Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Fri, 2020-05-15 at 13:21 +0200, Bastian Krause wrote: > I guess if we first append a file with no EOL at the end and then > append something else this can lead to.. > > "-END CERTIFICATE--BEGIN CERTIFICATE-" > > .. on a single line. Yes, this is the case is was thinking of. > Is there a smart way of adding an EOL? Or should we always append a > final new line? Does this break any known usecases? Empty lines don't hurt here, so always adding one seems the safe and simple solution. Regards, Jan ___ ptxdist mailing list ptxdist@pengutronix.de
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On 5/15/20 12:36 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
>> These helpers allow key providers to append certificates to their CA.
>> 'cs_get_ca ' then returns the path to the keyring allowing rules
>> and other helpers to retrieve it easily.
>>
>> Signed-off-by: Bastian Krause
>> ---
>> scripts/lib/ptxd_lib_code_signing.sh | 63
>> 1 file changed, 63 insertions(+)
>>
>> diff --git a/scripts/lib/ptxd_lib_code_signing.sh
>> b/scripts/lib/ptxd_lib_code_signing.sh
>> index f93f183df..571fe6806 100644
>> --- a/scripts/lib/ptxd_lib_code_signing.sh
>> +++ b/scripts/lib/ptxd_lib_code_signing.sh
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() {
>> cs_import_privkey_from_pem "${role}" "${pem}"
>> }
>> export -f cs_import_key_from_pem
>> +
>> +#
>> +# cs_get_ca
>> +#
>> +# Get the path to the CA in pem format from a role
>> +#
>> +cs_get_ca() {
>> +local role="${1}"
>> +cs_init_variables
>> +
>> +echo "${keydir}/${role}/ca.pem"
>> +}
>> +export -f cs_get_ca
>> +
>> +#
>> +# cs_append_ca_from_pem
>> +#
>> +# Append PEM to CA for a role
>> +#
>> +cs_append_ca_from_pem() {
>> +local role="${1}"
>> +local pem="${2}"
>> +cs_init_variables
>> +
>> +cat "${pem}" >> "${keydir}/${role}/ca.pem"
>
> Jan, is this correct? I think you said something about extra newlines that
> may be needed?
I guess if we first append a file with no EOL at the end and then append
something else this can lead to..
"-END CERTIFICATE--BEGIN CERTIFICATE-"
.. on a single line. Is there a smart way of adding an EOL? Or should we
always append a final new line? Does this break any known usecases?
Regards,
Bastian
>
>> +}
>> +export -f cs_append_ca_from_pem
>> +
>> +#
>> +# cs_append_ca_from_der
>> +#
>> +# Append DER to CA for a role
>> +#
>> +cs_append_ca_from_der() {
>> +local role="${1}"
>> +local der="${2}"
>> +cs_init_variables
>> +
>> +ptxd_exec openssl x509 -inform der -in "${der}" \
>> +-out "${tmpdir}/ca.pem" &&
>> +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
>> +}
>> +export -f cs_append_ca_from_der
>> +
>> +#
>> +# cs_append_ca_from_uri []
>> +#
>> +# Append certificate specified by URI or by already set URI to CA for a role
>> +#
>> +cs_append_ca_from_uri() {
>> +local role="${1}"
>> +local uri="${2}"
>> +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")"
>> +cs_init_variables
>> +
>> +if [ -z "${uri}" ]; then
>> +uri=$(cs_get_uri "${role}")
>> +fi
>> +
>> +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
>> +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
>> +}
>> +export -f cs_append_ca_from_uri
>> --
>> 2.26.2
>>
>>
>> ___
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- |
___
ptxdist mailing list
ptxdist@pengutronix.de
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
> These helpers allow key providers to append certificates to their CA.
> 'cs_get_ca ' then returns the path to the keyring allowing rules
> and other helpers to retrieve it easily.
