From: Fabian Pflug <[email protected]>

The PKCS#11 provider has a mechanism [1] to support older applications which have not yet migrated to the OSSL_STORE API [2]. It works by encoding the 'pkcs11:' URI into a PEM file and passing that to an application as a file. From the application's perspective it loads the private key from a file, but OpenSSL will transparently select the provider to access it via PKCS#11 instead.
Instead of upstream's Python-based tool [3] (which would pull in asn1crypto as a dependency), we just generate the ASN.1 for the PEM using OpenSSL's 'asn1parse -genconf'. It has been tested with RAUC, U-Boot's mkimage (for signed FITs) and NXP's CST. [1] https://github.com/latchset/pkcs11-provider/blob/main/docs/provider-pkcs11.7.md#use-in-older-applications-uris-in-pem-files [2] https://docs.openssl.org/master/man7/ossl_store/ [3] https://github.com/latchset/pkcs11-provider/blob/main/tools/uri2pem.py Signed-off-by: Jan Luebbe <[email protected]> Signed-off-by: Fabian Pflug <[email protected]> --- meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 70c3807a6dfd..a9f657feb6bb 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -463,6 +463,40 @@ signing_extract_cert_pem() { rm "${output}.tmp-der" } +# signing_create_uri_pem <role> <pem> +# +# Wrap the role's pkcs11: URI in a PEM file. +# The resulting file can be used instead of the URI returned by +# 'signing_get_uri $role' with applications which do not yet support the +# OSSL_STORE for native access to the PKCS#11 provider. +signing_create_uri_pem() { + local role="${1}" + local output="${2}" + local conf="${output}.cnf" + local der="${output}.der" + + local uri="$(signing_get_uri $role)" + + echo "Wrapping PKCS#11 URI for role '$role' as '${output}'" + + # The \# escape prevents OpenSSL's config parser treating # as a comment. + cat > "${conf}" <<EOF +asn1=SEQUENCE:pkcs11_uri_seq + +[pkcs11_uri_seq] +version=VISIBLESTRING:PKCS\#11 Provider URI v1.0 +uri=UTF8:${uri} +EOF + + openssl asn1parse -genconf "${conf}" -noout -out "${der}" + + { + echo "-----BEGIN PKCS#11 PROVIDER URI-----" + openssl base64 -in "${der}" + echo "-----END PKCS#11 PROVIDER URI-----" + } > "${output}" +} + python () { signing_class_prepare(d) } -- 2.47.3
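Review bot: the new `signing_create_uri_pem()` leaves its intermediate files behind, unlike the preceding `signing_extract_cert_pem()` which ends with `rm "${output}.tmp-der"`; `"${conf}"` and `"${der}"` should be removed after the final `} > "${output}"` (e.g. `rm "${conf}" "${der}"`), otherwise every call deposits a `.cnf` and a `.der` next to the PEM in the work directory. Two smaller points in the same hunk: `local uri="$(signing_get_uri $role)"` leaves `$role` unquoted while every other expansion in the function is quoted, and `uri=UTF8:${uri}` interpolates the URI into the OpenSSL config unescaped, so the `\#` comment only covers the literal `#` in the version string; a `#` or `$` in the URI itself would still be seen by the config parser, which is worth a sentence in the function's header comment (URIs are expected to be percent-encoded) or a check that the URI contains neither character.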
View/Reply Online (#124852): https://lists.openembedded.org/g/openembedded-devel/message/124852
