| Message ID | 20250531113252.3889951-2-johannes.schneider@leica-geosystems.com |
|---|---|
| State | Accepted |
| Series | signing.bbclass: add certificate chain handling |
On Sat, 2025-05-31 at 13:32 +0200, Johannes Schneider via lists.openembedded.org wrote:

> Refactor the two methods to import certificates from PEM/DER to be
> usable independently from keymaterial that is linked to a role.
>
> By having the import_cert_from methods create a storage location (aka
> role) in the softhsm dynamically. This way certificates can - but
> don't have to - be linked to a key, or can stand on their own if chain
> of certificates from a PKI has to be managed.
>
> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> ---
> meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++--------
> 1 file changed, 32 insertions(+), 10 deletions(-)
>
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index 8af7bbf8e0..c768371151 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -123,15 +123,26 @@ signing_import_define_role() { > echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ > } > > -# signing_import_cert_from_der <role> <der> > +# signing_import_cert_from_der <cert_name> <der> > # > -# Import a certificate from DER file to a role. To be used > -# with SoftHSM. > +# Import a certificate from DER file to a cert_name. > +# Where the <cert_name> can either be a previously setup > +# signing_import_define_role linking the certificate to a signing key, > +# or a new identifier when dealing with a standalone certificate. > +# > +# To be used with SoftHSM. > signing_import_cert_from_der() { > - local role="${1}" > + local cert_name="${1}" > local der="${2}" > > - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" > + # check wether the cert_name/role needs to be defined first, > + # or do so otherwise > + local uri=$(siging_get_uri $cert_name) > + if [ -z "$uri" ]; then > + signing_import_define_role "$cert_name"

Semantically, this isn't a 'role' any more, but we can resolve the naming of signing_import_define_role later.

> + fi > + > + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" > } > > # signing_import_cert_chain_from_pem <role> <pem>
> @@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { > done > } > > -# signing_import_cert_from_pem <role> <pem> > +# signing_import_cert_from_pem <cert_name> <pem> > # > -# Import a certificate from PEM file to a role. To be used > -# with SoftHSM. > +# Import a certificate from PEM file to a cert_name. > +# Where the <cert_name> can either be a previously setup > +# signing_import_define_role linking the certificate to a signing key, > +# or a new identifier when dealing with a standalone certificate. > +# > +# To be used with SoftHSM. > signing_import_cert_from_pem() { > - local role="${1}" > + local cert_name="${1}" > local pem="${2}" > > + # check wether the cert_name/role needs to be defined first, > + # or do so otherwise > + local uri=$(siging_get_uri $cert_name) > + if [ -z "$uri" ]; then > + signing_import_define_role "$cert_name" > + fi > + > openssl x509 \ > -in "${pem}" -inform pem -outform der | > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"

In the meantime, we found that we can also load PEMs with recent pkcs11-tool, so Enrico will send a patch to simplify this.

Reviewed-by: Jan Luebbe <jlu@pengutronix.de>

> } > > # signing_import_pubkey_from_der <role> <der>
Hoi Jan,

> > Refactor the two methods to import certificates from PEM/DER to be
> > usable independently from keymaterial that is linked to a role.
> >
> > By having the import_cert_from methods create a storage location (aka
> > role) in the softhsm dynamically. This way certificates can - but
> > don't have to - be linked to a key, or can stand on their own if chain
> > of certificates from a PKI has to be managed.
> >
> > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> > ---
> > meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++--------
> > 1 file changed, 32 insertions(+), 10 deletions(-)
> >
> > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> > index 8af7bbf8e0..c768371151 100644
> > --- a/meta-oe/classes/signing.bbclass
> > +++ b/meta-oe/classes/signing.bbclass
> > @@ -123,15 +123,26 @@ signing_import_define_role() { > > echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ > > } > > > > -# signing_import_cert_from_der <role> <der> > > +# signing_import_cert_from_der <cert_name> <der> > > # > > -# Import a certificate from DER file to a role. To be used > > -# with SoftHSM. > > +# Import a certificate from DER file to a cert_name. > > +# Where the <cert_name> can either be a previously setup > > +# signing_import_define_role linking the certificate to a signing key, > > +# or a new identifier when dealing with a standalone certificate. > > +# > > +# To be used with SoftHSM. > > signing_import_cert_from_der() { > > - local role="${1}" > > + local cert_name="${1}" > > local der="${2}" > > > > - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" > > + # check wether the cert_name/role needs to be defined first, > > + # or do so otherwise > > + local uri=$(siging_get_uri $cert_name) > > + if [ -z "$uri" ]; then > > + signing_import_define_role "$cert_name"
>
> Semantically, this isn't a 'role' any more, but we can resolve the naming of
> signing_import_define_role later.
>
> > + fi > > + > > + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" > > } > > > > # signing_import_cert_chain_from_pem <role> <pem>
> > @@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { > > done > > } > > > > -# signing_import_cert_from_pem <role> <pem> > > +# signing_import_cert_from_pem <cert_name> <pem> > > # > > -# Import a certificate from PEM file to a role. To be used > > -# with SoftHSM. > > +# Import a certificate from PEM file to a cert_name. > > +# Where the <cert_name> can either be a previously setup > > +# signing_import_define_role linking the certificate to a signing key, > > +# or a new identifier when dealing with a standalone certificate. > > +# > > +# To be used with SoftHSM. > > signing_import_cert_from_pem() { > > - local role="${1}" > > + local cert_name="${1}" > > local pem="${2}" > > > > + # check wether the cert_name/role needs to be defined first, > > + # or do so otherwise > > + local uri=$(siging_get_uri $cert_name) > > + if [ -z "$uri" ]; then > > + signing_import_define_role "$cert_name" > > + fi > > + > > openssl x509 \ > > -in "${pem}" -inform pem -outform der | > > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
>
> In the meantime, we found that we can also load PEMs with recent pkcs11-tool, so
> Enrico will send a patch to simplify this.
>

Is there already a subject to search for? Or a link?

Since this whole feature is motivated by the HSM limitation of one-cert-per-slot (der), which could be sidestepped if multiple certificates in one pem file could be handled... should we wait for the "patch to simplify this" and then drop this series?

>
> Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
>

Saw you placed a 'Reviewed-by' on the other patches too; should I already send out a v3 that picks up your suggested comment and documentation changes, or wait (for whom/what)?

Side questions: what tooling do you usually use to juggle patches? And how should the Reviewed-by tags be handled?
Regards
Johannes

> > } > > > > # signing_import_pubkey_from_der <role> <der>
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | http://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
On Mon, Jun 16, 2025 at 6:54 AM Johannes Schneider via lists.openembedded.org <johannes.schneider=leica-geosystems.com@lists.openembedded.org> wrote:
>
> sidequestions: what tooling do you usually use to juggle patches?
> and how should the Reviewed-by tags be handled?
>

Try b4 - https://b4.docs.kernel.org/en/latest/

Reviewed-by - add these to subsequent revisions if you're making minor changes; if there are wholesale changes which merit re-review, drop them.

--
Alex Kiernan
Hi Johannes,

On Mon, 2025-06-16 at 05:54 +0000, Johannes Schneider via lists.openembedded.org wrote:
> > > -# signing_import_cert_from_pem <role> <pem> > > > +# signing_import_cert_from_pem <cert_name> <pem> > > > # > > > -# Import a certificate from PEM file to a role. To be used > > > -# with SoftHSM. > > > +# Import a certificate from PEM file to a cert_name. > > > +# Where the <cert_name> can either be a previously setup > > > +# signing_import_define_role linking the certificate to a signing key, > > > +# or a new identifier when dealing with a standalone certificate. > > > +# > > > +# To be used with SoftHSM. > > > signing_import_cert_from_pem() { > > > - local role="${1}" > > > + local cert_name="${1}" > > > local pem="${2}" > > > > > > + # check wether the cert_name/role needs to be defined first, > > > + # or do so otherwise > > > + local uri=$(siging_get_uri $cert_name) > > > + if [ -z "$uri" ]; then > > > + signing_import_define_role "$cert_name" > > > + fi > > > + > > > openssl x509 \ > > > -in "${pem}" -inform pem -outform der | > > > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > > > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
> >
> > In the meantime, we found that we can also load PEMs with recent pkcs11-tool, so
> > Enrico will send a patch to simplify this.
> >
>
> is there already a subject to search for? or a link?

I don't think Enrico has sent it yet. CCed.

> since this whole feature is motivated by the HSM limitation of one-cert-per-slot
> (der), which could be sidestepped if multiple certificates in one pem file could
> be handled... should we wait for the "patch to simplify this" and then drop this
> series?

HSMs can still only store certificates individually (one per label), as this is just how PKCS#11 works. Enrico's patch only lets us avoid the call to OpenSSL for PEM-to-DER conversion. So this series is still needed. :)

> >
> > Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
> >
>
> saw you placed a 'Reviewed-by' on the other patches too; should i already send
> out a v3 that pick up your suggested comment- and documentation changes, or wait
> (for whom/what)?

You can pick up my Reviewed-bys for any unchanged patch when you send a v3. I'd say go ahead and send a v3, as I wouldn't expect new comments on the v2 by now.

> sidequestions: what tooling do you usually use to juggle patches?
> and how should the Reviewed-by tags be handled?

Like Alex, I'd also suggest b4.

Regards,
Jan

> gruß
> Johannes
>
> > > } > > > > # signing_import_pubkey_from_der <role> <der>
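As an added illustration of the constraint Jan describes (PKCS#11 stores one certificate object per label, so a PEM bundle has to be split into individual DER objects before import), here is a stdlib-only Python helper. It is not code from this series or from meta-oe; the `_chain<N>` label suffix and leaf-first ordering are this example's assumptions, and the sample bundle is built from minimal DER stand-ins rather than real certificates.

```python
"""Split a PEM certificate bundle into one DER object per PKCS#11 label.

Added example, not part of signing.bbclass. Each (label, der) pair would be
handed to a per-certificate import such as the patch's
signing_import_cert_from_der, i.e. one --write-object call per label.
"""
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_object_length(der: bytes) -> int:
    """Total length declared by the outer DER SEQUENCE header (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_single_der_object(der: bytes) -> bool:
    """True if the blob is exactly one SEQUENCE: no truncation, no trailing bytes."""
    try:
        return der_object_length(der) == len(der)
    except ValueError:
        return False


def split_pem_bundle(pem_text: str) -> list:
    """Decode every CERTIFICATE block in the bundle, in file order, to DER."""
    ders = []
    for match in PEM_CERT.finditer(pem_text):
        der = base64.b64decode(match.group(1))   # newlines are skipped by default
        if not is_single_der_object(der):
            raise ValueError("certificate %d is not a complete DER object" % (len(ders) + 1))
        ders.append(der)
    return ders


def plan_import(cert_name: str, pem_text: str) -> list:
    """One label per certificate: the first (leaf) keeps cert_name, the issuers
    get an assumed _chain<N> suffix. The naming scheme is this example's choice."""
    ders = split_pem_bundle(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    labels = [cert_name if i == 0 else "%s_chain%d" % (cert_name, i) for i in range(len(ders))]
    return list(zip(labels, ders))


# Constructed sample input: tiny DER SEQUENCE { INTEGER n } blobs wrapped as PEM.
# They are NOT X.509 certificates; only the PEM/DER framing matters here.
def _fake_cert_der(n: int) -> bytes:
    return bytes([0x30, 0x03, 0x02, 0x01, n])


def _as_pem(der: bytes) -> str:
    body = base64.encodebytes(der).decode()  # 76-column lines, trailing newline
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


SAMPLE_BUNDLE = "".join(_as_pem(_fake_cert_der(n)) for n in (1, 2, 3))
```

Running `plan_import("fitimage", SAMPLE_BUNDLE)` yields three labels, `fitimage`, `fitimage_chain1` and `fitimage_chain2`, each paired with its own DER blob; a bundle with a truncated block is rejected instead of being silently imported short.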
On Tuesday, 17.06.2025 at 16:45 +0200, Jan Lübbe wrote:
> Hi Johannes,
>
> On Mon, 2025-06-16 at 05:54 +0000, Johannes Schneider via lists.openembedded.org wrote:
> > > > -# signing_import_cert_from_pem <role> <pem> > > > > +# signing_import_cert_from_pem <cert_name> <pem> > > > > # > > > > -# Import a certificate from PEM file to a role. To be used > > > > -# with SoftHSM. > > > > +# Import a certificate from PEM file to a cert_name. > > > > +# Where the <cert_name> can either be a previously setup > > > > +# signing_import_define_role linking the certificate to a signing key, > > > > +# or a new identifier when dealing with a standalone certificate. > > > > +# > > > > +# To be used with SoftHSM. > > > > signing_import_cert_from_pem() { > > > > - local role="${1}" > > > > + local cert_name="${1}" > > > > local pem="${2}" > > > > > > > > + # check wether the cert_name/role needs to be defined first, > > > > + # or do so otherwise > > > > + local uri=$(siging_get_uri $cert_name) > > > > + if [ -z "$uri" ]; then > > > > + signing_import_define_role "$cert_name" > > > > + fi > > > > + > > > > openssl x509 \ > > > > -in "${pem}" -inform pem -outform der | > > > > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > > > > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
> > >
> > > In the meantime, we found that we can also load PEMs with recent pkcs11-tool, so
> > > Enrico will send a patch to simplify this.
> > >
> >
> > is there already a subject to search for? or a link?
>
> I don't think Enrico has sent it yet. CCed.

Haven't sent it yet since I assumed it'll conflict with this series that made it to the list a day before mine.
On Thu, Jun 19, 2025 at 5:44 AM Enrico Jörns <ejo@pengutronix.de> wrote: > > Am Dienstag, dem 17.06.2025 um 16:45 +0200 schrieb Jan Lübbe: > > Hi Johannes, > > > > On Mon, 2025-06-16 at 05:54 +0000, Johannes Schneider via lists.openembedded.org wrote: > > > > > -# signing_import_cert_from_pem <role> <pem> > > > > > +# signing_import_cert_from_pem <cert_name> <pem> > > > > > # > > > > > -# Import a certificate from PEM file to a role. To be used > > > > > -# with SoftHSM. > > > > > +# Import a certificate from PEM file to a cert_name. > > > > > +# Where the <cert_name> can either be a previously setup > > > > > +# signing_import_define_role linking the certificate to a signing key, > > > > > +# or a new identifier when dealing with a standalone certificate. > > > > > +# > > > > > +# To be used with SoftHSM. > > > > > signing_import_cert_from_pem() { > > > > > - local role="${1}" > > > > > + local cert_name="${1}" > > > > > local pem="${2}" > > > > > > > > > > + # check wether the cert_name/role needs to be defined first, > > > > > + # or do so otherwise > > > > > + local uri=$(siging_get_uri $cert_name) > > > > > + if [ -z "$uri" ]; then > > > > > + signing_import_define_role "$cert_name" > > > > > + fi > > > > > + > > > > > openssl x509 \ > > > > > -in "${pem}" -inform pem -outform der | > > > > > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > > > > > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" > > > > > > > > In the meantime, we found that we can also load PEMs with recent pkcs11-tool, so > > > > Enrico will send a patch to simplify this. > > > > > > > > > > is there already a subject to search for? or a link? > > > > I don't think Enrico has sent it yet. CCed. > > Haven't sent it yet since I assumed it'll conflict with this series that made it to the list a day > before mine
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 8af7bbf8e0..c768371151 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -123,15 +123,26 @@ signing_import_define_role() { echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ } -# signing_import_cert_from_der <role> <der> +# signing_import_cert_from_der <cert_name> <der> # -# Import a certificate from DER file to a role. To be used -# with SoftHSM. +# Import a certificate from DER file to a cert_name. +# Where the <cert_name> can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_der() { - local role="${1}" + local cert_name="${1}" local der="${2}" - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } # signing_import_cert_chain_from_pem <role> <pem> 
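Review bot: `siging_get_uri` in the new check in signing_import_cert_from_der looks like a typo for a `signing_`-prefixed helper (every other function in this file, signing_import_define_role and signing_pkcs11_tool included, carries that prefix). Because the call sits inside `local uri=$(...)`, a missing or failing helper does not abort the function: the exit status of the substitution is masked by `local`, `uri` comes back empty, and the role is silently (re)defined on every import. Suggest splitting declaration from assignment and quoting the argument, e.g. `local uri` then `uri=$(signing_get_uri "$cert_name")`, and fixing "wether" in the comment while at it.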
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { done } -# signing_import_cert_from_pem <role> <pem> +# signing_import_cert_from_pem <cert_name> <pem> # -# Import a certificate from PEM file to a role. To be used -# with SoftHSM. +# Import a certificate from PEM file to a cert_name. +# Where the <cert_name> can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_pem() { - local role="${1}" + local cert_name="${1}" local pem="${2}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + openssl x509 \ -in "${pem}" -inform pem -outform der | - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" } # signing_import_pubkey_from_der <role> <der>
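Review bot: the same `siging_get_uri` spelling and the same five-line "define the role if its URI is empty" block are duplicated verbatim in signing_import_cert_from_pem. A small shared helper called from both importers (a `signing_import_define_role_if_missing`-style function, name hypothetical) would keep the two copies from drifting and leave one place to fix the typo. The doc comment "can either be a previously setup signing_import_define_role" also reads oddly; "a name previously set up with signing_import_define_role (which links the certificate to a signing key), or a new identifier for a standalone certificate" says what is meant.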
Refactor the two methods to import certificates from PEM/DER to be
usable independently from keymaterial that is linked to a role.

By having the import_cert_from methods create a storage location (aka
role) in the softhsm dynamically. This way certificates can - but
don't have to - be linked to a key, or can stand on their own if chain
of certificates from a PKI has to be managed.

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
---
meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 10 deletions(-)