[ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage

[ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage

[Bastian Krause]

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 doc/ref_code_signing_helpers.rst | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index c3ffe01cb..f7928f52e 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -7,7 +7,7 @@ PTXdist provides various bash helper functions to be used in :ref:`code signing
 providers <code_signing_providers>` and :ref:`code signing consumers
 <code_signing_consumers>`.
 
-PTXdist stores URIs and CAs using these helpers in
+PTXdist stores URIs and CA keyrings using these helpers in
 ``$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}``.
 
 SoftHSM Provider Functions
@@ -29,6 +29,8 @@ Usage:
 
 Initialize SoftHSM, and set the initial pins.
 
+.. _cs_import_cert_from_der:
+
 cs_import_cert_from_der
 ^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -46,6 +48,8 @@ Preconditions:
 - the role must have been defined (see :ref:`cs_define_role`)
 - SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
 
+.. _cs_import_cert_from_pem:
+
 cs_import_cert_from_pem
 ^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -164,7 +168,9 @@ Usage:
 
     cs_append_ca_from_pem <role> <PEM>
 
-Append certificate from a given PEM file for role.
+Append certificate from a given PEM file to the role's CA keyring.
+If no CA keyring exists yet it is created as an empty file before.
+
 
 Preconditions:
 
@@ -181,7 +187,8 @@ Usage:
 
     cs_append_ca_from_der <role> <DER>
 
-Append certificate from a given DER file for role.
+Append certificate from a given DER file to the role's CA keyring.
+If no CA keyring exists yet it is created as an empty file before.
 
 Preconditions:
 
@@ -198,18 +205,21 @@ Usage:
 
     cs_append_ca_from_uri <role> [<URI>]
 
-Append certificate from a given PKCS#11 URI for role.
+Append certificate from a given PKCS#11 URI to the role's CA keyring.
 If URI is omitted the already set URI for role is used.
+If no CA keyring exists yet it is created as an empty file before.
 
 Preconditions:
 
 - the role must have been defined (see :ref:`cs_define_role`)
+- when used with SoftHSM, certificates must have been imported before
+  (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
 
