diff options
| author | Johannes Schneider <johannes.schneider@leica-geosystems.com> | 2025-05-31 13:32:48 +0200 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2025-06-11 16:11:57 -0700 |
| commit | cabb9a89fd9f5cd53b6263b3b3ad9c47924aa16a (patch) | |
| tree | a087f9d9e8af6f65e3544b65a8a245c95c50ea2b | |
| parent | 895f9c1ac83a1f203cc96f765080bd22ce6fa162 (diff) | |
| download | meta-openembedded-cabb9a89fd9f5cd53b6263b3b3ad9c47924aa16a.tar.gz | |
signing.bbclass: add set|get|has_ca functions
Add a mechanism to establish a (metadata) link between roles, in the
form of a new 'ca' variable. Which is intended to point from one role
to another, to preserve the leaf->intermediary certificate relation.
With this additional mechanism, it would be now possible to import a
complex PKI tree of certificates (either just the certificates, or
both cert+key where available); and then later during usage of one
role, reconstruct the verification chain from the leaf, through
multiple intermediary, and up to the root role.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
| -rw-r--r-- | meta-oe/classes/signing.bbclass | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index c768371151..5992a75be7 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass | |||
| @@ -145,9 +145,43 @@ signing_import_cert_from_der() { | |||
| 145 | signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" | 145 | signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}" |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | # signing_import_cert_chain_from_pem <role> <pem> | 148 | # signing_import_set_ca <cert_name> <ca_cert_name> |
| 149 | # | ||
| 150 | # Link the certificate from <cert_name> to its issuer stored in | ||
| 151 | # <ca_cert_name> By walking this linked list a CA-chain can later be | ||
| 152 | # reconstructed from the involed roles. | ||
| 153 | signing_import_set_ca() { | ||
| 154 | local cert_name="${1}" | ||
| 155 | local ca_cert_name="${2}" | ||
| 156 | |||
| 157 | echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_ | ||
| 158 | echo "added link from ${cert_name} to ${ca_cert_name}" | ||
| 159 | } | ||
| 160 | |||
| 161 | # signing_get_ca <cert_name> | ||
| 149 | # | 162 | # |
| 163 | # returns the <ca_cert_name> that has been set previously through | ||
| 164 | # signing_import_set_ca; or the empty string if none was set | ||
| 165 | signing_get_ca() { | ||
| 166 | local cert_name="${1}" | ||
| 150 | 167 | ||
| 168 | eval local ca_cert_name="\$_SIGNING_CA_${cert_name}_" | ||
| 169 | echo "$ca_cert_name" | ||
| 170 | } | ||
| 171 | |||
| 172 | # signing_has_ca <cert_name> | ||
| 173 | # | ||
| 174 | # check if the cert_name links to another cert_name that is its | ||
| 175 | # certificate authority/issuer. | ||
| 176 | signing_has_ca() { | ||
| 177 | local ca_cert_name="$(signing_get_ca ${1})" | ||
| 178 | |||
| 179 | test -n "$ca_cert_name" | ||
| 180 | return $? | ||
| 181 | } | ||
| 182 | |||
| 183 | # signing_import_cert_chain_from_pem <role> <pem> | ||
| 184 | # | ||
| 151 | # Import a certificate *chain* from a PEM file to a role. | 185 | # Import a certificate *chain* from a PEM file to a role. |
| 152 | # (e.g. multiple ones concatenated in one file) | 186 | # (e.g. multiple ones concatenated in one file) |
| 153 | # | 187 | # |