From: Johannes Schneider
Date: Fri, 27 Jun 2025 14:18:20 +0200
Subject: [PATCH meta-oe v4 4/6] signing.bbclass: add signing_get_intermediate_certs
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118152

Add a method that returns a list of intermediary CA roles.

When using a complex PKI structure with for example "openssl cms", these roles can then be iterated over adding in turn a '-certificate'.

Pseudo-code example:

    for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
        signing_extract_cert_pem $intermediate $intermediate.pem
        CMD+=" --certificate=$intermediate.pem"
    done

The typical use-case would be adding these intermediate certificates to the CMS structure so that the relying party can build the chain from the signing leaf certificate to the locally stored trusted CA certificate.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
--- meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 2a94f5f5b3..248c6400ed 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs +# +# return a list of role/name intermediary CA certificates for a given +# by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert # # return the role/name of the CA root certificate for a given
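
Review bot: In the loop body of signing_get_intermediate_certs, `cert_name="$(signing_get_ca ${cert_name})"` passes `${cert_name}` unquoted while every other use in the function is quoted; writing it as `"$(signing_get_ca "${cert_name}")"` keeps a role name from being word-split or globbed before the lookup. The `while signing_has_ca "${cert_name}"` walk also has no bound, so a CA relation set up through signing_import_set_ca that points back at an earlier role would loop forever; a depth limit or a check against the roles already collected would turn that into a visible failure. In the comment block, "for a given" is missing its object (the role argument) and "the the root CA" has a doubled word. It would also help to document that the result is space-separated with a leading space and ordered from the leaf's issuer toward the root, since callers iterate over it unquoted.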