>
> Signed-off-by: Bastian Krause
> ---
> scripts/lib/ptxd_lib_code_signing.sh | 63
> 1 file changed, 63 insertions(+)
>
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh
> b/scripts/lib/ptxd_lib_code_signing.sh
> index f93f183df..571fe6806 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -261,3 +261,66 @@ cs_import_key_from_pem() {
> cs_import_privkey_from_pem "${role}" "${pem}"
> }
> export -f cs_import_key_from_pem
> +
> +#
> +# cs_get_ca
> +#
> +# Get the path to the CA in pem format from a role
> +#
> +cs_get_ca() {
> +local role="${1}"
> +cs_init_variables
> +
> +echo "${keydir}/${role}/ca.pem"
> +}
> +export -f cs_get_ca
> +
> +#
> +# cs_append_ca_from_pem
> +#
> +# Append PEM to CA for a role
> +#
> +cs_append_ca_from_pem() {
> +local role="${1}"
> +local pem="${2}"
> +cs_init_variables
> +
> +cat "${pem}" >> "${keydir}/${role}/ca.pem"
Jan, is this correct? I think you said something about extra newlines that
may be needed?
Michael
> +}
> +export -f cs_append_ca_from_pem
> +
> +#
> +# cs_append_ca_from_der
> +#
> +# Append DER to CA for a role
> +#
> +cs_append_ca_from_der() {
> +local role="${1}"
> +local der="${2}"
> +cs_init_variables
> +
> +ptxd_exec openssl x509 -inform der -in "${der}" \
> + -out "${tmpdir}/ca.pem" &&
> +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
> +}
> +export -f cs_append_ca_from_der
> +
> +#
> +# cs_append_ca_from_uri []
> +#
> +# Append certificate specified by URI or by already set URI to CA for a role
> +#
> +cs_append_ca_from_uri() {
> +local role="${1}"
> +local uri="${2}"
> +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")"
> +cs_init_variables
> +
> +if [ -z "${uri}" ]; then
> + uri=$(cs_get_uri "${role}")
> +fi
> +
> +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
> +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
> +}
> +export -f cs_append_ca_from_uri
> --
> 2.26.2
>
>
> ___
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- |
___
ptxdist mailing list
ptxdist@pengutronix.de
[ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
These helpers allow key providers to append certificates to their CA.
'cs_get_ca ' then returns the path to the keyring allowing rules
and other helpers to retrieve it easily.
Signed-off-by: Bastian Krause
---
scripts/lib/ptxd_lib_code_signing.sh | 63
1 file changed, 63 insertions(+)
diff --git a/scripts/lib/ptxd_lib_code_signing.sh
b/scripts/lib/ptxd_lib_code_signing.sh
index f93f183df..571fe6806 100644
--- a/scripts/lib/ptxd_lib_code_signing.sh
+++ b/scripts/lib/ptxd_lib_code_signing.sh
@@ -261,3 +261,66 @@ cs_import_key_from_pem() {
cs_import_privkey_from_pem "${role}" "${pem}"
}
export -f cs_import_key_from_pem
+
+#
+# cs_get_ca
+#
+# Get the path to the CA in pem format from a role
+#
+cs_get_ca() {
+local role="${1}"
+cs_init_variables
+
+echo "${keydir}/${role}/ca.pem"
+}
+export -f cs_get_ca
+
+#
+# cs_append_ca_from_pem
+#
+# Append PEM to CA for a role
+#
+cs_append_ca_from_pem() {
+local role="${1}"
+local pem="${2}"
+cs_init_variables
+
+cat "${pem}" >> "${keydir}/${role}/ca.pem"
+}
+export -f cs_append_ca_from_pem
+
+#
+# cs_append_ca_from_der
+#
+# Append DER to CA for a role
+#
+cs_append_ca_from_der() {
+local role="${1}"
+local der="${2}"
+cs_init_variables
+
+ptxd_exec openssl x509 -inform der -in "${der}" \
+ -out "${tmpdir}/ca.pem" &&
+cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem"
+}
+export -f cs_append_ca_from_der
+
+#
+# cs_append_ca_from_uri []
+#
+# Append certificate specified by URI or by already set URI to CA for a role
+#
+cs_append_ca_from_uri() {
+local role="${1}"
+local uri="${2}"
+local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")"
+cs_init_variables
+
+if [ -z "${uri}" ]; then
+ uri=$(cs_get_uri "${role}")
+fi
+
+ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" &&
+cs_append_ca_from_der "${role}" "${tmpdir}/ca.der"
+}
+export -f cs_append_ca_from_uri
--
2.26.2
___
ptxdist mailing list
ptxdist@pengutronix.de
