Message ID | 20250627-signing-set-ca-v3-1-030812797c6a@leica-geosystems.com
---|---
State | New
Series | signing.bbclass: add certificate chain handling
Please rebase this on top of latest master or master-next and resend, it does not apply cleanly.

On Thu, Jun 26, 2025 at 10:40 PM Johannes Schneider <johannes.schneider@leica-geosystems.com> wrote:
>
> Refactor the two methods to import certificates from PEM/DER to be
> usable independently from keymaterial that is linked to a role.
>
> By having the import_cert_from methods create a storage location (aka
> role) in the softhsm dynamically. This way certificates can - but
> don't have to - be linked to a key, or can stand on their own if chain
> of certificates from a PKI has to be managed.
>
> Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> ---
> meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++----------
> 1 file changed, 32 insertions(+), 10 deletions(-)
>
> diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass
> index 8af7bbf8e0..c768371151 100644
> --- meta-oe/classes/signing.bbclass
> +++ meta-oe/classes/signing.bbclass
> @@ -123,15 +123,26 @@ signing_import_define_role() { > echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ > } > > -# signing_import_cert_from_der <role> <der> > +# signing_import_cert_from_der <cert_name> <der> > # > -# Import a certificate from DER file to a role. To be used > -# with SoftHSM. > +# Import a certificate from DER file to a cert_name. > +# Where the <cert_name> can either be a previously setup > +# signing_import_define_role linking the certificate to a signing key, > +# or a new identifier when dealing with a standalone certificate. > +# > +# To be used with SoftHSM. > signing_import_cert_from_der() { > - local role="${1}" > + local cert_name="${1}" > local der="${2}" > > - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" > + # check wether the cert_name/role needs to be defined first, > + # or do so otherwise > + local uri=$(siging_get_uri $cert_name) > + if [ -z "$uri" ]; then > + signing_import_define_role "$cert_name" > + fi > + > + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" > } > > # signing_import_cert_chain_from_pem <role> <pem> 
> @@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { > done > } > > -# signing_import_cert_from_pem <role> <pem> > +# signing_import_cert_from_pem <cert_name> <pem> > # > -# Import a certificate from PEM file to a role. To be used > -# with SoftHSM. > +# Import a certificate from PEM file to a cert_name. > +# Where the <cert_name> can either be a previously setup > +# signing_import_define_role linking the certificate to a signing key, > +# or a new identifier when dealing with a standalone certificate. > +# > +# To be used with SoftHSM. > signing_import_cert_from_pem() { > - local role="${1}" > + local cert_name="${1}" > local pem="${2}" > > + # check wether the cert_name/role needs to be defined first, > + # or do so otherwise > + local uri=$(siging_get_uri $cert_name) > + if [ -z "$uri" ]; then > + signing_import_define_role "$cert_name" > + fi > + > openssl x509 \ > -in "${pem}" -inform pem -outform der | > - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" > + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" > } > > # signing_import_pubkey_from_der <role> <der> > > -- > 2.43.0 >
Hi,

> Please rebase this on top of latest master or master-next and resend, it does not apply cleanly.

ACK

@Jan: v3 added the comment/use-case you pointed out and I missed - anything else that should be fixed for v4? (-:

Regards
Johannes

________________________________________
From: Khem Raj <raj.khem@gmail.com>
Sent: Friday, June 27, 2025 10:01
To: SCHNEIDER Johannes
Cc: jlu@pengutronix.de; GEO-CHHER-bsp-development; openembedded-devel@lists.openembedded.org
Subject: Re: [PATCH meta-oe v3 1/6] signing.bbclass: refactor signing_import_cert_from_*

Please rebase this on top of latest master or master-next and resend, it does not apply cleanly.

On Thu, Jun 26, 2025 at 10:40 PM Johannes Schneider <johannes.schneider@leica-geosystems.com> wrote:
>
> Refactor the two methods to import certificates from PEM/DER to be
> usable independently from keymaterial that is linked to a role.
>
> By having the import_cert_from methods create a storage location (aka
> role) in the softhsm dynamically. This way certificates can - but
> don't have to - be linked to a key, or can stand on their own if chain
> of certificates from a PKI has to be managed.
>
> Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> ---
> meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++----------
> 1 file changed, 32 insertions(+), 10 deletions(-)
On Fri, 2025-06-27 at 10:35 +0000, SCHNEIDER Johannes wrote:
> Hi,
>
> > Please rebase this on top of latest master or master-next and resend,
> > it does not apply cleanly.
>
> ACK
>
> @Jan: v3 added the comment/use-case you pointed out and I missed - anything else that should be fixed for v4? (-:

Nothing else from my side.

Thanks,
Jan

> Regards
> Johannes
>
> ________________________________________
> From: Khem Raj <raj.khem@gmail.com>
> Sent: Friday, June 27, 2025 10:01
> To: SCHNEIDER Johannes
> Cc: jlu@pengutronix.de; GEO-CHHER-bsp-development; openembedded-devel@lists.openembedded.org
> Subject: Re: [PATCH meta-oe v3 1/6] signing.bbclass: refactor signing_import_cert_from_*
>
> Please rebase this on top of latest master or master-next and resend,
> it does not apply cleanly.
>
> On Thu, Jun 26, 2025 at 10:40 PM Johannes Schneider
> <johannes.schneider@leica-geosystems.com> wrote:
> >
> > Refactor the two methods to import certificates from PEM/DER to be
> > usable independently from keymaterial that is linked to a role.
> >
> > By having the import_cert_from methods create a storage location (aka
> > role) in the softhsm dynamically. This way certificates can - but
> > don't have to - be linked to a key, or can stand on their own if chain
> > of certificates from a PKI has to be managed.
> >
> > Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
> > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
> > ---
> > meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++----------
> > 1 file changed, 32 insertions(+), 10 deletions(-)
diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 8af7bbf8e0..c768371151 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -123,15 +123,26 @@ signing_import_define_role() { echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ } -# signing_import_cert_from_der <role> <der> +# signing_import_cert_from_der <cert_name> <der> # -# Import a certificate from DER file to a role. To be used -# with SoftHSM. +# Import a certificate from DER file to a cert_name. +# Where the <cert_name> can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_der() { - local role="${1}" + local cert_name="${1}" local der="${2}" - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } # signing_import_cert_chain_from_pem <role> <pem> 
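Review bot: the new lookup `local uri=$(siging_get_uri $cert_name)` in signing_import_cert_from_der misspells the helper; every other function in this class carries the `signing_` prefix, so this is presumably meant to be `signing_get_uri`. As written the call fails, `uri` stays empty and the `signing_import_define_role "$cert_name"` branch runs on every import, including for a cert_name that already has a key linked to it. Because `local var=$(cmd)` also hides the command's exit status, a genuine failure of the lookup is indistinguishable from "role not defined yet"; declare `local uri` on its own line and assign it separately, and quote the argument as `"${cert_name}"` like the rest of the function does. Minor: "wether" in the added comment should read "whether".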
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { done } -# signing_import_cert_from_pem <role> <pem> +# signing_import_cert_from_pem <cert_name> <pem> # -# Import a certificate from PEM file to a role. To be used -# with SoftHSM. +# Import a certificate from PEM file to a cert_name. +# Where the <cert_name> can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_pem() { - local role="${1}" + local cert_name="${1}" local pem="${2}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + openssl x509 \ -in "${pem}" -inform pem -outform der | - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" } # signing_import_pubkey_from_der <role> <der>
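Review bot: the define-if-missing block added to signing_import_cert_from_pem is a verbatim copy of the one in signing_import_cert_from_der, including the `siging_get_uri` spelling, the unquoted `$cert_name` and the "wether" typo, so every fix has to be applied twice; move it into one small helper that takes the cert_name and defines the role when the URI lookup returns nothing, and call that from both import functions. While touching this function: in `openssl x509 ... | signing_pkcs11_tool ...` only the exit status of the pkcs11 side is observed, so a malformed PEM that makes openssl fail is caught only indirectly, if at all, unless the caller runs with pipefail; this predates the patch but matters more now that standalone certificates and chains from a PKI are expected to flow through here.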