From: Fabian Pflug <[email protected]> OpenSSL 4.0 will drop support for engines and use providers instead.
To access SoftHSM and other PKCS#11 modules via the provider API, we rely on https://github.com/latchset/pkcs11-provider, which is already available as via pkcs11-provider recipe. We enable this provider by using a specific OpenSSL config when signing. This means that recipes inheriting this class can decide whether they want to use the engine or provider to access the key. SoftHSM seems to produce broken keys when calling the C_CopyObject, so disable caching in the provider for now. Signed-off-by: Jan Luebbe <[email protected]> Signed-off-by: Fabian Pflug <[email protected]> --- meta-oe/classes/signing.bbclass | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index cb54b55641da..70c3807a6dfd 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -54,7 +54,7 @@ SIGNING_PKCS11_URI ?= "" SIGNING_PKCS11_MODULE ?= "" -DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native" +DEPENDS += "softhsm-native pkcs11-provider-native libp11-native opensc-native openssl-native extract-cert-native" def signing_class_prepare(d): import os.path @@ -338,16 +338,10 @@ signing_import_install() { signing_prepare() { export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules" export OPENSSL_ENGINES="${STAGING_LIBDIR_NATIVE}/engines-3" - export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/ssl-3/openssl.cnf" + export OPENSSL_CONF="${STAGING_LIBDIR_NATIVE}/openssl-provider-signing.cnf" export SSL_CERT_DIR="${STAGING_LIBDIR_NATIVE}/ssl-3/certs" export SSL_CERT_FILE="${STAGING_LIBDIR_NATIVE}/ssl-3/cert.pem" - if [ -f ${OPENSSL_CONF} ]; then - echo "Using '${OPENSSL_CONF}' for OpenSSL configuration" - else - echo "Missing 'openssl.cnf' at '${STAGING_ETCDIR_NATIVE}/ssl'" - return 1 - fi if [ -d ${OPENSSL_MODULES} ]; then echo "Using '${OPENSSL_MODULES}' for OpenSSL run-time modules" else @@ -367,6 +361,26 @@ signing_prepare() { echo "directories.tokendir = $SOFTHSM2_DIR" > "$SOFTHSM2_CONF" echo "objectstore.backend = db" >> "$SOFTHSM2_CONF" + cat > "${OPENSSL_CONF}" <<EOF +openssl_conf = openssl_init + +[openssl_init] +providers = provider_sect + +[provider_sect] +default = default_sect +pkcs11 = pkcs11_sect + +[default_sect] +activate = 1 + +[pkcs11_sect] +pkcs11-module-quirks = no-operation-state no-deinit +pkcs11-module-cache-keys = false +pkcs11-module-encode-provider-uri-to-pem = true +activate = 1 +EOF + for env in $(ls "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d"); do . "${STAGING_DIR_NATIVE}/var/lib/meta-signing.env.d/$env" done @@ -378,6 +392,8 @@ signing_use_role() { local role="${1}" export PKCS11_MODULE_PATH="$(signing_get_module $role)" + export PKCS11_PROVIDER_MODULE="$PKCS11_MODULE_PATH" + # export PKCS11_PROVIDER_DEBUG="file:/dev/stderr" export PKCS11_URI="$(signing_get_uri $role)" if [ -z "$PKCS11_MODULE_PATH" ]; then -- 2.47.3
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124851): https://lists.openembedded.org/g/openembedded-devel/message/124851 Mute This Topic: https://lists.openembedded.org/mt/118134255/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
