On Tue, Dec 3, 2024 at 8:45 AM Jan Lübbe <[email protected]> wrote:
>
> On Sat, 2024-11-30 at 13:48 +0100, Johannes Schneider wrote:
> > Add a mechanism to establish a (metadata) link between roles, in the
> > form of a new 'ca' variable. Which is intended to point from one role
> > to another, to preserve the leaf->intermediary certificate relation.
> >
> > With this additional mechanism, it would be now possible to import a
> > complex PKI tree of certificates (either just the certificates, or
> > both cert+key where available); and then later during usage of one
> > role, reconstruct the verification chain from the leaf, through
> > multiple intermediary, and up to the root role.
> >
> > Signed-off-by: Johannes Schneider <[email protected]>
>
> No, as explained in the other thread, CA certificates are *not* roles.
> A possible extension would be that roles refer to a CA certificate. We
> should continue to discuss this in the thread "signing.bbclass: add
> set|get|has_ca functions"
perhaps a plugin sort ?
>
> Khem: This should not be merged in the current form.
yeah thanks
>
> Jan
>
> > ---
> > meta-oe/classes/signing.bbclass | 34 +++++++++++++++++++++++++++++++++
> > 1 file changed, 34 insertions(+)
> >
> > diff --git a/meta-oe/classes/signing.bbclass
> > b/meta-oe/classes/signing.bbclass
> > index 8af7bbf8e..f1765e96b 100644
> > --- a/meta-oe/classes/signing.bbclass
> > +++ b/meta-oe/classes/signing.bbclass
> > @@ -246,6 +246,18 @@ signing_import_key_from_pem() {
> > signing_import_privkey_from_pem "${role}" "${pem}"
> > }
> >
> > +# signing_import_set_ca <role> <role_ca>
> > +#
> > +# Link the certificate from <role> to its issuer stored in <ca_role>
> > +# By walking this linked list a CA-chain can later be reconstructed from
> > the
> > +# involed roles.
> > +signing_import_set_ca() {
> > + local role="${1}"
> > + local ca_role="${2}"
> > +
> > + echo "_SIGNING_CA_${role}_=\"${ca_role}\"" >> $_SIGNING_ENV_FILE_
> > +}
> > +
> > signing_import_finish() {
> > echo "loaded objects:"
> > signing_pkcs11_tool --list-objects
> > @@ -346,6 +358,28 @@ signing_get_module() {
> > fi
> > }
> >
> > +# signing_get_ca <role>
> > +#
> > +# returns the <ca_role> that has been set previously through
> > +# signing_import_set_ca; or the empty string if none was set
> > +signing_get_ca() {
> > + local role="${1}"
> > +
> > + eval local ca_role="\$_SIGNING_CA_${role}_"
> > + echo "$ca_role"
> > +}
> > +
> > +# signing_has_ca <role>
> > +#
> > +# check if the role links to another role that is its certificate
> > +# authority/issuer.
> > +signing_has_ca() {
> > + local ca_role="$(signing_get_ca ${1})"
> > +
> > + test -n "$ca_role"
> > + return $?
> > +}
> > +
> > python () {
> > signing_class_prepare(d)
> > }
>
> --
> Pengutronix e.K. | |
> Steuerwalder Str. 21 | https://www.pengutronix.de/ |
> 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
> Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#114186):
https://lists.openembedded.org/g/openembedded-devel/message/114186
Mute This Topic: https://lists.openembedded.org/mt/109846831/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
