From patchwork Fri Jun 27 05:40:15 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65695
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:15 +0200
Subject: [PATCH meta-oe v3 1/6] signing.bbclass: refactor signing_import_cert_from_*
Message-Id: <20250627-signing-set-ca-v3-1-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
2025 05:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118134 Refactor the two methods to import certificates from PEM/DER to be usable independently from keymaterial that is linked to a role. By having the import_cert_from methods create a storage location (aka role) in the softhsm dynamically. This way certificates can - but don't have to - be linked to a key, or can stand on their own if chain of certificates from a PKI has to be managed. Reviewed-by: Jan Luebbe Signed-off-by: Johannes Schneider --- meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 8af7bbf8e0..c768371151 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -123,15 +123,26 @@ signing_import_define_role() { echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ } -# signing_import_cert_from_der +# signing_import_cert_from_der # -# Import a certificate from DER file to a role. To be used -# with SoftHSM. +# Import a certificate from DER file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_der() { - local role="${1}" + local cert_name="${1}" local der="${2}" - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } # signing_import_cert_chain_from_pem 
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { done } -# signing_import_cert_from_pem +# signing_import_cert_from_pem # -# Import a certificate from PEM file to a role. To be used -# with SoftHSM. +# Import a certificate from PEM file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_pem() { - local role="${1}" + local cert_name="${1}" local pem="${2}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + openssl x509 \ -in "${pem}" -inform pem -outform der | - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" } # signing_import_pubkey_from_der
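Review bot: in the signing_import_cert_from_der hunk the new existence check calls `siging_get_uri`, which looks like a misspelling of `signing_get_uri` (every other helper in this class is prefixed `signing_`: signing_pkcs11_tool, signing_import_define_role, signing_import_cert_chain_from_pem). Because the call is wrapped in `local uri=$(...)`, an undefined function only prints "command not found" to stderr and yields an empty `uri`, and `local` masks the non-zero status from `set -e`, so the `if [ -z "$uri" ]` branch is taken on every import, including for roles that were already set up. The visible tail of signing_import_define_role appends to the env file (`echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_`), so re-running it per import will keep adding duplicate entries. Suggest `local uri=$(signing_get_uri "$cert_name")` with the argument quoted, "whether" instead of "wether" in the comment, and a check that the argument placeholder in the header comment survived: as shown it reads "Import a certificate from DER file to a cert_name. Where the can either be a previously setup ...", i.e. the name after "Where the" is missing.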
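Review bot: the signing_import_cert_from_pem hunk repeats the same `siging_get_uri` misspelling and the same unquoted `$cert_name`, and the define-if-missing block is now pasted verbatim into both importers. Suggest one helper in the class so the check lives in a single place and a typo cannot diverge between callers, for example (name is a suggestion, not existing code): `signing_import_define_role_if_missing() { [ -n "$(signing_get_uri "$1")" ] || signing_import_define_role "$1"; }`, called from both signing_import_cert_from_der and signing_import_cert_from_pem. One ordering point specific to this function: the role is now defined before `openssl x509 -in "${pem}" -inform pem -outform der | signing_pkcs11_tool ...` runs, and the pipeline discards openssl's exit status, so a malformed or non-PEM input leaves a freshly defined role in the env file with no certificate object behind it; consider converting to DER first (into a temp file, checking openssl's status) and only then defining the role and writing the object.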