[PATCH v2] scripts: bareboxtlv-generator: add engine support
Jonas Rebmann
jre at pengutronix.de
Thu Mar 19 04:03:16 PDT 2026
Hi Sascha,
On 2026-03-19 08:20, Sascha Hauer wrote:
> Add a -engine option to optionally use engine e.g. to support PKCS# URIs
> via engine.
I think this is a red herring.
PKCS#11 URIs are already supported by bareboxtlv-generator.py as-is via
pkcs11-provider, and I tested that when I implemented signature.
https://manpages.debian.org/testing/pkcs11-provider/provider-pkcs11.7.en.html
Maybe we need to document this clearly for bareboxtlv-generator.py in
particular?
The engine model is deprecated in OpenSSL 3.0 released in 2021, in favor
of providers. Earlier versions are by now unsupported. Even if for some
reason someone needed to use PKCS#11 URIs with unsupported OpenSSL 1.x
versions, I believe that Engine configuration could and should be
performed in openssl.cnf and/or via the Environment but not via the
bareboxtlv-generator.py/openssl CLI.
Regards,
Jonas
> Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
> Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
> ---
> .../bareboxtlv-generator.py | 20 +++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/scripts/bareboxtlv-generator/bareboxtlv-generator.py b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> index 806d2d8b94..b568e13a37 100755
> --- a/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> +++ b/scripts/bareboxtlv-generator/bareboxtlv-generator.py
> @@ -47,11 +47,12 @@ class PrivateKey:
> A private key for signing TLVs, requires the cryptography module
> """
>
> - def __init__(self, path: str | None = None):
> + def __init__(self, path: str | None = None, engine: str | None = None):
> """
> Load a private key from:
> - PKCS#12 (.p12/.pfx)
> - PEM/DER private key file
> + - Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)
> """
>
> try:
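Review bot: the new docstring line `- Engine-backed key (e.g. PKCS#11 URI with --engine pkcs11)` presents the engine as the way to use a PKCS#11 URI, while the reply above states that a `pkcs11:` URI already works through the unchanged PEM/DER path once pkcs11-provider is configured on OpenSSL 3. Reword it to say the engine is only for legacy OpenSSL 1.x setups, or drop the PKCS#11 example, so the docstring does not steer users towards the deprecated engine API.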
> @@ -65,7 +66,13 @@ class PrivateKey:
> sys.exit(127)
>
> self.inkey = path
> - self.public_key = serialization.load_pem_public_key(openssl(["pkey", "-pubout", "-in", self.inkey]));
> + if engine:
> + pkey_args = ["-engine", engine, "-inform", "engine"]
> + self.pkeyutl_args = ["-engine", engine, "-keyform", "engine"]
> + else:
> + pkey_args = []
> + self.pkeyutl_args = []
> + self.public_key = serialization.load_pem_public_key(openssl(["pkey"] + pkey_args + ["-pubout", "-in", self.inkey]));
>
> def sign(self, message: bytes) -> bytes:
> """
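Review bot: `pkey_args` is a plain local while `self.pkeyutl_args` is stored on the instance, so the two argument lists are built in the same branch but kept differently; either store both, or keep a single `self.engine` and derive the lists where they are used. The rewritten `self.public_key = ...` line also carries over the stray trailing `;` from the old line, which can be dropped while the line is being touched.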
> @@ -75,8 +82,8 @@ class PrivateKey:
> from cryptography.hazmat.primitives.asymmetric import rsa, ec
> from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
>
> - # Access private keys only via the openssl cli so that any configured provider, such as pkcs11, can be used.
> - sig = openssl(["pkeyutl", "-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
> + # Access private keys only via the openssl cli so that any configured engine/provider, such as pkcs11, can be used.
> + sig = openssl(["pkeyutl"] + self.pkeyutl_args + ["-sign", "-rawin", "-digest", "sha256", "-inkey", self.inkey], stdin = message)
>
> if isinstance(self.public_key, rsa.RSAPublicKey):
> return sig
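Review bot: the updated comment keeps the stated reason for signing through the openssl CLI, namely that "any configured engine/provider" is picked up, which implies an engine can equally be selected in openssl.cnf without the extra `-engine`/`-keyform engine` arguments; if the CLI flags stay, the comment should say why configuration-based selection is not sufficient here.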
> @@ -503,7 +510,8 @@ def _main():
> parser = argparse.ArgumentParser(description="Generate a TLV dataset for the Barebox TLV parser")
> parser.add_argument("schema", help="YAML file describing the data.")
> parser.add_argument("--input-data", help="YAML file containing data to write to the binary.")
> - parser.add_argument("--sign", help=" When using --input-data: Private key to sign the TLV with.")
> + parser.add_argument("--sign", help="When using --input-data: Private key to sign the TLV with.")
> + parser.add_argument("--engine", help="OpenSSL engine to use for private key operations (e.g. pkcs11).")
> parser.add_argument("--output-data", help="YAML file where the contents of the binary will be written to.")
> parser.add_argument("--verify", help="When using --output-data: Public key to verify the signature against")
> parser.add_argument("binary", help="Path to where export data to be copied into DUT's EEPROM.")
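Review bot: the `--engine` help text should state that it only takes effect together with `--sign`, in the same style as the `--sign` help ("When using --input-data: ..."), and that it is not needed with pkcs11-provider on OpenSSL 3. The whitespace fix to the `--sign` help string is unrelated to engine support and belongs in its own commit.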
> @@ -519,7 +527,7 @@ def _main():
> data = yaml.load(d_fh, Loader=yaml.SafeLoader)
>
> if args.sign:
> - privkey = PrivateKey(path=args.sign)
> + privkey = PrivateKey(path=args.sign, engine=args.engine)
> else:
> privkey = None
> bin = eeprom.encode(data, sign=privkey)
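Review bot: `args.engine` is only consulted inside `if args.sign:`, so `--engine` passed without `--sign` is silently ignored; a `parser.error(...)` for that combination would surface the mistake instead of producing an unsigned binary.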
--
Pengutronix e.K. | Jonas Rebmann |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |
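Added here to illustrate the provider route the reply describes, not part of the patch or of the barebox project: a minimal openssl.cnf that loads pkcs11-provider so the existing `-inkey` path of bareboxtlv-generator.py resolves a `pkcs11:` URI without any engine option. The module paths, token and object labels are assumptions for a SoftHSM2 setup and must be adjusted to the installation.

```ini
# Added illustration (not project code): openssl.cnf enabling pkcs11-provider.
# Select it via the environment before running the unchanged script, e.g.
#   OPENSSL_CONF=/path/to/this.cnf bareboxtlv-generator.py schema.yaml \
#       --input-data data.yaml --sign "pkcs11:token=barebox;object=tlv-key" out.bin
# Token and object labels above are assumed values for a SoftHSM2 token.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Listing providers explicitly disables auto-loading, so keep the default
# provider active for the software algorithms the script also needs.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Path of the pkcs11-provider module; distribution specific (assumed).
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
# PKCS#11 module that actually holds the private key (assumed: SoftHSM2).
pkcs11-module-path = /usr/lib/softhsm/libsofthsm2.so
activate = 1
```

With this in place the `openssl pkey -pubout -in pkcs11:...` and `openssl pkeyutl -sign ... -inkey pkcs11:...` calls issued by the script go through the provider, which is the behaviour the reply reports having tested.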