
signing.bbclass: make PEM loading compatible with OpenSC 0.26.0

Message ID 20250619124641.2934463-1-ejo@pengutronix.de
State New
Series signing.bbclass: make PEM loading compatible with OpenSC 0.26.0

Commit Message

Enrico Jörns June 19, 2025, 12:46 p.m. UTC
With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
OpenSC does not support reading (DER) data from stdin anymore.

However, OpenSC/pkcs11-tool also supports reading PEM files directly.
This we can use for simply replacing and simplifying the stdin piping in
signing_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for
conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
for providing passwords.
For these cases, we store the converted PEM into a simple temporary
file. This handling is sufficient, since SoftHSM import should be used
for example keys only and SoftHSM also doesn't protect the keys in any
way. Keys which actually need to be protected are stored in HSMs and
accessed via their PKCS#11 URIs.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
---
 meta-oe/classes/signing.bbclass | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

Comments

Khem Raj June 19, 2025, 3:59 p.m. UTC | #1
Thanks for the patch, Please rebase it on master-next as it seems to
not apply cleanly here.

On Thu, Jun 19, 2025 at 5:47 AM Enrico Jörns via
lists.openembedded.org <ejo=pengutronix.de@lists.openembedded.org>
wrote:
>
> With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
> OpenSC does not support reading (DER) data from stdin anymore.
>
> However, OpenSC/pkcs11-tool also supports reading PEM files directly.
> This we can use for simply replacing and simplifying the stdin piping in
> signing_import_cert_from_pem().
>
> Only for password-protected files we still have to use OpenSSL for
> conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
> for providing passwords.
> For these cases, we store the converted PEM into a simple temporary
> file. This handling is sufficient, since SoftHSM import should be used
> for example keys only and SoftHSM also doesn't protect the keys in any
> way. Keys which actually need to be protected are stored in HSMs and
> accessed via their PKCS#11 URIs.
>
> Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
> ---
>  meta-oe/classes/signing.bbclass | 21 +++++++++------------
>  1 file changed, 9 insertions(+), 12 deletions(-)
>
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index 8af7bbf8e0..8c7daa2391 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -172,9 +172,7 @@ signing_import_cert_from_pem() {
>      local role="${1}"
>      local pem="${2}"
>
> -    openssl x509 \
> -        -in "${pem}" -inform pem -outform der |
> -    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
> +    signing_pkcs11_tool --type cert --write-object ${pem} --label "${role}"
>  }
>
>  # signing_import_pubkey_from_der <role> <der>
> @@ -198,12 +196,12 @@ signing_import_pubkey_from_pem() {
>      if [ -n "${IMPORT_PASS_FILE}" ]; then
>          openssl pkey \
>              -passin "file:${IMPORT_PASS_FILE}" \
> -            -in "${pem}" -inform pem -pubout -outform der
> +            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem
>      else
>          openssl pkey \
> -            -in "${pem}" -inform pem -pubout -outform der
> -    fi |
> -    signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
> +            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem
> +    fi
> +    signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
>  }
>
>  # signing_import_privkey_from_der <role> <der>
> @@ -226,12 +224,11 @@ signing_import_privkey_from_pem() {
>      if [ -n "${IMPORT_PASS_FILE}" ]; then
>          openssl pkey \
>              -passin "file:${IMPORT_PASS_FILE}" \
> -            -in "${pem}" -inform pem -outform der
> +            -in "${pem}" -inform pem -outform der -out ${B}/privkey_out.pem
> +        signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
>      else
> -        openssl pkey \
> -            -in "${pem}" -inform pem -outform der
> -    fi |
> -    signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
> +        signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
> +    fi
>  }
>
>  # signing_import_key_from_pem <role> <pem>
> --
> 2.39.5
Jan Lübbe June 23, 2025, 1:31 p.m. UTC | #2
On Thu, 2025-06-19 at 14:46 +0200, Enrico Jörns wrote:
> With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
> OpenSC does not support reading (DER) data from stdin anymore.
> 
> However, OpenSC/pkcs11-tool also supports reading PEM files directly.
> This we can use for simply replacing and simplifying the stdin piping in
> signing_import_cert_from_pem().
> 
> Only for password-protected files we still have to use OpenSSL for
> conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
> for providing passwords.
> For these cases, we store the converted PEM into a simple temporary
> file. This handling is sufficient, since SoftHSM import should be used
> for example keys only and SoftHSM also doesn't protect the keys in any
> way. Keys which actually need to be protected are stored in HSMs and
> accessed via their PKCS#11 URIs.
> 
> Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
> ---
>  meta-oe/classes/signing.bbclass | 21 +++++++++------------
>  1 file changed, 9 insertions(+), 12 deletions(-)
> 
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index 8af7bbf8e0..8c7daa2391 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -172,9 +172,7 @@ signing_import_cert_from_pem() {
>      local role="${1}"
>      local pem="${2}"
>  
> -    openssl x509 \
> -        -in "${pem}" -inform pem -outform der |
> -    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
> +    signing_pkcs11_tool --type cert --write-object ${pem} --label "${role}"
>  }
>  
>  # signing_import_pubkey_from_der <role> <der>
> @@ -198,12 +196,12 @@ signing_import_pubkey_from_pem() {
>      if [ -n "${IMPORT_PASS_FILE}" ]; then
>          openssl pkey \
>              -passin "file:${IMPORT_PASS_FILE}" \
> -            -in "${pem}" -inform pem -pubout -outform der
> +            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem

This should either be '-outform pem' or use a '.der' suffix for the filename.
Below as well.

>      else
>          openssl pkey \
> -            -in "${pem}" -inform pem -pubout -outform der
> -    fi |
> -    signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
> +            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem
> +    fi
> +    signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
>  }
>  
>  # signing_import_privkey_from_der <role> <der>
> @@ -226,12 +224,11 @@ signing_import_privkey_from_pem() {
>      if [ -n "${IMPORT_PASS_FILE}" ]; then
>          openssl pkey \
>              -passin "file:${IMPORT_PASS_FILE}" \
> -            -in "${pem}" -inform pem -outform der
> +            -in "${pem}" -inform pem -outform der -out ${B}/privkey_out.pem
> +        signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
>      else
> -        openssl pkey \
> -            -in "${pem}" -inform pem -outform der
> -    fi |
> -    signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
> +        signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
> +    fi
>  }
>  
>  # signing_import_key_from_pem <role> <pem>

Patch

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 8af7bbf8e0..8c7daa2391 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -172,9 +172,7 @@  signing_import_cert_from_pem() {
     local role="${1}"
     local pem="${2}"
 
-    openssl x509 \
-        -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
+    signing_pkcs11_tool --type cert --write-object ${pem} --label "${role}"
 }
 
 # signing_import_pubkey_from_der <role> <der>
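Review bot: the new `--write-object ${pem}` drops the double quotes that the removed `-in "${pem}"` line had, so a path with whitespace or glob characters is now word-split; keep it as `--write-object "${pem}"`. The removed pipeline also ran the input through `openssl x509 -inform pem` before anything reached the token, whereas the file now goes to pkcs11-tool unconverted on the strength of the commit message's statement that pkcs11-tool reads PEM directly; a one-line comment in the function saying that PEM is passed through as-is (and since which OpenSC version) would save the next reader from re-deriving why the conversion disappeared.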
@@ -198,12 +196,12 @@  signing_import_pubkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -pubout -outform der
+            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem
     else
         openssl pkey \
-            -in "${pem}" -inform pem -pubout -outform der
-    fi |
-    signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
+            -in "${pem}" -inform pem -pubout -outform der -out ${B}/pubkey_out.pem
+    fi
+    signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
 }
 
 # signing_import_privkey_from_der <role> <der>
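Review bot: `-outform der -out ${B}/pubkey_out.pem` writes DER bytes into a file with a `.pem` suffix, which is the mismatch Jan Lübbe raised above; either use `-outform pem`, since pkcs11-tool accepts PEM per the commit message, or name the file `pubkey_out.der`. `${B}` is unquoted in both the `-out` argument and the `--write-object` argument. The intermediate file is also left behind in `${B}` after the import and is a single fixed path reused by every call, so a second role imported from the same task silently overwrites it; at minimum `rm -f` it after `signing_pkcs11_tool` returns, or derive the name from `${role}`.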
@@ -226,12 +224,11 @@  signing_import_privkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -outform der
+            -in "${pem}" -inform pem -outform der -out ${B}/privkey_out.pem
+        signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
     else
-        openssl pkey \
-            -in "${pem}" -inform pem -outform der
-    fi |
-    signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
+        signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
+    fi
 }
 
 # signing_import_key_from_pem <role> <pem>
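Review bot: in the `IMPORT_PASS_FILE` branch the decrypted private key is written as DER to `${B}/privkey_out.pem` (same suffix/format mismatch as in the pubkey hunk) and never removed, so an unencrypted copy of the key persists in the build directory after the import. The commit message argues this is acceptable because SoftHSM import is meant for example keys only; that reasoning belongs in a comment next to the `-out` line, and an `rm -f "${B}/privkey_out.pem"` after `signing_pkcs11_tool` (or `mktemp` under `${B}`) would keep the plaintext window short at no cost. Both `--write-object` arguments (`${B}/privkey_out.pem` and `${pem}`) are unquoted, while the removed `-in "${pem}"` was quoted.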