| Message ID | 20250618-signing-set-ca-v3-4-4ba014735f0e@leica-geosystems.com |
|---|---|
| State | Accepted |
| Series | signing.bbclass: add certificate chain handling |
On Wed, 2025-06-18 at 16:35 +0200, Johannes Schneider wrote:
> Add a method that returns a list of intermediary CA roles.
>
> When using a complex PKI structure with for example "openssl cms",
> these roles can then be iterated over adding in turn a '-certificate'.
> Pseudo-code example:
>
>     for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
>         signing_extract_cert_pem $intermediate $intermediate.pem
>         CMD+=" --certificate=$intermediate.pem"
>     done

In my previous review [1], I meant that you should add "The typical
use-case would be adding these intermediate certificates to the CMS
structure so that the relying party can build the chain from the signing
leaf certificate to the locally stored trusted CA certificate." (or
something similar) to the commit message as a clarification.

Thanks,
Jan

[1] https://lore.kernel.org/all/ea86ffbeb48f4f6ddff0093796ebfbcb3e9fdc21.camel@pengutronix.de/

> Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> ---
> meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index 2a94f5f5b376f99f521494239f7158662df4a3c6..248c6400ed720e7131e618322314be9bb24a760e 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -194,6 +194,27 @@ signing_has_ca() { > return $? > } > > +# signing_get_intermediate_certs <cert_name> > +# > +# return a list of role/name intermediary CA certificates for a given > +# <cert_name> by walking the chain setup with signing_import_set_ca. > +# > +# The returned list will not include the the root CA, and can > +# potentially be empty. > +# > +# To be used with SoftHSM. > +signing_get_intermediate_certs() { > + local cert_name="${1}" > + local intermediary="" > + while signing_has_ca "${cert_name}"; do > + cert_name="$(signing_get_ca ${cert_name})" > + if signing_has_ca "${cert_name}"; then > + intermediary="${intermediary} ${cert_name}" > + fi > + done > + echo "${intermediary}" > +} > + > # signing_get_root_cert <cert_name> > # > # return the role/name of the CA root certificate for a given >
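Review bot: the `while signing_has_ca "${cert_name}"` loop in `signing_get_intermediate_certs` has no guard against a cyclic chain, so if `signing_import_set_ca` ever lets a role's CA point back at itself or at a role already on the path (nothing in this hunk rules that out), the function never returns and the task hangs. Keep a list of roles already visited and abort with an error when `signing_get_ca` yields one of them, or at least say in the comment that the chain is assumed to be acyclic. Smaller points in the same hunk: `cert_name="$(signing_get_ca ${cert_name})"` leaves the argument unquoted while every `signing_has_ca "${cert_name}"` call quotes it, so quote it for consistency; the comment reads "the the root CA" and "chain setup with" (should be "set up"); and the comment could state the output order (the issuer of <cert_name> first, the CA directly under the root last), since callers that pass the list on to a tool expecting an ordered chain need to know it. Minor: `signing_has_ca` runs twice per hop (loop condition plus body); fetching the next role first and breaking when it has no CA halves the calls.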
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 2a94f5f5b376f99f521494239f7158662df4a3c6..248c6400ed720e7131e618322314be9bb24a760e 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs <cert_name> +# +# return a list of role/name intermediary CA certificates for a given +# <cert_name> by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert <cert_name> # # return the role/name of the CA root certificate for a given
Add a method that returns a list of intermediary CA roles.

When using a complex PKI structure with for example "openssl cms",
these roles can then be iterated over adding in turn a '-certificate'.
Pseudo-code example:

    for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
        signing_extract_cert_pem $intermediate $intermediate.pem
        CMD+=" --certificate=$intermediate.pem"
    done

Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
---
meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
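The chain walk and the CMS use that the commit message sketches, as an added example that is not part of signing.bbclass or of this patch. `DEMO_CHAIN` is a constructed chain table, `demo_get_ca` and `demo_has_ca` are hypothetical stand-ins for `signing_get_ca` and `signing_has_ca`, and the visited-set guard in `demo_get_intermediate_certs` is an addition the patch does not have. The second half uses real openssl(1) options to build a throw-away root/intermediate/leaf PKI, signs a payload once with the intermediate embedded via `-certfile` and once without, and verifies both with only the root as trust anchor, which is the relying-party situation the review reply describes.

```sh
#!/bin/sh
# Added example for the review above; not code from signing.bbclass or from
# this patch. demo_get_ca/demo_has_ca are hypothetical stand-ins for
# signing_get_ca/signing_has_ca backed by a constructed chain table, and the
# visited-set guard is an addition the patch does not have.
set -eu

# Constructed chain table standing in for what signing_import_set_ca records:
# one "<role> <issuing role>" pair per line; the root has no line.
DEMO_CHAIN='leaf inter
inter root'

# Stand-in for signing_get_ca: print the issuer of role $2 in table $1,
# nothing if $2 is a root or unknown.
demo_get_ca() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 == r { print $2; exit }'
}

# Stand-in for signing_has_ca: true if role $2 has an issuer in table $1.
demo_has_ca() {
    [ -n "$(demo_get_ca "$1" "$2")" ]
}

# Same walk as signing_get_intermediate_certs in the patch: follow issuer
# links from $2 and collect every CA that itself has an issuer, so the root
# is left out. Output is nearest-to-leaf first. Unlike the patch, a role
# seen twice aborts with status 1 instead of looping forever.
demo_get_intermediate_certs() {
    chain="$1"; cert_name="$2"; seen=" $2 "; intermediary=""
    while demo_has_ca "$chain" "$cert_name"; do
        cert_name="$(demo_get_ca "$chain" "$cert_name")"
        case "$seen" in
            *" $cert_name "*) echo "cycle in CA chain at '$cert_name'" >&2; return 1 ;;
        esac
        seen="$seen$cert_name "
        if demo_has_ca "$chain" "$cert_name"; then
            intermediary="$intermediary $cert_name"
        fi
    done
    printf '%s\n' "${intermediary# }"
}

# Build a throw-away root -> inter -> leaf PKI in directory $1 (constructed
# test material: P-256 keys, one-day validity, fixed serials, and a minimal
# req config so the run does not depend on the system openssl.cnf).
demo_make_pki() {
    d="$1"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\n' > "$d/leaf.ext"
    for role in root inter leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$role.key" 2>/dev/null
        openssl req -new -config "$d/req.cnf" -key "$d/$role.key" -subj "/CN=demo-$role" -out "$d/$role.csr"
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -set_serial 3 \
        -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Sign a payload with the leaf twice, once with the intermediate embedded
# (-certfile, openssl's own way of doing what the commit message's loop
# builds up) and once without, then verify both as a relying party that
# trusts only the root. Returns 0 only if the first verifies and the
# second is rejected.
demo_cms_roundtrip() {
    d="$(mktemp -d)"; rc=0
    demo_make_pki "$d"
    printf 'constructed payload to be signed\n' > "$d/payload.bin"
    openssl cms -sign -binary -nodetach -in "$d/payload.bin" -signer "$d/leaf.pem" \
        -inkey "$d/leaf.key" -certfile "$d/inter.pem" -outform DER -out "$d/with-inter.cms"
    openssl cms -sign -binary -nodetach -in "$d/payload.bin" -signer "$d/leaf.pem" \
        -inkey "$d/leaf.key" -outform DER -out "$d/without-inter.cms"
    if ! { openssl cms -verify -binary -inform DER -in "$d/with-inter.cms" -CAfile "$d/root.pem" \
               -purpose any -out "$d/verified.bin" 2>/dev/null \
           && cmp -s "$d/payload.bin" "$d/verified.bin"; }; then
        rc=1
    fi
    # Without the intermediate the verifier cannot build leaf -> inter -> root.
    if openssl cms -verify -binary -inform DER -in "$d/without-inter.cms" -CAfile "$d/root.pem" \
           -purpose any -out /dev/null 2>/dev/null; then
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

# Usage: the walk prints "inter"; set DEMO_RUN_CMS=1 to also run the openssl part.
demo_get_intermediate_certs "$DEMO_CHAIN" leaf
if [ "${DEMO_RUN_CMS:-0}" = 1 ]; then
    demo_cms_roundtrip && echo "verified only with the intermediate embedded"
fi
```

Run as a script to see the walk print `inter`; `DEMO_RUN_CMS=1 sh chain-demo.sh` additionally runs the openssl round trip. The order the walk returns (issuer of the leaf first) matters little for CMS, where the verifier rebuilds the chain itself from the bag of certificates in the SignedData, but it does matter for tools that expect an ordered chain file, which is why the function's comment should state it.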