Hi Sergio,
On 2026-05-25T13:28:26, Sergio Prado <[email protected]> wrote:
> binman: x509_cert: support PKCS#11 URI in keyfile for HSM signing
>
> Allow x509 certificate entries to be signed using a key stored in an
> HSM by accepting a PKCS#11 URI (RFC 7512) as the value of the
> 'keyfile' entry argument, instead of a path to a PEM key file on
> disk. The URI is forwarded as-is to openssl '-key', which resolves it
> via the pkcs11 provider configured externally through OPENSSL_CONF.
>
> A new make variable BINMAN_X509_KEY_URI is introduced. When set, it
> overrides the 'keyfile' entry argument for all x509 certificate
> signing operations:
>
> make BINMAN_X509_KEY_URI="pkcs11:token=mytk;object=mykey;type=private" \
> OPENSSL_CONF=/path/to/openssl.cnf
>
> Two URI forms are supported on OpenSSL 3.x:
>
> - Provider path: pkcs11:token=...;object=...;type=private
> - Engine path: org.openssl.engine:pkcs11:pkcs11:token=...;...
>
> [...]
>
> Makefile | 1 +
> tools/binman/binman.rst | 55 +++++++++++++++++
> tools/binman/etype/x509_cert.py | 37 ++++++++++--
> tools/binman/ftest.py | 92 +++++++++++++++++++++++++++++
> tools/binman/test/fit/openssl_provider.conf | 14 +++++
> 5 files changed, 194 insertions(+), 5 deletions(-)
> diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py
> @@ -88,6 +93,15 @@ class Entry_x509_cert(Entry_collection):
> + # When keyfile is a PKCS#11 URI and PKCS11_PIN is set, append the
> + # PIN to the URI so signing runs non-interactively. The preferred
> + # way to deliver a PIN is to configure pkcs11-module-token-pin in
> + # openssl.cnf; PKCS11_PIN is the convenience fallback.
> + key_fname = self.key_fname
> + pin = os.environ.get('PKCS11_PIN')
> + if pin and 'pkcs11:' in key_fname:
> + key_fname = self._build_pkcs11_key(key_fname, pin)
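Review bot: appending PKCS11_PIN to the URI puts the PIN into the openssl argument list (the commit message says the URI is passed to '-key'), where any local user can read it from ps or /proc/<pid>/cmdline while the signing call runs; the comment already prefers pkcs11-module-token-pin in openssl.cnf, so please spell out this exposure in binman.rst too, and make sure _build_pkcs11_key percent-encodes the PIN as RFC 7512 requires for the pin-value query attribute, since a PIN containing ';', '&', '?' or '%' would otherwise corrupt the URI. It would also be cleaner to have _build_pkcs11_key own the URI test (by prefix) instead of splitting it between the 'pkcs11:' check here and the helper.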
nit: the 'pkcs11:' substring test is loose - a filesystem path
containing that token would be treated as a URI. Please use
key_fname.startswith(('pkcs11:', 'org.openssl.engine:')) instead.
Also, the commit message says the URI is forwarded as-is to openssl
-key, which isn't quite true once PKCS11_PIN is appended. Please
reword to match the code.
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> @@ -6905,6 +6906,97 @@ fdt fdtmap Extract the
> devicetree blob from the fdtmap
> + def testX509CertPkcs11(self):
> + """Test X509 certificate signing via a PKCS#11 URI in keyfile"""
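Review bot: since the entry now reads PKCS11_PIN from the environment, this test should set and clear it with unittest.mock.patch.dict(os.environ, ...) or a try/finally rather than a bare os.environ assignment, so the PIN cannot leak into later tests in the same process; please also add a negative case where PKCS11_PIN is set but keyfile is a plain PEM path, asserting that the path reaches openssl unmodified.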
The test only exercises the provider form; the engine prefix is
documented as supported but not covered. A small extra case in
testX509CertBuildPkcs11Key for an engine-prefixed URI would catch
regressions in the combiner without needing libengine-pkcs11-openssl
installed.
Regards,
Simon
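The two points raised above (a prefix-based URI test that does not trip on a filesystem path containing 'pkcs11:', and a combiner that appends the PIN as an RFC 7512 pin-value query attribute while handling the engine-prefixed form) can be shown in a few lines. The following is an added example, not code from the patch or from binman; the function names build_pkcs11_key, is_pkcs11_uri and redact_pin are hypothetical and the URIs below are constructed inputs. It does not need openssl or a PKCS#11 module to run.

```python
"""Combine a PKCS#11 URI (RFC 7512) with a PIN for non-interactive signing.

Added example, not part of the reviewed patch. The helper names and the
sample URIs are assumptions chosen for illustration.
"""
import re
from urllib.parse import quote

PKCS11_SCHEME = 'pkcs11:'
# Engine form: an OpenSSL engine prefix followed by the real pkcs11 URI.
ENGINE_PREFIX = 'org.openssl.engine:pkcs11:'


def is_pkcs11_uri(keyfile):
    """Return True only when keyfile is a PKCS#11 URI.

    Tested by prefix, not substring, so a path such as
    '/srv/keys/pkcs11:backup/key.pem' is still treated as a file.
    """
    return keyfile.startswith((PKCS11_SCHEME, ENGINE_PREFIX))


def build_pkcs11_key(keyfile, pin):
    """Return keyfile with the PIN added as a pin-value query attribute.

    File paths and empty PINs are returned unchanged. The PIN is
    percent-encoded so characters that are structural in a PKCS#11 URI
    (';', '&', '?', '%', ...) cannot corrupt it. A URI that already
    carries a pin-value attribute is rejected rather than silently
    given a second one.
    """
    if not pin or not is_pkcs11_uri(keyfile):
        return keyfile

    prefix, uri = '', keyfile
    if uri.startswith(ENGINE_PREFIX):
        prefix, uri = ENGINE_PREFIX, uri[len(ENGINE_PREFIX):]
    if not uri.startswith(PKCS11_SCHEME):
        raise ValueError('engine prefix must be followed by a pkcs11: URI')

    # RFC 7512: path attributes are ';'-separated, a query (if any)
    # follows the first '?' and its attributes are '&'-separated.
    path, sep, query = uri.partition('?')
    if re.search(r'(^|&)pin-value=', query):
        raise ValueError('URI already contains a pin-value attribute')

    # safe='' keeps only unreserved characters (A-Z a-z 0-9 - . _ ~)
    # and percent-encodes everything else, which is always valid.
    attr = 'pin-value=' + quote(pin, safe='')
    query = query + '&' + attr if query else attr
    return prefix + path + '?' + query


def redact_pin(keyfile):
    """Mask the pin-value attribute before logging a command line.

    The combined URI is passed to openssl on its argument list, so any
    log or error message that echoes the command should use this form.
    """
    return re.sub(r'(pin-value=)[^&]*', r'\1***', keyfile)


if __name__ == '__main__':
    # Constructed sample inputs.
    provider = 'pkcs11:token=mytk;object=mykey;type=private'
    engine = ENGINE_PREFIX + provider
    print(build_pkcs11_key(provider, '1234'))
    print(build_pkcs11_key(engine, '1234'))
    print(redact_pin(build_pkcs11_key(provider, 'a;b%c')))
    print(build_pkcs11_key('/srv/keys/pkcs11:backup/key.pem', '1234'))
```

The combiner keeps the engine prefix outside the URI it edits, so the same code path covers both documented forms without a second branch; that is the regression the review asks a test to guard, and it can be exercised with plain string assertions as done here.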