
[meta-oe,v2,4/6] signing.bbclass: add signing_get_intermediate_certs

Message ID 20250531113252.3889951-5-johannes.schneider@leica-geosystems.com
State Accepted
Series signing.bbclass: add certificate chain handling

Commit Message

Johannes Schneider May 31, 2025, 11:32 a.m. UTC
Add a method that returns a list of intermediary CA roles.

When using a complex PKI structure with for example "openssl cms",
these roles can then be iterated over, adding in turn a '-certificate'.
Pseudo-code example:
  for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
     signing_extract_cert_pem $intermediate $intermediate.pem
     CMD+=" --certificate=$intermediate.pem"
  done

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
---
 meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
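The chain walk and the loop sketched in the commit message, as an added stand-alone example that is not part of the signing.bbclass patch: signing_has_ca/signing_get_ca are replaced by a constructed parent map (demo_get_ca, made-up role names) so it runs without BitBake or SoftHSM, and a hop limit is added so a self-referencing chain fails instead of looping forever.

```bash
#!/usr/bin/env bash
# Added example, not code from meta-oe: models signing_get_intermediate_certs
# over a constructed PKI so the walk can be run and checked offline.
set -eu

# Constructed chain: FooBaa -> FooBaaInterB -> FooBaaInterA -> FooBaaRoot.
# "Loopy" is a deliberately misconfigured role that names itself as its CA.
demo_get_ca() {
    case "$1" in
        FooBaa)        echo "FooBaaInterB" ;;
        FooBaaInterB)  echo "FooBaaInterA" ;;
        FooBaaInterA)  echo "FooBaaRoot" ;;
        Loopy)         echo "Loopy" ;;
        *)             return 1 ;;   # no CA recorded: this role is a root
    esac
}
demo_has_ca() { demo_get_ca "$1" >/dev/null 2>&1; }

# Same algorithm as the patch (root excluded, result may be empty), plus a
# hop limit that turns a cycle into an error instead of an endless loop.
demo_get_intermediate_certs() {
    local cert_name="$1" intermediary="" hops=0
    while demo_has_ca "${cert_name}"; do
        if [ "${hops}" -ge 16 ]; then
            echo "chain for '$1' exceeds 16 hops (cycle?)" >&2
            return 1
        fi
        hops=$((hops + 1))
        cert_name="$(demo_get_ca "${cert_name}")"
        if demo_has_ca "${cert_name}"; then
            intermediary="${intermediary} ${cert_name}"
        fi
    done
    echo "${intermediary}"
}

# The consumer loop from the commit message: one --certificate option per
# intermediate, in leaf-to-root order, so a relying party can build the chain.
demo_cms_cert_args() {
    local args="" intermediate
    for intermediate in $(demo_get_intermediate_certs "$1"); do
        args="${args} --certificate=${intermediate}.pem"
    done
    echo "${args# }"
}
```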

Comments

Jan Lübbe June 2, 2025, 3:51 p.m. UTC | #1
On Sat, 2025-05-31 at 13:32 +0200, Johannes Schneider via lists.openembedded.org
wrote:
> Add a method that returns a list of intermediary CA roles.
> 
> When using a complex PKI structure with for example "openssl cms",
> these roles can then be iterated over adding in turn a '-certificate'.
> Pseudo-code example:
>   for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
>      signing_extract_cert_pem $intermediate $intermediate.pem
>      CMD+=" --certificate=$intermediate.pem"
>   done

+ The typical use-case would be adding these intermediate certificates to the
CMS structure so that the relying party can build the chain from the signing
leaf certificate to the locally stored trusted CA certificate.

> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> ---
>  meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index ee32cc12f7..7bc3e7cb12 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -180,6 +180,27 @@ signing_has_ca() {
>      return $?
>  }
>  
> +# signing_get_intermediate_certs <cert_name>
> +#
> +# return a list of role/name intermediary CA certificates for a given
> +# <cert_name> by walking the chain setup with signing_import_set_ca.
> +#
> +# The returned list will not include the the root CA, and can
> +# potentially be empty.
> +#
> +# To be used with SoftHSM.
> +signing_get_intermediate_certs() {
> +    local cert_name="${1}"
> +    local intermediary=""
> +    while signing_has_ca "${cert_name}"; do
> +        cert_name="$(signing_get_ca ${cert_name})"
> +        if signing_has_ca "${cert_name}"; then
> +            intermediary="${intermediary} ${cert_name}"
> +        fi
> +    done
> +    echo "${intermediary}"
> +}
> +
>  # signing_get_root_cert <cert_name>
>  #
>  # return the role/name of the CA root certificate for a given
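Review bot: `cert_name="$(signing_get_ca ${cert_name})"` in the loop body is the only place in the hunk that leaves `${cert_name}` unquoted, while the neighbouring `signing_has_ca "${cert_name}"` calls quote it; quoting it here too (`cert_name="$(signing_get_ca "${cert_name}")"`) keeps the function consistent and safe for names containing spaces. The comment block also doubles a word in "will not include the the root CA".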

Reviewed-by: Jan Luebbe <jlu@pengutronix.de>

Patch

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index ee32cc12f7..7bc3e7cb12 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -180,6 +180,27 @@  signing_has_ca() {
     return $?
 }
 
+# signing_get_intermediate_certs <cert_name>
+#
+# return a list of role/name intermediary CA certificates for a given
+# <cert_name> by walking the chain setup with signing_import_set_ca.
+#
+# The returned list will not include the the root CA, and can
+# potentially be empty.
+#
+# To be used with SoftHSM.
+signing_get_intermediate_certs() {
+    local cert_name="${1}"
+    local intermediary=""
+    while signing_has_ca "${cert_name}"; do
+        cert_name="$(signing_get_ca ${cert_name})"
+        if signing_has_ca "${cert_name}"; then
+            intermediary="${intermediary} ${cert_name}"
+        fi
+    done
+    echo "${intermediary}"
+}
+
 # signing_get_root_cert <cert_name>
 #
 # return the role/name of the CA root certificate for a given
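Review bot: the `while signing_has_ca "${cert_name}"` loop in signing_get_intermediate_certs terminates only when a role without a recorded CA is reached; if the chain set up with signing_import_set_ca ever points a role back at itself or at an earlier role, the loop never ends, and because callers consume the result via `$(...)` the whole task hangs. A hop limit, or a check that `signing_get_ca` returned a name different from the current one, with an error message on failure, would make such a misconfiguration fail loudly. The header comment should also say that the result is a single space-separated string meant to be word-split by the caller, as the commit message's `for intermediate in $(...)` loop relies on.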