From: Pratik Manvar <pratik.manvar@ifm.com>
Date: Wed, 30 Jul 2025 19:21:50 +0530
Subject: Extend PKCS#11 support to handle optional slot and id parameters
The PKCS11 signing option uses `pkcs11-tool` for archive signing. This
tool supports additional arguments such as `--slot` and `--id` along
with `--module` and `--pin`.
This commit enhances the PKCS#11 signing to support up to five parameters:
- PIN argument remains mandatory.
- Add the slot and id as optional parameters along with module.
The new format for the signing option is:
`PKCS11,<pin>[,<module>,<slot>,<id>]`
Signed-off-by: Pratik Manvar <pratik.manvar@ifm.com>
Forwarded: not-needed
Origin: upstream
---
swugenerator/main.py | 17 ++++++++++-------
swugenerator/swu_sign.py | 6 +++++-
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/swugenerator/main.py b/swugenerator/main.py
index cf66a13..ed0c94f 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -102,7 +102,7 @@ def parse_signing_option(
CMS,<private key>,<certificate used to sign>
RSA,<private key>,<file with password>
RSA,<private key>
- PKCS11,<pin>[,<module>]
+ PKCS11,<pin>[,<module>,<slot>,<id>]
CUSTOM,<custom command>
Args:
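Review bot: the docstring notation `PKCS11,<pin>[,<module>,<slot>,<id>]` reads as an all-or-nothing group, but the parser below accepts any prefix of the optional fields (2 to 5 entries) and they are positional, so `<slot>` cannot be given without a `<module>` field in front of it. Nested brackets describe that accurately: `PKCS11,<pin>[,<module>[,<slot>[,<id>]]]`.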
@@ -143,12 +143,15 @@ def parse_signing_option(
# Format : RSA,<private key>
return SWUSignRSA(sign_parms[1], None)
if cmd == "PKCS11":
- # Format : PKCS11,<pin>[,<module>]
- if len(sign_parms) not in (2, 3) or not all(sign_parms[0:2]):
- raise InvalidSigningOption("PKCS11 requires pin and optional module path")
+ # Format : PKCS11,<pin>[,<module>,<slot>,<id>]
+ if len(sign_parms) not in range(2, 6) or not all(sign_parms[0:2]):
+ raise InvalidSigningOption("PKCS11 requires pin and optional parameters such as module path, slot or id")
pin = sign_parms[1]
- module = sign_parms[2] if len(sign_parms) == 3 else None
- return SWUSignPKCS11(pin, module)
+ module = sign_parms[2] if len(sign_parms) > 2 else None
+ slot = sign_parms[3] if len(sign_parms) > 3 else None
+ obj_id = sign_parms[4] if len(sign_parms) > 4 else None
+
+ return SWUSignPKCS11(pin, module, slot, obj_id)
if cmd == "CUSTOM":
# Format : CUSTOM,<custom command>
if len(sign_parms) < 2 or not all(sign_parms):
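Review bot: the validation `not all(sign_parms[0:2])` still only checks the command and the pin, so with the new 5-field form an empty `<module>` or `<slot>` field passes the check, reaches `SWUSignPKCS11` as `""`, and is silently dropped there by the `if module:` / `if slot:` guards. That is either a feature (an empty field as the way to skip a positional option, e.g. `PKCS11,<pin>,,<slot>`) or a bug, and the hunk should pick one: either document it in the format comment and the error message, or validate every field that was supplied, for instance `or not all(sign_parms)` as the CUSTOM branch already does. Minor: `len(sign_parms) not in range(2, 6)` builds a range just to test membership; `not 2 <= len(sign_parms) <= 5` says the same thing more directly.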
@@ -271,7 +274,7 @@ def parse_args(args: List[str]) -> None:
-g, --engine ENGINE OpenSSL engine to use for signing (e.g., pkcs11)
-f, --keyform KEYFORM Key format to use for signing (e.g., engine)
RSA,<private key>,<file with password if any>
- PKCS11,<pin>[,<module>]
+ PKCS11,<pin>[,<module>,<slot>,<id>]
CUSTOM,<custom command> """
),
)
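Review bot: the user-facing help now exposes `<slot>` and `<id>` without saying what pkcs11-tool expects in them. Since the values are passed straight through to `--slot` and `--id`, the help line (or a short note under it) should state that `<slot>` is the numeric slot ID reported by `pkcs11-tool --list-slots` (not the slot index) and `<id>` is the object's CKA_ID as a hex string, otherwise users will try a label or an index and get an opaque failure from the tool.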
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 9d5b6c8..53b6727 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -113,12 +113,16 @@ class SWUSignCustom(SWUSign):
# Note: tested with Nitrokey HSM
class SWUSignPKCS11(SWUSign):
- def __init__(self, pin, module=None):
+ def __init__(self, pin, module=None, slot=None, obj_id=None):
super().__init__()
self.type = "PKCS11"
self.custom = []
if module:
self.custom.extend(["--module", module])
+ if slot:
+ self.custom.extend(["--slot", slot])
+ if obj_id:
+ self.custom.extend(["--id", obj_id])
self.custom.extend(["--pin", pin])
def prepare_cmd(self, sw_desc_in, sw_desc_sig):
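Review bot: `if slot:` and `if obj_id:` make an empty string behave like `None`, so a malformed option such as `PKCS11,<pin>,<module>,,<id>` silently falls back to pkcs11-tool's default slot selection instead of failing; if empty fields are not meant as a deliberate skip, the constructor should raise (or at least log) rather than drop the flag. Two smaller points: the `# Note: tested with Nitrokey HSM` comment predates the slot and id parameters and should say whether the new flags were exercised on that device, and the pre-existing `self.custom.extend(["--pin", pin])` puts the PIN on the pkcs11-tool command line where it is readable by other local users through the process list; that is not introduced here, but now that the option string is being reworked it would be a good moment to document it or move the PIN out of argv.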