From patchwork Fri Jun 27 05:40:16 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65694
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:16 +0200
Subject: [PATCH meta-oe v3 2/6] signing.bbclass: add set|get|has_ca functions
Message-Id: <20250627-signing-set-ca-v3-2-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
2025 05:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118136 Add a mechanism to establish a (metadata) link between roles and signer certificates, in the form of a new 'ca' variable. It must point from one role or cert to the signer certificate to preserve the leaf->intermediary-> root certificate relation. With this additional mechanism, it would be now possible to import a complex PKI tree of certificates and then later during usage of one role, reconstruct the certificate chain from the leaf, through multiple intermediary, and up to the root certificate. Reviewed-by: Jan Luebbe Signed-off-by: Johannes Schneider --- meta-oe/classes/signing.bbclass | 50 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index c768371151..04bd92bc03 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -87,6 +87,11 @@ def signing_class_prepare(d): export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri) export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module) + # there can be an optional CA associated with this role + ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA") + if ca_cert_name: + export(role, "SIGNING_CA_%s_", ca_cert_name) + signing_pkcs11_tool() { pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $* } 
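Review bot: the fallback `or d.getVar("SIGNING_CA")` in the new block means that an unflagged `SIGNING_CA = "..."` in local.conf is exported as the issuer of every role, including the role that holds the root certificate itself, so a chain walk built on these links would not terminate at the root; either use only `d.getVarFlag("SIGNING_CA", role)` here, or document in the class header that the plain variable acts as a default issuer for all roles and must not be set when a root role exists. The comment "there can be an optional CA associated with this role" should also state that the value is the name of another role/cert, not a path or PEM, since the neighbouring exports (`SIGNING_PKCS11_URI_%s_`, `SIGNING_PKCS11_MODULE_%s_`) hand over URIs and module paths and a reader will otherwise assume the same here.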
@@ -145,9 +150,52 @@ signing_import_cert_from_der() { signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } -# signing_import_cert_chain_from_pem +# signing_import_set_ca # +# Link the certificate from to its issuer stored in +# By walking this linked list a CA-chain can later be +# reconstructed from the involed roles. +signing_import_set_ca() { + local cert_name="${1}" + local ca_cert_name="${2}" + echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_ + echo "added link from ${cert_name} to ${ca_cert_name}" +} + +# signing_get_ca +# +# returns the that has been set previously through +# either signing_import_set_ca; +# or a local.conf override SIGNING_CA[role] = ... +# If none was set, the empty string is returned. +signing_get_ca() { + local cert_name="${1}" + + # prefer local configuration + eval local ca="\$SIGNING_CA_${cert_name}_" + if [ -n "$ca" ]; then + echo "$ca" + return + fi + + # fall back to softhsm + eval echo "\$_SIGNING_CA_${cert_name}_" +} + +# signing_has_ca +# +# check if the cert_name links to another cert_name that is its +# certificate authority/issuer. +signing_has_ca() { + local ca_cert_name="$(signing_get_ca ${1})" + + test -n "$ca_cert_name" + return $? +} + +# signing_import_cert_chain_from_pem +# # Import a certificate *chain* from a PEM file to a role. # (e.g. multiple ones concatenated in one file) #
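Review bot: `signing_import_set_ca` splices `${cert_name}` and `${ca_cert_name}` unescaped into a line that is later sourced as shell (`echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_`), and `signing_get_ca` builds variable names with `eval local ca="\$SIGNING_CA_${cert_name}_"`; a name containing a hyphen, space, quote or `$` either corrupts the env file or turns into an eval error, so both arguments should be checked against `[A-Za-z0-9_]` before anything is written, and `cert_name` equal to `ca_cert_name` should be rejected, because a self-link turns the "linked list" the comment describes into a cycle that any later chain reconstruction has to guard against. Smaller points in the same hunk: `$_SIGNING_ENV_FILE_` is unquoted in the redirect, `${1}` is unquoted in `signing_has_ca`, `test -n "$ca_cert_name"; return $?` can simply be `test -n "$ca_cert_name"`, the header comment for `signing_import_set_ca` reads "Link the certificate from to its issuer stored in" with the two argument names missing, and "involed" should be "involved".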
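The commit message describes a linked list from each role to its issuer that is later walked to rebuild the leaf -> intermediate -> root chain. The following is an added example, not code from this patch or from meta-oe, that models the same env-file scheme in plain POSIX sh and adds the walker the message refers to, together with two safeguards the patch does not have: names are validated before they are spliced into shell variable names, and the walk refuses cycles and caps its depth. The function names set_ca/get_ca/has_ca/chain_of and all role names (dev_leaf, product_intermediate, corp_root) are the example's own, constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of meta-oe or this patch. Models the role -> issuer
# links that signing.bbclass stores in its env file and walks them into a chain.
# Role names used here (dev_leaf, product_intermediate, corp_root) are constructed.

_SIGNING_ENV_FILE_="$(mktemp)"
trap 'rm -f "$_SIGNING_ENV_FILE_"' EXIT

# Only [A-Za-z0-9_] is safe, because names end up inside shell variable names.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Record "<cert_name> is issued by <ca_cert_name>" (mirrors signing_import_set_ca),
# refusing unsafe names and self-links, which would make the list a cycle.
set_ca() {
    valid_name "$1" && valid_name "$2" || { echo "set_ca: bad name" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "set_ca: $1 cannot be its own issuer" >&2; return 1; }
    echo "_SIGNING_CA_${1}_=\"${2}\"" >> "$_SIGNING_ENV_FILE_"
}

# Resolve the issuer of <cert_name> (mirrors signing_get_ca): a local override
# SIGNING_CA_<name>_ wins, otherwise the last link recorded in the env file.
get_ca() {
    valid_name "$1" || return 1
    . "$_SIGNING_ENV_FILE_"
    eval "ca=\${SIGNING_CA_${1}_:-}"
    [ -n "$ca" ] || eval "ca=\${_SIGNING_CA_${1}_:-}"
    echo "$ca"
}

# True if <cert_name> links to an issuer (mirrors signing_has_ca).
has_ca() {
    [ -n "$(get_ca "$1")" ]
}

# Walk leaf -> intermediate(s) -> root, one name per line. Stops at the first
# name without an issuer; fails on a repeated name (cycle) or an absurd depth.
chain_of() {
    cur="$1" seen=" " depth=0
    while [ -n "$cur" ]; do
        case "$seen" in
            *" $cur "*) echo "chain_of: cycle at $cur" >&2; return 1 ;;
        esac
        seen="$seen$cur "
        echo "$cur"
        depth=$((depth + 1))
        [ "$depth" -le 16 ] || { echo "chain_of: chain too deep" >&2; return 1; }
        cur="$(get_ca "$cur")" || return 1
    done
}

# Demonstration: a three-level PKI and the chain rebuilt from the leaf.
set_ca dev_leaf product_intermediate
set_ca product_intermediate corp_root
chain_of dev_leaf
```

In the class, the local override comes from `SIGNING_CA[role] = "..."` in local.conf, which the first hunk exports as `SIGNING_CA_<role>_`; in this stand-alone script the same precedence is exercised by setting that variable in the shell before calling get_ca. The cycle and depth checks belong in whatever later code walks the links, since the env file itself cannot prevent two roles from pointing at each other.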