From mboxrd@z Thu Jan 1 00:00:00 1970
Delivery-date: Tue, 23 Jun 2026 16:13:33 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wc1sb-0091Q5-23 for lore@lore.pengutronix.de; Tue, 23 Jun 2026 16:13:33 +0200
Received: from [127.0.0.1] (helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wc1sb-0007Sk-Gn; Tue, 23 Jun 2026 16:13:33 +0200
Received: from dude04.red.stw.pengutronix.de ([2a0a:edc0:0:1101:1d::ac]) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1wc1sT-0007SV-Dk; Tue, 23 Jun 2026 16:13:25 +0200
From: =?UTF-8?q?Sven=20P=C3=BCschel?=
To: ptxdist@pengutronix.de
Date: Tue, 23 Jun 2026 16:12:31 +0200
Message-ID: <20260623141303.1126598-1-s.pueschel@pengutronix.de>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [ptxdist] [PATCH] ptxd_lib_code_signing: only import public key in cs_import_pubkey_from_pem
X-BeenThere: ptxdist@pengutronix.de
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PTXdist Development Mailing List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Reply-To: ptxdist@pengutronix.de
Cc: Martin Domig , =?UTF-8?q?Sven=20P=C3=BCschel?=
Sender: "ptxdist"
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de
X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false

From: Martin Domig

Only import the public key in cs_import_pubkey_from_pem, as without the -pubin flag the 'openssl pkey' command tries to import a private key. This is a problem when only the public key is available in the PEM file (e.g. production key instead of a development key). This results in the following error:

    Could not find private key of key from pubkey.pem
    40238C2FB57F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:160:provider=default

From the man page of `openssl pkey` the -pubin flag also works with a private key input. In this case openssl will only read the public part.

Signed-off-by: Martin Domig
Co-developed-by: Sven Püschel
Signed-off-by: Sven Püschel
--- scripts/lib/ptxd_lib_code_signing.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index c7bcfc257..aa4ef9984 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -237,7 +237,7 @@ cs_import_pubkey_from_pem() { openssl pkey \ "${openssl_keyopt[@]}" \ - -in "${pem}" -inform pem -pubout -outform der -out "/proc/self/fd/${tmpfd}" + -pubin -in "${pem}" -inform pem -pubout -outform der -out "/proc/self/fd/${tmpfd}" softhsm_pkcs11_tool --type pubkey --write-object "/proc/self/fd/${tmpfd}" --label "${role}" check_pipe_status } -- 2.47.3
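Review bot: In cs_import_pubkey_from_pem(), the added `-pubin` on the `openssl pkey` line now also applies when "${pem}" contains a private key (the development-key case the commit message mentions), and the only support given for that case still working is the man page reference. Please say which openssl versions this was run against with both a public-only PEM and a private-key PEM, so the development-key path is known not to regress. A short comment above the call noting that the function accepts either kind of PEM and only ever reads the public part would document the intent for the next reader.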