1 files changed, 49 insertions, 1 deletions
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index c768371151..04bd92bc03 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -87,6 +87,11 @@ def signing_class_prepare(d):
        export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri)
        export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module)
+        # there can be an optional CA associated with this role
+        ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA")
+        if ca_cert_name:
+            export(role, "SIGNING_CA_%s_", ca_cert_name)
 signing_pkcs11_tool() {
    pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $*
 }
@@ -145,9 +150,52 @@ signing_import_cert_from_der() {
    signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
 }
-# signing_import_cert_chain_from_pem <role> <pem>
+# signing_import_set_ca <cert_name> <ca_cert_name>
 #
+# Link the certificate from <cert_name> to its issuer stored in
+# <ca_cert_name> By walking this linked list a CA-chain can later be
+# reconstructed from the involed roles.
+signing_import_set_ca() {
+    local cert_name="${1}"
+    local ca_cert_name="${2}"
+    echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_
+    echo "added link from ${cert_name} to ${ca_cert_name}"
+}
+# signing_get_ca <cert_name>
+#
+# returns the <ca_cert_name> that has been set previously through
+# either signing_import_set_ca;
+# or a local.conf override SIGNING_CA[role] = ...
+# If none was set, the empty string is returned.
+signing_get_ca() {
+    local cert_name="${1}"
+    # prefer local configuration
+    eval local ca="\$SIGNING_CA_${cert_name}_"
+    if [ -n "$ca" ]; then
+        echo "$ca"
+        return
+    fi
+    # fall back to softhsm
+    eval echo "\$_SIGNING_CA_${cert_name}_"
+}
+# signing_has_ca <cert_name>
+#
+# check if the cert_name links to another cert_name that is its
+# certificate authority/issuer.
+signing_has_ca() {
+    local ca_cert_name="$(signing_get_ca ${1})"
+    test -n "$ca_cert_name"
+    return $?
+}
+# signing_import_cert_chain_from_pem <role> <pem>
+#
 # Import a certificate *chain* from a PEM file to a role.
 # (e.g. multiple ones concatenated in one file)
 #

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index c768371151..04bd92bc03 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass
@@ -87,6 +87,11 @@ def signing_class_prepare(d):
87	export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri)	87	export(role, "SIGNING_PKCS11_URI_%s_", pkcs11_uri)
88	export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module)	88	export(role, "SIGNING_PKCS11_MODULE_%s_", pkcs11_module)
89		89
		90	# there can be an optional CA associated with this role
		91	ca_cert_name = d.getVarFlag("SIGNING_CA", role) or d.getVar("SIGNING_CA")
		92	if ca_cert_name:
		93	export(role, "SIGNING_CA_%s_", ca_cert_name)
		94
90	signing_pkcs11_tool() {	95	signing_pkcs11_tool() {
91	pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $*	96	pkcs11-tool --module "${STAGING_LIBDIR_NATIVE}/softhsm/libsofthsm2.so" --login --pin 1111 $*
92	}	97	}
@@ -145,9 +150,52 @@ signing_import_cert_from_der() {
145	signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"	150	signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
146	}	151	}
147		152
148	# signing_import_cert_chain_from_pem <role> <pem>	153	# signing_import_set_ca <cert_name> <ca_cert_name>
149	#	154	#
		155	# Link the certificate from <cert_name> to its issuer stored in
		156	# <ca_cert_name> By walking this linked list a CA-chain can later be
		157	# reconstructed from the involed roles.
		158	signing_import_set_ca() {
		159	local cert_name="${1}"
		160	local ca_cert_name="${2}"
150		161
		162	echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_
		163	echo "added link from ${cert_name} to ${ca_cert_name}"
		164	}
		165
		166	# signing_get_ca <cert_name>
		167	#
		168	# returns the <ca_cert_name> that has been set previously through
		169	# either signing_import_set_ca;
		170	# or a local.conf override SIGNING_CA[role] = ...
		171	# If none was set, the empty string is returned.
		172	signing_get_ca() {
		173	local cert_name="${1}"
		174
		175	# prefer local configuration
		176	eval local ca="\$SIGNING_CA_${cert_name}_"
		177	if [ -n "$ca" ]; then
		178	echo "$ca"
		179	return
		180	fi
		181
		182	# fall back to softhsm
		183	eval echo "\$_SIGNING_CA_${cert_name}_"
		184	}
		185
		186	# signing_has_ca <cert_name>
		187	#
		188	# check if the cert_name links to another cert_name that is its
		189	# certificate authority/issuer.
		190	signing_has_ca() {
		191	local ca_cert_name="$(signing_get_ca ${1})"
		192
		193	test -n "$ca_cert_name"
		194	return $?
		195	}
		196
		197	# signing_import_cert_chain_from_pem <role> <pem>
		198	#
151	# Import a certificate chain from a PEM file to a role.	199	# Import a certificate chain from a PEM file to a role.
152	# (e.g. multiple ones concatenated in one file)	200	# (e.g. multiple ones concatenated in one file)
153	#	201	#