From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
Date: Fri, 12 Mar 2021 08:47:03 +0100
Message-ID: <20210312074703.GC306772@pengutronix.de>
In-Reply-To: <20210308123418.10187-6-denis.osterland@diehl.com>
On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows creating a signing provider for it.
>
> Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
>
> To use it together with a CA server:
> Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> communication in compile stage.
Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
"HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
evaluated after the variables set by ab4af48ba and clear them.
And expanding CODE_SIGNING_ENV depending on the signing provider is
expected. We already do this for softhsm:
rules/pre/020-code-signing-softhsm.make
Michael
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
> ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
> ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
> .../0003-add-noproxy-option.patch | 76 ++++++++++++++++
> patches/yubihsm-shell-2.1.0/series | 6 ++
> rules/host-yubihsm-shell.in | 13 +++
> rules/host-yubihsm-shell.make | 37 ++++++++
> 6 files changed, 287 insertions(+)
> create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/series
> create mode 100644 rules/host-yubihsm-shell.in
> create mode 100644 rules/host-yubihsm-shell.make
>
> diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> new file mode 100644
> index 000000000..dbce11c85
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> @@ -0,0 +1,88 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 26 Jan 2021 14:19:52 +0100
> +Subject: [PATCH] add client cert support for pkcs11 module
> +
> +Allows to authenticate with client certificates at HSM server.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h | 6 ++++++
> + lib/yubihsm_curl.c | 8 ++++++++
> + pkcs11/cmdline.ggo | 2 ++
> + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
> + 4 files changed, 30 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index ef80d42b1865..da08f68038dd 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -518,6 +518,12 @@ typedef enum {
> + /// Proxy server to use for connecting to the connector (const char *). Not
> + /// implemented on Windows
> + YH_CONNECTOR_PROXY_SERVER = 2,
> ++ /// File with client certificate to authenticate client with (const char *).
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_HTTPS_CERT = 3,
> ++ /// File with client certificates key (const char *).
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_HTTPS_KEY = 4,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
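Review bot: the doc comment on YH_CONNECTOR_HTTPS_KEY ("File with client certificates key") should read "File with the private key of the client certificate" and both new comments should say that the value is a file path passed through to libcurl unchanged, so readers of the public header know the file has to be readable by the process that loads the PKCS#11 module. The numbering is consistent with the existing entries, but since this enum is part of the installed API, the commit message should state that the two values are new ABI, not a re-use of a gap.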
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 6360f3693268..2f46802e0fe1 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + option = CURLOPT_CAINFO;
> + optname = "CURLOPT_CAINFO";
> + break;
> ++ case YH_CONNECTOR_HTTPS_CERT:
> ++ option = CURLOPT_SSLCERT;
> ++ optname = "CURLOPT_SSLCERT";
> ++ break;
> ++ case YH_CONNECTOR_HTTPS_KEY:
> ++ option = CURLOPT_SSLKEY;
> ++ optname = "CURLOPT_SSLKEY";
> ++ break;
> + case YH_CONNECTOR_PROXY_SERVER:
> + option = CURLOPT_PROXY;
> + optname = "CURLOPT_PROXY";
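Review bot: only CURLOPT_SSLCERT and CURLOPT_SSLKEY are set, so libcurl's defaults apply to both files: PEM format (no CURLOPT_SSLCERTTYPE/CURLOPT_SSLKEYTYPE) and an unencrypted private key (no CURLOPT_KEYPASSWD). That is a sensible first step, but it should be stated in the option documentation, and an encrypted key will fail only at connect time with a generic libcurl error. A follow-up option for the key passphrase mapped to CURLOPT_KEYPASSWD would make the feature usable without keeping an unprotected key on disk next to the signing host.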
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9a357b73062d..9e87e2aa2861 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
> + option "libdebug" - "Enable libyubihsm debugging" flag off
> + option "debug-file" - "Output file for debugging" string optional default="stderr"
> + option "cacert" - "Cacert to use for HTTPS validation" string optional
> ++option "cert" - "HTTPS client certificate to authenticate with" string optional
> ++option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
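Review bot: `cert` and `key` are very generic names in a config file that already carries `cacert` and that describes keys stored on the HSM; `client-cert` and `client-key` (or at least help strings such as "Path to the HTTPS client certificate (PEM)" and "Path to the client certificate's private key (PEM)") would make the purpose and the expected file format obvious. The help text should also say that both are file paths, as the values are handed to libcurl as-is.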
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index f543c94ed373..25aec8e7c5fe 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> + goto c_i_failure;
> + }
> + }
> ++ if (args_info.cert_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
> ++ args_info.cert_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set HTTPS cert option");
> ++ goto c_i_failure;
> ++ }
> ++ }
> ++ if (args_info.key_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
> ++ args_info.key_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set HTTPS key option");
> ++goto c_i_failure;
> ++ }
> ++ }
> + if (args_info.proxy_given) {
> + if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
> + args_info.proxy_arg) != YHR_SUCCESS) {
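Review bot: the `goto c_i_failure;` in the key branch is not indented like the one in the cert branch directly above it (`++ goto c_i_failure;` vs. `++goto c_i_failure;`); match the surrounding style. More importantly, the two options are applied independently: with `key` but no `cert` libcurl has no certificate to present and the failure surfaces only in yh_connect() as a generic error, and with `cert` but no `key` the OpenSSL backend of libcurl falls back to reading the private key from the certificate file. A check such as `if (args_info.key_given && !args_info.cert_given)` with its own DBG_ERR here would turn that into a clear configuration error.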
> diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> new file mode 100644
> index 000000000..e3d64659a
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> @@ -0,0 +1,67 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:50:48 +0100
> +Subject: [PATCH] add bash like variable extension
> +
> +Support for `~` and environment variables like `${HOME}`.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm_curl.c | 18 +++++++++++++++++-
> + 1 file changed, 17 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 2f46802e0fe1..52ca14ddf2d4 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -16,6 +16,7 @@
> +
> + #include <string.h>
> + #include <errno.h>
> ++#include <wordexp.h>
> +
> + #include <arpa/inet.h>
> +
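Review bot: <wordexp.h> is a POSIX XSI interface that not every libc ships (Android's bionic does not have it), and glibc implements parts of it by spawning a shell, which is a heavy dependency for a library that gets loaded into arbitrary PKCS#11 consumers. Either guard the include and the expansion with a CMake check (check_include_file) and fall back to the unexpanded value, or implement the two things the commit message actually asks for, `~` and `${VAR}`, with getenv() and a small in-house expander.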
> +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + const void *val) {
> + CURLoption option;
> + const char *optname;
> ++ wordexp_t expanded;
> ++ bool expand = false;
> +
> + switch (opt) {
> + case YH_CONNECTOR_HTTPS_CA:
> + option = CURLOPT_CAINFO;
> + optname = "CURLOPT_CAINFO";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_HTTPS_CERT:
> + option = CURLOPT_SSLCERT;
> + optname = "CURLOPT_SSLCERT";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_HTTPS_KEY:
> + option = CURLOPT_SSLKEY;
> + optname = "CURLOPT_SSLKEY";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_PROXY_SERVER:
> + option = CURLOPT_PROXY;
> +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + DBG_ERR("%d is an unknown option", opt);
> + return YHR_INVALID_PARAMETERS;
> + }
> +- CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
> ++ if (expand)
> ++ {
> ++ if (wordexp((const char *)val, &expanded, 0))
> ++ {
> ++ DBG_ERR("Failed to expand %s\n", optname);
> ++ return YHR_CONNECTOR_ERROR;
> ++ }
> ++ }
> ++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
> ++ if (expand)
> ++ wordfree(&expanded);
> + if (rc == CURLE_OK) {
> + DBG_INFO("Successfully set %s.", optname);
> + return YHR_SUCCESS;
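Review bot: wordexp() is called with flags 0, which permits command substitution, so a config value such as `cacert = $(id)` runs a shell command inside whatever process loads the PKCS#11 module; pass WRDE_NOCMD (and WRDE_UNDEF to reject unset variables) and document that only `~`, `${VAR}` and globbing are supported. The result is also used without checking `expanded.we_wordc`: an empty value yields we_wordc == 0 and we_wordv[0] == NULL, and an unquoted path containing a space or a glob matching several files yields several words of which only the first is silently used; reject `expanded.we_wordc != 1` with a DBG_ERR. Two smaller points: when wordexp() fails with WRDE_NOSPACE the partially filled structure still has to be released with wordfree(), and the Allman-style braces (`if (expand)` followed by `{` on its own line) differ from the K&R style used in the rest of this function.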
> diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> new file mode 100644
> index 000000000..788b9cacf
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> @@ -0,0 +1,76 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:32:54 +0100
> +Subject: [PATCH] add noproxy option
> +
> +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
> +
> +Use `noproxy=*` in your config file to use the plugin outside of
> +get stage, e.g. in barebox compile stage.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h | 3 +++
> + lib/yubihsm_curl.c | 4 ++++
> + pkcs11/cmdline.ggo | 1 +
> + pkcs11/yubihsm_pkcs11.c | 7 +++++++
> + 4 files changed, 15 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index da08f68038dd..5f90eca0d8e8 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -524,6 +524,9 @@ typedef enum {
> + /// File with client certificates key (const char *).
> + /// Not implemented on Windows
> + YH_CONNECTOR_HTTPS_KEY = 4,
> ++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_NOPROXY = 5,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
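Review bot: the doc comment "Comma separated list of hosts ignoring proxy" is unclear about direction; "Comma-separated list of hosts to connect to directly, bypassing the proxy; `*` bypasses the proxy for all hosts" matches the libcurl semantics that the curl backend maps this option to.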
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 52ca14ddf2d4..f7f7cd8f54da 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + option = CURLOPT_PROXY;
> + optname = "CURLOPT_PROXY";
> + break;
> ++ case YH_CONNECTOR_NOPROXY:
> ++ option = CURLOPT_NOPROXY;
> ++ optname = "CURLOPT_NOPROXY";
> ++ break;
> + default:
> + DBG_ERR("%d is an unknown option", opt);
> + return YHR_INVALID_PARAMETERS;
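Review bot: the mapping to CURLOPT_NOPROXY is useful on its own, but the patch description frames it purely as a work-around for a PTXdist commit, which upstream cannot act on. Describe the generic behaviour instead: CURLOPT_NOPROXY takes precedence over the NO_PROXY/no_proxy environment, and `*` makes libcurl ignore http_proxy/https_proxy for the connector URL entirely. That is the property the PTXdist build relies on, and it is the same effect that clearing the proxy variables in CODE_SIGNING_ENV, as suggested in the reply above, achieves without patching the module.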
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9e87e2aa2861..cdf97ae0d33d 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
> + option "cert" - "HTTPS client certificate to authenticate with" string optional
> + option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> ++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> +
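Review bot: the help string "Comma separated list of hosts ignore proxy for" is ungrammatical; use "Comma-separated list of hosts to connect to without the proxy (`*` disables the proxy)".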
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index 25aec8e7c5fe..38b08bbf8000 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> + goto c_i_failure;
> + }
> + }
> ++ if (args_info.noproxy_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
> ++ args_info.noproxy_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set noproxy option");
> ++goto c_i_failure;
> ++ }
> ++ }
> +
> + if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
> + DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
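Review bot: same indentation slip as in 0001, `++goto c_i_failure;` does not line up with the surrounding block. The ordering is right, though: the option is applied before yh_connect(), which is the only place libcurl evaluates it. Since the commit message says `noproxy=*` is the value users are expected to set, that sentence belongs in the module's option documentation rather than only in a ptxdist patch header.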
> diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
> new file mode 100644
> index 000000000..a0fbb2915
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/series
> @@ -0,0 +1,6 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-add-client-cert-support-for-pkcs11-module.patch
> +0002-add-bash-like-variable-extension.patch
> +0003-add-noproxy-option.patch
> +# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic
> diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> new file mode 100644
> index 000000000..3b17a2e98
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.in
> @@ -0,0 +1,13 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_YUBIHSM_SHELL
> +tristate
> +default ALLYES
> +select HOST_CMAKE
> +select HOST_OPENSSL
> +select HOST_LIBCURL
> +select HOST_LIBUSB
> +select HOST_GENGETOPT
> +select HOST_LIBEDIT
> +select HOST_PCSC_LITE
> +select HOST_LIBP11
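Review bot: HOST_LIBP11 is not a build dependency of yubihsm-shell, whose build needs cmake, gengetopt, OpenSSL, libcurl, libusb, libedit and pcsc-lite, all of which are already selected here. If libp11 is selected because the signing provider uses the OpenSSL pkcs11 engine on top of the yubihsm PKCS#11 module, that dependency belongs in the code-signing provider rule that actually invokes the engine, not in this package's .in file; otherwise drop the line.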
> diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> new file mode 100644
> index 000000000..3ebfc8c1f
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.make
> @@ -0,0 +1,37 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> +
> +#
> +# Paths and names
> +#
> +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# cmake
> +#
> +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> +HOST_YUBIHSM_SHELL_CONF_OPT:= \
> +$(HOST_CMAKE_OPT) \
> +-DBUILD_ONLY_LIB=OFF \
> +-DENABLE_COVERAGE=OFF \
> +-DSUPRESS_MSVC_WARNINGS=ON \
> +-DWITHOUT_MANPAGES=1
> +
> +# vim: syntax=make
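Review bot: the source URL points at the auto-generated GitHub archive of the tag, which GitHub does not guarantee to stay byte-identical, so the MD5 pin can start failing without any upstream change; if Yubico publishes a release tarball with a detached signature for 2.1.0, prefer that URL and verify it once against the signature before recording the checksum. Two style points: `-DWITHOUT_MANPAGES=1` mixes `1` with the ON/OFF used for the other options, and `-DSUPRESS_MSVC_WARNINGS=ON` (upstream's spelling) is a no-op on a Linux host build and can be dropped.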
> --
> 2.30.1
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
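The approach suggested in the reply above, written out as a PTXdist rule fragment. This is an added example and not code from the patch series or from PTXdist itself: the file name, the PTXCONF_CODE_SIGNING_PROVIDER_YUBIHSM symbol and the location of the module's config file are assumptions chosen to mirror rules/pre/020-code-signing-softhsm.make; only CODE_SIGNING_ENV and the proxy variables appear on this page. The YUBIHSM_PKCS11_CONF environment variable is the one the yubihsm_pkcs11 module documents for locating its config file, but it is not shown in the patch and is treated as an assumption here.

```make
# rules/pre/020-code-signing-yubihsm.make   (hypothetical; added example)
#
# Extend CODE_SIGNING_ENV for a YubiHSM based signing provider. Variables
# appended here are evaluated after the proxy settings that
# ptxd_make_world_init exports for stages other than "get", so assigning
# them an empty value clears them again for the signing helper only; the
# module does not need a noproxy patch for this.

ifdef PTXCONF_CODE_SIGNING_PROVIDER_YUBIHSM     # assumed Kconfig symbol

# Point the yubihsm_pkcs11 module at its config file (assumed path; the
# file holds connector=, cacert=, cert= and key= for the HSM connector).
CODE_SIGNING_ENV += \
	YUBIHSM_PKCS11_CONF=$(PTXDIST_WORKSPACE)/yubihsm_pkcs11.conf

# Clear every proxy variable libcurl honours, in both spellings, so the
# module can reach the connector from the compile stage.
CODE_SIGNING_ENV += \
	HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy= \
	ALL_PROXY= all_proxy=

endif
```

Because the assignments are appended rather than replacing CODE_SIGNING_ENV, whatever the core rules already put into the environment (PKCS#11 module path, PIN variables) is kept, and the proxy variables are only empty for the signing helper, not for the rest of the build.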
next prev parent reply other threads:[~2021-03-12 7:47 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
2021-03-12 7:47 ` Michael Olbrich [this message]
2021-03-12 8:17 ` Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
2021-03-12 7:35 ` Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 14:35 ` [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim