[PATCH v2] scripts: bareboxtlv-generator: add engine support

[Sascha Hauer <s.hauer@pengutronix.de>]

Add a -engine option to optionally use engine e.g. to support PKCS# URIs
via engine.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 .../bareboxtlv-generator.py                   | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/scripts/bareboxtlv-generator/bareboxtlv-generator.py b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
index 806d2d8b94..b568e13a37 100755
--- a/scripts/bareboxtlv-generator/bareboxtlv-generator.py
+++ b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
@@ -47,11 +47,12 @@ class PrivateKey:
     A private key for signing TLVs, requires the cryptography module
     """
 
-    def __init__(self, path: str | None = None):
+    def __init__(self, path: str | None = None, engine: str | None = None):
         """
         Load a private key from:
         - PKCS#12 (.p12/.pfx)
         - PEM/DER private key file
+        - Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)
         """
 
         try:
@@ -65,7 +66,13 @@ class PrivateKey:
             sys.exit(127)
 
         self.inkey = path
-        self.public_key = serialization.load_pem_public_key(openssl(["pkey", "-pubout", "-in", self.inkey]));
+        if engine:
+            pkey_args = ["-engine", engine, "-inform", "engine"]
+            self.pkeyutl_args = ["-engine", engine, "-keyform", "engine"]
+        else:
+            pkey_args = []
+            self.pkeyutl_args = []
+        self.public_key = serialization.load_pem_public_key(openssl(["pkey"] + pkey_args + ["-pubout", "-in", self.inkey]));
 
     def sign(self, message: bytes) -> bytes:
         """
@@ -75,8 +82,8 @@ class PrivateKey:
         from cryptography.hazmat.primitives.asymmetric import rsa, ec
         from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
 
-        # Access private keys only via the openssl cli so that any configured provider, such as pkcs11, can be used.
-        sig = openssl(["pkeyutl", "-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
+        # Access private keys only via the openssl cli so that any configured engine/provider, such as pkcs11, can be used.
+        sig = openssl(["pkeyutl"] + self.pkeyutl_args + ["-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
 
         if isinstance(self.public_key, rsa.RSAPublicKey):
             return sig
@@ -503,7 +510,8 @@ def _main():
     parser = argparse.ArgumentParser(description="Generate a TLV dataset for the Barebox TLV parser")
     parser.add_argument("schema", help="YAML file describing the data.")
     parser.add_argument("--input-data", help="YAML file containing data to write to the binary.")
-    parser.add_argument("--sign", help=" When using --input-data: Private key to sign the TLV with.")
+    parser.add_argument("--sign", help="When using --input-data: Private key to sign the TLV with.")
+    parser.add_argument("--engine", help="OpenSSL engine to use for private key operations (e.g. pkcs11).")
     parser.add_argument("--output-data", help="YAML file where the contents of the binary will be written to.")
     parser.add_argument("--verify", help="When using --output-data: Public key to verify the signature against")
     parser.add_argument("binary", help="Path to where export data to be copied into DUT's EEPROM.")
@@ -519,7 +527,7 @@ def _main():
             data = yaml.load(d_fh, Loader=yaml.SafeLoader)
 
         if args.sign:
-            privkey = PrivateKey(path=args.sign)
+            privkey = PrivateKey(path=args.sign, engine=args.engine)
         else:
             privkey = None
         bin = eeprom.encode(data, sign=privkey)
-- 
2.47.3