From patchwork Fri Jun 27 05:40:18 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65691
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:18 +0200
Subject: [PATCH meta-oe v3 4/6] signing.bbclass: add signing_get_intermediate_certs
Message-Id: <20250627-signing-set-ca-v3-4-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 27 Jun
2025 05:40:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118132 Add a method that returns a list of intermediary CA roles. When using a complex PKI structure with for example "openssl cms", these roles can then be iterated over adding in turn a '-certificate'. Pseudo-code example: for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do signing_extract_cert_pem $intermediate $intermediate.pem CMD+=" --certificate=$intermediate.pem" done The typical use-case would be adding these intermediate certificates to the CMS structure so that the relying party can build the chain from the signing leaf certificate to the locally stored trusted CA certificate. Reviewed-by: Jan Luebbe Signed-off-by: Johannes Schneider --- meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 2a94f5f5b3..248c6400ed 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs +# +# return a list of role/name intermediary CA certificates for a given +# by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert # # return the role/name of the CA root certificate for a given
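Review bot: the `while signing_has_ca "${cert_name}"` loop in signing_get_intermediate_certs has no termination guard, so a chain in which a role's CA points back at itself or at an earlier role (nothing in this hunk rules that out for what signing_import_set_ca records) spins forever during the build instead of failing. Bound the walk, for example by refusing to append a name that is already in `${intermediary}` and calling bbfatal, or by capping the iteration count at a sane depth. Two smaller points in the same hunk: `signing_get_ca ${cert_name}` is the only unquoted use of the variable and should be quoted like its neighbours, and the header comment has a doubled word in `will not include the the root CA` and drops the object of "for a given" (the role/name, matching the wording of signing_get_root_cert that follows).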
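The chain handling the commit message describes, as an added example that is not part of the patch or of signing.bbclass: a throwaway root -> int1 -> int2 -> leaf PKI is built with openssl, the intermediates are collected by walking issuer names upward in the same loop shape as signing_get_intermediate_certs (PEM files named after the CN stand in for the SoftHSM roles, and a depth guard is added here that the patch does not have), and a CMS signature is verified against the root alone once without and once with those intermediates embedded. It assumes an `openssl` binary on PATH; every name (root, int1, int2, leaf, payload.bin, the helper functions) is made up for the demo, and the intermediates are passed as one concatenated `-certfile` rather than one `--certificate=` per role as in the pseudo-code above.

```shell
#!/bin/sh
# Added example, not code from the signing.bbclass patch. Assumes openssl on
# PATH; all names below are invented for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509v3 extensions for CA and end-entity certificates.
ca_ext()   { printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
leaf_ext() { printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n'; }

# mkcert NAME KIND(ca|leaf) ISSUER(self|NAME): key and cert files named after the CN.
mkcert() {
    name="$1"; kind="$2"; issuer="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ "$kind" = ca ]; then ca_ext > "$name.ext"; else leaf_ext > "$name.ext"; fi
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

# name_of CERT subject|issuer -> the CN only, e.g. "int1".
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=CN=//'; }

# Stand-ins for signing_has_ca / signing_get_ca: a cert "has a CA" unless it is
# self-signed, and its CA is the cert file named after the issuer CN.
has_ca() { [ "$(name_of "$1" subject)" != "$(name_of "$1" issuer)" ]; }
get_ca() { printf '%s.pem\n' "$(name_of "$1" issuer)"; }

# get_intermediates CERT -> space-separated intermediate cert files, leaf side
# first, root excluded. Same loop as the patch plus a depth guard (added here)
# so a broken or cyclic chain fails instead of looping forever.
get_intermediates() {
    cert="$1"; out=""; depth=0
    while has_ca "$cert"; do
        depth=$((depth + 1))
        [ "$depth" -le 8 ] || { echo "chain too deep or cyclic at $cert" >&2; return 1; }
        cert="$(get_ca "$cert")"
        [ -f "$cert" ] || { echo "issuer $cert not available" >&2; return 1; }
        if has_ca "$cert"; then out="$out $cert"; fi
    done
    echo "${out# }"
}

# sign_cms OUT LEAF [EXTRA_PEM]: opaque CMS SignedData over payload.bin; EXTRA_PEM
# is one file holding all intermediates the walk returned.
sign_cms() {
    out="$1"; leaf="$2"; extra="${3:-}"
    if [ -n "$extra" ]; then
        openssl cms -sign -binary -nodetach -in payload.bin -signer "$leaf.pem" \
            -inkey "$leaf.key" -certfile "$extra" -outform PEM -out "$out" 2>/dev/null
    else
        openssl cms -sign -binary -nodetach -in payload.bin -signer "$leaf.pem" \
            -inkey "$leaf.key" -outform PEM -out "$out" 2>/dev/null
    fi
}

# verify_cms FILE -> "ok" or "FAIL"; the relying party trusts only root.pem.
verify_cms() {
    if openssl cms -verify -inform PEM -in "$1" -CAfile root.pem -out /dev/null 2>/dev/null
    then echo ok; else echo FAIL; fi
}

mkcert root ca self
mkcert int1 ca root
mkcert int2 ca int1
mkcert leaf leaf int2
printf 'firmware image bytes (constructed)\n' > payload.bin

INTERMEDIATES="$(get_intermediates leaf.pem)"   # int2.pem int1.pem
cat $INTERMEDIATES > chain.pem                   # word-split on purpose
sign_cms bare.cms leaf
sign_cms chained.cms leaf chain.pem

echo "intermediates: $INTERMEDIATES"
echo "without intermediates: $(verify_cms bare.cms)"
echo "with intermediates:    $(verify_cms chained.cms)"
```

The bare signature fails because the verifier holds only the root and cannot find int2's issuer; embedding the two intermediates lets it build leaf -> int2 -> int1 -> root. Calling get_intermediates on int1.pem or on root.pem yields an empty list, which is the "can potentially be empty" case from the patch's comment.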