From 2d1d128a41abb698874e2d0b8e59cb5ae0416937 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Enrico=20J=C3=B6rns?= <ejo@pengutronix.de>
Date: Wed, 2 Jul 2025 08:09:55 +0200
Subject: [PATCH] signing.bbclass: make PEM loading compatible with OpenSC
 0.26.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
OpenSC does not support reading the (DER-converted) object data from
stdin anymore.

However, OpenSC/pkcs11-tool also supports reading PEM files directly.
This we can use for simply replacing and simplifying the stdin piping in
signing_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for
conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
for providing passwords.
For these cases, we store the converted PEM into a simple temporary
file. This handling is sufficient, since SoftHSM import should be used
for example keys only and SoftHSM also doesn't protect the keys in any
way. Keys which actually need to be protected are stored in HSMs and
accessed via their PKCS#11 URIs.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta-oe/classes/signing.bbclass | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 5068360ca7..26d1b592e3 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -250,9 +250,7 @@ signing_import_cert_from_pem() {
         signing_import_define_role "$cert_name"
     fi
 
-    openssl x509 \
-        -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
+    signing_pkcs11_tool --type cert --write-object ${pem} --label "${cert_name}"
 }
 
 # signing_import_pubkey_from_der <role> <der>
@@ -276,12 +274,12 @@ signing_import_pubkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -pubout -outform der
+            -in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
     else
         openssl pkey \
-            -in "${pem}" -inform pem -pubout -outform der
-    fi |
-    signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
+            -in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
+    fi
+    signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
 }
 
 # signing_import_privkey_from_der <role> <der>
@@ -304,12 +302,12 @@ signing_import_privkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -outform der
+            -in "${pem}" -inform pem -outform dem -out ${B}/privkey_out.pem
+        signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
     else
-        openssl pkey \
-            -in "${pem}" -inform pem -outform der
-    fi |
-    signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
+        signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
+    fi
+
 }
 
 # signing_import_key_from_pem <role> <pem>