From: Bastian Krause
Date: Fri, 15 May 2020 13:21:09 +0200
Subject: Re: [ptxdist] [PATCH 04/13] ptxd_lib_code_signing: introduce CA helper
Message-ID: <5c78df95-a79d-24ae-f59d-8ed98d2be2ad@pengutronix.de>
In-Reply-To: <20200515103628.GA7220@pengutronix.de>
References: <20200514134300.16105-1-bst@pengutronix.de> <20200514134300.16105-4-bst@pengutronix.de> <20200515103628.GA7220@pengutronix.de>
To: ptxdist@pengutronix.de, Jan Luebbe
List-Id: PTXdist Development Mailing List

On 5/15/20 12:36 PM, Michael Olbrich wrote:
> On Thu, May 14, 2020 at 03:42:51PM +0200, Bastian Krause wrote:
>> These helpers allow key providers to append certificates to their CA.
>> 'cs_get_ca ' then returns the path to the keyring allowing rules
>> and other helpers to retrieve it easily.
>>
>> Signed-off-by: Bastian Krause
>> ---
>>  scripts/lib/ptxd_lib_code_signing.sh | 63 ++++++++++++++++++++++++++++
>>  1 file changed, 63 insertions(+)
>>
>> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh
>> index f93f183df..571fe6806 100644
>> --- a/scripts/lib/ptxd_lib_code_signing.sh
>> +++ b/scripts/lib/ptxd_lib_code_signing.sh
>> @@ -261,3 +261,66 @@ cs_import_key_from_pem() { >> cs_import_privkey_from_pem "${role}" "${pem}" >> } >> export -f cs_import_key_from_pem >> + >> +# >> +# cs_get_ca >> +# >> +# Get the path to the CA in pem format from a role >> +# >> +cs_get_ca() { >> + local role="${1}" >> + cs_init_variables >> + >> + echo "${keydir}/${role}/ca.pem" >> +} >> +export -f cs_get_ca >> + >> +# >> +# cs_append_ca_from_pem >> +# >> +# Append PEM to CA for a role >> +# >> +cs_append_ca_from_pem() { >> + local role="${1}" >> + local pem="${2}" >> + cs_init_variables >> + >> + cat "${pem}" >> "${keydir}/${role}/ca.pem"
>
> Jan, is this correct? I think you said something about extra newlines that
> may be needed?

I guess if we first append a file with no EOL at the end and then append
something else this can lead to...

  "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"

... on a single line. Is there a smart way of adding an EOL? Or should we
always append a final new line? Does this break any known use cases?
Regards,
Bastian

>
>> +} >> +export -f cs_append_ca_from_pem >> + >> +# >> +# cs_append_ca_from_der >> +# >> +# Append DER to CA for a role >> +# >> +cs_append_ca_from_der() { >> + local role="${1}" >> + local der="${2}" >> + cs_init_variables >> + >> + ptxd_exec openssl x509 -inform der -in "${der}" \ >> + -out "${tmpdir}/ca.pem" && >> + cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" >> +} >> +export -f cs_append_ca_from_der >> + >> +# >> +# cs_append_ca_from_uri [] >> +# >> +# Append certificate specified by URI or by already set URI to CA for a role >> +# >> +cs_append_ca_from_uri() { >> + local role="${1}" >> + local uri="${2}" >> + local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")" >> + cs_init_variables >> + >> + if [ -z "${uri}" ]; then >> + uri=$(cs_get_uri "${role}") >> + fi >> + >> + ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && >> + cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" >> +} >> +export -f cs_append_ca_from_uri >> -- >> 2.26.2
>>
>>
>> _______________________________________________
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>>
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
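Review bot: in cs_append_ca_from_pem the bare `cat "${pem}" >> "${keydir}/${role}/ca.pem"` does not guarantee a line break between blocks, so a PEM input whose last byte is not a newline leaves "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line after the next append and the second certificate is no longer a recognisable PEM block. Either append a newline when the last byte of ca.pem is not already one, or normalise the input first (for example `openssl x509 -in "${pem}" -out ...`, which re-emits the certificate in canonical PEM form with a terminating newline; note that it emits only the first certificate of its input, so a multi-certificate file would be truncated silently). The cs_append_ca_from_der path already passes through openssl x509, so only the from_pem path needs this. Two smaller points in the same hunk: cs_append_ca_from_der writes to "${tmpdir}/ca.pem" but declares no tmpdir of its own, so it only works when called from cs_append_ca_from_uri (where tmpdir is a local) unless cs_init_variables sets it, even though it is exported as a standalone helper; and the directory created by `mktemp -d` in cs_append_ca_from_uri is never removed.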
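The delimiter problem raised in this thread, as an added POSIX shell example that is not ptxdist code and uses none of its helpers (no cs_init_variables, ptxd_exec or keydir): append_pem_to_ca is a drop-in for the plain `cat >>` that inserts a newline whenever the bundle does not already end with one, and begin_lines counts how many certificate blocks a PEM reader can still find. The two fixtures are constructed stand-ins whose bodies are not real certificates; the first deliberately lacks a trailing newline.

```shell
#!/bin/sh
# Added example, not ptxdist code: append PEM certificates to a CA bundle
# with a guaranteed line break between blocks, so a source file that lacks
# a final newline cannot fuse "-----END CERTIFICATE-----" and
# "-----BEGIN CERTIFICATE-----" onto one line.

# ends_with_newline <file>: true if the last byte of <file> is '\n'.
ends_with_newline() {
    n=$(tail -c 1 "$1" | wc -l)   # wc -l counts newline bytes: 1 or 0
    [ $((n)) -eq 1 ]
}

# append_pem_to_ca <pem-file> <ca-file>
# Like 'cat pem >> ca', but inserts a newline first when the bundle does not
# already end with one, and makes sure the bundle ends with one afterwards.
append_pem_to_ca() {
    pem="$1"
    ca="$2"
    [ -s "$pem" ] || return 1
    if [ -s "$ca" ] && ! ends_with_newline "$ca"; then
        printf '\n' >> "$ca"
    fi
    cat "$pem" >> "$ca" || return 1
    ends_with_newline "$ca" || printf '\n' >> "$ca"
}

# begin_lines <ca-file>: number of lines that are exactly a PEM BEGIN marker,
# i.e. certificate blocks that a PEM parser can actually find.
begin_lines() {
    grep -c -x -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed fixtures (hypothetical, not real certificates): the base64
# bodies are placeholders, only the delimiter lines matter here.
write_fixtures() {
    dir="$1"
    # a.pem deliberately has NO trailing newline after the END marker.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$dir/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' \
        '-----END CERTIFICATE-----' > "$dir/b.pem"
}

# naive_begin_lines: what plain 'cat >>' produces with the fixtures above.
naive_begin_lines() {
    d=$(mktemp -d)
    write_fixtures "$d"
    cat "$d/a.pem" >> "$d/ca.pem"
    cat "$d/b.pem" >> "$d/ca.pem"
    begin_lines "$d/ca.pem"
    rm -rf "$d"
}

# safe_begin_lines: the same inputs appended through append_pem_to_ca.
safe_begin_lines() {
    d=$(mktemp -d)
    write_fixtures "$d"
    append_pem_to_ca "$d/a.pem" "$d/ca.pem"
    append_pem_to_ca "$d/b.pem" "$d/ca.pem"
    begin_lines "$d/ca.pem"
    rm -rf "$d"
}

echo "plain cat >>: $(naive_begin_lines) parseable block(s); append_pem_to_ca: $(safe_begin_lines)"
```

The newline check uses only `tail -c 1` and `wc -l`, so it behaves the same under dash, bash and the BSD userland; the count in begin_lines is the check worth keeping in a build system, because a fused marker line is exactly the failure that a later `openssl verify -CAfile` would only report as "unable to get local issuer certificate".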