Delivery-date: Mon, 10 Mar 2025 09:27:23 +0100
From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Rouven Czerwinski
Date: Mon, 10 Mar 2025 09:27:07 +0100
Subject: Re: [ptxdist] [APPLIED] imx-cst: version bump 3.1.0 -> 3.4.1
Message-Id: <20250310082707.657312-1-m.olbrich@pengutronix.de>
In-Reply-To: <20250305110033.288089-1-r.czerwinski@pengutronix.de>
References: <20250305110033.288089-1-r.czerwinski@pengutronix.de>
List-Id: PTXdist Development Mailing List

Thanks, applied as 900a4e6548d9b20752cbd9d37a0bee36e5a24228.

Michael

[sent from post-receive hook]

On Mon, 10 Mar 2025 09:27:07 +0100, Rouven Czerwinski wrote:
> The CST archive from NXP now ships with a proper Makefile, all we need
> to do is supply the correct host openssl library. Additionally, pkcs11
> is now supported, but has to be enabled via "-b pkcs11".
>
> In barebox recipes that means the compile environment needs to
> contain CST_EXTRA_CMDLINE_OPTIONS="-b pkcs11", to use the native pkcs11
> backend.
>
> Additionally the frontend library no longer exists.
>
> Signed-off-by: Rouven Czerwinski
> Message-Id: <20250305110033.288089-1-r.czerwinski@pengutronix.de>
> [mol: remove obsolete patch]
> Signed-off-by: Michael Olbrich
>
> diff --git a/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch b/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch > deleted file mode 100644 > index 1c4cf697add7..000000000000 > --- a/patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch > +++ /dev/null 
> @@ -1,162 +0,0 @@ > -From d41ca6a9afdf25c19c0a7f1d9e8ad089b2eeb46b Mon Sep 17 00:00:00 2001 > -From: Sascha Hauer > -Date: Fri, 27 Sep 2019 10:04:18 +0200 > -Subject: [PATCH] cst: Add pkcs11 support > - > -This adds native pkcs11 support to cst. The pkcs11 uri must be passed in > -in environment variables. The csf file will have __ENV__foo where a > -filename is expected and then the pkcs11 uri is read from the > -environment variable "foo". This is necessary as the binary portion > -of the cst tool will mangle all characters that remotely look like > -special characters, like ':' and ';'. > -The key pass file is read from the environment variable CST_SIGN_PIN > -if exists. > - > -Signed-off-by: Sascha Hauer > ---- > - code/back_end/src/openssl_helper.c | 85 ++++++++++++++++++++++++++++++ > - code/back_end/src/pkey.c | 4 ++ > - 2 files changed, 89 insertions(+) > - > -diff --git a/code/back_end/src/openssl_helper.c b/code/back_end/src/openssl_helper.c > -index 3a54ac7..2b20a5e 100644 > ---- a/code/back_end/src/openssl_helper.c > -+++ b/code/back_end/src/openssl_helper.c > -@@ -35,6 +35,7 @@ without specific written permission from NXP. 
> - #include > - #include > - #include > -+#include > - #include "openssl_helper.h" > - #include "version.h" > - #include > -@@ -408,6 +409,48 @@ write_cert_file(const char *filename, const BIO *data) > - return CST_SUCCESS; > - } > - > -+static X509* > -+read_certificate_pkcs11(const char *uri) > -+{ > -+ char *key_pass; > -+ ENGINE *e; > -+ struct { > -+ const char *url; > -+ X509 *cert; > -+ } parms = { > -+ .url = uri, > -+ }; > -+ int err; > -+ > -+ ENGINE_load_builtin_engines(); > -+ e = ENGINE_by_id("pkcs11"); > -+ if (!e) > -+ { > -+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n"); > -+ return NULL; > -+ } > -+ > -+ if (!ENGINE_init(e)) > -+ { > -+ fprintf(stderr, "Cannot ENGINE_init\n"); > -+ return NULL; > -+ } > -+ > -+ key_pass = getenv("CST_SIGN_PIN"); > -+ if (key_pass) > -+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) > -+ { > -+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n"); > -+ return NULL; > -+ } > -+ > -+ err = ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 0); > -+ if (!err || !parms.cert) > -+ fprintf(stderr, "Cannot Load certificate\n"); > -+ > -+ return parms.cert; > -+} > -+ > - /*-------------------------- > - read_certificate > - ---------------------------*/ > -@@ -427,6 +470,13 @@ read_certificate(const char* filename) > - return NULL; > - } > - > -+ if (!strncmp(filename, "__ENV__", 7)) > -+ filename = getenv(filename + 7); > -+ > -+ if (!strncmp(filename, "pkcs11:", 7)) > -+ { > -+ return read_certificate_pkcs11(filename); > -+ } else > - /* PEM encoded */ > - if (!strncasecmp(temp, PEM_FILE_EXTENSION, PEM_FILE_EXTENSION_BYTES)) > - { > -@@ -482,6 +532,36 @@ int32_t get_der_encoded_certificate_data(const char* filename, > - return ret_val; > - } > - > -+static EVP_PKEY *read_private_key_pkcs11(const char *uri) > -+{ > -+ char *key_pass; > -+ ENGINE *e; > -+ > -+ ENGINE_load_builtin_engines(); > -+ e = ENGINE_by_id("pkcs11"); > -+ if (!e) > -+ { > -+ fprintf(stderr, "Cannot Load PKCS#11 ENGINE\n"); > -+ return NULL; > -+ } 
> -+ > -+ if (!ENGINE_init(e)) > -+ { > -+ fprintf(stderr, "Cannot ENGINE_init\n"); > -+ return NULL; > -+ } > -+ > -+ key_pass = getenv("CST_SIGN_PIN"); > -+ if (key_pass) > -+ if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) > -+ { > -+ fprintf(stderr, "Cannot Set PKCS#11 PIN\n"); > -+ return NULL; > -+ } > -+ > -+ return ENGINE_load_private_key(e, uri, NULL, NULL); > -+} > -+ > - /*-------------------------- > - read_private_key > - ---------------------------*/ > -@@ -495,6 +575,11 @@ read_private_key(const char *filename, pem_password_cb *password_cb, > - const char *temp = filename + strlen(filename) - > - PEM_FILE_EXTENSION_BYTES; > - > -+ if (!strncmp(filename, "__ENV__", 7)) > -+ filename = getenv(filename + 7); > -+ if (!strncmp(filename, "pkcs11:", 7)) > -+ return read_private_key_pkcs11(filename); > -+ > - /* Read Private key */ > - private_key = BIO_new(BIO_s_file( )); > - if (!private_key) > -diff --git a/code/back_end/src/pkey.c b/code/back_end/src/pkey.c > -index 9ee5049..033954b 100644 > ---- a/code/back_end/src/pkey.c > -+++ b/code/back_end/src/pkey.c > -@@ -144,6 +144,10 @@ int32_t get_key_file(const char* cert_file, char* key_file) > - to filename length */ > - > - strcpy(key_file, cert_file); > -+ > -+ if (!strncmp(cert_file, "__ENV__", 7)) > -+ return CAL_SUCCESS; > -+ > - key_file[i] = 0; > - > - key_file[i-5] = 'y'; > --- > -2.23.0 > - > diff --git a/patches/cst-3.1.0/series b/patches/cst-3.1.0/series > deleted file mode 100644 > index 78398c0d722c..000000000000 > --- a/patches/cst-3.1.0/series > +++ /dev/null > @@ -1 +0,0 @@ > -0001-cst-Add-pkcs11-support.patch > diff --git a/rules/host-imx-cst.make b/rules/host-imx-cst.make > index 42d6f667b821..3850f7200628 100644 > --- a/rules/host-imx-cst.make > +++ b/rules/host-imx-cst.make 
> @@ -14,8 +14,8 @@ HOST_PACKAGES-$(PTXCONF_HOST_IMX_CST) += host-imx-cst > # > # Paths and names > # > -HOST_IMX_CST_VERSION := 3.1.0 > -HOST_IMX_CST_MD5 := 89a2d6c05253c4de9a1bf9d5710bb7ae > +HOST_IMX_CST_VERSION := 3.4.1 > +HOST_IMX_CST_MD5 := b23ed5983734d4812fcf1da33eac8f31 > HOST_IMX_CST := cst-$(HOST_IMX_CST_VERSION) > HOST_IMX_CST_SUFFIX := tgz > HOST_IMX_CST_SOURCE := $(SRCDIR)/$(HOST_IMX_CST).$(HOST_IMX_CST_SUFFIX) > @@ -56,13 +56,9 @@ HOST_IMX_CST_CONF := NO > HOST_IMX_CST_ARCH := \ > linux$(call ptx/ifeq, GNU_BUILD, x86_64-%, 64, 32) > > -$(STATEDIR)/host-imx-cst.compile: > - @$(call targetinfo) > - cd $(HOST_IMX_CST_DIR)/code/back_end/src && \ > - $(HOSTCC) \ > - -Wall -O2 -g3 -o ../../../$(HOST_IMX_CST_ARCH)/bin/cst \ > - -I ../hdr -L ../../../$(HOST_IMX_CST_ARCH)/lib *.c -lfrontend -lcrypto > - @$(call touch) > +HOST_IMX_CST_MAKE_ENV := \ > + $(HOST_ENV) \ > + OPENSSL_PATH="$(PTXDIST_SYSROOT_HOST)/usr/lib/" > > # ---------------------------------------------------------------------------- > # Install > @@ -71,19 +67,13 @@ $(STATEDIR)/host-imx-cst.compile: > HOST_IMX_CST_PROGS := \ > cst \ > srktool \ > - x5092wtls > - > -HOST_IMX_CST_LIBS := \ > - libfrontend.a > + mac_dump > > $(STATEDIR)/host-imx-cst.install: > @$(call targetinfo) > @$(foreach prog, $(HOST_IMX_CST_PROGS), \ > - install -v -m0755 -D $(HOST_IMX_CST_DIR)/$(HOST_IMX_CST_ARCH)/bin/$(prog) \ > + install -v -m0755 -D $(HOST_IMX_CST_DIR)/build/$(HOST_IMX_CST_ARCH)/bin/$(prog) \ > $(HOST_IMX_CST_PKGDIR)/usr/bin/$(prog)$(ptx/nl)) > - @$(foreach lib, $(HOST_IMX_CST_LIBS), \ > - install -v -m0644 -D $(HOST_IMX_CST_DIR)/$(HOST_IMX_CST_ARCH)/lib/$(lib) \ > - $(HOST_IMX_CST_PKGDIR)/usr/lib/imx-cst/$(lib)$(ptx/nl)) > @$(call touch) > > # vim: syntax=make
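Review bot: deleting patches/cst-3.1.0/0001-cst-Add-pkcs11-support.patch also deletes the `__ENV__foo` filename indirection and the `CST_SIGN_PIN` environment PIN that it wired into `read_certificate()`, `read_private_key()` and `get_key_file()`, while the commit message only says pkcs11 is "now supported" via `-b pkcs11`. CSF files and signing setups written against the patched 3.1.0 (a `pkcs11:` URI taken from an environment variable named in the CSF, the PIN in `CST_SIGN_PIN`) are no longer understood by anything in this tree; the commit message should say how the key URI and PIN are handed to the 3.4.1 native backend, or state explicitly that the old convention is gone. For what it is worth, the removed code did `filename = getenv(filename + 7);` and then called `strncmp(filename, "pkcs11:", 7)` without checking for NULL, so an unset variable crashed cst; that is one reason not to carry the patch forward unchanged.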
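Review bot: in the version hunk, `HOST_IMX_CST_MD5 := b23ed5983734d4812fcf1da33eac8f31` is the only integrity check on the NXP tarball, and neither the rule nor the commit message says where the value came from. A sentence in the message noting how the checksum was obtained (for example that it matches the archive as published by NXP) would let the next reviewer re-verify the tarball instead of trusting the number in the rule.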
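Review bot: in the compile hunk, `OPENSSL_PATH="$(PTXDIST_SYSROOT_HOST)/usr/lib/"` hands the upstream Makefile a library directory, whereas the removed compile step passed `-I ../hdr`, `-L ../../../$(HOST_IMX_CST_ARCH)/lib` and `-lcrypto` separately; a one-line comment in the rule stating what the NXP Makefile expects in OPENSSL_PATH (a lib directory or an install prefix) would save the next version bump from guessing. The dropped `-Wall -O2 -g3` and explicit `$(HOSTCC)` are now whatever the upstream Makefile picks from `$(HOST_ENV)`, and nothing in this hunk declares a build- or run-time dependency for the pkcs11 backend that the message says is selected with `-b pkcs11`; if one is needed, it belongs in this rule.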
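Review bot: in the install hunk, `HOST_IMX_CST_PROGS` silently swaps `x5092wtls` for `mac_dump` and the binaries now come from `build/$(HOST_IMX_CST_ARCH)/bin/`, but the commit message only mentions the frontend library going away. Worth a sentence saying that `x5092wtls` is no longer shipped (anything that invoked it from a recipe will break) and what `mac_dump` is, since it is being installed as a host tool under `/usr/bin`.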