| Message ID | 20241130124846.232284-1-johannes.schneider@leica-geosystems.com |
|---|---|
| State | Accepted |
| Series | [meta-oe,v1] signing.bbclass: add set\|get\|has_ca functions |
On Sat, 2024-11-30 at 13:48 +0100, Johannes Schneider wrote:
> Add a mechanism to establish a (metadata) link between roles, in the
> form of a new 'ca' variable. Which is intended to point from one role
> to another, to preserve the leaf->intermediary certificate relation.
>
> With this additional mechanism, it would be now possible to import a
> complex PKI tree of certificates (either just the certificates, or
> both cert+key where available); and then later during usage of one
> role, reconstruct the verification chain from the leaf, through
> multiple intermediary, and up to the root role.
>
> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>

No, as explained in the other thread, CA certificates are *not* roles.
A possible extension would be that roles refer to a CA certificate. We
should continue to discuss this in the thread "signing.bbclass: add
set|get|has_ca functions"

Khem: This should not be merged in the current form.

Jan

> --- > meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass > index 8af7bbf8e..f1765e96b 100644 > --- a/meta-oe/classes/signing.bbclass > +++ b/meta-oe/classes/signing.bbclass > @@ -246,6 +246,18 @@ signing_import_key_from_pem() { > signing_import_privkey_from_pem "${role}" "${pem}" > } > > +# signing_import_set_ca <role> <role_ca> > +# > +# Link the certificate from <role> to its issuer stored in <ca_role> > +# By walking this linked list a CA-chain can later be reconstructed from the > +# involed roles. > +signing_import_set_ca() { > + local role="${1}" > + local ca_role="${2}" > + > + echo "_SIGNING_CA_${role}_=\"${ca_role}\"" >> $_SIGNING_ENV_FILE_ > +} > + > signing_import_finish() { > echo "loaded objects:" > signing_pkcs11_tool --list-objects
> @@ -346,6 +358,28 @@ signing_get_module() { > fi > } > > +# signing_get_ca <role> > +# > +# returns the <ca_role> that has been set previously through > +# signing_import_set_ca; or the empty string if none was set > +signing_get_ca() { > + local role="${1}" > + > + eval local ca_role="\$_SIGNING_CA_${role}_" > + echo "$ca_role" > +} > + > +# signing_has_ca <role> > +# > +# check if the role links to another role that is its certificate > +# authority/issuer. > +signing_has_ca() { > + local ca_role="$(signing_get_ca ${1})" > + > + test -n "$ca_role" > + return $? > +} > + > python () { > signing_class_prepare(d) > }
On Tue, Dec 3, 2024 at 8:45 AM Jan Lübbe <jlu@pengutronix.de> wrote:
>
> On Sat, 2024-11-30 at 13:48 +0100, Johannes Schneider wrote:
> > Add a mechanism to establish a (metadata) link between roles, in the
> > form of a new 'ca' variable. Which is intended to point from one role
> > to another, to preserve the leaf->intermediary certificate relation.
> >
> > With this additional mechanism, it would be now possible to import a
> > complex PKI tree of certificates (either just the certificates, or
> > both cert+key where available); and then later during usage of one
> > role, reconstruct the verification chain from the leaf, through
> > multiple intermediary, and up to the root role.
> >
> > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
>
> No, as explained in the other thread, CA certificates are *not* roles.
> A possible extension would be that roles refer to a CA certificate. We
> should continue to discuss this in the thread "signing.bbclass: add
> set|get|has_ca functions"

perhaps a plugin sort ?

> Khem: This should not be merged in the current form.

yeah thanks

> Jan
>
> > ---
> > meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++
> > 1 file changed, 34 insertions(+)
> >
> > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> > index 8af7bbf8e..f1765e96b 100644
> > --- a/meta-oe/classes/signing.bbclass
> > +++ b/meta-oe/classes/signing.bbclass
> > @@ -246,6 +246,18 @@ signing_import_key_from_pem() { > > signing_import_privkey_from_pem "${role}" "${pem}" > > } > > > > +# signing_import_set_ca <role> <role_ca> > > +# > > +# Link the certificate from <role> to its issuer stored in <ca_role> > > +# By walking this linked list a CA-chain can later be reconstructed from the > > +# involed roles. > > +signing_import_set_ca() { > > + local role="${1}" > > + local ca_role="${2}" > > + > > + echo "_SIGNING_CA_${role}_=\"${ca_role}\"" >> $_SIGNING_ENV_FILE_ > > +} > > + > > signing_import_finish() { > > echo "loaded objects:" > > signing_pkcs11_tool --list-objects > > @@ -346,6 +358,28 @@ signing_get_module() { > > fi > > } > > > > +# signing_get_ca <role> > > +# > > +# returns the <ca_role> that has been set previously through > > +# signing_import_set_ca; or the empty string if none was set > > +signing_get_ca() { > > + local role="${1}" > > + > > + eval local ca_role="\$_SIGNING_CA_${role}_" > > + echo "$ca_role" > > +} > > + > > +# signing_has_ca <role> > > +# > > +# check if the role links to another role that is its certificate > > +# authority/issuer. > > +signing_has_ca() { > > + local ca_role="$(signing_get_ca ${1})" > > + > > + test -n "$ca_role" > > + return $? > > +} > > + > > python () { > > signing_class_prepare(d) > > } > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | https://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > >
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 8af7bbf8e..f1765e96b 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -246,6 +246,18 @@ signing_import_key_from_pem() { signing_import_privkey_from_pem "${role}" "${pem}" } +# signing_import_set_ca <role> <role_ca> +# +# Link the certificate from <role> to its issuer stored in <ca_role> +# By walking this linked list a CA-chain can later be reconstructed from the +# involed roles. +signing_import_set_ca() { + local role="${1}" + local ca_role="${2}" + + echo "_SIGNING_CA_${role}_=\"${ca_role}\"" >> $_SIGNING_ENV_FILE_ +} + signing_import_finish() { echo "loaded objects:" signing_pkcs11_tool --list-objects @@ -346,6 +358,28 @@ signing_get_module() { fi } +# signing_get_ca <role> +# +# returns the <ca_role> that has been set previously through +# signing_import_set_ca; or the empty string if none was set +signing_get_ca() { + local role="${1}" + + eval local ca_role="\$_SIGNING_CA_${role}_" + echo "$ca_role" +} + +# signing_has_ca <role> +# +# check if the role links to another role that is its certificate +# authority/issuer. +signing_has_ca() { + local ca_role="$(signing_get_ca ${1})" + + test -n "$ca_role" + return $? +} + python () { signing_class_prepare(d) }
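Review bot: in the @@ -246 hunk, signing_import_set_ca writes `_SIGNING_CA_${role}_=\"${ca_role}\"` to $_SIGNING_ENV_FILE_ without checking that either <role> or <ca_role> has been imported, that the two differ, or that the new link does not close a cycle, so the "linked list" the comment promises can point at itself and a later walk over signing_get_ca never reaches a root. Because signing_get_ca reads the value back by evaluating `$_SIGNING_CA_${role}_`, a role name that is not a valid shell identifier produces an assignment that cannot be looked up, and a <ca_role> containing `"` or `$` changes the meaning of the written line; reject both arguments unless they match `[A-Za-z0-9_]+` before the echo. Minor: the header reads `signing_import_set_ca <role> <role_ca>` while the description and body use <ca_role>, and "involed" should be "involved".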
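Review bot: in the @@ -358 hunk, `eval local ca_role="\$_SIGNING_CA_${role}_"` splices the caller-supplied role into a shell command before evaluating it, so a role argument containing `;` or `$(...)` is executed rather than looked up; validate the name against `[A-Za-z0-9_]+` first, or build the variable name separately and eval only the fixed `ca_role=\$name` form. signing_has_ca then calls `signing_get_ca ${1}` with the argument unquoted, which word-splits a role containing whitespace, and `test -n "$ca_role"` followed by `return $?` is redundant since the test's exit status is already the function's return status. Neither function walks or bounds the chain, so every caller that wants the leaf-to-root reconstruction the commit message describes has to write its own loop and cycle guard; a single chain helper with a visited check (for instance a `signing_get_ca_chain`, name suggested here) would keep that in one place.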
Add a mechanism to establish a (metadata) link between roles, in the
form of a new 'ca' variable, which is intended to point from one role
to another, to preserve the leaf->intermediary certificate relation.

With this additional mechanism, it would now be possible to import a
complex PKI tree of certificates (either just the certificates, or
both cert+key where available); and then later during usage of one
role, reconstruct the verification chain from the leaf, through
multiple intermediaries, and up to the root role.

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
---
meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)