From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
In-Reply-To: <20200617143125.23999-7-bst@pengutronix.de>
MIME-Version: 1.0
Message-Id: <E1jmP7J-0002RX-8V@dude02.lab.pengutronix.de>
From: Michael Olbrich <mol@pengutronix.de>
Date: Sat, 20 Jun 2020 00:04:09 +0200
Subject: Re: [ptxdist] [APPLIED] doc: introduce ref_code_signing_helpers
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Bastian Krause <bst@pengutronix.de>

Thanks, applied as a1fff163e86b45aab29fda3790542422eaa5fd61.

Michael

[sent from post-receive hook]

On Sat, 20 Jun 2020 00:04:09 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Reviewed-by: Roland Hieber <rhi@pengutronix.de>
> Tested-by: Ladislav Michl <ladis@linux-mips.org>
> Message-Id: <20200617143125.23999-7-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> new file mode 100644
> index 000000000000..c3ffe01cbdac
> --- /dev/null
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -0,0 +1,248 @@
> +.. _code_signing_helper_functions:
> +
> +Code Signing Helper Functions
> +-----------------------------
> +
> +PTXdist provides various bash helper functions to be used in :ref:`code signing
> +providers <code_signing_providers>` and :ref:`code signing consumers
> +<code_signing_consumers>`.
> +
> +PTXdist stores URIs and CAs using these helpers in
> +``$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}``.
> +
> +SoftHSM Provider Functions
> +~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +These helpers initialize and import public/private keys and certificates into
> +the SoftHSM.
> +
> +.. _cs_init_softhsm:
> +
> +cs_init_softhsm
> +^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_init_softhsm
> +
> +Initialize SoftHSM, and set the initial pins.
> +
> +cs_import_cert_from_der
> +^^^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_import_cert_from_der <role> <DER>
> +
> +Import certificate from a given DER file for role.
> +To be used with SoftHSM only.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
> +
> +cs_import_cert_from_pem
> +^^^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_import_cert_from_pem <role> <PEM>
> +
> +Import certificate from a given PEM file for role.
> +To be used with SoftHSM only.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
> +
> +cs_import_pubkey_from_pem
> +^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_import_pubkey_from_pem <role> <PEM>
> +
> +Import public key from a given PEM file for role.
> +To be used with SoftHSM only.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
> +
> +cs_import_privkey_from_pem
> +^^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_import_privkey_from_pem <role> <PEM>
> +
> +Import private key from a given PEM file for role.
> +To be used with SoftHSM only.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
> +
> +cs_import_key_from_pem
> +^^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_import_key_from_pem <role> <PEM>
> +
> +Import private/public key pair from a given PEM file for role.
> +To be used with SoftHSM only.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
> +
> +Generic Provider Functions
> +~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +These helpers allow to define roles, set PKCS#11 URIs and handle certificate
> +authorities (CAs).
> +HSM as well as SoftHSM code signing providers should use them.
> +
> +.. _cs_define_role:
> +
> +cs_define_role
> +^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_define_role <role>
> +
> +Define new key role.
> +
> +A default PKCS#11 URI is set implicitly as convenience for SoftHSM use cases.
> +
> +.. _cs_set_uri:
> +
> +cs_set_uri
> +^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_set_uri <role> <URI>
> +
> +Set given PKCS#11 URI for role.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +
> +.. _cs_append_ca_from_pem:
> +
> +cs_append_ca_from_pem
> +^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_append_ca_from_pem <role> <PEM>
> +
> +Append certificate from a given PEM file for role.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +
> +.. _cs_append_ca_from_der:
> +
> +cs_append_ca_from_der
> +^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_append_ca_from_der <role> <DER>
> +
> +Append certificate from a given DER file for role.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +
> +.. _cs_append_ca_from_uri:
> +
> +cs_append_ca_from_uri
> +^^^^^^^^^^^^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_append_ca_from_uri <role> [<URI>]
> +
> +Append certificate from a given PKCS#11 URI for role.
> +If URI is omitted the already set URI for role is used.
> +
> +Preconditions:
> +
> +- the role must have been defined (see :ref:`cs_define_role`)
> +
> +Consumer Functions
> +~~~~~~~~~~~~~~~~~~
> +
> +Packages that want to sign something or need access to keys/CAs can retrieve
> +PKCS#11 URIs and CAs with these helpers.
> +
> +.. _cs_get_uri:
> +
> +cs_get_uri
> +^^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_get_uri <role>
> +
> +Get PKCS#11 URI for role.
> +
> +Preconditions:
> +
> +- the URI must have been set (see :ref:`cs_set_uri`)
> +
> +.. _cs_get_ca:
> +
> +cs_get_ca
> +^^^^^^^^^
> +
> +Usage:
> +
> +.. code-block:: bash
> +
> +    cs_get_ca <role>
> +
> +Get path to the CA in PEM format for role.
> +
> +Preconditions:
> +
> +- a certificate must have been appended to the CA
> +  (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
> +  :ref:`cs_append_ca_from_uri`)
> diff --git a/doc/ref_manual.rst b/doc/ref_manual.rst
> index 850d7239914b..dea1610c6e42 100644
> --- a/doc/ref_manual.rst
> +++ b/doc/ref_manual.rst
> @@ -7,3 +7,4 @@ PTXdist Reference
>     ref_make_macros
>     ref_rule_file_layout
>     ref_parameter
> +   ref_code_signing_helpers

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de