diff mbox series

[v2] signing.bbclass: make PEM loading compatible with OpenSC 0.26.0

Message ID 20250702060955.2542666-1-ejo@pengutronix.de
State Accepted
Headers show
Series [v2] signing.bbclass: make PEM loading compatible with OpenSC 0.26.0 | expand

Commit Message

Enrico Jörns July 2, 2025, 6:09 a.m. UTC 
With https://github.com/OpenSC/OpenSC/pull/3174 which is part of 0.26.0,
OpenSC does not support reading the (DER-converted) object data from
stdin anymore.

However, OpenSC/pkcs11-tool also supports reading PEM files directly.
This we can use for simply replacing and simplifying the stdin piping in
signing_import_cert_from_pem().

Only for password-protected files we still have to use OpenSSL for
conversion, since OpenSC/pkcs11-tool currently doesn't have a mechanism
for providing passwords.
For these cases, we store the converted PEM into a simple temporary
file. This handling is sufficient, since SoftHSM import should be used
for example keys only and SoftHSM also doesn't protect the keys in any
way. Keys which actually need to be protected are stored in HSMs and
accessed via their PKCS#11 URIs.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
---
 meta-oe/classes/signing.bbclass | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff mbox series

Patch

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 5068360ca7..26d1b592e3 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -250,9 +250,7 @@  signing_import_cert_from_pem() {
         signing_import_define_role "$cert_name"
     fi
 
-    openssl x509 \
-        -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
+    signing_pkcs11_tool --type cert --write-object ${pem} --label "${cert_name}"
 }
 
 # signing_import_pubkey_from_der <role> <der>
@@ -276,12 +274,12 @@  signing_import_pubkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -pubout -outform der
+            -in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
     else
         openssl pkey \
-            -in "${pem}" -inform pem -pubout -outform der
-    fi |
-    signing_pkcs11_tool --type pubkey --write-object /proc/self/fd/0 --label "${role}"
+            -in "${pem}" -inform pem -pubout -outform pem -out ${B}/pubkey_out.pem
+    fi
+    signing_pkcs11_tool --type pubkey --write-object ${B}/pubkey_out.pem --label "${role}"
 }
 
 # signing_import_privkey_from_der <role> <der>
@@ -304,12 +302,12 @@  signing_import_privkey_from_pem() {
     if [ -n "${IMPORT_PASS_FILE}" ]; then
         openssl pkey \
             -passin "file:${IMPORT_PASS_FILE}" \
-            -in "${pem}" -inform pem -outform der
+            -in "${pem}" -inform pem -outform dem -out ${B}/privkey_out.pem
+        signing_pkcs11_tool --type privkey --write-object ${B}/privkey_out.pem --label "${role}"
     else
-        openssl pkey \
-            -in "${pem}" -inform pem -outform der
-    fi |
-    signing_pkcs11_tool --type privkey --write-object /proc/self/fd/0 --label "${role}"
+        signing_pkcs11_tool --type privkey --write-object ${pem} --label "${role}"
+    fi
+
 }
 
 # signing_import_key_from_pem <role> <pem>