Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Fri, 2020-05-15 at 13:21 +0200, Bastian Krause wrote:
> I guess if we first append a file with no EOL at the end and then
> append something else this can lead to..
>
> "-END CERTIFICATE--BEGIN CERTIFICATE-"
>
> .. on a single line.

Yes, this is the case I was thinking of.

> Is there a smart way of adding an EOL? Or should we always append a
> final new line? Does this break any known use cases?

Empty lines don't hurt here, so always adding one seems the safe and simple solution.

Regards,
Jan

___
ptxdist mailing list
ptxdist@pengutronix.de
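The fused-marker case discussed above, and the "always add a newline" fix, shown as a small POSIX sh script. This is an added example, not ptxdist code: the function names (`append_naive`, `append_safe`, `count_certs`) are invented for illustration, and the "certificates" are constructed placeholder blocks, not real X.509 data. `append_naive` does what the patch's `cat >>` does; `append_safe` first makes sure the bundle ends in a newline and then terminates the new entry, so a source file without a trailing EOL can no longer glue `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` onto one line. Validating the input with `openssl x509 -noout` before appending would be a separate, additional check and is not part of this script.

```shell
#!/bin/sh
# Added example (not ptxdist code): why plain concatenation of PEM files can
# lose a certificate, and a newline-safe append. Placeholder bodies only.

# Write a PEM block WITHOUT a trailing newline, as some tools emit it.
# $1 = output path, $2 = placeholder body (constructed, not a real cert)
make_pem_no_eol() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$2" \
        '-----END CERTIFICATE-----' > "$1"
}

# The patch's approach: append the file as-is.
append_naive() {
    cat "$1" >> "$2"
}

# Newline-safe append: if the bundle exists and its last byte is not a
# newline, emit one first; then append and terminate the entry. A resulting
# blank line between entries is harmless to PEM readers.
append_safe() {
    pem="$1"
    bundle="$2"
    # $(...) strips trailing newlines, so a non-empty result means the last
    # byte of the bundle is something other than a newline.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$pem" >> "$bundle" && printf '\n' >> "$bundle"
}

# Count entries the way a PEM reader does: the BEGIN marker must be a whole
# line on its own (-x), otherwise the entry is not recognised.
count_certs() {
    grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1"
}

demo() {
    dir=$(mktemp -d)
    make_pem_no_eol "$dir/a.pem" "AAAA"
    make_pem_no_eol "$dir/b.pem" "BBBB"

    append_naive "$dir/a.pem" "$dir/naive.pem"
    append_naive "$dir/b.pem" "$dir/naive.pem"
    append_safe "$dir/a.pem" "$dir/safe.pem"
    append_safe "$dir/b.pem" "$dir/safe.pem"

    echo "naive bundle: $(count_certs "$dir/naive.pem") certificate(s) recognised"
    echo "safe bundle:  $(count_certs "$dir/safe.pem") certificate(s) recognised"
    rm -rf "$dir"
}

demo
```

With the two placeholder files, the naive bundle reports a single recognised certificate because the second BEGIN marker sits on the same line as the first END marker, while the safe bundle reports two.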
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On 5/15/20 12:36 PM, Michael Olbrich wrote: > On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote: >> These helpers allow key providers to append certificates to their CA. >> 'cs_get_ca ' then returns the path to the keyring allowing rules >> and other helpers to retrieve it easily. >> >> Signed-off-by: Bastian Krause >> --- >> scripts/lib/ptxd_lib_code_signing.sh | 63 >> 1 file changed, 63 insertions(+) >> >> diff --git a/scripts/lib/ptxd_lib_code_signing.sh >> b/scripts/lib/ptxd_lib_code_signing.sh >> index f93f183df..571fe6806 100644 >> --- a/scripts/lib/ptxd_lib_code_signing.sh >> +++ b/scripts/lib/ptxd_lib_code_signing.sh 
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { >> cs_import_privkey_from_pem "${role}" "${pem}" >> } >> export -f cs_import_key_from_pem >> + >> +# >> +# cs_get_ca >> +# >> +# Get the path to the CA in pem format from a role >> +# >> +cs_get_ca() { >> +local role="${1}" >> +cs_init_variables >> + >> +echo "${keydir}/${role}/ca.pem" >> +} >> +export -f cs_get_ca >> + >> +# >> +# cs_append_ca_from_pem >> +# >> +# Append PEM to CA for a role >> +# >> +cs_append_ca_from_pem() { >> +local role="${1}" >> +local pem="${2}" >> +cs_init_variables >> + >> +cat "${pem}" >> "${keydir}/${role}/ca.pem" > > Jan, is this correct? I think you said something about extra newlines that > may be needed? I guess if we first append a file with no EOL at the end and then append something else this can lead to.. "-END CERTIFICATE--BEGIN CERTIFICATE-" .. on a single line. Is there a smart way of adding an EOL? Or should we always append a final new line? Does this break any known usecases? Regards, Bastian > >> +} >> +export -f cs_append_ca_from_pem >> + >> +# >> +# cs_append_ca_from_der >> +# >> +# Append DER to CA for a role >> +# >> +cs_append_ca_from_der() { >> +local role="${1}" >> +local der="${2}" >> +cs_init_variables >> + >> +ptxd_exec openssl x509 -inform der -in "${der}" \ >> +-out "${tmpdir}/ca.pem" && >> +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" >> +} >> +export -f cs_append_ca_from_der >> + >> +# >> +# cs_append_ca_from_uri [] >> +# >> +# Append certificate specified by URI or by already set URI to CA for a role >> +# >> +cs_append_ca_from_uri() { >> +local role="${1}" >> +local uri="${2}" >> +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" >> +cs_init_variables >> + >> +if [ -z "${uri}" ]; then >> +uri=$(cs_get_uri "${role}") >> +fi >> + >> +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && >> +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" >> +} >> +export -f cs_append_ca_from_uri >> -- >> 2.26.2 >> >> >> ___ >> ptxdist mailing list >> 
ptxdist@pengutronix.de >> > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
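Review bot: in `cs_append_ca_from_uri`, the fallback `uri=$(cs_get_uri "${role}")` is used without checking that it produced anything, so a role with no URI configured runs `extract-cert "" "${tmpdir}/ca.der"` and the problem surfaces only as an opaque error from that tool. Suggest checking `[ -n "${uri}" ]` after the fallback and returning an error that names the role before calling `extract-cert`.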
Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote: > These helpers allow key providers to append certificates to their CA. > 'cs_get_ca ' then returns the path to the keyring allowing rules > and other helpers to retrieve it easily. > > Signed-off-by: Bastian Krause > --- > scripts/lib/ptxd_lib_code_signing.sh | 63 > 1 file changed, 63 insertions(+) > > diff --git a/scripts/lib/ptxd_lib_code_signing.sh > b/scripts/lib/ptxd_lib_code_signing.sh > index f93f183df..571fe6806 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh 
> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { > cs_import_privkey_from_pem "${role}" "${pem}" > } > export -f cs_import_key_from_pem > + > +# > +# cs_get_ca > +# > +# Get the path to the CA in pem format from a role > +# > +cs_get_ca() { > +local role="${1}" > +cs_init_variables > + > +echo "${keydir}/${role}/ca.pem" > +} > +export -f cs_get_ca > + > +# > +# cs_append_ca_from_pem > +# > +# Append PEM to CA for a role > +# > +cs_append_ca_from_pem() { > +local role="${1}" > +local pem="${2}" > +cs_init_variables > + > +cat "${pem}" >> "${keydir}/${role}/ca.pem" Jan, is this correct? I think you said something about extra newlines that may be needed? Michael > +} > +export -f cs_append_ca_from_pem > + > +# > +# cs_append_ca_from_der > +# > +# Append DER to CA for a role > +# > +cs_append_ca_from_der() { > +local role="${1}" > +local der="${2}" > +cs_init_variables > + > +ptxd_exec openssl x509 -inform der -in "${der}" \ > + -out "${tmpdir}/ca.pem" && > +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" > +} > +export -f cs_append_ca_from_der > + > +# > +# cs_append_ca_from_uri [] > +# > +# Append certificate specified by URI or by already set URI to CA for a role > +# > +cs_append_ca_from_uri() { > +local role="${1}" > +local uri="${2}" > +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" > +cs_init_variables > + > +if [ -z "${uri}" ]; then > + uri=$(cs_get_uri "${role}") > +fi > + > +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && > +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" > +} > +export -f cs_append_ca_from_uri > -- > 2.26.2 > > > ___ > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0| Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917- | ___ ptxdist mailing list ptxdist@pengutronix.de
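Review bot: the `mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX"` template in `cs_append_ca_from_uri` has only two X's as shown here; GNU mktemp rejects a template with fewer than three X's ("too few X's in template"), so either the template was mangled on the way to the list or the helper fails before doing anything. Please confirm the intended template (e.g. `XXXXXX`). Also, the directory created there is never removed; since the `&&` chain can fail at either `extract-cert` or the DER conversion, add an `rm -rf "${tmpdir}"` that runs on both the success and the failure path so extracted copies of the CA material do not accumulate under `${PTXDIST_TEMPDIR}`.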
[ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
These helpers allow key providers to append certificates to their CA. 'cs_get_ca ' then returns the path to the keyring allowing rules and other helpers to retrieve it easily. Signed-off-by: Bastian Krause --- scripts/lib/ptxd_lib_code_signing.sh | 63 1 file changed, 63 insertions(+) diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh index f93f183df..571fe6806 100644 --- a/scripts/lib/ptxd_lib_code_signing.sh +++ b/scripts/lib/ptxd_lib_code_signing.sh @@ -261,3 +261,66 @@ cs_import_key_from_pem() { cs_import_privkey_from_pem "${role}" "${pem}" } export -f cs_import_key_from_pem + +# +# cs_get_ca +# +# Get the path to the CA in pem format from a role +# +cs_get_ca() { +local role="${1}" +cs_init_variables + +echo "${keydir}/${role}/ca.pem" +} +export -f cs_get_ca + +# +# cs_append_ca_from_pem +# +# Append PEM to CA for a role +# +cs_append_ca_from_pem() { +local role="${1}" +local pem="${2}" +cs_init_variables + +cat "${pem}" >> "${keydir}/${role}/ca.pem" +} +export -f cs_append_ca_from_pem + +# +# cs_append_ca_from_der +# +# Append DER to CA for a role +# +cs_append_ca_from_der() { +local role="${1}" +local der="${2}" +cs_init_variables + +ptxd_exec openssl x509 -inform der -in "${der}" \ + -out "${tmpdir}/ca.pem" && +cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" +} +export -f cs_append_ca_from_der + +# +# cs_append_ca_from_uri [] +# +# Append certificate specified by URI or by already set URI to CA for a role +# +cs_append_ca_from_uri() { +local role="${1}" +local uri="${2}" +local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XX")" +cs_init_variables + +if [ -z "${uri}" ]; then + uri=$(cs_get_uri "${role}") +fi + +ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && +cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" +} +export -f cs_append_ca_from_uri -- 2.26.2 ___ ptxdist mailing list ptxdist@pengutronix.de
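Review bot: `cs_append_ca_from_pem` appends with `cat "${pem}" >> "${keydir}/${role}/ca.pem"` and nothing guarantees a newline between entries, so a PEM file that lacks a trailing EOL fuses its `-----END CERTIFICATE-----` with the next `-----BEGIN CERTIFICATE-----` on one line and the bundle silently loses that certificate for every PEM reader. Suggest terminating each appended entry, e.g. `cat "${pem}" >> "${ca}" && echo >> "${ca}"`, since blank lines between PEM blocks are ignored; and because this file ends up as a trust anchor set and is also fed through `cs_append_ca_from_der` and `cs_append_ca_from_uri`, consider rejecting input that does not parse as a certificate (`openssl x509 -in "${pem}" -noout`) before it lands in `ca.pem`. Separately, `cs_append_ca_from_der` writes to `"${tmpdir}/ca.pem"` but does not declare `tmpdir` itself: it works when called from `cs_append_ca_from_uri`, whose `local tmpdir` is visible through bash's dynamic scoping, but a direct caller depends on whatever `cs_init_variables` sets (not visible in this hunk) and, if nothing does, writes to `/ca.pem`. Either give the function its own `mktemp -d` or document that it must only be called via `cs_append_ca_from_uri`.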