[PATCH v5 1/6] tools: mkeficapsule: Add support for pkcs11

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Feb 13 13:56:48 CET 2026


Hi Wojciech,

On Wed Jan 28, 2026 at 10:05 AM EET, Wojciech Dubowik wrote:
> With pkcs11 support it's now possible to specify keys
> in URI format. To use this feature the filename must
> begin with "pkcs11:.." and have a valid URI pointing to the
> certificate and private key in the HSM.
>
> The environment variable PKCS11_MODULE_PATH must point to the
> right pkcs11 provider i.e. with softhsm:
> export PKCS11_MODULE_PATH=<path>/libsofthsm2.so
>
>

[...]

> -	ret = read_bin_file(ctx->cert_file, &cert.data, &file_size);
> -	if (ret < 0)
> -		return -1;
> -	if (file_size > UINT_MAX)
> -		return -1;
> -	cert.size = file_size;
> +	if (!strncmp(ctx->cert_file, "pkcs11:", 7))
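
Review bot: ctx->cert_file goes straight into strncmp() with no NULL check in the visible lines, and the same holds for ctx->key_file in the matching test below. If either option can be left unset at this point, guard the pointer first. A small helper that takes the string and returns whether it starts with "pkcs11:" would cover both call sites and keep the prefix and its length in one place.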

Can we do strlen() instead of 7?

> +		pkcs11_cert = true;
>
> -	ret = read_bin_file(ctx->key_file, &key.data, &file_size);
> -	if (ret < 0)
> -		return -1;
> -	if (file_size > UINT_MAX)
> -		return -1;
> -	key.size = file_size;
> +	if (!strncmp(ctx->key_file, "pkcs11:", 7))

Same

> +		pkcs11_key = true;
> +
> +	if (pkcs11_cert || pkcs11_key) {
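
Review bot: with `pkcs11_cert || pkcs11_key` this branch is also taken when only one of the two names is a pkcs11: URI, so the other is still a plain file path. The removed lines checked `ret < 0` and rejected `file_size > UINT_MAX` before assigning cert.size and key.size. Whichever side is still read from a file should keep both checks, or the mixed case should be rejected here with an explicit error.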

Don't you need both the cert & key to sign the capsule?
I'd simplify the logic here. Instead of having both a pkcs_key and a pkcs_cert,
replace the variables with is_pkcs and have that set to true if both the key
and cert have been found.

Then the if/else cases later will become a bit easier to read since you'll have
to load the private key & crt in a single if/else case depending on is_pkcs.

> +		lib = getenv("PKCS11_MODULE_PATH");
> +		if (!lib) {
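
Review bot: `if (!lib)` only catches PKCS11_MODULE_PATH being unset; a variable that is set but empty passes this check and is handed on as the module path. Test `!lib || !*lib` instead, and name the variable in the error so the user knows what to export.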

[...]

Thanks
/Ilias

