signing.bbclass: refactor signing_import_cert_from_*

Refactor the two methods to import certificates from PEM/DER to be usable independently from keymaterial that is linked to a role. By having the import_cert_from methods create a storage location (aka role) in the softhsm dynamically. This way certificates can - but don't have to - be linked to a key, or can stand on their own if chain of certificates from a PKI has to be managed. Reviewed-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Johannes Schneider <johannes.schneider@leica-geosystems.com> 2025-06-27 14:18:17 +0200
committer: Khem Raj <raj.khem@gmail.com> 2025-06-28 11:04:24 -0700
commit: 855c956fbdb581d12de770548003deb8c1f81d49 (patch)
tree: abcd68574414d0dab4beb0f9f4e5b3903c7027ec
parent: 939ba3aea777421f868bb21ffaced244da9c7749 (diff)
download: meta-openembedded-855c956fbdb581d12de770548003deb8c1f81d49.tar.gz
1 files changed, 32 insertions, 10 deletions
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 8af7bbf8e0..c768371151 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -123,15 +123,26 @@ signing_import_define_role() {
    echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_
 }
-# signing_import_cert_from_der <role> <der>
+# signing_import_cert_from_der <cert_name> <der>
 #
-# Import a certificate from DER file to a role. To be used
+# Import a certificate from DER file to a cert_name.
-# with SoftHSM.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_der() {
-    local role="${1}"
+    local cert_name="${1}"
    local der="${2}"
-    signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
+    signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
 }
 # signing_import_cert_chain_from_pem <role> <pem>
@@ -164,17 +175,28 @@ signing_import_cert_chain_from_pem() {
        done
 }
-# signing_import_cert_from_pem <role> <pem>
+# signing_import_cert_from_pem <cert_name> <pem>
 #
-# Import a certificate from PEM file to a role. To be used
+# Import a certificate from PEM file to a cert_name.
-# with SoftHSM.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_pem() {
-    local role="${1}"
+    local cert_name="${1}"
    local pem="${2}"
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
    openssl x509 \
        -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
+    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
 }
 # signing_import_pubkey_from_der <role> <der>
author	Johannes Schneider <johannes.schneider@leica-geosystems.com>	2025-06-27 14:18:17 +0200
committer	Khem Raj <raj.khem@gmail.com>	2025-06-28 11:04:24 -0700
commit	855c956fbdb581d12de770548003deb8c1f81d49 (patch)
tree	abcd68574414d0dab4beb0f9f4e5b3903c7027ec
parent	939ba3aea777421f868bb21ffaced244da9c7749 (diff)
download	meta-openembedded-855c956fbdb581d12de770548003deb8c1f81d49.tar.gz