* [ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage
@ 2020-06-24 16:08 Bastian Krause
2020-06-24 16:08 ` [ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings" Bastian Krause
2020-06-26 11:00 ` [ptxdist] [APPLIED] doc: ref_code_signing_helpers: clarify CA keyring function usage Michael Olbrich
0 siblings, 2 replies; 4+ messages in thread
From: Bastian Krause @ 2020-06-24 16:08 UTC (permalink / raw)
To: ptxdist; +Cc: Bastian Krause
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
doc/ref_code_signing_helpers.rst | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
index c3ffe01cb..f7928f52e 100644
--- a/doc/ref_code_signing_helpers.rst
+++ b/doc/ref_code_signing_helpers.rst
@@ -7,7 +7,7 @@ PTXdist provides various bash helper functions to be used in :ref:`code signing
providers <code_signing_providers>` and :ref:`code signing consumers
<code_signing_consumers>`.
-PTXdist stores URIs and CAs using these helpers in
+PTXdist stores URIs and CA keyrings using these helpers in
``$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}``.
SoftHSM Provider Functions
@@ -29,6 +29,8 @@ Usage:
Initialize SoftHSM, and set the initial pins.
+.. _cs_import_cert_from_der:
+
cs_import_cert_from_der
^^^^^^^^^^^^^^^^^^^^^^^
@@ -46,6 +48,8 @@ Preconditions:
- the role must have been defined (see :ref:`cs_define_role`)
- SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
+.. _cs_import_cert_from_pem:
+
cs_import_cert_from_pem
^^^^^^^^^^^^^^^^^^^^^^^
@@ -164,7 +168,9 @@ Usage:
cs_append_ca_from_pem <role> <PEM>
-Append certificate from a given PEM file for role.
+Append certificate from a given PEM file to the role's CA keyring.
+If no CA keyring exists yet it is created as an empty file before.
+
Preconditions:
@@ -181,7 +187,8 @@ Usage:
cs_append_ca_from_der <role> <DER>
-Append certificate from a given DER file for role.
+Append certificate from a given DER file to the role's CA keyring.
+If no CA keyring exists yet it is created as an empty file before.
Preconditions:
@@ -198,18 +205,21 @@ Usage:
cs_append_ca_from_uri <role> [<URI>]
-Append certificate from a given PKCS#11 URI for role.
+Append certificate from a given PKCS#11 URI to the role's CA keyring.
If URI is omitted the already set URI for role is used.
+If no CA keyring exists yet it is created as an empty file before.
Preconditions:
- the role must have been defined (see :ref:`cs_define_role`)
+- when used with SoftHSM, certificates must have been imported before
+ (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
Consumer Functions
~~~~~~~~~~~~~~~~~~
Packages that want to sign something or need access to keys/CAs can retrieve
-PKCS#11 URIs and CAs with these helpers.
+PKCS#11 URIs and CA keyrings with these helpers.
.. _cs_get_uri:
@@ -239,10 +249,10 @@ Usage:
cs_get_ca <role>
-Get path to the CA in PEM format for role.
+Get path to the CA keyring in PEM format for role.
Preconditions:
-- a certificate must have been appended to the CA
+- a certificate must have been appended to the CA keyring
(see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
:ref:`cs_append_ca_from_uri`)
--
2.27.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* [ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings"
2020-06-24 16:08 [ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage Bastian Krause
@ 2020-06-24 16:08 ` Bastian Krause
2020-06-26 11:00 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-26 11:00 ` [ptxdist] [APPLIED] doc: ref_code_signing_helpers: clarify CA keyring function usage Michael Olbrich
1 sibling, 1 reply; 4+ messages in thread
From: Bastian Krause @ 2020-06-24 16:08 UTC (permalink / raw)
To: ptxdist; +Cc: Bastian Krause
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
doc/dev_code_signing.rst | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
index fbebb6b52..d47002e8c 100644
--- a/doc/dev_code_signing.rst
+++ b/doc/dev_code_signing.rst
@@ -107,6 +107,32 @@ Switching the code signing provider is now finally possible with
``ptxdist platformconfig``, then navigate to *Code signing* → *Code signing
provider*.
+.. _code_signing_ca_keyrings:
+
+Managing Certificate Authority Keyrings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In case a self-signed certificate is used :ref:`cs_append_ca_from_uri` can
+be called to add the certificate from the (Soft)HSM.
