author | Johannes Schneider <johannes.schneider@leica-geosystems.com> | 2024-11-01 13:05:13 +0100 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2024-11-01 06:43:15 -0700 |
commit | a825b853634714bfad5ecee0acdc2942209828c2 (patch) | |
tree | fed48946b6fa03dda03edfba4b20ddec7f368325 /meta-oe | |
parent | 4990a36eb404d5ae603acd6f777c38d62b7973a3 (diff) | |
download | meta-openembedded-a825b853634714bfad5ecee0acdc2942209828c2.tar.gz |
signing.bbclass: add certificate ca-chain handling
Add handling of ca-chains which can consist of more than one
certificate in a .pem file, which need to be split off, processed and
stored separately in the softhsm - as the tool-chain
signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert'
only supports one-per-file, due to using/expecting "plain" x509
in-/output.
The added signing_import_cert_chain_from_pem function takes a <role>
basename, and iterates through the input .pem file, creating numbered
<role>_1, _2, ... roles as needed.
Afterwards the certificates can be used or extracted one-by-one from
the softhsm, using the numbered roles; the only precondition - or
limitation - is that the PKI structure has to be known beforehand;
e.g. how many certificates are between leaf and root.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r-- | meta-oe/classes/signing.bbclass | 30 |
1 files changed, 30 insertions, 0 deletions
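--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -129,6 +129,36 @@ signing_import_cert_from_der() {
 signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
 }
 
+# signing_import_cert_chain_from_pem <role> <pem>
+#
+
+# Import a certificate *chain* from a PEM file to a role.
+# (e.g. multiple ones concatenated in one file)
+#
+# Due to limitations in the toolchain:
+# signing class -> softhsm -> 'extract-cert'
+# the input certificate is split into a sequentially numbered list of roles,
+# starting at <role>_1
+#
+# (The limitations are the conversion step from x509 to a plain .der, and
+# extract-cert expecting a x509 and then producing only plain .der again)
+signing_import_cert_chain_from_pem() {
+local role="${1}"
+local pem="${2}"
+local i=1
+
+cat "${pem}" | \
+while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do
+signing_import_define_role "${role}_${i}"
+signing_pkcs11_tool --type cert \
+--write-object ${B}/temp_${i}.der \
+--label "${role}_${i}"
+rm ${B}/temp_${i}.der
+echo "imported ${pem} under role: ${role}_${i}"
+i=$(awk "BEGIN {print $i+1}")
+done
+}
+
 # signing_import_cert_from_pem <role> <pem>
 #
 # Import a certificate from PEM file to a role. To be used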
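Review bot: A truncated or malformed chain is imported silently as a partial one: the `while openssl x509 …` loop at new lines 150–159 stops on any openssl failure, EOF and parse error alike, and because `cat "${pem}" |` runs the loop in a subshell the final `i` never reaches the parent, so nothing can be checked afterwards (an empty `.pem` imports zero certificates without complaint). Feeding the loop with `done < "${pem}"` instead keeps `i` in the current shell so a post-loop `[ "${i}" -eq 1 ] && bbfatal …` can at least reject an empty result, and it also lets `i=$((i + 1))` replace the per-iteration awk spawn; whether each openssl call consumes exactly one PEM block from a shared stdin depends on its stdin buffering either way, so this is worth verifying with a three-certificate chain. The `${B}/temp_${i}.der` paths on new lines 151, 154 and 156 are unquoted, unlike `"${der}"` in the neighbouring functions. The blank line at new line 134 splits the header comment in two; the other function headers in this file have none.
```shell
# … unchanged: header comment …
signing_import_cert_chain_from_pem() {
    local role="${1}"
    local pem="${2}"
    local i=1

    # Redirect instead of piping: the loop then runs in this shell, so ${i}
    # is still meaningful after it. Each openssl call is expected to consume
    # exactly one PEM block and leave the rest on stdin — verify with a
    # multi-certificate chain.
    while openssl x509 -inform pem -outform der -out "${B}/temp_${i}.der"; do
        signing_import_define_role "${role}_${i}"
        signing_pkcs11_tool --type cert \
            --write-object "${B}/temp_${i}.der" \
            --label "${role}_${i}"
        rm "${B}/temp_${i}.der"
        echo "imported ${pem} under role: ${role}_${i}"
        i=$((i + 1))
    done < "${pem}"

    # openssl exits non-zero on EOF and on a malformed block alike, so the
    # loop cannot tell "chain done" from "chain broken"; at least refuse an
    # import that produced nothing.
    if [ "${i}" -eq 1 ]; then
        bbfatal "no certificate could be read from ${pem}"
    fi
}
```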