CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

signing.bbclass: make PEM loading compatible with OpenSC 0.26.0

Browse Source 
With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
OpenSC does not support reading the (DER-converted) object data from
stdin anymore.

However, OpenSC/pkcs11-tool also supports reading PEM files directly.
This we can use for simply replacing and simplifying the stdin piping in
signing_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for
conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
for providing passwords.
For these cases, we store the converted PEM into a simple temporary
file. This handling is sufficient, since SoftHSM import should be used
for example keys only and SoftHSM also doesn't protect the keys in any
way. Keys which actually need to be protected are stored in HSMs and
accessed via their PKCS#11 URIs.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Enrico Jörns 2025-07-02 08:09:55 +02:00 committed by Khem Raj
parent 7d23c8e09c
commit 2d1d128a41
No known key found for this signature in database
GPG Key ID: BB053355919D3314
1 changed files with 10 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
meta-oe/classes/signing.bbclass
View File

@ -250,9 +250,7 @@ signing_import_cert_from_pem() {
signing_import_define_role "$cert_name"
fi
openssl x509 \
-in "${pem}" -inform pem -outform der |
signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
signing_pkcs11_tool --type cert --write-object ${pem} --label "${cert_name}"
}
# signing_import_pubkey_from_der <role> <der>
@ -276,12 +274,12 @@ signing_import_pubkey_from_pem() {
if [ -n "${IMPORT_PASS_FILE}" ]; then
openssl pkey \
-passin "file:${IMPORT_PASS_FILE}" \
-in "${pem}" -inform pem -pubout -outform der
-in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
else
openssl pkey \
-in "${pem}" -inform pem -pubout -outform der
fi |
signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
-in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
fi
signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
}
# signing_import_privkey_from_der <role> <der>
@ -304,12 +302,12 @@ signing_import_privkey_from_pem() {
if [ -n "${IMPORT_PASS_FILE}" ]; then
openssl pkey \
-passin "file:${IMPORT_PASS_FILE}" \
-in "${pem}" -inform pem -outform der
-in "${pem}" -inform pem -outform dem -out ${B}/privkey_out.pem
signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
else
openssl pkey \
-in "${pem}" -inform pem -outform der
fi |
signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
fi
}
# signing_import_key_from_pem <role> <pem>