From patchwork Wed Jun 18 14:35:04 2025
X-Patchwork-Submitter: Johannes Schneider
X-Patchwork-Id: 65261
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:04 +0200
Subject: [PATCH meta-oe v3 1/6] signing.bbclass: refactor signing_import_cert_from_*
Message-Id: <20250618-signing-set-ca-v3-1-4ba014735f0e@leica-geosystems.com>
References: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Mailer: b4 0.14.2
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117938

Refactor the two methods to import certificates from PEM/DER to be usable
independently from key material that is linked to a role, by having the
import_cert_from methods create a storage location (aka role) in the softhsm
dynamically. This way certificates can - but don't have to - be linked to a
key, or can stand on their own if a chain of certificates from a PKI has to
be managed.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
---
 meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 8af7bbf8e0190767175250aa8132f182a677ce09..c76837115192dc2b26756a47608caf7ecca1f727 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -123,15 +123,26 @@ signing_import_define_role() { echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ } -# signing_import_cert_from_der +# signing_import_cert_from_der # -# Import a certificate from DER file to a role. To be used -# with SoftHSM. +# Import a certificate from DER file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_der() { - local role="${1}" + local cert_name="${1}" local der="${2}" - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } # signing_import_cert_chain_from_pem
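Review bot: `siging_get_uri` in the new guard of `signing_import_cert_from_der` looks misspelled; every other helper in this class is prefixed `signing_`. If no function by that name exists the substitution fails, `uri` stays empty, the assignment's exit status is that of `local` rather than of the failed command, and `signing_import_define_role "$cert_name"` then runs on every import, appending another `_SIGNING_PKCS11_*_` line to `$_SIGNING_ENV_FILE_` even for roles that were already set up, so the "define only if missing" check never skips anything. Suggest `local uri="$(signing_get_uri "${cert_name}")"` with the name quoted, and `whether` in the comment.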
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { done } -# signing_import_cert_from_pem +# signing_import_cert_from_pem # -# Import a certificate from PEM file to a role. To be used -# with SoftHSM. +# Import a certificate from PEM file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_pem() { - local role="${1}" + local cert_name="${1}" local pem="${2}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + openssl x509 \ -in "${pem}" -inform pem -outform der | - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" } # signing_import_pubkey_from_der
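Review bot: the same misspelled `siging_get_uri` call is in `signing_import_cert_from_pem`, with the same consequence: the guard can never see an existing role, so `signing_import_define_role` is re-run on every import. The define-if-missing block is now duplicated verbatim in both import functions; factor it into one helper (a `signing_import_define_role_if_missing "${cert_name}"` or similar) so the fix lands in one place, quote `$cert_name` in the substitution, and fix `wether` in the comment.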
From patchwork Wed Jun 18 14:35:05 2025
X-Patchwork-Submitter: Johannes Schneider
X-Patchwork-Id: 65263
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:05 +0200
Subject: [PATCH meta-oe v3 2/6] signing.bbclass: add set|get|has_ca functions
Message-Id: <20250618-signing-set-ca-v3-2-4ba014735f0e@leica-geosystems.com>
References: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Mailer: b4 0.14.2
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117937

Add a mechanism to establish a (metadata) link between roles and signer
certificates, in the form of a new 'ca' variable. It must point from one role
or cert to the signer certificate to preserve the leaf->intermediary->root
certificate relation.

With this additional mechanism, it would now be possible to import a complex
PKI tree of certificates and then later, during usage of one role, reconstruct
the certificate chain from the leaf, through multiple intermediaries, and up
to the root certificate.

Signed-off-by: Johannes Schneider
Reviewed-by: Jan Luebbe
---
 meta-oe/classes/signing.bbclass | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index c76837115192dc2b26756a47608caf7ecca1f727..04bd92bc033e8854eac245e399126554dbaa2fea 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -87,6 +87,11 @@ def signing_class_prepare(d): export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri) export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module) + # there can be an optional CA associated with this role + ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA") + if ca_cert_name: + export(role, "SIGNING_CA_%s_", ca_cert_name) + signing_pkcs11_tool() { pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $* }
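Review bot: the `or d.getVar("SIGNING_CA")` fallback attaches the same issuer to every role that has no `SIGNING_CA[role]` flag, including roles whose real issuer is a different certificate, and on the shell side the exported `SIGNING_CA_<role>_` wins over the link recorded at import time, so one unflagged `SIGNING_CA` in local.conf silently rewrites every chain. A CA link is a per-certificate leaf-to-issuer relation; either drop the unflagged fallback or say in the comment that it overrides `signing_import_set_ca` for all roles.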
@@ -145,9 +150,52 @@ signing_import_cert_from_der() { signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } -# signing_import_cert_chain_from_pem +# signing_import_set_ca # +# Link the certificate from to its issuer stored in +# By walking this linked list a CA-chain can later be +# reconstructed from the involed roles. +signing_import_set_ca() { + local cert_name="${1}" + local ca_cert_name="${2}" + echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_ + echo "added link from ${cert_name} to ${ca_cert_name}" +} + +# signing_get_ca +# +# returns the that has been set previously through +# either signing_import_set_ca; +# or a local.conf override SIGNING_CA[role] = ... +# If none was set, the empty string is returned. +signing_get_ca() { + local cert_name="${1}" + + # prefer local configuration + eval local ca="\$SIGNING_CA_${cert_name}_" + if [ -n "$ca" ]; then + echo "$ca" + return + fi + + # fall back to softhsm + eval echo "\$_SIGNING_CA_${cert_name}_" +} + +# signing_has_ca +# +# check if the cert_name links to another cert_name that is its +# certificate authority/issuer. +signing_has_ca() { + local ca_cert_name="$(signing_get_ca ${1})" + + test -n "$ca_cert_name" + return $? +} + +# signing_import_cert_chain_from_pem +# # Import a certificate *chain* from a PEM file to a role. # (e.g. multiple ones concatenated in one file) #
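Review bot: `signing_import_set_ca` records the link without checking that `ca_cert_name` names anything that exists; the import functions in 1/6 probe with `signing_get_uri` before defining a role, and the same probe (or at least a non-empty check) belongs here, otherwise a typo in the issuer name is only noticed when someone walks the chain and it ends at an unknown name. Two smaller points in `signing_get_ca`: the "fall back to softhsm" comment is misleading, since the fallback value is the `_SIGNING_CA_<name>_` line appended to `$_SIGNING_ENV_FILE_` by `signing_import_set_ca` and nothing stored in SoftHSM; and both `eval` lines splice `${cert_name}` unquoted into shell source, so a name that is not a plain identifier is executed rather than looked up. `involed` in the header comment should be `involved`, and `test -n "$ca_cert_name"` already yields the function's status, so the `return $?` can go.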
From patchwork Wed Jun 18 14:35:06 2025
X-Patchwork-Submitter: Johannes Schneider
X-Patchwork-Id: 65264
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:06 +0200
Subject: [PATCH meta-oe v3 3/6] signing.bbclass: add get_root_cert
Message-Id: <20250618-signing-set-ca-v3-3-4ba014735f0e@leica-geosystems.com>
References: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Mailer: b4 0.14.2
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117940

Add a helper method to retrieve the root CA certificate for a given role, by
walking the chain that has been set up with signing_import_set_ca up to the
last element - which is the root.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
---
 meta-oe/classes/signing.bbclass | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 04bd92bc033e8854eac245e399126554dbaa2fea..2a94f5f5b376f99f521494239f7158662df4a3c6 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -194,6 +194,22 @@ signing_has_ca() { return $? } +# signing_get_root_cert +# +# return the role/name of the CA root certificate for a given +# , by walking the chain setup with signing_import_set_ca +# all the way to the last in line that doesn't have a CA set - which +# would be the root. +# +# To be used with SoftHSM. +signing_get_root_cert() { + local cert_name="${1}" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + done + echo "${cert_name}" +} + # signing_import_cert_chain_from_pem # # Import a certificate *chain* from a PEM file to a role.
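Review bot: `signing_get_root_cert` never terminates if the links form a cycle, which is one `signing_import_set_ca root root` (or a `SIGNING_CA[root]` in local.conf pointing back down the chain) away, and a self-signed root is exactly where someone might think a link "to itself" is right. Track the names already visited, or cap the walk at a small depth, and `bbfatal` on a repeat rather than spinning inside the task. The "To be used with SoftHSM." line in the header comment does not apply here: the function only reads the `_SIGNING_CA_*_` variables from the env file and never touches the token. Quote the argument in `signing_get_ca "${cert_name}"` while at it.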
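The leaf-to-root walk that the 2/6 and 3/6 commit messages describe, as an added example that is not code from signing.bbclass or meta-oe: a POSIX sh script that sources a constructed env file in the `_SIGNING_CA_<name>_="<issuer>"` format `signing_import_set_ca` writes, resolves each link with the same precedence as `signing_get_ca` (an exported `SIGNING_CA_<name>_` override first), and prints the ordered chain and its root. The names leaf/inter/root, the temporary file and the `example_*` function names are assumptions for the demonstration. It goes one step beyond the class: it refuses to walk a cycle and rejects names that are not plain identifiers before splicing them into `eval`.

```shell
#!/bin/sh
# Added example, not code from meta-oe's signing.bbclass. It walks the
# leaf -> issuer links that signing_import_set_ca records as lines of the
# form _SIGNING_CA_<name>_="<issuer>" in $_SIGNING_ENV_FILE_ and prints the
# whole chain in leaf, intermediate(s), root order. Unlike the class's
# signing_get_root_cert it stops with an error when the links form a cycle.
# The env file contents and the names leaf/inter/root are constructed here.

EXAMPLE_ENV_FILE="${TMPDIR:-/tmp}/signing-ca-example.$$"
cat > "$EXAMPLE_ENV_FILE" <<'EOF'
_SIGNING_CA_leaf_="inter"
_SIGNING_CA_inter_="root"
EOF
. "$EXAMPLE_ENV_FILE"
rm -f "$EXAMPLE_ENV_FILE"

# Same lookup order as signing_get_ca: an unprefixed SIGNING_CA_<name>_
# (the local.conf override exported by signing_class_prepare) wins over the
# _SIGNING_CA_<name>_ value written at import time. The name is spliced into
# an eval, so only identifier characters are accepted.
example_get_ca() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) echo "invalid cert name: '$1'" >&2; return 1 ;;
    esac
    eval "_ca=\"\${SIGNING_CA_${1}_:-\${_SIGNING_CA_${1}_:-}}\""
    printf '%s\n' "$_ca"
}

# Print the chain starting at $1, space separated, leaf first.
# Returns 1 (instead of looping forever) if a name is visited twice.
example_cert_chain() {
    _name="$1" _seen=" " _chain=""
    while [ -n "$_name" ]; do
        case "$_seen" in
            *" $_name "*) echo "CA links form a cycle at '$_name'" >&2; return 1 ;;
        esac
        _seen="$_seen$_name "
        _chain="${_chain:+$_chain }$_name"
        _name="$(example_get_ca "$_name")" || return 1
    done
    printf '%s\n' "$_chain"
}

# Last element of the chain: the root, as signing_get_root_cert returns it.
example_root_cert() {
    _chain="$(example_cert_chain "$1")" || return 1
    printf '%s\n' "${_chain##* }"
}

example_cert_chain leaf    # leaf inter root
example_root_cert leaf     # root
```

With the ordered names in hand, the certificate objects themselves can be read back from the token one at a time with `signing_pkcs11_tool --read-object --type cert --label <name>` and concatenated in that order into a bundle for whatever consumer needs the full chain.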
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:07 +0200
Subject: [PATCH meta-oe v3 4/6] signing.bbclass: add signing_get_intermediate_certs
Message-Id: <20250618-signing-set-ca-v3-4-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117939

Add a method that returns a list of intermediary CA roles. When using a complex PKI structure with, for example, "openssl cms", these roles can then be iterated over, adding a '-certificate' in turn.

Pseudo-code example:

    for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
        signing_extract_cert_pem $intermediate $intermediate.pem
        CMD+=" --certificate=$intermediate.pem"
    done

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
--- meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 2a94f5f5b376f99f521494239f7158662df4a3c6..248c6400ed720e7131e618322314be9bb24a760e 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass
@@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs +# +# return a list of role/name intermediary CA certificates for a given +# by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert # # return the role/name of the CA root certificate for a given
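Review bot: `intermediary="${intermediary} ${cert_name}"` always prepends a separator, so the echoed list starts with a space; `intermediary="${intermediary:+${intermediary} }${cert_name}"` gives a clean list, which matters for a caller that compares the result against an empty string rather than word-splitting it in a `for` loop. The unbounded walk has the same cycle problem as signing_get_root_cert, the doc comment doubles a word in "will not include the the root CA", and it would help to state the order of the returned roles (the given role's own CA first, the one below the root last), since callers building `openssl cms` certificate options depend on it.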
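The chain walk that signing_get_root_cert (patch 3/6) and signing_get_intermediate_certs (this patch) perform, as an added stand-alone shell example that is not part of the patch series: the CA links are a constructed in-memory table standing in for what signing_import_set_ca records, `mock_has_ca`/`mock_get_ca` are stand-ins for the class's signing_has_ca/signing_get_ca, and the walkers add a depth bound (16 is an arbitrary choice) so a mis-linked cycle fails instead of hanging.

```shell
#!/bin/sh
# Constructed CA-link table: "role:ca_role", one pair per line. In the real
# class these links are what signing_import_set_ca records; here they are
# sample data, including a deliberately cyclic pair (loopA <-> loopB).
CA_LINKS='
leaf:intermediate2
intermediate2:intermediate1
intermediate1:root
loopA:loopB
loopB:loopA
'

# Maximum chain length accepted before giving up (arbitrary bound).
MAX_CHAIN_DEPTH=16

# Stand-in for signing_has_ca: success if the role has a CA link.
mock_has_ca() {
    printf '%s\n' "$CA_LINKS" | grep -q "^${1}:"
}

# Stand-in for signing_get_ca: print the CA role linked to the given role.
mock_get_ca() {
    printf '%s\n' "$CA_LINKS" | sed -n "s/^${1}:\(.*\)$/\1/p"
}

# Walk from a role to the last link in the chain (the root) and print it.
# Returns 1 without printing if the chain exceeds MAX_CHAIN_DEPTH links,
# which is what a mis-configured cycle looks like from the outside.
walk_root_cert() {
    cert_name="$1"
    depth=0
    while mock_has_ca "$cert_name"; do
        cert_name="$(mock_get_ca "$cert_name")"
        depth=$((depth + 1))
        if [ "$depth" -gt "$MAX_CHAIN_DEPTH" ]; then
            echo "CA chain from '$1' exceeds $MAX_CHAIN_DEPTH links, cycle?" >&2
            return 1
        fi
    done
    printf '%s\n' "$cert_name"
}

# Print the intermediate CA roles between a role and the root, nearest
# first, without a leading separator; empty when the role is signed by
# the root directly or is the root itself. Same cycle guard as above.
walk_intermediate_certs() {
    cert_name="$1"
    intermediary=""
    depth=0
    while mock_has_ca "$cert_name"; do
        cert_name="$(mock_get_ca "$cert_name")"
        depth=$((depth + 1))
        if [ "$depth" -gt "$MAX_CHAIN_DEPTH" ]; then
            echo "CA chain from '$1' exceeds $MAX_CHAIN_DEPTH links, cycle?" >&2
            return 1
        fi
        # A CA that itself has a CA is an intermediate; the last one is root.
        if mock_has_ca "$cert_name"; then
            intermediary="${intermediary:+${intermediary} }${cert_name}"
        fi
    done
    printf '%s\n' "$intermediary"
}
```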
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:08 +0200
Subject: [PATCH meta-oe v3 5/6] signing.bbclass: add signing_extract_cert helpers
Message-Id: <20250618-signing-set-ca-v3-5-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117941

Add extract-cert wrapping helper functions, to easily extract certificates again that had previously been imported into the softhsm.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
--- meta-oe/classes/signing.bbclass | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 248c6400ed720e7131e618322314be9bb24a760e..6fde22bf22ace34ba720d7564caba176f4de4d39 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -54,7 +54,7 @@ SIGNING_PKCS11_URI ?= "" SIGNING_PKCS11_MODULE ?= "" -DEPENDS += "softhsm-native libp11-native opensc-native openssl-native" +DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native" def signing_class_prepare(d): import os.path
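Review bot: the extended `DEPENDS` line makes every recipe that inherits signing.bbclass build extract-cert-native, including recipes that never call the new signing_extract_cert_* helpers; the commit message should say which layer provides that recipe so users of the class know what it now requires, and note that the dependency is the price of the extract helpers rather than of signing itself.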
@@ -453,6 +453,30 @@ signing_get_module() { fi } +# signing_extract_cert_der +# +# Export a certificate attached to a role into a DER file. +# To be used with SoftHSM. +signing_extract_cert_der() { + local role="${1}" + local output="${2}" + + extract-cert "$(signing_get_uri $role)" "${output}" +} + +# signing_extract_cert_pem +# +# Export a certificate attached to a role into a PEM file. +# To be used with SoftHSM. +signing_extract_cert_pem() { + local role="${1}" + local output="${2}" + + extract-cert "$(signing_get_uri $role)" "${output}.tmp-der" + openssl x509 -inform der -in "${output}.tmp-der" -out "${output}" + rm "${output}.tmp-der" +} + python () { signing_class_prepare(d) }
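Review bot: the three steps of signing_extract_cert_pem are independent statements, so unless the calling task runs with `set -e` a failing `extract-cert` is followed by `openssl x509` reading a missing "${output}.tmp-der", and in either case a failed conversion leaves the temp file behind; chaining them (`extract-cert ... && openssl x509 ...`, then `rm -f "${output}.tmp-der"` regardless) or calling signing_extract_cert_der for the first step would keep the DER extraction in one place and make the cleanup reliable. `$role` in `signing_get_uri $role` should also be quoted like the other variables in these functions.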
From: Johannes Schneider
Date: Wed, 18 Jun 2025 16:35:09 +0200
Subject: [PATCH meta-oe v3 6/6] signing.bbclass: remove signing_import_cert_chain_from_pem
Message-Id: <20250618-signing-set-ca-v3-6-4ba014735f0e@leica-geosystems.com>
In-Reply-To: <20250618-signing-set-ca-v3-0-4ba014735f0e@leica-geosystems.com>
To: openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/117942

With the now available set|get|has_ca functions to establish a CA link between roles during their import, the signing_import_cert_chain_from_pem can now be removed, as it had the shortcoming of dynamically creating roles, which are harder to handle than the manually/specifically set up CA roles.

This effectively reverts:
a825b853634 signing.bbclass: add certificate ca-chain handling

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
--- meta-oe/classes/signing.bbclass | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 6fde22bf22ace34ba720d7564caba176f4de4d39..5068360ca74d766c5d28da12219840bb560164a1 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -231,35 +231,6 @@ signing_get_root_cert() { echo "${cert_name}" } -# signing_import_cert_chain_from_pem -# -# Import a certificate *chain* from a PEM file to a role. -# (e.g. multiple ones concatenated in one file) -# -# Due to limitations in the toolchain: -# signing class -> softhsm -> 'extract-cert' -# the input certificate is split into a sequentially numbered list of roles, -# starting at _1 -# -# (The limitations are the conversion step from x509 to a plain .der, and -# extract-cert expecting a x509 and then producing only plain .der again) -signing_import_cert_chain_from_pem() { - local role="${1}" - local pem="${2}" - local i=1 - - cat "${pem}" | \ - while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do - signing_import_define_role "${role}_${i}" - signing_pkcs11_tool --type cert \ - --write-object ${B}/temp_${i}.der \ - --label "${role}_${i}" - rm ${B}/temp_${i}.der - echo "imported ${pem} under role: ${role}_${i}" - i=$(awk "BEGIN {print $i+1}") - done -} - # signing_import_cert_from_pem # # Import a certificate from PEM file to a cert_name.
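Review bot: this deletes a public class helper with no deprecation step, so any out-of-tree recipe still calling signing_import_cert_chain_from_pem fails at build time with an unhelpful "command not found"; the commit message names the reverted commit but not the migration path (import each certificate of the chain as its own role and link them with signing_import_set_ca). Stating that in the commit message, or leaving a stub that ends in `bbfatal` pointing at signing_import_set_ca for one release, would make the removal discoverable.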