From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: In-Reply-To: <20200515142641.812-5-bst@pengutronix.de> MIME-Version: 1.0 Message-Id: From: Michael Olbrich Date: Tue, 19 May 2020 14:23:39 +0200 Subject: Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: introduce CA helper List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Bastian Krause Thanks, applied as 2670bde257e1a0fd4f56ef6d983d770cf251b2dd. Michael [sent from post-receive hook] On Tue, 19 May 2020 14:23:39 +0200, Bastian Krause wrote: > These helpers allow key providers to append certificates to their CA. > 'cs_get_ca ' then returns the path to the keyring allowing rules > and other helpers to retrieve it easily. > > Signed-off-by: Bastian Krause > Message-Id: <20200515142641.812-5-bst@pengutronix.de> > Signed-off-by: Michael Olbrich > > diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh > index f93f183df8e8..a7779f8212c6 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh 
> @@ -261,3 +261,68 @@ cs_import_key_from_pem() { > cs_import_privkey_from_pem "${role}" "${pem}" > } > export -f cs_import_key_from_pem > + > +# > +# cs_get_ca > +# > +# Get the path to the CA in pem format from a role > +# > +cs_get_ca() { > + local role="${1}" > + cs_init_variables > + > + echo "${keydir}/${role}/ca.pem" > +} > +export -f cs_get_ca > + > +# > +# cs_append_ca_from_pem > +# > +# Append PEM to CA for a role > +# > +cs_append_ca_from_pem() { > + local role="${1}" > + local pem="${2}" > + cs_init_variables > + > + cat "${pem}" >> "${keydir}/${role}/ca.pem" > + # add new line in case ${pem} does not end with an EOL > + echo >> "${keydir}/${role}/ca.pem" > +} > +export -f cs_append_ca_from_pem > + > +# > +# cs_append_ca_from_der > +# > +# Append DER to CA for a role > +# > +cs_append_ca_from_der() { > + local role="${1}" > + local der="${2}" > + cs_init_variables > + > + ptxd_exec openssl x509 -inform der -in "${der}" \ > + -out "${tmpdir}/ca.pem" && > + cs_append_ca_from_pem "${role}" "${tmpdir}/ca.pem" > +} > +export -f cs_append_ca_from_der > + > +# > +# cs_append_ca_from_uri [] > +# > +# Append certificate specified by URI or by already set URI to CA for a role > +# > +cs_append_ca_from_uri() { > + local role="${1}" > + local uri="${2}" > + local tmpdir="$(mktemp -d "${PTXDIST_TEMPDIR}/${role}-ca.XXXXXX")" > + cs_init_variables > + > + if [ -z "${uri}" ]; then > + uri=$(cs_get_uri "${role}") > + fi > + > + ptxd_exec extract-cert "${uri}" "${tmpdir}/ca.der" && > + cs_append_ca_from_der "${role}" "${tmpdir}/ca.der" > +} > +export -f cs_append_ca_from_uri _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
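Review bot: In cs_append_ca_from_der, `${tmpdir}` is never declared or assigned inside the function. It only has a value when the call arrives through cs_append_ca_from_uri, whose `local tmpdir=...` is visible to callees through bash's dynamic scoping. If a key provider calls cs_append_ca_from_der directly, and unless cs_init_variables sets tmpdir (not visible in this hunk), openssl is asked to write to `/ca.pem`. Suggest creating the temporary directory in cs_append_ca_from_der itself, or passing the output path in as an argument. Also, in cs_append_ca_from_pem the exit status of `cat "${pem}" >> ...` is discarded, because the trailing `echo >>` determines the return value. A missing or unreadable PEM therefore returns success and appends only a blank line to the role's ca.pem. Chaining the two commands with `&&` would let callers see the failure, which matters for a file that rules later treat as the trust anchor. The same masking applies in cs_append_ca_from_uri, where `local tmpdir="$(mktemp -d ...)"` hides a mktemp failure behind the status of `local`; declaring and assigning on separate lines would expose it.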