From: Sascha Hauer <s.hauer@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: [ptxdist] [PATCH v2 3/3] code-signing: enable provider support
Date: Thu, 23 Apr 2026 11:25:48 +0200	[thread overview]
Message-ID: <20260423-code-signing-provider-v2-3-be62a422e84a@pengutronix.de> (raw)
In-Reply-To: <20260423-code-signing-provider-v2-0-be62a422e84a@pengutronix.de>

OpenSSL engines have long been deprecated. Add support for providers to
the ptxdist code signing infrastructure.

We add a custom openssl-pkcs11.cnf to specify
pkcs11-module-block-operations = digest. The reason is that softhsm2
itself uses openssl for digesting. Without this option softhsm would end
up calling itself via openssl resulting in a deadlock. Now that we have
a custom config already we also use it to specify the path to the pkcs11
module.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 platforms/code-signing.in               |  1 +
 rules/host-softhsm.in                   |  1 +
 rules/host-softhsm.make                 | 27 +++++++++++++++++++++++++++
 rules/pre/010-code-signing.make         |  2 +-
 rules/pre/020-code-signing-softhsm.make |  3 ++-
 5 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/platforms/code-signing.in b/platforms/code-signing.in
index 81f9ef6f3..a20982f20 100644
--- a/platforms/code-signing.in
+++ b/platforms/code-signing.in
@@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
 	bool
 	select VIRTUAL
 	select HOST_LIBP11
+	select HOST_PKCS11_PROVIDER
 	prompt "Code signing                  "
 	help
 	  This option enables the ptxdist signing infrastructure.
diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
index 160f4b598..dfa1e3c8e 100644
--- a/rules/host-softhsm.in
+++ b/rules/host-softhsm.in
@@ -4,6 +4,7 @@ config HOST_SOFTHSM
 	tristate
 	select HOST_P11_KIT
 	select HOST_OPENSSL
+	select HOST_PKCS11_PROVIDER
 	select HOST_SQLITE
 	default y if ALLYES
 	help
diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
index 67d9c5ab8..613a42b42 100644
--- a/rules/host-softhsm.make
+++ b/rules/host-softhsm.make
@@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT	:= \
 HOST_SOFTHSM_CPPFLAGS := \
 	-DDEBUG_LOG_STDERR=1
 
+# ----------------------------------------------------------------------------
+# Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/host-softhsm.install:
+	@$(call targetinfo)
+	@$(call world/install, HOST_SOFTHSM)
+	@{ \
+	echo 'openssl_conf = openssl_init'; \
+	echo ''; \
+	echo '[openssl_init]'; \
+	echo 'providers = provider_sect'; \
+	echo ''; \
+	echo '[provider_sect]'; \
+	echo 'default = default_sect'; \
+	echo 'pkcs11 = pkcs11_sect'; \
+	echo ''; \
+	echo '[default_sect]'; \
+	echo 'activate = 1'; \
+	echo ''; \
+	echo '[pkcs11_sect]'; \
+	echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; \
+	echo 'activate = 1'; \
+	echo 'pkcs11-module-block-operations = digest'; \
+	} > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
+	@$(call touch)
+
 # vim: syntax=make
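Review bot: The generated openssl-pkcs11.cnf is only created by the host-softhsm install stage, yet rules/pre/010-code-signing.make now points OPENSSL_CONF at it for every code-signing build; the visible part of platforms/code-signing.in selects HOST_PKCS11_PROVIDER but not HOST_SOFTHSM, so unless that select exists outside the hunk, a setup signing with a real HSM would run openssl with a missing config file and the pkcs11 provider never activated. Consider generating the config from the host-pkcs11-provider package (or a code-signing rule) instead, and keep only the softhsm-specific `pkcs11-module-block-operations` line here. The rationale from the commit message belongs next to that line, since nothing in the file explains it: `# softhsm2 uses openssl for digests; if the pkcs11 provider also served digest operations, openssl would call back into softhsm2 and deadlock`. The redirect on the `}` line writes straight into the sysroot; writing to a temporary file and renaming it with `mv -f` would avoid leaving a truncated config behind if the recipe is interrupted.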
diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
index 6141a7b19..238f37934 100644
--- a/rules/pre/010-code-signing.make
+++ b/rules/pre/010-code-signing.make
@@ -8,7 +8,7 @@
 
 CODE_SIGNING_ENV = \
 	SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
-	OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
+	OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
 	OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
 
 #
diff --git a/rules/pre/020-code-signing-softhsm.make b/rules/pre/020-code-signing-softhsm.make
index 62e3ab331..3f1307ca9 100644
--- a/rules/pre/020-code-signing-softhsm.make
+++ b/rules/pre/020-code-signing-softhsm.make
@@ -9,7 +9,8 @@
 ifdef PTXCONF_HOST_SOFTHSM
 SOFTHSM_CODE_SIGNING_ENV = \
 	SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
-	PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
+	PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
+	PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
 
 CODE_SIGNING_ENV += \
 	$(SOFTHSM_CODE_SIGNING_ENV)
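Review bot: `PKCS11_MODULE_PATH` and the new `PKCS11_PROVIDER_MODULE` spell out the same libsofthsm2.so path twice, so the two can drift apart silently if the softhsm install layout changes. Define it once, e.g. `SOFTHSM_PKCS11_MODULE := $(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so`, and reference `$(SOFTHSM_PKCS11_MODULE)` from both assignments. For consistency with the quoted `SOFTHSM2_CONF` value above, the two module paths should be quoted the same way. The `ifdef PTXCONF_HOST_SOFTHSM` block closes outside the hunk.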

-- 
2.47.3



