| Message ID | 20250618-signing-set-ca-v3-2-4ba014735f0e@leica-geosystems.com |
|---|---|
| State | Accepted |
| Series | signing.bbclass: add certificate chain handling | expand |
On Wed, 2025-06-18 at 16:35 +0200, Johannes Schneider wrote: > Add a mechanism to establish a (metadata) link between roles and signer > certificates, in the form of a new 'ca' variable. It must point from one > role or cert to the signer certificate to preserve the leaf->intermediary-> > root certificate relation. > > With this additional mechanism, it would be now possible to import a > complex PKI tree of certificates and then later during usage of one > role, reconstruct the certificate chain from the leaf, through > multiple intermediary, and up to the root certificate. > > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> > --- > meta-oe/classes/signing.bbclass | 50 ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 49 insertions(+), 1 deletion(-) > > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass > index c76837115192dc2b26756a47608caf7ecca1f727..04bd92bc033e8854eac245e399126554dbaa2fea 100644 > --- a/meta-oe/classes/signing.bbclass > +++ b/meta-oe/classes/signing.bbclass > @@ -87,6 +87,11 @@ def signing_class_prepare(d): > export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri) > export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module) > > + # there can be an optional CA associated with this role > + ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA") > + if ca_cert_name: > + export(role, "SIGNING_CA_%s_", ca_cert_name) > + > signing_pkcs11_tool() { > pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $* > } 
> @@ -145,9 +150,52 @@ signing_import_cert_from_der() { > signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" > } > > -# signing_import_cert_chain_from_pem <role> <pem> > +# signing_import_set_ca <cert_name> <ca_cert_name> > # > +# Link the certificate from <cert_name> to its issuer stored in > +# <ca_cert_name> By walking this linked list a CA-chain can later be > +# reconstructed from the involed roles. > +signing_import_set_ca() { > + local cert_name="${1}" > + local ca_cert_name="${2}" > > + echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_ > + echo "added link from ${cert_name} to ${ca_cert_name}" > +} > + > +# signing_get_ca <cert_name> > +# > +# returns the <ca_cert_name> that has been set previously through > +# either signing_import_set_ca; > +# or a local.conf override SIGNING_CA[role] = ... > +# If none was set, the empty string is returned. > +signing_get_ca() { > + local cert_name="${1}" > + > + # prefer local configuration > + eval local ca="\$SIGNING_CA_${cert_name}_" > + if [ -n "$ca" ]; then > + echo "$ca" > + return > + fi > + > + # fall back to softhsm > + eval echo "\$_SIGNING_CA_${cert_name}_" > +} > + > +# signing_has_ca <cert_name> > +# > +# check if the cert_name links to another cert_name that is its > +# certificate authority/issuer. > +signing_has_ca() { > + local ca_cert_name="$(signing_get_ca ${1})" > + > + test -n "$ca_cert_name" > + return $? > +} > + > +# signing_import_cert_chain_from_pem <role> <pem> > +# > # Import a certificate *chain* from a PEM file to a role. > # (e.g. multiple ones concatenated in one file) > # > Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index c76837115192dc2b26756a47608caf7ecca1f727..04bd92bc033e8854eac245e399126554dbaa2fea 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -87,6 +87,11 @@ def signing_class_prepare(d):
 export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri)
 export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module)
+ # there can be an optional CA associated with this role
+ ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA")
+ if ca_cert_name:
+ export(role, "SIGNING_CA_%s_", ca_cert_name)
+
 signing_pkcs11_tool() {
 pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $*
 }
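Review bot: The fallback to the unflagged `d.getVar("SIGNING_CA")` applies the same CA name to every role, including the role that itself holds that CA certificate, so a role's exported `SIGNING_CA_<role>_` can end up naming its own certificate; any later chain walk built on signing_get_ca would then have to stop on a self-reference or a repeated name. It may be worth exporting the global value only when it differs from the role's own certificate name, or documenting the intent above the new block, e.g. `# SIGNING_CA[<role>] names the issuer of <role>'s certificate; a bare SIGNING_CA applies to every role without a flag`. signing_class_prepare begins outside the hunk.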
@@ -145,9 +150,52 @@ signing_import_cert_from_der() {
 signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
 }
-# signing_import_cert_chain_from_pem <role> <pem>
+# signing_import_set_ca <cert_name> <ca_cert_name>
 #
+# Link the certificate from <cert_name> to its issuer stored in
+# <ca_cert_name> By walking this linked list a CA-chain can later be
+# reconstructed from the involed roles.
+signing_import_set_ca() {
+ local cert_name="${1}"
+ local ca_cert_name="${2}"
+ echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_
+ echo "added link from ${cert_name} to ${ca_cert_name}"
+}
+
+# signing_get_ca <cert_name>
+#
+# returns the <ca_cert_name> that has been set previously through
+# either signing_import_set_ca;
+# or a local.conf override SIGNING_CA[role] = ...
+# If none was set, the empty string is returned.
+signing_get_ca() {
+ local cert_name="${1}"
+
+ # prefer local configuration
+ eval local ca="\$SIGNING_CA_${cert_name}_"
+ if [ -n "$ca" ]; then
+ echo "$ca"
+ return
+ fi
+
+ # fall back to softhsm
+ eval echo "\$_SIGNING_CA_${cert_name}_"
+}
+
+# signing_has_ca <cert_name>
+#
+# check if the cert_name links to another cert_name that is its
+# certificate authority/issuer.
+signing_has_ca() {
+ local ca_cert_name="$(signing_get_ca ${1})"
+
+ test -n "$ca_cert_name"
+ return $?
+}
+
+# signing_import_cert_chain_from_pem <role> <pem>
+#
 # Import a certificate *chain* from a PEM file to a role.
 # (e.g. multiple ones concatenated in one file)
 #
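Review bot: `cert_name` and `ca_cert_name` are spliced unvalidated into the `eval` in signing_get_ca and into the assignment that signing_import_set_ca appends to `$_SIGNING_ENV_FILE_`, so a name with characters outside `[A-Za-z0-9_]` either breaks the `eval` or, if that env file is sourced later as the variable names suggest, is re-read as shell syntax rather than as a plain value. A guard at the top of signing_import_set_ca, `case "${cert_name}${ca_cert_name}" in *[!A-Za-z0-9_]*) bbfatal "signing: certificate names may only contain [A-Za-z0-9_]" ;; esac`, rejects such names where the link is created; if the class already builds variable names from role names the same way for the PKCS11 variables, the check belongs wherever names first enter. In signing_has_ca, `return $?` directly after `test -n "$ca_cert_name"` is redundant, and `${1}` should be quoted: `local ca_cert_name="$(signing_get_ca "${1}")"`. The header comment of signing_import_set_ca also needs a full stop and a spelling fix: `# <ca_cert_name>. By walking this linked list a CA-chain can later be` / `# reconstructed from the involved roles.`.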
Add a mechanism to establish a (metadata) link between roles and signer certificates, in the form of a new 'ca' variable. It must point from one role or cert to the signer certificate to preserve the leaf->intermediary-> root certificate relation. With this additional mechanism, it is now possible to import a complex PKI tree of certificates and then later, during usage of one role, reconstruct the certificate chain from the leaf, through multiple intermediaries, and up to the root certificate. Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> --- meta-oe/classes/signing.bbclass | 50 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-)