From patchwork Fri Jun 27 05:40:15 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65695
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:15 +0200
Subject: [PATCH meta-oe v3 1/6] signing.bbclass: refactor signing_import_cert_from_*
Message-Id: <20250627-signing-set-ca-v3-1-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118134

Refactor the two methods to import certificates from PEM/DER to be usable independently from key material that is linked to a role, by having the import_cert_from methods create a storage location (aka role) in the softhsm dynamically. This way certificates can - but don't have to - be linked to a key, or can stand on their own if a chain of certificates from a PKI has to be managed.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider

--- meta-oe/classes/signing.bbclass | 42 +++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 8af7bbf8e0..c768371151 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -123,15 +123,26 @@ signing_import_define_role() { echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_ } -# signing_import_cert_from_der +# signing_import_cert_from_der # -# Import a certificate from DER file to a role. To be used -# with SoftHSM. +# Import a certificate from DER file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_der() { - local role="${1}" + local cert_name="${1}" local der="${2}" - signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + + signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } # signing_import_cert_chain_from_pem
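Review bot: the new guard in signing_import_cert_from_der calls `siging_get_uri`, which is misspelled: every other helper in this class carries the `signing_` prefix (`signing_import_define_role`, `signing_pkcs11_tool`), and nothing in the class suggests a function spelled `siging_get_uri` exists. As written the command substitution fails, `uri` is always empty, and `signing_import_define_role "$cert_name"` runs on every import, so a cert_name that is already a defined role gets another `_SIGNING_PKCS11_MODULE_${role}_="softhsm"` line (and whatever else define_role writes) appended to `$_SIGNING_ENV_FILE_`. Correct the name to `signing_get_uri`, and quote the argument, `local uri="$(signing_get_uri "${cert_name}")"`, since `$cert_name` is the only unquoted expansion in the function and `local` does not protect it from field splitting in dash. While here, "wether" in the comment should read "whether".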
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() { done } -# signing_import_cert_from_pem +# signing_import_cert_from_pem # -# Import a certificate from PEM file to a role. To be used -# with SoftHSM. +# Import a certificate from PEM file to a cert_name. +# Where the can either be a previously setup +# signing_import_define_role linking the certificate to a signing key, +# or a new identifier when dealing with a standalone certificate. +# +# To be used with SoftHSM. signing_import_cert_from_pem() { - local role="${1}" + local cert_name="${1}" local pem="${2}" + # check wether the cert_name/role needs to be defined first, + # or do so otherwise + local uri=$(siging_get_uri $cert_name) + if [ -z "$uri" ]; then + signing_import_define_role "$cert_name" + fi + openssl x509 \ -in "${pem}" -inform pem -outform der | - signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}" + signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}" } # signing_import_pubkey_from_der

From patchwork Fri Jun 27 05:40:16 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65694
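Review bot: the PEM hunk repeats the defect of the DER hunk: `local uri=$(siging_get_uri $cert_name)` calls a misspelled function, so the "needs to be defined first" check never sees an existing role and `signing_import_define_role` runs for every PEM import. Fix it to `signing_get_uri` and quote `"${cert_name}"`. The five-line define-if-missing block is now copied verbatim into both import functions; factoring it into one helper (something like `signing_import_define_role_if_missing`, name is only a suggestion) keeps the two from drifting apart, and gives the "wether" typo a single place to be corrected.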
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:16 +0200
Subject: [PATCH meta-oe v3 2/6] signing.bbclass: add set|get|has_ca functions
Message-Id: <20250627-signing-set-ca-v3-2-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118136

Add a mechanism to establish a (metadata) link between roles and signer certificates, in the form of a new 'ca' variable. It must point from one role or cert to the signer certificate to preserve the leaf->intermediary->root certificate relation. With this additional mechanism, it would now be possible to import a complex PKI tree of certificates and then later, during usage of one role, reconstruct the certificate chain from the leaf, through multiple intermediaries, and up to the root certificate.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider

--- meta-oe/classes/signing.bbclass | 50 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index c768371151..04bd92bc03 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass @@ -87,6 +87,11 @@ def signing_class_prepare(d): export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri) export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module) + # there can be an optional CA associated with this role + ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA") + if ca_cert_name: + export(role, "SIGNING_CA_%s_", ca_cert_name) + signing_pkcs11_tool() { pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $* }
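Review bot: `d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA")` silently applies an unflagged `SIGNING_CA` to every role, so a stray `SIGNING_CA = "..."` in local.conf links all roles to the same issuer, while the comment above it only speaks of "an optional CA associated with this role" and the later doc comment only mentions `SIGNING_CA[role] = ...`. Either drop the global fallback or document it as a default next to the other SIGNING_* variables. A one-line comment that this Python path exports `SIGNING_CA_%s_` (no leading underscore) whereas the shell helpers write `_SIGNING_CA_%s_` to the env file, and that `signing_get_ca` relies on that difference to prefer the local.conf value, would save the next reader a search.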
@@ -145,9 +150,52 @@ signing_import_cert_from_der() { signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" } -# signing_import_cert_chain_from_pem +# signing_import_set_ca # +# Link the certificate from to its issuer stored in +# By walking this linked list a CA-chain can later be +# reconstructed from the involed roles. +signing_import_set_ca() { + local cert_name="${1}" + local ca_cert_name="${2}" + echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_ + echo "added link from ${cert_name} to ${ca_cert_name}" +} + +# signing_get_ca +# +# returns the that has been set previously through +# either signing_import_set_ca; +# or a local.conf override SIGNING_CA[role] = ... +# If none was set, the empty string is returned. +signing_get_ca() { + local cert_name="${1}" + + # prefer local configuration + eval local ca="\$SIGNING_CA_${cert_name}_" + if [ -n "$ca" ]; then + echo "$ca" + return + fi + + # fall back to softhsm + eval echo "\$_SIGNING_CA_${cert_name}_" +} + +# signing_has_ca +# +# check if the cert_name links to another cert_name that is its +# certificate authority/issuer. +signing_has_ca() { + local ca_cert_name="$(signing_get_ca ${1})" + + test -n "$ca_cert_name" + return $? +} + +# signing_import_cert_chain_from_pem +# # Import a certificate *chain* from a PEM file to a role. # (e.g. 
multiple ones concatenated in one file) #

From patchwork Fri Jun 27 05:40:17 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65692
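Review bot: `signing_import_set_ca` writes `_SIGNING_CA_${cert_name}_="${ca_cert_name}"` to `$_SIGNING_ENV_FILE_` and `signing_get_ca` runs `eval local ca="\$SIGNING_CA_${cert_name}_"` without checking that either name is a defined role or even a plain identifier; a name containing a quote, `$` or `;` becomes shell when the `eval` runs, or when the env file is sourced, as its `NAME="value"` line format suggests it is. Validate both arguments (restrict them to `[A-Za-z0-9_]`, and at least warn when `ca_cert_name` has no role yet) before writing the link. Two smaller points: the "fall back to softhsm" comment is misleading, since the fallback reads `_SIGNING_CA_*_` from the env file and never touches SoftHSM; and nothing stops `set_ca a b` followed by `set_ca b a`, which matters for any caller that walks these links. In `signing_has_ca` the trailing `return $?` is redundant, the status of `test` already propagates.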
From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:17 +0200
Subject: [PATCH meta-oe v3 3/6] signing.bbclass: add get_root_cert
Message-Id: <20250627-signing-set-ca-v3-3-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Mailer: b4 0.13.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118138

Add a helper method to retrieve the root CA certificate for a given role, by walking the chain that has been set up with signing_import_set_ca up to the last element - which is the root.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider

--- meta-oe/classes/signing.bbclass | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass index 04bd92bc03..2a94f5f5b3 100644 --- meta-oe/classes/signing.bbclass +++ meta-oe/classes/signing.bbclass
@@ -194,6 +194,22 @@ signing_has_ca() { return $? } +# signing_get_root_cert +# +# return the role/name of the CA root certificate for a given +# , by walking the chain setup with signing_import_set_ca +# all the way to the last in line that doesn't have a CA set - which +# would be the root. +# +# To be used with SoftHSM. signing_get_root_cert() { + local cert_name="${1}" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + done + echo "${cert_name}" +} + # signing_import_cert_chain_from_pem # # Import a certificate *chain* from a PEM file to a role.

From patchwork Fri Jun 27 05:40:18 2025
X-Patchwork-Submitter: SCHNEIDER Johannes
X-Patchwork-Id: 65691
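Review bot: `while signing_has_ca "${cert_name}"; do cert_name="$(signing_get_ca ${cert_name})"; done` has no termination guard other than reaching a name without a CA, so a cycle in the `_SIGNING_CA_*_` links (two roles pointing at each other, or a `SIGNING_CA[role]` override that points back down the chain) makes the task spin forever instead of failing. Bound the walk with a hop counter or a list of names already visited and abort with an error when it trips. Also quote `"${cert_name}"` in the `signing_get_ca` call the way the `while` line does, and drop "To be used with SoftHSM." from the header comment: the function only reads variables written by `signing_import_set_ca` or set via `SIGNING_CA[role]` and never touches the token.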

From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:18 +0200
Subject: [PATCH meta-oe v3 4/6] signing.bbclass: add signing_get_intermediate_certs
Message-Id: <20250627-signing-set-ca-v3-4-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118132

Add a method that returns a list of intermediary CA roles. When using a complex PKI structure with for example "openssl cms", these roles can then be iterated over, adding in turn a '-certificate'.

Pseudo-code example:

    for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
        signing_extract_cert_pem $intermediate $intermediate.pem
        CMD+=" --certificate=$intermediate.pem"
    done

The typical use-case would be adding these intermediate certificates to the CMS structure so that the relying party can build the chain from the signing leaf certificate to the locally stored trusted CA certificate.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
---
 meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass
index 2a94f5f5b3..248c6400ed 100644
--- meta-oe/classes/signing.bbclass
+++ meta-oe/classes/signing.bbclass
@@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs +# +# return a list of role/name intermediary CA certificates for a given +# by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert # # return the role/name of the CA root certificate for a given
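Review bot: signing_get_intermediate_certs inherits the unbounded walk of signing_get_root_cert: on a cyclic CA setup the `while` never exits and `intermediary` grows without limit, so the same visited-set or depth guard is needed here. The body also calls `signing_has_ca` twice per step; recording every role the walk passes through and dropping only the last one (the root) yields the same list with one lookup per role, and trimming the leading space that `intermediary="${intermediary} ${cert_name}"` leaves on the result makes it friendlier for callers that test for an empty list. Minor: `$(signing_get_ca ${cert_name})` is again unquoted, and the comment has "the the root CA" and "for a given by walking" with the parameter name missing.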
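The chain walk that signing_get_root_cert (patch 3/6) and signing_get_intermediate_certs (this patch) perform, together with the per-intermediate loop the commit message sketches, as an added example that is not part of the series or of meta-oe: the class's signing_has_ca/signing_get_ca token lookups are replaced by stand-ins over a constructed role table (demo_get_ca, demo_has_ca, the role names and the <role>.pem layout are all assumptions, and the `--certificate=` form is copied from the pseudo-code, not from any particular tool), and the walk adds a visited-set and depth guard so a cyclic CA setup fails instead of looping.

```shell
#!/bin/sh
# Added example, not part of the signing.bbclass patches: the CA-chain walk
# behind signing_get_root_cert / signing_get_intermediate_certs, run against
# a constructed role->CA map instead of a SoftHSM token, with a guard that
# turns a cyclic or over-long chain into an error instead of an endless loop.

# Stand-in for signing_get_ca (assumption: the class's own function queries
# the token; this one answers from a fixed table). Constructed chain:
#   device-leaf -> device-issuing-ca -> corp-intermediate-ca -> corp-root-ca
# corp-root-ca has no CA entry; loop-a/loop-b form a deliberate cycle.
demo_get_ca() {
    case "$1" in
        device-leaf)          echo "device-issuing-ca" ;;
        device-issuing-ca)    echo "corp-intermediate-ca" ;;
        corp-intermediate-ca) echo "corp-root-ca" ;;
        loop-a)               echo "loop-b" ;;
        loop-b)               echo "loop-a" ;;
        *)                    return 1 ;;
    esac
}

# Stand-in for signing_has_ca: true when the role has a CA link.
demo_has_ca() {
    demo_get_ca "$1" >/dev/null 2>&1
}

# Walk from a role towards the root. Prints every role after the start role,
# space separated, the root last. Returns 1 when a role repeats (cycle) or the
# chain exceeds DEMO_MAX_DEPTH links, so a mis-configured PKI fails loudly.
DEMO_MAX_DEPTH=16
demo_walk_chain() {
    role="$1"
    seen=" $role "
    depth=0
    chain=""
    while demo_has_ca "$role"; do
        role="$(demo_get_ca "$role")"
        case "$seen" in
            *" $role "*)
                echo "demo_walk_chain: CA cycle at '$role'" >&2
                return 1 ;;
        esac
        seen="$seen$role "
        depth=$((depth + 1))
        if [ "$depth" -gt "$DEMO_MAX_DEPTH" ]; then
            echo "demo_walk_chain: chain longer than $DEMO_MAX_DEPTH" >&2
            return 1
        fi
        chain="$chain$role "
    done
    echo "$chain"
}

# Root CA: the last role of the walk, or the role itself if it has no CA.
demo_get_root_cert() {
    walk="$(demo_walk_chain "$1")" || return 1
    root="$1"
    for r in $walk; do root="$r"; done
    echo "$root"
}

# Intermediate CAs: the walk minus its last element (the root); may be empty.
demo_get_intermediate_certs() {
    walk="$(demo_walk_chain "$1")" || return 1
    out=""
    prev=""
    for r in $walk; do
        if [ -n "$prev" ]; then out="$out$prev "; fi
        prev="$r"
    done
    echo "${out% }"
}

# The loop from the commit message's pseudo-code: one argument per
# intermediate, with an assumed <role>.pem file layout.
demo_chain_args() {
    args=""
    for i in $(demo_get_intermediate_certs "$1"); do
        args="$args --certificate=$i.pem"
    done
    echo "${args# }"
}

echo "root of device-leaf: $(demo_get_root_cert device-leaf)"
echo "intermediates: $(demo_get_intermediate_certs device-leaf)"
echo "args: $(demo_chain_args device-leaf)"
demo_get_root_cert loop-a || echo "loop-a rejected as expected"
```

The visited-set check is what the class's versions lack: with it, `demo_get_root_cert loop-a` returns non-zero and prints the offending role, while the normal chain yields `corp-root-ca` as root and the two issuing CAs as intermediates in leaf-to-root order.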

From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:19 +0200
Subject: [PATCH meta-oe v3 5/6] signing.bbclass: add signing_extract_cert helpers
Message-Id: <20250627-signing-set-ca-v3-5-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118135

Add extract-cert wrapping helper functions, to easily extract certificates again that had been previously imported into the softhsm.

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
---
 meta-oe/classes/signing.bbclass | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass
index 248c6400ed..6fde22bf22 100644
--- meta-oe/classes/signing.bbclass
+++ meta-oe/classes/signing.bbclass
@@ -54,7 +54,7 @@ SIGNING_PKCS11_URI ?= "" SIGNING_PKCS11_MODULE ?= "" -DEPENDS += "softhsm-native libp11-native opensc-native openssl-native" +DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native" def signing_class_prepare(d): import os.path
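Review bot: Adding extract-cert-native to the class-wide `DEPENDS` makes every recipe that inherits signing.bbclass build extract-cert-native, including recipes that only import keys and never call the new signing_extract_cert_* helpers; if that cost matters for the class's users, consider documenting the dependency next to the helpers as their requirement rather than the class's, and in any case a sentence in the commit message saying why the new native dependency is needed (the helpers wrap the `extract-cert` binary) would help readers of the log.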
@@ -453,6 +453,30 @@ signing_get_module() { fi } +# signing_extract_cert_der +# +# Export a certificate attached to a role into a DER file. +# To be used with SoftHSM. +signing_extract_cert_der() { + local role="${1}" + local output="${2}" + + extract-cert "$(signing_get_uri $role)" "${output}" +} + +# signing_extract_cert_pem +# +# Export a certificate attached to a role into a PEM file. +# To be used with SoftHSM. +signing_extract_cert_pem() { + local role="${1}" + local output="${2}" + + extract-cert "$(signing_get_uri $role)" "${output}.tmp-der" + openssl x509 -inform der -in "${output}.tmp-der" -out "${output}" + rm "${output}.tmp-der" +} + python () { signing_class_prepare(d) }
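Review bot: signing_extract_cert_pem runs `extract-cert`, `openssl x509` and `rm` as three independent commands, so when `extract-cert` fails the conversion still runs on a missing or truncated `${output}.tmp-der` and the error the user sees comes from openssl rather than from the step that actually failed; chaining the steps, or calling the new signing_extract_cert_der for the first one (`signing_extract_cert_der "${role}" "${output}.tmp-der" || return 1`), keeps a single code path for the token access and reports the real failure, and the temporary file should then be removed on the error path as well. Both helpers also pass `$role` unquoted inside `$(signing_get_uri $role)`, unlike the quoted `"${output}"` beside it; quote it.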

From: Johannes Schneider
Date: Fri, 27 Jun 2025 07:40:20 +0200
Subject: [PATCH meta-oe v3 6/6] signing.bbclass: remove signing_import_cert_chain_from_pem
Message-Id: <20250627-signing-set-ca-v3-6-030812797c6a@leica-geosystems.com>
References: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
In-Reply-To: <20250627-signing-set-ca-v3-0-030812797c6a@leica-geosystems.com>
To: jlu@pengutronix.de
Cc: bsp-development.geo@leica-geosystems.com, openembedded-devel@lists.openembedded.org, raj.khem@gmail.com, Johannes Schneider
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/118137

With the now available set|get|has_ca functions to establish a CA link between roles during their import, the signing_import_cert_chain_from_pem can now be removed, as it had the shortcoming of dynamically creating roles, which are harder to handle than the manually/specifically set up CA roles.

This effectively reverts:
a825b853634 signing.bbclass: add certificate ca-chain handling

Reviewed-by: Jan Luebbe
Signed-off-by: Johannes Schneider
---
 meta-oe/classes/signing.bbclass | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git meta-oe/classes/signing.bbclass meta-oe/classes/signing.bbclass
index 6fde22bf22..5068360ca7 100644
--- meta-oe/classes/signing.bbclass
+++ meta-oe/classes/signing.bbclass
@@ -231,35 +231,6 @@ signing_get_root_cert() { echo "${cert_name}" } -# signing_import_cert_chain_from_pem -# -# Import a certificate *chain* from a PEM file to a role. -# (e.g. multiple ones concatenated in one file) -# -# Due to limitations in the toolchain: -# signing class -> softhsm -> 'extract-cert' -# the input certificate is split into a sequentially numbered list of roles, -# starting at _1 -# -# (The limitations are the conversion step from x509 to a plain .der, and -# extract-cert expecting a x509 and then producing only plain .der again) -signing_import_cert_chain_from_pem() { - local role="${1}" - local pem="${2}" - local i=1 - - cat "${pem}" | \ - while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do - signing_import_define_role "${role}_${i}" - signing_pkcs11_tool --type cert \ - --write-object ${B}/temp_${i}.der \ - --label "${role}_${i}" - rm ${B}/temp_${i}.der - echo "imported ${pem} under role: ${role}_${i}" - i=$(awk "BEGIN {print $i+1}") - done -} - # signing_import_cert_from_pem # # Import a certificate from PEM file to a cert_name.
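Review bot: Deleting signing_import_cert_chain_from_pem removes a public function of the class with no deprecation step, so any recipe outside this tree that still calls it will fail at the next layer update with a bare command-not-found; the commit message should state the replacement (importing each certificate of the chain under its own role and linking the roles with signing_import_set_ca, which is what the series introduces) and, if the layer's practice allows it, the old name could remain for one release as a thin wrapper that warns and points at that replacement. A grep of the layers that carry signing.bbclass users for the old name before merging would confirm nothing in-tree depends on it.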