
Add uri2pem.py tool to create pkcs11-provider PEM key files #363

Merged (1 commit), Apr 4, 2024

Conversation

space88man
Contributor

@space88man space88man commented Mar 20, 2024

Add a cli tool to create PEM files in PKCS#11 PROVIDER URI format

[Updated] Usage:

usage: uri2pem.py [-h] [--bypass] [--verify] [--out OUTPUT_FILE] keyuri

positional arguments:
  keyuri             the PKCS#11 key URI to encode

options:
  -h, --help         show this help message and exit
  --bypass           skip basic URI checks
  --verify           verify PEM file with OpenSSL; requires --out to be specified
  --out OUTPUT_FILE  output to PEM file, otherwise to stdout

Example run:

OPENSSL_CONF=../../softoken/openssl.cnf python uri2pem.py  \
    --verify --out something.pem \
    'pkcs11:model=NSS%203;manufacturer=Mozilla...type=private'

===== OpenSSL pkey output =====
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
===== END =====
uri2pem.py: verification of private key PEM(something.pem) OK
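To show what a "PKCS#11 PROVIDER URI" PEM file actually contains, here is an added example (not the PR's uri2pem.py and not pkcs11-provider code) that encodes a PKCS#11 URI as the provider's man page documents the format, a DER SEQUENCE of two UTF8Strings (desc, uri), runs basic URI checks with a bypass switch, and decodes the result back. The desc string is the one I know the provider's own encoder writes; the attribute allow-list, the checks and all function names are my own assumptions, and the armor is done by hand rather than with asn1crypto because of the '#' in the label.

```python
import base64
PEM_LABEL = "PKCS#11 PROVIDER URI"   # PEM label the provider's decoder matches on
DESC = "PKCS#11 Provider URI v1.0"   # desc string the provider's encoder writes (assumed)
# Allow-list for the sanity check: RFC 7512 path attributes (constructed here).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer", "library-version",
              "library-description", "object", "type", "id", "slot-description", "slot-manufacturer", "slot-id"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}
def check_uri(uri: str) -> None:
    # Basic string checks (what --bypass would skip); raises ValueError on a bad URI.
    if not uri.startswith("pkcs11:"):
        raise ValueError("URI must start with 'pkcs11:'")
    for comp in filter(None, uri[7:].split("?", 1)[0].split(";")):   # path part only
        name, sep, value = comp.partition("=")
        if not sep or name not in PATH_ATTRS:
            raise ValueError(f"unexpected path attribute: {comp!r}")
        if name == "type" and value not in OBJECT_TYPES:
            raise ValueError(f"unknown object type: {value!r}")
def _tlv(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV: short-form length below 128 bytes, long form otherwise.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body
def uri_to_der(uri: str, bypass: bool = False) -> bytes:
    # P11ProvURI ::= SEQUENCE { desc UTF8String, uri UTF8String }
    if not bypass:
        check_uri(uri)
    return _tlv(0x30, _tlv(0x0C, DESC.encode()) + _tlv(0x0C, uri.encode()))
def uri_to_pem(uri: str, bypass: bool = False) -> str:
    # Armor by hand, 64 base64 characters per line, under the provider's label.
    b64 = base64.b64encode(uri_to_der(uri, bypass)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {PEM_LABEL}-----\n{body}\n-----END {PEM_LABEL}-----\n"
def _read_tlv(buf: bytes, pos: int):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def pem_to_uri(pem: str) -> tuple:
    # Decode back to (desc, uri), rejecting anything that is not the expected shape.
    lines = pem.strip().splitlines()
    if lines[0] != f"-----BEGIN {PEM_LABEL}-----" or lines[-1] != f"-----END {PEM_LABEL}-----":
        raise ValueError("PEM label mismatch")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    t1, desc, p = _read_tlv(seq, 0)
    t2, uri, p = _read_tlv(seq, p)
    if (tag, t1, t2) != (0x30, 0x0C, 0x0C) or end != len(der) or p != len(seq):
        raise ValueError("not a SEQUENCE of exactly two UTF8Strings")
    return desc.decode(), uri.decode()
```

Whether the provider then accepts the file still depends on the URI matching an object on an available token, which is what the PR's --verify step checks with OpenSSL.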

@space88man force-pushed the pem-tools branch 2 times, most recently from 1814982 to 0efe892, March 20, 2024 02:30
@simo5
Member

simo5 commented Mar 20, 2024

This allows creating anything. I think the tool should try to validate the URI by default (maybe by calling the openssl storeutl tool or something), and provide a bypass mode for those that "know what they are doing".

Also we'd need a test to ensure that what this tool is producing are actually working files, i.e. again use an openssl tool to import the file and see that the pkcs11 provider was able to parse it.

@space88man
Contributor Author

space88man commented Mar 20, 2024

This allows creating anything. I think the tool should try to validate the URI by default (maybe by calling the openssl storeutl tool or something), and provide a bypass mode for those that "know what they are doing".

Update:

  • basic string checks for sane URIs
  • option --out <filename> to write to PEM file
  • if run online (token is available): --out <filename> --verify attempts to load the PEM file using openssl
  • --bypass option to create PEM files with bogus URIs

Also we'd need a test to ensure that what this tool is producing are actually working files, i.e. again use an openssl tool to import the file and see that the pkcs11 provider was able to parse it.

In tools/tests: add a few pytest tests that use the token in tests/tmp.softokn/tokens; this requires that make check be run first. The test will write out the first private key it finds and then verify that pkey can load the PEM file. The test enables pkcs11-module-encode-provider-uri-to-pem = true via tools/openssl-tools.cnf.

The tests work around a bug in asn1crypto that does not like the # sign in PEM labels.

A successful test run should look like:

pip install pytest
# dnf install python3-pytest
cd tools/
pytest tests/
==== test session starts ====
platform linux -- Python 3.12.2, pytest-8.1.1, pluggy-1.4.0
rootdir: /openssl/pkcs11-provider/tools
collected 3 items

tests/test_softoken.py ...                                                                      [100%]

==== 3 passed in 0.18s ====

@space88man force-pushed the pem-tools branch 4 times, most recently from d293ed1 to b72d1fe, March 20, 2024 23:36
@simo5 simo5 mentioned this pull request Apr 3, 2024
@simo5
Member

simo5 commented Apr 3, 2024

@space88man Can you please fix the REUSE issues?
One needs an opt-out in .reuse/dep5.
The other needs a (C) line in the .py file; see any of the tests/ scripts for an example.

@space88man force-pushed the pem-tools branch 2 times, most recently from 9aa2ec6 to 39f10c2, April 3, 2024 21:54
@space88man
Contributor Author

@space88man Can you please fix the REUSE issues?

  • done!

Signed-off-by: S-P Chan <shihping.chan@gmail.com>
@simo5
Member

simo5 commented Apr 4, 2024

Thanks @space88man, merging

@simo5 simo5 merged commit b8624f0 into latchset:main Apr 4, 2024
22 checks passed