Add a method that returns a list of intermediary CA roles.
When using a complex PKI structure with, for example, "openssl cms",
these roles can then be iterated over, adding in turn a '-certificate'.
Pseudo-code example:
    for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do
        signing_extract_cert_pem "$intermediate" "$intermediate.pem"
        CMD+=" --certificate=$intermediate.pem"
    done
The typical use-case would be adding these intermediate certificates
to the CMS structure so that the relying party can build the chain
from the signing leaf certificate to the locally stored trusted CA
certificate.
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a helper method to retrieve the root CA certificate for a given
role, by walking the chain that has been set up with
signing_import_set_ca up to the last element - which is the root.
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a mechanism to establish a (metadata) link between roles and signer
certificates, in the form of a new 'ca' variable. It must point from one
role or cert to the signer certificate to preserve the leaf->intermediary->
root certificate relation.
With this additional mechanism, it would now be possible to import a
complex PKI tree of certificates and then later during usage of one
role, reconstruct the certificate chain from the leaf, through
multiple intermediaries, and up to the root certificate.
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Refactor the two methods to import certificates from PEM/DER to be
usable independently from key material that is linked to a role,
by having the import_cert_from methods create a storage location (aka
role) in the softhsm dynamically. This way certificates can - but
don't have to - be linked to a key, or can stand on their own if a chain
of certificates from a PKI has to be managed.
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add a (more helpful) error message in case the Package-Name exceeds a
certain length which would have the softhsm tools error out.
The $PN is used as 'label' in the softhsm, which is a
"CK_UTF8CHAR paddedLabel[32]" in softhsm2-util.cpp,
so it must not be longer.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add handling of ca-chains which can consist of more than one
certificate in a .pem file, which need to be split off, processed and
stored separately in the softhsm - as the tool-chain
signing.bbclass::signing_import_cert* -> softhsm -> 'extract-cert'
only supports one-per-file, due to using/expecting "plain" x509
in-/output.
The added signing_import_cert_chain_from_pem function takes a <role>
basename, and iterates through the input .pem file, creating numbered
<role>_1, _2, ... roles as needed.
Afterwards the certificates can be used or extracted one-by-one from
the softhsm, using the numbered roles; the only precondition - or
limitation - is that the PKI structure has to be known beforehand;
e.g. how many certificates are between leaf and root.
Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
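
The chain splitting described in the commit message above, shown as an added example; it is not code from signing.bbclass or from the patch. The function names split_pem_chain and make_sample_chain, the output file layout and the sample chain are assumptions made for illustration, and the sample blocks are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not the project's code. split_pem_chain is a hypothetical
# helper that splits a multi-certificate PEM file into one file per
# certificate, named <role>_1.pem, <role>_2.pem, ... in file order.

# split_pem_chain <chain.pem> <role> <outdir>
# Prints the number of certificates written; returns non-zero on a
# malformed chain (nested BEGIN, stray END, or unterminated block).
split_pem_chain() {
    chain="$1"; role="$2"; outdir="$3"
    [ -r "$chain" ] || { echo "cannot read $chain" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v prefix="$outdir/$role" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) { bad = 1; exit }      # BEGIN inside an open block
            inside = 1; n++; out = prefix "_" n ".pem"
        }
        inside { print > out }                 # text outside blocks is dropped
        /^-----END CERTIFICATE-----/ {
            if (!inside) { bad = 1; exit }     # END without a BEGIN
            inside = 0; close(out)
        }
        END { if (bad || inside) exit 1; print n + 0 }
    ' "$chain"
}

# make_sample_chain <file>: writes three constructed placeholder blocks
# (the base64 bodies are NOT valid X.509; they only exercise the splitter).
make_sample_chain() {
    for body in QUFBQQ== QkJCQg== Q0NDQw==; do
        printf '%s\n' "# constructed placeholder, not a real certificate" \
            '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1"
}

# Demo: split the constructed chain and list the numbered per-role files.
demo_dir=$(mktemp -d)
make_sample_chain "$demo_dir/ca-chain.pem"
echo "certificates: $(split_pem_chain "$demo_dir/ca-chain.pem" FooBaa "$demo_dir/roles")"
ls "$demo_dir/roles"
rm -rf "$demo_dir"
```

The printed count is the number of certificates found in the file, so a caller can compare it against the chain depth it expects before using the numbered files.
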
The function signing_import_pubkey_from_pem is defined twice, one of
them should really be named signing_import_pubkey_from_der. Fix this and
while at it fix some argument names in the comments above the functions
as well.
Reported-by: Miklos Toth <Miklos.Toth@knorr-bremse.com>
Fixes: 4a6ac691f ("add signing.bbclass as infrastructure for build artifact signing")
Signed-off-by: Sascha Hauer <sha@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
"openssl rsa" works with RSA keys only. Use "openssl pkey" instead, which
is a frontend that picks the right operation automatically and works
with RSA keys, elliptic curve keys and also DSA keys.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
OPENSSL_{MODULES,ENGINES,CONF} and SSL_CERT_{DIR,FILE} are currently
exported globally for any recipe that inherits signing. This not only
affects the tasks that use the signing infrastructure, but also unrelated
tasks like e.g. do_fetch. Avoid this by exporting the variables only
for these tasks that actually call signing_prepare.
This resolves a breakage I observed on Ubuntu 18.04, where the host
tool wget is called with the environment variables set and then fails
with an SSL error (exit code 5).
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>