Date: Fri, 15 May 2020 12:36:28 +0200
From: Michael Olbrich
Message-ID: <20200515103628.GA7220@pengutronix.de>
References: <20200514134300.16105-1-bst@pengutronix.de> <20200514134300.16105-4-bst@pengutronix.de>
In-Reply-To: <20200514134300.16105-4-bst@pengutronix.de>
Subject: Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
To: ptxdist@pengutronix.de
Cc: Bastian Krause, Jan Luebbe

On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
> These helpers allow key providers to append certificates to their CA.
> 'cs_get_ca ' then returns the path to the keyring allowing rules
> and other helpers to retrieve it easily.
>
> Signed-off-by: Bastian Krause
> ---
>  scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
>  1 file changed, 63 insertions(+)
>
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
> index f93f183df..571fe6806 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { > cs_import_privkey_from_pem "${role}" "${pem}" > } > export -f cs_import_key_from_pem > + > +# > +# cs_get_ca > +# > +# Get the path to the CA in pem format from a role > +# > +cs_get_ca() { > + local role="${1}" > + cs_init_variables > + > + echo "${keydir}/${role}/ca.pem" > +} > +export -f cs_get_ca > + > +# > +# cs_append_ca_from_pem > +# > +# Append PEM to CA for a role > +# > +cs_append_ca_from_pem() { > + local role="${1}" > + local pem="${2}" > + cs_init_variables > + > + cat "${pem}" >> "${keydir}/${role}/ca.pem" Jan, is this correct? I think you said something about extra newlines that may be needed? Michael > +} > +export -f cs_append_ca_from_pem > + > +# > +# cs_append_ca_from_der > +# > +# Append DER to CA for a role > +# > +cs_append_ca_from_der() { > + local role="${1}" > + local der="${2}" > + cs_init_variables > + > + ptxd_exec openssl x509 -inform der -in "${der}" \ > + -out "${tmpdir}/ca.pem" && > + cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" > +} > +export -f cs_append_ca_from_der > + > +# > +# cs_append_ca_from_uri [] > +# > +# Append certificate specified by URI or by already set URI to CA for a role > +# > +cs_append_ca_from_uri() { > + local role="${1}" > + local uri="${2}" > + local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")" > + cs_init_variables > + > + if [ -z "${uri}" ]; then > + uri=$(cs_get_uri "${role}") > + fi > + > + ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && > + cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" > +} > +export -f cs_append_ca_from_uri > -- > 2.26.2 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
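Review bot: cs_append_ca_from_der writes its conversion result to "${tmpdir}/ca.pem" but never declares or creates tmpdir itself; in this hunk the only place tmpdir is set is the `local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")"` in cs_append_ca_from_uri, so the DER helper only works when it is reached through that caller and bash's dynamic scoping leaks the local into it (unless cs_init_variables sets tmpdir, which is not visible here). Since the function is exported with `export -f` and documented as a helper in its own right, a direct call with no tmpdir in scope expands the path to /ca.pem. Give cs_append_ca_from_der its own mktemp -d directory the same way cs_append_ca_from_uri does, and remove the directory in both functions once the append has happened; as written neither cleans up, so every call leaves a ${role}-ca.XXXXXX directory behind in PTXDIST_TEMPDIR. On the `cat "${pem}" >> "${keydir}/${role}/ca.pem"` line in cs_append_ca_from_pem, appending the raw input means a PEM file without a trailing newline fuses its -----END CERTIFICATE----- line with the -----BEGIN CERTIFICATE----- of the next appended certificate, and nothing checks that the input is a certificate at all. Running the input through `openssl x509 -in "${pem}"` before appending, as cs_append_ca_from_der already does for the DER case, validates it and always emits a normalized block terminated by a newline, which also settles the newline question raised above.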