 Consumer Functions
 ~~~~~~~~~~~~~~~~~~
 
 Packages that want to sign something or need access to keys/CAs can retrieve
-PKCS#11 URIs and CAs with these helpers.
+PKCS#11 URIs and CA keyrings with these helpers.
 
 .. _cs_get_uri:
 
@@ -239,10 +249,10 @@ Usage:
 
     cs_get_ca <role>
 
-Get path to the CA in PEM format for role.
+Get path to the CA keyring in PEM format for role.
 
 Preconditions:
 
-- a certificate must have been appended to the CA
+- a certificate must have been appended to the CA keyring
   (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
   :ref:`cs_append_ca_from_uri`)
-- 
2.27.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

[ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings"

[Bastian Krause]

Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
 doc/dev_code_signing.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index fbebb6b52..d47002e8c 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -107,6 +107,32 @@ Switching the code signing provider is now finally possible with
 ``ptxdist platformconfig``, then navigate to *Code signing* → *Code signing
 provider*.
 
+.. _code_signing_ca_keyrings:
+
+Managing Certificate Authority Keyrings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In case a self-signed certificate is used :ref:`cs_append_ca_from_uri` can
+be called to add the certificate from the (Soft)HSM.
+
+To allow rollovers multiple certificates can be added by calling the
+``cs_append_ca_*`` functions multiple times.
+Depending on if the certificate resides on a (Soft)HSM or in a file the
+appropriate functions must be called.
+
+More complex public key infrastructures (PKIs) consist of separated CA and
+*end-entity*.
+The CA certificate is only available as a file, the private key is stored in a
+safe and inaccessible location (from the build system's perspective).
+The signing key as well as the corresponding certificate are stored on an HSM.
+Only the CA certificate should end up in the keyring, so
+:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem` must be used to
+append it to the keyring.
+
+Some HSMs do not support storing certificates at all.
+In these cases the certificate is present as a file and must be appended with
+:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem`.
+
 .. _code_signing_consumers:
 
 Code Signing Consumers
-- 
2.27.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] doc: ref_code_signing_helpers: clarify CA keyring function usage

[Michael Olbrich]

Thanks, applied as ea9676b3e7839dc38703a0992b5ec15e75fe83c3.

Michael

[sent from post-receive hook]

On Fri, 26 Jun 2020 13:00:54 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200624160849.6966-1-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index c3ffe01cbdac..f7928f52ebef 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -7,7 +7,7 @@ PTXdist provides various bash helper functions to be used in :ref:`code signing
>  providers <code_signing_providers>` and :ref:`code signing consumers
>  <code_signing_consumers>`.
>  
> -PTXdist stores URIs and CAs using these helpers in
> +PTXdist stores URIs and CA keyrings using these helpers in
>  ``$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}``.
>  
>  SoftHSM Provider Functions
> @@ -29,6 +29,8 @@ Usage:
>  
>  Initialize SoftHSM, and set the initial pins.
>  
> +.. _cs_import_cert_from_der:
> +
>  cs_import_cert_from_der
>  ^^^^^^^^^^^^^^^^^^^^^^^
>  
> @@ -46,6 +48,8 @@ Preconditions:
>  - the role must have been defined (see :ref:`cs_define_role`)
>  - SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
>  
> +.. _cs_import_cert_from_pem:
> +
>  cs_import_cert_from_pem
>  ^^^^^^^^^^^^^^^^^^^^^^^
>  
> @@ -164,7 +168,9 @@ Usage:
>  
>      cs_append_ca_from_pem <role> <PEM>
>  
> -Append certificate from a given PEM file for role.
> +Append certificate from a given PEM file to the role's CA keyring.
> +If no CA keyring exists yet it is created as an empty file before.
> +
>  
>  Preconditions:
>  
> @@ -181,7 +187,8 @@ Usage:
>  
>      cs_append_ca_from_der <role> <DER>
>  
> -Append certificate from a given DER file for role.
> +Append certificate from a given DER file to the role's CA keyring.
> +If no CA keyring exists yet it is created as an empty file before.
>  
>  Preconditions:
>  
> @@ -198,18 +205,21 @@ Usage:
>  
>      cs_append_ca_from_uri <role> [<URI>]
>  
> -Append certificate from a given PKCS#11 URI for role.
> +Append certificate from a given PKCS#11 URI to the role's CA keyring.
>  If URI is omitted the already set URI for role is used.
> +If no CA keyring exists yet it is created as an empty file before.
>  
>  Preconditions:
>  
>  - the role must have been defined (see :ref:`cs_define_role`)
> +- when used with SoftHSM, certificates must have been imported before
> +  (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
>  
>  Consumer Functions
>  ~~~~~~~~~~~~~~~~~~
>  
>  Packages that want to sign something or need access to keys/CAs can retrieve
> -PKCS#11 URIs and CAs with these helpers.
> +PKCS#11 URIs and CA keyrings with these helpers.
>  
>  .. _cs_get_uri:
>  
> @@ -239,10 +249,10 @@ Usage:
>  
>      cs_get_ca <role>
>  
> -Get path to the CA in PEM format for role.
> +Get path to the CA keyring in PEM format for role.
>  
>  Preconditions:
>  
> -- a certificate must have been appended to the CA
> +- a certificate must have been appended to the CA keyring
>    (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
>    :ref:`cs_append_ca_from_uri`)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] doc: dev_code_signing: add "Managing Certificate Authority Keyrings"

[Michael Olbrich]

Thanks, applied as 846c8b91bb0eb7d136995c2d045f44640d407b89.

Michael

[sent from post-receive hook]

On Fri, 26 Jun 2020 13:00:55 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200624160849.6966-2-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
> index fbebb6b524e1..d47002e8c380 100644
> --- a/doc/dev_code_signing.rst
> +++ b/doc/dev_code_signing.rst
> @@ -107,6 +107,32 @@ Switching the code signing provider is now finally possible with
>  ``ptxdist platformconfig``, then navigate to *Code signing* → *Code signing
>  provider*.
>  
> +.. _code_signing_ca_keyrings:
> +
> +Managing Certificate Authority Keyrings
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +In case a self-signed certificate is used :ref:`cs_append_ca_from_uri` can
> +be called to add the certificate from the (Soft)HSM.
> +
> +To allow rollovers multiple certificates can be added by calling the
> +``cs_append_ca_*`` functions multiple times.
> +Depending on if the certificate resides on a (Soft)HSM or in a file the
> +appropriate functions must be called.
> +
> +More complex public key infrastructures (PKIs) consist of separated CA and
> +*end-entity*.
> +The CA certificate is only available as a file, the private key is stored in a
> +safe and inaccessible location (from the build system's perspective).
> +The signing key as well as the corresponding certificate are stored on an HSM.
> +Only the CA certificate should end up in the keyring, so
> +:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem` must be used to
> +append it to the keyring.
> +
> +Some HSMs do not support storing certificates at all.
> +In these cases the certificate is present as a file and must be appended with
> +:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem`.
> +
>  .. _code_signing_consumers:
>  
>  Code Signing Consumers

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de