signing.bbclass: add certificate ca-chain handling

Add handling of ca-chains which can consist of more than one
certificate in a .pem file, which need to be split off, processed and
stored separately in the softhsm - as the tool-chain
signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert'
only supports one-per-file, due to using/expecting "plain" x509
in-/output.

The added signing_import_cert_chain_from_pem function takes a <role>
basename, and iterates through the input .pem file, creating numbered
<role>_1, _2, ... roles as needed.

Afterwards the certificates can be used or extracted one-by-one from
the softhsm, using the numbered roles; the only precondition - or
limitation - is that the PKI structure has to be known beforehand,
e.g. how many certificates are between leaf and root.

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
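The splitting step the commit message describes, as an added example that is not the signing.bbclass code: a plain sh/awk splitter that writes one certificate per `<role>_N.pem` file by cutting on the BEGIN/END CERTIFICATE markers, prints the number of certificates found and, when a depth is given, checks it against the chain depth that the message says must be known beforehand. The function names `split_pem_chain` and `make_sample_chain`, and the certificate bodies in the sample file, are constructed for this example; the bodies are placeholders rather than real certificates, so only the splitting and counting are exercised here, not openssl parsing or the softhsm import.

```shell
#!/bin/sh
# Added example, not the signing.bbclass code.
# split_pem_chain <role> <pem> <outdir> [expected_count]
# Writes <outdir>/<role>_1.pem, <outdir>/<role>_2.pem, ... with exactly one
# PEM certificate each, prints the number of certificates found, and returns
# non-zero when an expected count is given and does not match.
split_pem_chain() {
    role="$1"; pem="$2"; outdir="$3"; expected="${4:-}"
    mkdir -p "$outdir"
    n=$(awk -v role="$role" -v outdir="$outdir" '
        # a BEGIN marker opens the next numbered output file
        /^-----BEGIN CERTIFICATE-----/ { n++; out = outdir "/" role "_" n ".pem" }
        # copy lines only while inside a certificate; text between
        # certificates (e.g. an openssl text dump) is dropped
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$pem")
    printf '%s\n' "$n"
    if [ -n "$expected" ] && [ "$n" -ne "$expected" ]; then
        echo "error: $pem holds $n certificates, expected $expected" >&2
        return 1
    fi
    return 0
}

# make_sample_chain <file>
# Constructed two-"certificate" chain file for demonstration; the base64
# bodies are placeholders, not real certificates.
make_sample_chain() {
    printf '%s\n' \
        'Subject: intermediate (comment line outside any certificate)' \
        '-----BEGIN CERTIFICATE-----' \
        'AAAAintermediateAAAA' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' \
        'BBBBrootBBBB' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage: split a chain known to hold exactly two certificates into
# ca_1.pem (intermediate) and ca_2.pem (root).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_chain "$d/chain.pem"
    split_pem_chain ca "$d/chain.pem" "$d/out" 2 && ls "$d/out"
fi
```

Each `<role>_N.pem` produced this way is a single-certificate PEM that the existing one-per-file import path can consume, and the count check makes a truncated or over-long chain fail loudly instead of silently producing fewer or more numbered roles than the PKI layout expects.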
This commit is contained in:
Johannes Schneider 2024-11-01 13:05:13 +01:00 committed by Khem Raj
parent 4990a36eb4
commit a825b85363
No known key found for this signature in database
GPG Key ID: BB053355919D3314


@ -129,6 +129,36 @@ signing_import_cert_from_der() {
signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
}
# signing_import_cert_chain_from_pem <role> <pem>
#
# Import a certificate *chain* from a PEM file to a role.
# (e.g. multiple ones concatenated in one file)
#
# Due to limitations in the toolchain:
# signing class -> softhsm -> 'extract-cert'
# the input certificate is split into a sequentially numbered list of roles,
# starting at <role>_1
#
# (The limitations are the conversion step from x509 to a plain .der, and
# extract-cert expecting a x509 and then producing only plain .der again)
signing_import_cert_chain_from_pem() {
local role="${1}"
local pem="${2}"
local i=1
cat "${pem}" | \
while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do
signing_import_define_role "${role}_${i}"
signing_pkcs11_tool --type cert \
--write-object ${B}/temp_${i}.der \
--label "${role}_${i}"
rm ${B}/temp_${i}.der
echo "imported ${pem} under role: ${role}_${i}"
i=$(awk "BEGIN {print $i+1}")
done
}
# signing_import_cert_from_pem <role> <pem>
#
# Import a certificate from PEM file to a role. To be used
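Review bot: the `cat "${pem}" | while openssl x509 ...` loop in the new signing_import_cert_chain_from_pem body relies on each openssl invocation consuming exactly one PEM block from the shared pipe and leaving the rest for the next iteration, which openssl's buffered stdin reading does not guarantee, and the loop also ends at the first certificate that fails to parse, so a truncated or partly corrupt chain is imported without any error. Consider splitting the file on the BEGIN/END CERTIFICATE markers first (awk, or `openssl crl2pkcs7 -nocrl -certfile "${pem}" | openssl pkcs7 -print_certs`), feeding each piece to the existing signing_import_cert_from_pem, and failing when the resulting count differs from the expected chain depth that the commit message says must be known beforehand. Two smaller points: the loop body runs in the pipeline's subshell, so any shell state signing_import_define_role records is lost once the loop ends (a `done < "${pem}"` redirect keeps it in the current shell), and `i=$(awk "BEGIN {print $i+1}")` can simply be `i=$((i + 1))`; the `${B}/temp_${i}.der` arguments should also be quoted like the rest of the file.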