert, or 3. Add a separate CONFIG_MODULE_SIG_EXTERNAL_CERT option. I'm probably inclined towards #2. I'll need to script something to automatically extract the key from a PEM file or PKCS#11 and drop it in DER form in $(topdir)/signing_key.x509 where needed. Using basically the same make rules we already *have* for creating a new key+cert on demand anyway. -- David Woodhouse Open Source Technology Centre [email protected] Intel Corporation
smime.p7s
Description: S/MIME cryptographic signature
