[PATCH v2] scripts: bareboxtlv-generator: add engine support
Sascha Hauer
s.hauer at pengutronix.de
Thu Mar 19 00:20:35 PDT 2026
Add a -engine option to optionally use engine e.g. to support PKCS# URIs
via engine.
Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
.../bareboxtlv-generator.py | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/scripts/bareboxtlv-generator/bareboxtlv-generator.py b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
index 806d2d8b94..b568e13a37 100755
--- a/scripts/bareboxtlv-generator/bareboxtlv-generator.py
+++ b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
@@ -47,11 +47,12 @@ class PrivateKey:
A private key for signing TLVs, requires the cryptography module
"""
- def __init__(self, path: str | None = None):
+ def __init__(self, path: str | None = None, engine: str | None = None):
"""
Load a private key from:
- PKCS#12 (.p12/.pfx)
- PEM/DER private key file
+ - Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)
"""
try:
@@ -65,7 +66,13 @@ class PrivateKey:
sys.exit(127)
self.inkey = path
- self.public_key = serialization.load_pem_public_key(openssl(["pkey", "-pubout", "-in", self.inkey]));
+ if engine:
+ pkey_args = ["-engine", engine, "-inform", "engine"]
+ self.pkeyutl_args = ["-engine", engine, "-keyform", "engine"]
+ else:
+ pkey_args = []
+ self.pkeyutl_args = []
+ self.public_key = serialization.load_pem_public_key(openssl(["pkey"] + pkey_args + ["-pubout", "-in", self.inkey]));
def sign(self, message: bytes) -> bytes:
"""
@@ -75,8 +82,8 @@ class PrivateKey:
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
- # Access private keys only via the openssl cli so that any configured provider, such as pkcs11, can be used.
- sig = openssl(["pkeyutl", "-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
+ # Access private keys only via the openssl cli so that any configured engine/provider, such as pkcs11, can be used.
+ sig = openssl(["pkeyutl"] + self.pkeyutl_args + ["-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
if isinstance(self.public_key, rsa.RSAPublicKey):
return sig
@@ -503,7 +510,8 @@ def _main():
parser = argparse.ArgumentParser(description="Generate a TLV dataset for the Barebox TLV parser")
parser.add_argument("schema", help="YAML file describing the data.")
parser.add_argument("--input-data", help="YAML file containing data to write to the binary.")
- parser.add_argument("--sign", help=" When using --input-data: Private key to sign the TLV with.")
+ parser.add_argument("--sign", help="When using --input-data: Private key to sign the TLV with.")
+ parser.add_argument("--engine", help="OpenSSL engine to use for private key operations (e.g. pkcs11).")
parser.add_argument("--output-data", help="YAML file where the contents of the binary will be written to.")
parser.add_argument("--verify", help="When using --output-data: Public key to verify the signature against")
parser.add_argument("binary", help="Path to where export data to be copied into DUT's EEPROM.")
@@ -519,7 +527,7 @@ def _main():
data = yaml.load(d_fh, Loader=yaml.SafeLoader)
if args.sign:
- privkey = PrivateKey(path=args.sign)
+ privkey = PrivateKey(path=args.sign, engine=args.engine)
else:
privkey = None
bin = eeprom.encode(data, sign=privkey)
--
2.47.3
More information about the barebox
mailing list