On 5/15/20 12:36 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
>> These helpers allow key providers to append certificates to their CA.
>> 'cs_get_ca <role>' then returns the path to the keyring allowing rules
>> and other helpers to retrieve it easily.
>>
>> Signed-off-by: Bastian Krause <[email protected]>
>> ---
>> scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
>> 1 file changed, 63 insertions(+)
>>
>> diff --git a/scripts/lib/ptxd_lib_code_signing.sh
>> b/scripts/lib/ptxd_lib_code_signing.sh
>> index f93f183df..571fe6806 100644
>> --- a/scripts/lib/ptxd_lib_code_signing.sh
>> +++ b/scripts/lib/ptxd_lib_code_signing.sh
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() {
>> cs_import_privkey_from_pem "${role}" "${pem}"
>> }
>> export -f cs_import_key_from_pem
>> +
>> +#
>> +# cs_get_ca <role>
>> +#
>> +# Get the path to the CA in pem format from a role
>> +#
>> +cs_get_ca() {
>> + local role="${1}"
>> + cs_init_variables
>> +
>> + echo "${keydir}/${role}/ca.pem"
>> +}
>> +export -f cs_get_ca
>> +
>> +#
>> +# cs_append_ca_from_pem <role> <pem>
>> +#
>> +# Append PEM to CA for a role
>> +#
>> +cs_append_ca_from_pem() {
>> + local role="${1}"
>> + local pem="${2}"
>> + cs_init_variables
>> +
>> + cat "${pem}" >> "${keydir}/${role}/ca.pem"
>
> Jan, is this correct? I think you said something about extra newlines that
> may be needed?
I guess if we first append a file with no EOL at the end and then append
something else this can lead to..
"-----END CERTIFICATE----------BEGIN CERTIFICATE-----"
.. on a single line. Is there a smart way of adding an EOL? Or should we
always append a final new line? Does this break any known usecases?
Regards,
Bastian
>
>> +}
>> +export -f cs_append_ca_from_pem
>> +
>> +#
>> +# cs_append_ca_from_der <role> <der>
>> +#
>> +# Append DER to CA for a role
>> +#
>> +cs_append_ca_from_der() {
>> + local role="${1}"
>> + local der="${2}"
>> + cs_init_variables
>> +
>> + ptxd_exec openssl x509 -inform der -in "${der}" \
>> + -out "${tmpdir}/ca.pem" &&
>> + cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
>> +}
>> +export -f cs_append_ca_from_der
>> +
>> +#
>> +# cs_append_ca_from_uri <role> [<uri>]
>> +#
>> +# Append certificate specified by URI or by already set URI to CA for a role
>> +#
>> +cs_append_ca_from_uri() {
>> + local role="${1}"
>> + local uri="${2}"
>> + local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"
>> + cs_init_variables
>> +
>> + if [ -z "${uri}" ]; then
>> + uri=$(cs_get_uri "${role}")
>> + fi
>> +
>> + ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
>> + cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
>> +}
>> +export -f cs_append_ca_from_uri
>> --
>> 2.26.2
>>
>>
>> _______________________________________________
>> ptxdist mailing list
>> [email protected]
>>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
ptxdist mailing list
[email protected]
