From: Michael Olbrich
Date: Fri, 12 Mar 2021 08:47:03 +0100
Message-ID: <20210312074703.GC306772@pengutronix.de>
References: <20210308123418.10187-1-denis.osterland@diehl.com> <20210308123418.10187-6-denis.osterland@diehl.com>
In-Reply-To: <20210308123418.10187-6-denis.osterland@diehl.com>
Subject: Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
List-Id: PTXdist Development Mailing List
To: ptxdist@pengutronix.de

On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows creating a signing provider for it.
>
> Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
>
> To use it together with a CA server:
> Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> communication in compile stage.

Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
"HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
evaluated after the variables set by ab4af48ba and clear them.
And expanding CODE_SIGNING_ENV depending on the signing provider is
expected. We already do this for softhsm: rules/pre/020-code-signing-softhsm.make

Michael
> Signed-off-by: Denis Osterland-Heim > --- > ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++ > ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++ > .../0003-add-noproxy-option.patch | 76 ++++++++++++++++ > patches/yubihsm-shell-2.1.0/series | 6 ++ > rules/host-yubihsm-shell.in | 13 +++ > rules/host-yubihsm-shell.make | 37 ++++++++ > 6 files changed, 287 insertions(+) > create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-supp= ort-for-pkcs11-module.patch > create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variab= le-extension.patch > create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.p= atch > create mode 100644 patches/yubihsm-shell-2.1.0/series > create mode 100644 rules/host-yubihsm-shell.in > create mode 100644 rules/host-yubihsm-shell.make > = > diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for= -pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-sup= port-for-pkcs11-module.patch > new file mode 100644 > index 000000000..dbce11c85 > --- /dev/null > +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11= -module.patch 
> @@ -0,0 +1,88 @@ > +From: Denis Osterland-Heim > +Date: Tue, 26 Jan 2021 14:19:52 +0100 > +Subject: [PATCH] add client cert support for pkcs11 module > + > +Allows to authenticate with client certificates at HSM server. > + > +Signed-off-by: Denis Osterland-Heim > +--- > + lib/yubihsm.h | 6 ++++++ > + lib/yubihsm_curl.c | 8 ++++++++ > + pkcs11/cmdline.ggo | 2 ++ > + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++ > + 4 files changed, 30 insertions(+) > + > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h > +index ef80d42b1865..da08f68038dd 100644 > +--- a/lib/yubihsm.h > ++++ b/lib/yubihsm.h > +@@ -518,6 +518,12 @@ typedef enum { > + /// Proxy server to use for connecting to the connector (const char *= ). Not > + /// implemented on Windows > + YH_CONNECTOR_PROXY_SERVER =3D 2, > ++ /// File with client certificate to authenticate client with (const c= har *). > ++ /// Not implemented on Windows > ++ YH_CONNECTOR_HTTPS_CERT =3D 3, > ++ /// File with client certificates key (const char *). > ++ /// Not implemented on Windows > ++ YH_CONNECTOR_HTTPS_KEY =3D 4, > + } yh_connector_option; > + > + #pragma pack(push, 1) > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c > +index 6360f3693268..2f46802e0fe1 100644 > +--- a/lib/yubihsm_curl.c > ++++ b/lib/yubihsm_curl.c > +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection,= yh_connector_option opt, > + option =3D CURLOPT_CAINFO; > + optname =3D "CURLOPT_CAINFO"; > + break; > ++ case YH_CONNECTOR_HTTPS_CERT: > ++ option =3D CURLOPT_SSLCERT; > ++ optname =3D "CURLOPT_SSLCERT"; > ++ break; > ++ case YH_CONNECTOR_HTTPS_KEY: > ++ option =3D CURLOPT_SSLKEY; > ++ optname =3D "CURLOPT_SSLKEY"; > ++ break; > + case YH_CONNECTOR_PROXY_SERVER: > + option =3D CURLOPT_PROXY; > + optname =3D "CURLOPT_PROXY"; > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo > +index 9a357b73062d..9e87e2aa2861 100644 > +--- a/pkcs11/cmdline.ggo > ++++ b/pkcs11/cmdline.ggo > +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 
function tracing" fla= g off > + option "libdebug" - "Enable libyubihsm debugging" flag off > + option "debug-file" - "Output file for debugging" string optional defau= lt=3D"stderr" > + option "cacert" - "Cacert to use for HTTPS validation" string optional > ++option "cert" - "HTTPS client certificate to authenticate with" string = optional > ++option "key" - "HTTPS client certificate key" string optional > + option "proxy" - "Proxy server to use for connector" string optional > + option "timeout" - "Timeout to use for initial connection to connector"= int optional default=3D"5" > + option "device-pubkey" - "List of device public keys allowed for asymme= tric authentication" string optional multiple > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c > +index f543c94ed373..25aec8e7c5fe 100644 > +--- a/pkcs11/yubihsm_pkcs11.c > ++++ b/pkcs11/yubihsm_pkcs11.c > +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR= pInitArgs) { > + goto c_i_failure; > + } > + } > ++ if (args_info.cert_given) { > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS= _CERT, > ++ args_info.cert_arg) !=3D YHR_SUCCESS)= { > ++ DBG_ERR("Failed to set HTTPS cert option"); > ++ goto c_i_failure; > ++ } > ++ } > ++ if (args_info.key_given) { > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS= _KEY, > ++ args_info.key_arg) !=3D YHR_SUCCESS) { > ++ DBG_ERR("Failed to set HTTPS key option"); > ++goto c_i_failure; > ++ } > ++ } > + if (args_info.proxy_given) { > + if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY= _SERVER, > + args_info.proxy_arg) !=3D YHR_SUCCESS= ) { > diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-exte= nsion.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-exten= sion.patch > new file mode 100644 > index 000000000..e3d64659a > --- /dev/null > +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.p= atch 
> @@ -0,0 +1,67 @@ > +From: Denis Osterland-Heim > +Date: Tue, 2 Feb 2021 08:50:48 +0100 > +Subject: [PATCH] add bash like variable extension > + > +Support for `~` and environment variables like `${HOME}`. > + > +Signed-off-by: Denis Osterland-Heim > +--- > + lib/yubihsm_curl.c | 18 +++++++++++++++++- > + 1 file changed, 17 insertions(+), 1 deletion(-) > + > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c > +index 2f46802e0fe1..52ca14ddf2d4 100644 > +--- a/lib/yubihsm_curl.c > ++++ b/lib/yubihsm_curl.c > +@@ -16,6 +16,7 @@ > + > + #include > + #include > ++#include > + > + #include > + > +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection= , yh_connector_option opt, > + const void *val) { > + CURLoption option; > + const char *optname; > ++ wordexp_t expanded; > ++ bool expand =3D false; > + > + switch (opt) { > + case YH_CONNECTOR_HTTPS_CA: > + option =3D CURLOPT_CAINFO; > + optname =3D "CURLOPT_CAINFO"; > ++ expand =3D true; > + break; > + case YH_CONNECTOR_HTTPS_CERT: > + option =3D CURLOPT_SSLCERT; > + optname =3D "CURLOPT_SSLCERT"; > ++ expand =3D true; > + break; > + case YH_CONNECTOR_HTTPS_KEY: > + option =3D CURLOPT_SSLKEY; > + optname =3D "CURLOPT_SSLKEY"; > ++ expand =3D true; > + break; > + case YH_CONNECTOR_PROXY_SERVER: > + option =3D CURLOPT_PROXY; > +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection,= yh_connector_option opt, > + DBG_ERR("%d is an unknown option", opt); > + return YHR_INVALID_PARAMETERS; > + } > +- CURLcode rc =3D curl_easy_setopt(connection, option, (char *) val); > ++ if (expand) > ++ { > ++ if (wordexp((const char *)val, &expanded, 0)) > ++ { > ++ DBG_ERR("Failed to expand %s\n", optname); > ++ return YHR_CONNECTOR_ERROR; > ++ } > ++ } > ++ CURLcode rc =3D curl_easy_setopt(connection, option, expand ? 
expande= d.we_wordv[0] : (char *) val); > ++ if (expand) > ++ wordfree(&expanded); > + if (rc =3D=3D CURLE_OK) { > + DBG_INFO("Successfully set %s.", optname); > + return YHR_SUCCESS; > diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/= patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch > new file mode 100644 > index 000000000..788b9cacf > --- /dev/null > +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch 
> @@ -0,0 +1,76 @@ > +From: Denis Osterland-Heim > +Date: Tue, 2 Feb 2021 08:32:54 +0100 > +Subject: [PATCH] add noproxy option > + > +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=3Dab4= af48ba403167f42c417f8ecfef1d0a870c0c3 > + > +Use `noproxy=3D*` in your config file to use the plugin outside of > +get stage, e.g. in barebox compile stage. > + > +Signed-off-by: Denis Osterland-Heim > +--- > + lib/yubihsm.h | 3 +++ > + lib/yubihsm_curl.c | 4 ++++ > + pkcs11/cmdline.ggo | 1 + > + pkcs11/yubihsm_pkcs11.c | 7 +++++++ > + 4 files changed, 15 insertions(+) > + > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h > +index da08f68038dd..5f90eca0d8e8 100644 > +--- a/lib/yubihsm.h > ++++ b/lib/yubihsm.h > +@@ -524,6 +524,9 @@ typedef enum { > + /// File with client certificates key (const char *). > + /// Not implemented on Windows > + YH_CONNECTOR_HTTPS_KEY =3D 4, > ++ /// Comma separated list of hosts ignoring proxy, `*` to disable prox= y. > ++ /// Not implemented on Windows > ++ YH_CONNECTOR_NOPROXY =3D 5, > + } yh_connector_option; > + > + #pragma pack(push, 1) > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c > +index 52ca14ddf2d4..f7f7cd8f54da 100644 > +--- a/lib/yubihsm_curl.c > ++++ b/lib/yubihsm_curl.c > +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection,= yh_connector_option opt, > + option =3D CURLOPT_PROXY; > + optname =3D "CURLOPT_PROXY"; > + break; > ++ case YH_CONNECTOR_NOPROXY: > ++ option =3D CURLOPT_NOPROXY; > ++ optname =3D "CURLOPT_NOPROXY"; > ++ break; > + default: > + DBG_ERR("%d is an unknown option", opt); > + return YHR_INVALID_PARAMETERS; > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo > +index 9e87e2aa2861..cdf97ae0d33d 100644 > +--- a/pkcs11/cmdline.ggo > ++++ b/pkcs11/cmdline.ggo > +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation"= string optional > + option "cert" - "HTTPS client certificate to authenticate with" string = optional > + option "key" - "HTTPS client 
certificate key" string optional > + option "proxy" - "Proxy server to use for connector" string optional > ++option "noproxy" - "Comma separated list of hosts ignore proxy for" str= ing optional > + option "timeout" - "Timeout to use for initial connection to connector"= int optional default=3D"5" > + option "device-pubkey" - "List of device public keys allowed for asymme= tric authentication" string optional multiple > + > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c > +index 25aec8e7c5fe..38b08bbf8000 100644 > +--- a/pkcs11/yubihsm_pkcs11.c > ++++ b/pkcs11/yubihsm_pkcs11.c > +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR= pInitArgs) { > + goto c_i_failure; > + } > + } > ++ if (args_info.noproxy_given) { > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPRO= XY, > ++ args_info.noproxy_arg) !=3D YHR_SUCCE= SS) { > ++ DBG_ERR("Failed to set noproxy option"); > ++goto c_i_failure; > ++ } > ++ } > + > + if (yh_connect(connector_list[i], args_info.timeout_arg) !=3D YHR_S= UCCESS) { > + DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]); > diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2= .1.0/series > new file mode 100644 > index 000000000..a0fbb2915 > --- /dev/null > +++ b/patches/yubihsm-shell-2.1.0/series > @@ -0,0 +1,6 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-add-client-cert-support-for-pkcs11-module.patch > +0002-add-bash-like-variable-extension.patch > +0003-add-noproxy-option.patch > +# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic > diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in > new file mode 100644 > index 000000000..3b17a2e98 > --- /dev/null > +++ b/rules/host-yubihsm-shell.in 
> @@ -0,0 +1,13 @@ > +## SECTION=3Dhosttools_noprompt > + > +config HOST_YUBIHSM_SHELL > +tristate > +default ALLYES > +select HOST_CMAKE > +select HOST_OPENSSL > +select HOST_LIBCURL > +select HOST_LIBUSB > +select HOST_GENGETOPT > +select HOST_LIBEDIT > +select HOST_PCSC_LITE > +select HOST_LIBP11 > diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make > new file mode 100644 > index 000000000..3ebfc8c1f > --- /dev/null > +++ b/rules/host-yubihsm-shell.make 
> @@ -0,0 +1,37 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2021 by Denis Osterland-Heim > +# > +# For further information about the PTXdist project and license conditio= ns > +# see the README file. > +# > + > +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) +=3D host-yubihsm-shell > + > +# > +# Paths and names > +# > +HOST_YUBIHSM_SHELL_VERSION:=3D 2.1.0 > +HOST_YUBIHSM_SHELL_MD5:=3D 7363c0bc4ed037e262474beaa6e1407b > +HOST_YUBIHSM_SHELL:=3D yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION) > +HOST_YUBIHSM_SHELL_SUFFIX:=3D tar.gz > +HOST_YUBIHSM_SHELL_URL:=3D https://github.com/Yubico/yubihsm-shell/archi= ve/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX) > +HOST_YUBIHSM_SHELL_SOURCE:=3D $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUB= IHSM_SHELL_SUFFIX) > +HOST_YUBIHSM_SHELL_DIR:=3D $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL) > + > +# ----------------------------------------------------------------------= ------ > +# Prepare > +# ----------------------------------------------------------------------= ------ > + > +# > +# cmake > +# > +HOST_YUBIHSM_SHELL_CONF_TOOL:=3D cmake > +HOST_YUBIHSM_SHELL_CONF_OPT:=3D \ > +$(HOST_CMAKE_OPT) \ > +-DBUILD_ONLY_LIB=3DOFF \ > +-DENABLE_COVERAGE=3DOFF \ > +-DSUPRESS_MSVC_WARNINGS=3DON \ > +-DWITHOUT_MANPAGES=3D1 > + > +# vim: syntax=3Dmake > -- > 2.30.1
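Review bot: the `wordexp((const char *)val, &expanded, 0)` call in the `lib/yubihsm_curl.c` hunk of 0002-add-bash-like-variable-extension.patch runs with flags 0, so a cacert, cert or key path taken from the config file that contains `$(...)` or backticks is handed to the shell for command substitution; pass `WRDE_NOCMD` so that only the tilde and `${HOME}`-style expansion the commit message asks for is performed, and treat the resulting `WRDE_CMDSUB` error like any other expansion failure. The same hunk uses `expanded.we_wordv[0]` without checking `expanded.we_wordc`: a value that expands to nothing (an unset variable) leaves `we_wordc == 0` and a NULL first word, and a value that expands to several words silently keeps only the first, so return `YHR_INVALID_PARAMETERS` when `we_wordc != 1` before calling `curl_easy_setopt`. Since `wordexp()` is POSIX-only, this also needs a build guard consistent with the "Not implemented on Windows" comments on these options.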
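Review bot: in the `pkcs11/yubihsm_pkcs11.c` hunk of 0001-add-client-cert-support-for-pkcs11-module.patch, the `goto c_i_failure;` in the `args_info.key_given` block is not indented like the one in the `args_info.cert_given` block directly above it; please align it. On the documentation side, the `cmdline.ggo` help for `cert` and `key` does not say that the values are file paths, that libcurl expects PEM by default for `CURLOPT_SSLCERT` and `CURLOPT_SSLKEY`, or that, because the patch does not expose `CURLOPT_KEYPASSWD`, only an unencrypted key file can be used; stating that in the option descriptions avoids surprising failures at `C_Initialize`.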
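Review bot: the help text added in the `pkcs11/cmdline.ggo` hunk of 0003-add-noproxy-option.patch, "Comma separated list of hosts ignore proxy for", is ungrammatical and omits the `*` wildcard documented in the `lib/yubihsm.h` hunk of the same patch; suggest "Comma separated list of hosts to bypass the proxy for, `*` for all". The `goto c_i_failure;` in the new `args_info.noproxy_given` block has the same missing indentation as in 0001. Since the series is meant to go upstream, the commit message's "work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3" is meaningless to Yubico's maintainers; describe the option on its own terms (per-host proxy bypass, mirroring `CURLOPT_NOPROXY`) and keep the ptxdist motivation in the ptxdist cover letter.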
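Review bot: in the `rules/host-yubihsm-shell.make` hunk, `-DSUPRESS_MSVC_WARNINGS=ON` only affects MSVC builds and has no effect on a Linux host build, so it can be dropped, and `-DWITHOUT_MANPAGES=1` should use `ON` like the neighbouring options. The rule also carries no license information; consider adding a `HOST_YUBIHSM_SHELL_LICENSE` line following ptxdist's `<PKG>_LICENSE` convention for the other rules.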