| Message ID | 20250531113252.3889951-7-johannes.schneider@leica-geosystems.com |
|---|---|
| State | Accepted |
| Series | signing.bbclass: add certificate chain handling |
On Sat, 2025-05-31 at 13:32 +0200, Johannes Schneider via lists.openembedded.org wrote: > With the now available set|get|has_ca functions to establish a CA link > between roles during their import, the > signing_import_cert_chain_from_pem can now be removed. As it had the > shortcoming of dynamically creating roles, which are harder to handle > than the manually/specifically setup CA roles. > > This effectively reverts: > a825b853634 signing.bbclass: add certificate ca-chain handling > > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> > --- > meta-oe/classes/signing.bbclass | 29 ----------------------------- > 1 file changed, 29 deletions(-) > > diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass > index 1f50e89d1e..c9759e9198 100644 > --- a/meta-oe/classes/signing.bbclass > +++ b/meta-oe/classes/signing.bbclass 
> @@ -217,35 +217,6 @@ signing_get_root_cert() { > echo "${cert_name}" > } > > -# signing_import_cert_chain_from_pem <role> <pem> > -# > -# Import a certificate *chain* from a PEM file to a role. > -# (e.g. multiple ones concatenated in one file) > -# > -# Due to limitations in the toolchain: > -# signing class -> softhsm -> 'extract-cert' > -# the input certificate is split into a sequentially numbered list of roles, > -# starting at <role>_1 > -# > -# (The limitations are the conversion step from x509 to a plain .der, and > -# extract-cert expecting a x509 and then producing only plain .der again) > -signing_import_cert_chain_from_pem() { > - local role="${1}" > - local pem="${2}" > - local i=1 > - > - cat "${pem}" | \ > - while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do > - signing_import_define_role "${role}_${i}" > - signing_pkcs11_tool --type cert \ > - --write-object ${B}/temp_${i}.der \ > - --label "${role}_${i}" > - rm ${B}/temp_${i}.der > - echo "imported ${pem} under role: ${role}_${i}" > - i=$(awk "BEGIN {print $i+1}") > - done > -} > - > # signing_import_cert_from_pem <cert_name> <pem> > # > # Import a certificate from PEM file to a cert_name. Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 1f50e89d1e..c9759e9198 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -217,35 +217,6 @@ signing_get_root_cert() { echo "${cert_name}" } -# signing_import_cert_chain_from_pem <role> <pem> -# -# Import a certificate *chain* from a PEM file to a role. -# (e.g. multiple ones concatenated in one file) -# -# Due to limitations in the toolchain: -# signing class -> softhsm -> 'extract-cert' -# the input certificate is split into a sequentially numbered list of roles, -# starting at <role>_1 -# -# (The limitations are the conversion step from x509 to a plain .der, and -# extract-cert expecting a x509 and then producing only plain .der again) -signing_import_cert_chain_from_pem() { - local role="${1}" - local pem="${2}" - local i=1 - - cat "${pem}" | \ - while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do - signing_import_define_role "${role}_${i}" - signing_pkcs11_tool --type cert \ - --write-object ${B}/temp_${i}.der \ - --label "${role}_${i}" - rm ${B}/temp_${i}.der - echo "imported ${pem} under role: ${role}_${i}" - i=$(awk "BEGIN {print $i+1}") - done -} - # signing_import_cert_from_pem <cert_name> <pem> # # Import a certificate from PEM file to a cert_name.
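Review bot: In the removed block at @@ -217,35 +217,6 @@, signing_import_cert_chain_from_pem() disappears without any pointer for its callers. A recipe that still invokes it will only fail at task run time, and the roles it used to create on the fly (<role>_1, <role>_2, ...) have no named counterpart in the replacement flow. Consider adding a short migration note, either in the commit message or in the comment above signing_import_cert_from_pem, stating that each certificate of a chain is now imported under its own explicitly defined role and linked with the set|get|has_ca functions, so users of the old helper know what to convert to.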
With the now available set|get|has_ca functions to establish a CA link between roles during their import, the signing_import_cert_chain_from_pem can now be removed. As it had the shortcoming of dynamically creating roles, which are harder to handle than the manually/specifically setup CA roles. This effectively reverts: a825b853634 signing.bbclass: add certificate ca-chain handling Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> --- meta-oe/classes/signing.bbclass | 29 ----------------------------- 1 file changed, 29 deletions(-)