* [PATCH v2] scripts: bareboxtlv-generator: add engine support
From: Sascha Hauer @ 2026-03-19 7:20 UTC
To: Barebox List; +Cc: Claude Opus 4.6
Add a -engine option to optionally use an engine, e.g. to support PKCS#11 URIs
via an engine.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
.../bareboxtlv-generator.py | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/scripts/bareboxtlv-generator/bareboxtlv-generator.py b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
index 806d2d8b94..b568e13a37 100755
--- a/scripts/bareboxtlv-generator/bareboxtlv-generator.py
+++ b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
@@ -47,11 +47,12 @@ class PrivateKey:
A private key for signing TLVs, requires the cryptography module
"""
- def __init__(self, path: str | None = None):
+ def __init__(self, path: str | None = None, engine: str | None = None):
"""
Load a private key from:
- PKCS#12 (.p12/.pfx)
- PEM/DER private key file
+ - Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)
"""
try:
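Review bot: the new docstring line names only the engine path, while the comment in sign() below already states that a configured provider such as pkcs11 works through the openssl CLI with no engine at all; say here that `engine` is only needed for the legacy OpenSSL 1.x engine interface (deprecated in 3.0) and that a PKCS#11 URI also resolves with `engine=None` when a provider is configured, so callers on OpenSSL 3 do not reach for `--engine pkcs11` unnecessarily.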
@@ -65,7 +66,13 @@ class PrivateKey:
sys.exit(127)
self.inkey = path
- self.public_key = serialization.load_pem_public_key(openssl(["pkey", "-pubout", "-in", self.inkey]));
+ if engine:
+ pkey_args = ["-engine", engine, "-inform", "engine"]
+ self.pkeyutl_args = ["-engine", engine, "-keyform", "engine"]
+ else:
+ pkey_args = []
+ self.pkeyutl_args = []
+ self.public_key = serialization.load_pem_public_key(openssl(["pkey"] + pkey_args + ["-pubout", "-in", self.inkey]));
def sign(self, message: bytes) -> bytes:
"""
@@ -75,8 +82,8 @@ class PrivateKey:
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
- # Access private keys only via the openssl cli so that any configured provider, such as pkcs11, can be used.
- sig = openssl(["pkeyutl", "-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
+ # Access private keys only via the openssl cli so that any configured engine/provider, such as pkcs11, can be used.
+ sig = openssl(["pkeyutl"] + self.pkeyutl_args + ["-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
if isinstance(self.public_key, rsa.RSAPublicKey):
return sig
@@ -503,7 +510,8 @@ def _main():
parser = argparse.ArgumentParser(description="Generate a TLV dataset for the Barebox TLV parser")
parser.add_argument("schema", help="YAML file describing the data.")
parser.add_argument("--input-data", help="YAML file containing data to write to the binary.")
- parser.add_argument("--sign", help=" When using --input-data: Private key to sign the TLV with.")
+ parser.add_argument("--sign", help="When using --input-data: Private key to sign the TLV with.")
+ parser.add_argument("--engine", help="OpenSSL engine to use for private key operations (e.g. pkcs11).")
parser.add_argument("--output-data", help="YAML file where the contents of the binary will be written to.")
parser.add_argument("--verify", help="When using --output-data: Public key to verify the signature against")
parser.add_argument("binary", help="Path to where export data to be copied into DUT's EEPROM.")
@@ -519,7 +527,7 @@ def _main():
data = yaml.load(d_fh, Loader=yaml.SafeLoader)
if args.sign:
- privkey = PrivateKey(path=args.sign)
+ privkey = PrivateKey(path=args.sign, engine=args.engine)
else:
privkey = None
bin = eeprom.encode(data, sign=privkey)
--
2.47.3
* Re: [PATCH v2] scripts: bareboxtlv-generator: add engine support
From: Jonas Rebmann @ 2026-03-19 11:03 UTC
To: Sascha Hauer, Barebox List
Hi Sascha,
On 2026-03-19 08:20, Sascha Hauer wrote:
> Add a -engine option to optionally use an engine, e.g. to support PKCS#11 URIs
> via an engine.
I think this is a red herring.
PKCS#11 URIs are already supported by bareboxtlv-generator.py as-is via
pkcs11-provider, and I tested that when I implemented signature.
https://manpages.debian.org/testing/pkcs11-provider/provider-pkcs11.7.en.html
Maybe we need to document this clearly for bareboxtlv-generator.py in
particular?
The engine model is deprecated in OpenSSL 3.0, released in 2021, in favor
of providers. Earlier versions are by now unsupported. Even if for some
reason someone needed to use PKCS#11 URIs with unsupported OpenSSL 1.x
versions, I believe that engine configuration could and should be
performed in openssl.cnf and/or via the environment but not via the
bareboxtlv-generator.py/openssl CLI.
Regards,
Jonas
> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> .../bareboxtlv-generator.py | 20 +++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/scripts/bareboxtlv-generator/bareboxtlv-generator.py b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> index 806d2d8b94..b568e13a37 100755
> --- a/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> +++ b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> @@ -47,11 +47,12 @@ class PrivateKey:
> A private key for signing TLVs, requires the cryptography module
> """
>
> - def __init__(self, path: str | None = None):
> + def __init__(self, path: str | None = None, engine: str | None = None):
> """
> Load a private key from:
> - PKCS#12 (.p12/.pfx)
> - PEM/DER private key file
> + - Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)
> """
>
> try:
> @@ -65,7 +66,13 @@ class PrivateKey:
> sys.exit(127)
>
> self.inkey = path
> - self.public_key = serialization.load_pem_public_key(openssl(["pkey", "-pubout", "-in", self.inkey]));
> + if engine:
> + pkey_args = ["-engine", engine, "-inform", "engine"]
> + self.pkeyutl_args = ["-engine", engine, "-keyform", "engine"]
> + else:
> + pkey_args = []
> + self.pkeyutl_args = []
> + self.public_key = serialization.load_pem_public_key(openssl(["pkey"] + pkey_args + ["-pubout", "-in", self.inkey]));
>
> def sign(self, message: bytes) -> bytes:
> """
> @@ -75,8 +82,8 @@ class PrivateKey:
> from cryptography.hazmat.primitives.asymmetric import rsa, ec
> from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
>
> - # Access private keys only via the openssl cli so that any configured provider, such as pkcs11, can be used.
> - sig = openssl(["pkeyutl", "-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
> + # Access private keys only via the openssl cli so that any configured engine/provider, such as pkcs11, can be used.
> + sig = openssl(["pkeyutl"] + self.pkeyutl_args + ["-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
>
> if isinstance(self.public_key, rsa.RSAPublicKey):
> return sig
> @@ -503,7 +510,8 @@ def _main():
> parser = argparse.ArgumentParser(description="Generate a TLV dataset for the Barebox TLV parser")
> parser.add_argument("schema", help="YAML file describing the data.")
> parser.add_argument("--input-data", help="YAML file containing data to write to the binary.")
> - parser.add_argument("--sign", help=" When using --input-data: Private key to sign the TLV with.")
> + parser.add_argument("--sign", help="When using --input-data: Private key to sign the TLV with.")
> + parser.add_argument("--engine", help="OpenSSL engine to use for private key operations (e.g. pkcs11).")
> parser.add_argument("--output-data", help="YAML file where the contents of the binary will be written to.")
> parser.add_argument("--verify", help="When using --output-data: Public key to verify the signature against")
> parser.add_argument("binary", help="Path to where export data to be copied into DUT's EEPROM.")
> @@ -519,7 +527,7 @@ def _main():
> data = yaml.load(d_fh, Loader=yaml.SafeLoader)
>
> if args.sign:
> - privkey = PrivateKey(path=args.sign)
> + privkey = PrivateKey(path=args.sign, engine=args.engine)
> else:
> privkey = None
> bin = eeprom.encode(data, sign=privkey)
--
Pengutronix e.K. | Jonas Rebmann |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |
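The provider-based setup Jonas refers to, as an added example that is not from the patch or the barebox tree: a constructed openssl.cnf that activates pkcs11-provider, so the unmodified script resolves a PKCS#11 URI passed to `--sign` with no `--engine` at all. The provider module path, the PKCS#11 module path, the token label and the key object name are assumptions for your system.

```shell
#!/bin/sh
# Added example, not code from the patch or the barebox project.
# Configure pkcs11-provider in openssl.cnf so that "openssl pkey" and
# "openssl pkeyutl", as called by the unmodified bareboxtlv-generator.py,
# resolve a PKCS#11 URI themselves; the engine interface is never used.
# Assumed paths: provider module and PKCS#11 module (here SoftHSM).
set -eu

PKCS11_PROVIDER=/usr/lib/ossl-modules/pkcs11.so        # assumption
PKCS11_MODULE=/usr/lib/softhsm/libsofthsm2.so          # assumption

# Write a constructed openssl.cnf activating the default and pkcs11
# providers. Selected at runtime through OPENSSL_CONF, not via the CLI.
write_provider_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = $PKCS11_PROVIDER
pkcs11-module-path = $PKCS11_MODULE
activate = 1
EOF
}

# Sign a TLV with the existing --sign option: the key reference is a
# PKCS#11 URI, the private key never leaves the token, and only the
# public key is exported via "openssl pkey -pubout" inside the script.
sign_tlv() {
    conf=$1 key_uri=$2 schema=$3 data=$4 out=$5
    OPENSSL_CONF="$conf" python3 bareboxtlv-generator.py \
        --sign "$key_uri" --input-data "$data" "$schema" "$out"
}

# Constructed usage; token label and key object are assumptions:
# write_provider_conf ./openssl.cnf
# sign_tlv ./openssl.cnf "pkcs11:token=barebox;object=tlv-key" \
#     schema.yaml data.yaml tlv.bin
```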