Add handling of ca-chains which can consist of more than one certificate in a .pem file, which need to be split off, processed and stored separately in the softhsm - as the tool-chain signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert' only supports one-per-file, due to using/expecting "plain" x509 in-/output.
The added signing_import_cert_chain_from_pem function takes a <role> basename, and iterates through the input .pem file, creating numbered <role>_1, _2, ... roles as needed. Afterwards the certificates can be used or extracted one-by-one from the softhsm, using the numbered roles; the only precondition - or limitation - is that the PKI structure has to be known beforehand; e.g. how many certificates are between leaf and root. Signed-off-by: Johannes Schneider <[email protected]> --- meta-oe/classes/signing.bbclass | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 3e662ff73..8af7bbf8e 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -134,6 +134,36 @@ signing_import_cert_from_der() { signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}" } +# signing_import_cert_chain_from_pem <role> <pem> +# + +# Import a certificate *chain* from a PEM file to a role. +# (e.g. multiple ones concatenated in one file) +# +# Due to limitations in the toolchain: +# signing class -> softhsm -> 'extract-cert' +# the input certificate is split into a sequentially numbered list of roles, +# starting at <role>_1 +# +# (The limitations are the conversion step from x509 to a plain .der, and +# extract-cert expecting a x509 and then producing only plain .der again) +signing_import_cert_chain_from_pem() { + local role="${1}" + local pem="${2}" + local i=1 + + cat "${pem}" | \ + while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do + signing_import_define_role "${role}_${i}" + signing_pkcs11_tool --type cert \ + --write-object ${B}/temp_${i}.der \ + --label "${role}_${i}" + rm ${B}/temp_${i}.der + echo "imported ${pem} under role: ${role}_${i}" + i=$(awk "BEGIN {print $i+1}") + done +} + # signing_import_cert_from_pem <role> <pem> # # Import a certificate from PEM file to a role. To be used -- 2.34.1
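Review bot: the loop in signing_import_cert_chain_from_pem cannot report failure: if `cat "${pem}"` fails (missing or unreadable file) or the bundle contains no certificate, `openssl x509` fails on the first iteration, the loop ends having imported nothing, and the function still returns 0, so the build continues with the numbered roles missing. Because the `while` is on the right-hand side of a pipe it also runs in a subshell, so `i` is not available after `done` for a post-loop check. Suggest feeding the file by redirection instead of `cat` and failing when nothing was imported, e.g. `while openssl x509 -inform pem -outform der -out "${B}/temp_${i}.der"; do` ... `done < "${pem}"` followed by `[ "${i}" -gt 1 ] || bbfatal "no certificate found in ${pem}"`. While changing that, it is worth verifying with a bundle larger than one pipe read that each `openssl x509` invocation really consumes only one certificate from the shared stdin; stdio read-ahead can swallow bytes belonging to the next block, which would silently drop roles. Smaller points: `${B}/temp_${i}.der` is unquoted in the `-out`, `--write-object` and `rm` arguments while `signing_import_cert_from_der` just above quotes its path; `i=$(awk "BEGIN {print $i+1}")` can be the plain POSIX `i=$((i + 1))`; and the empty `+` line between `# signing_import_cert_chain_from_pem <role> <pem>` and the description splits the comment header, unlike the `signing_import_cert_from_pem` header that follows.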
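The splitting step the commit message describes (one PEM bundle in, numbered per-certificate outputs out), as an added example that is not part of the submitted patch or of signing.bbclass. It splits on the PEM armour lines with awk rather than relying on repeated `openssl x509` calls sharing one stdin, converts each block to DER with `base64 -d`, reports how many certificates it found (the number of `<role>_N` roles a caller would then have to know), and fails on an empty or unreadable bundle instead of silently importing nothing. The helper name `split_pem_chain`, the output directory and the role prefix are assumptions for this illustration; it needs awk and a GNU-style `base64 -d`.

```shell
#!/bin/sh
# Added example, not code from the patch: split a PEM certificate bundle into
# <role>_N.pem / <role>_N.der files, N starting at 1, and report the count.
set -e

# split_pem_chain <bundle.pem> <outdir> <role>
# Prints the number of certificates written; returns 1 if the bundle cannot
# be read or holds no CERTIFICATE block.
split_pem_chain() {
    bundle="$1"; outdir="$2"; role="$3"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir"

    # awk copies every BEGIN..END CERTIFICATE block into its own numbered
    # file; anything outside the markers (bag attributes, comments) is dropped.
    count=$(awk -v dir="$outdir" -v role="$role" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" role "_" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle")

    # The failure mode the loop must not hide: a bundle with no certificate.
    [ "$count" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }

    # PEM body -> DER: strip the armour lines, base64-decode the rest.
    i=1
    while [ "$i" -le "$count" ]; do
        grep -v -- '-----' "$outdir/${role}_$i.pem" | base64 -d > "$outdir/${role}_$i.der"
        i=$((i + 1))
    done
    echo "$count"
}
```

A caller in the style of the patch would loop from 1 to the printed count and hand each `<role>_N.der` to the existing `signing_import_cert_from_der`-like import, so the number of roles created is known rather than assumed.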
