On Sat, 2024-11-30 at 13:48 +0100, Johannes Schneider wrote:
> Add a mechanism to establish a (metadata) link between roles, in the
> form of a new 'ca' variable, which is intended to point from one role
> to another, to preserve the leaf->intermediary certificate relation.
>
> With this additional mechanism, it would now be possible to import a
> complex PKI tree of certificates (either just the certificates, or
> both cert+key where available); and then later, during usage of one
> role, reconstruct the verification chain from the leaf, through
> multiple intermediaries, and up to the root role.
>
> Signed-off-by: Johannes Schneider <[email protected]>
No, as explained in the other thread, CA certificates are *not* roles.
A possible extension would be that roles refer to a CA certificate. We
should continue to discuss this in the thread "signing.bbclass: add
set|get|has_ca functions"
Khem: This should not be merged in the current form.
Jan
> ---
> meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
> index 8af7bbf8e..f1765e96b 100644
> --- a/meta-oe/classes/signing.bbclass
> +++ b/meta-oe/classes/signing.bbclass
> @@ -246,6 +246,18 @@ signing_import_key_from_pem() {
> signing_import_privkey_from_pem "${role}" "${pem}"
> }
>
> +# signing_import_set_ca <role> <role_ca>
> +#
> +# Link the certificate from <role> to its issuer stored in <ca_role>
> +# By walking this linked list a CA-chain can later be reconstructed from the
> +# involed roles.
> +signing_import_set_ca() {
> + local role="${1}"
> + local ca_role="${2}"
> +
> + echo "_SIGNING_CA_${role}_=\"${ca_role}\"" >> $_SIGNING_ENV_FILE_
> +}
> +
> signing_import_finish() {
> echo "loaded objects:"
> signing_pkcs11_tool --list-objects
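Review bot: signing_import_set_ca writes `${role}` and `${ca_role}` unvalidated into `$_SIGNING_ENV_FILE_`, which is later read back as shell variable assignments, so a role name containing characters outside `[A-Za-z0-9_]` either produces an invalid variable name (a `-` in the role) or, with a quote or newline, injects further assignments into the env file; reject such names up front (e.g. `case "${role}${ca_role}" in *[!A-Za-z0-9_]*) bbfatal "invalid role name";; esac`) before the `echo`. The same hunk also lets a role name itself as its own CA or form a cycle without complaint, which any later chain walker built on this link has to guard against; and the header comment names the second argument `<role_ca>` while the body and the text below call it `<ca_role>`, with "involed" in the comment being a typo for "involved". Minor: `>> $_SIGNING_ENV_FILE_` should be quoted.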
> @@ -346,6 +358,28 @@ signing_get_module() {
> fi
> }
>
> +# signing_get_ca <role>
> +#
> +# returns the <ca_role> that has been set previously through
> +# signing_import_set_ca; or the empty string if none was set
> +signing_get_ca() {
> + local role="${1}"
> +
> + eval local ca_role="\$_SIGNING_CA_${role}_"
> + echo "$ca_role"
> +}
> +
> +# signing_has_ca <role>
> +#
> +# check if the role links to another role that is its certificate
> +# authority/issuer.
> +signing_has_ca() {
> + local ca_role="$(signing_get_ca ${1})"
> +
> + test -n "$ca_role"
> + return $?
> +}
> +
> python () {
> signing_class_prepare(d)
> }
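Review bot: `eval local ca_role="\$_SIGNING_CA_${role}_"` in signing_get_ca passes an unvalidated `${role}` through eval, so any shell metacharacters in a role name are executed rather than looked up; since the class already runs under bash, indirect expansion avoids eval entirely, e.g. `local var="_SIGNING_CA_${role}_"; echo "${!var}"`, and the same identifier check suggested for signing_import_set_ca should apply here so the two stay consistent. In signing_has_ca, `${1}` is unquoted inside the command substitution and `return $?` after `test -n` is redundant, since the function already returns the status of its last command; also note that a non-empty result only proves a link was recorded, not that the named CA role was ever imported, so callers reconstructing a chain still need to check the target role exists.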
--
Pengutronix e.K. | https://www.pengutronix.de/
Steuerwalder Str. 21, 31137 Hildesheim, Germany
Amtsgericht Hildesheim, HRA 2686
Phone: +49-5121-206917-0 | Fax: +49-5121-206917-5555