+
+To allow rollovers multiple certificates can be added by calling the
+``cs_append_ca_*`` functions multiple times.
+Depending on if the certificate resides on a (Soft)HSM or in a file the
+appropriate functions must be called.
+
+More complex public key infrastructures (PKIs) consist of separated CA and
+*end-entity*.
+The CA certificate is only available as a file, the private key is stored in a
+safe and inaccessible location (from the build system's perspective).
+The signing key as well as the corresponding certificate are stored on an HSM.
+Only the CA certificate should end up in the keyring, so
+:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem` must be used to
+append it to the keyring.
+
+Some HSMs do not support storing certificates at all.
+In these cases the certificate is present as a file and must be appended with
+:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem`.
+
.. _code_signing_consumers:
Code Signing Consumers
--
2.27.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] [APPLIED] doc: dev_code_signing: add "Managing Certificate Authority Keyrings"
2020-06-24 16:08 ` [ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings" Bastian Krause
@ 2020-06-26 11:00 ` Michael Olbrich
0 siblings, 0 replies; 4+ messages in thread
From: Michael Olbrich @ 2020-06-26 11:00 UTC (permalink / raw)
To: ptxdist; +Cc: Bastian Krause
Thanks, applied as 846c8b91bb0eb7d136995c2d045f44640d407b89.
Michael
[sent from post-receive hook]
On Fri, 26 Jun 2020 13:00:55 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200624160849.6966-2-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/doc/dev_code_signing.rst b/doc/dev_code_signing.rst
> index fbebb6b524e1..d47002e8c380 100644
> --- a/doc/dev_code_signing.rst
> +++ b/doc/dev_code_signing.rst
> @@ -107,6 +107,32 @@ Switching the code signing provider is now finally possible with
> ``ptxdist platformconfig``, then navigate to *Code signing* → *Code signing
> provider*.
>
> +.. _code_signing_ca_keyrings:
> +
> +Managing Certificate Authority Keyrings
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +In case a self-signed certificate is used :ref:`cs_append_ca_from_uri` can
> +be called to add the certificate from the (Soft)HSM.
> +
> +To allow rollovers multiple certificates can be added by calling the
> +``cs_append_ca_*`` functions multiple times.
> +Depending on if the certificate resides on a (Soft)HSM or in a file the
> +appropriate functions must be called.
> +
> +More complex public key infrastructures (PKIs) consist of separated CA and
> +*end-entity*.
> +The CA certificate is only available as a file, the private key is stored in a
> +safe and inaccessible location (from the build system's perspective).
> +The signing key as well as the corresponding certificate are stored on an HSM.
> +Only the CA certificate should end up in the keyring, so
> +:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem` must be used to
> +append it to the keyring.
> +
> +Some HSMs do not support storing certificates at all.
> +In these cases the certificate is present as a file and must be appended with
> +:ref:`cs_append_ca_from_der` or :ref:`cs_append_ca_from_pem`.
> +
> .. _code_signing_consumers:
>
> Code Signing Consumers
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] [APPLIED] doc: ref_code_signing_helpers: clarify CA keyring function usage
2020-06-24 16:08 [ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage Bastian Krause
2020-06-24 16:08 ` [ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings" Bastian Krause
@ 2020-06-26 11:00 ` Michael Olbrich
1 sibling, 0 replies; 4+ messages in thread
From: Michael Olbrich @ 2020-06-26 11:00 UTC (permalink / raw)
To: ptxdist; +Cc: Bastian Krause
Thanks, applied as ea9676b3e7839dc38703a0992b5ec15e75fe83c3.
Michael
[sent from post-receive hook]
On Fri, 26 Jun 2020 13:00:54 +0200, Bastian Krause <bst@pengutronix.de> wrote:
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Message-Id: <20200624160849.6966-1-bst@pengutronix.de>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/doc/ref_code_signing_helpers.rst b/doc/ref_code_signing_helpers.rst
> index c3ffe01cbdac..f7928f52ebef 100644
> --- a/doc/ref_code_signing_helpers.rst
> +++ b/doc/ref_code_signing_helpers.rst
> @@ -7,7 +7,7 @@ PTXdist provides various bash helper functions to be used in :ref:`code signing
> providers <code_signing_providers>` and :ref:`code signing consumers
> <code_signing_consumers>`.
>
> -PTXdist stores URIs and CAs using these helpers in
> +PTXdist stores URIs and CA keyrings using these helpers in
> ``$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}``.
>
> SoftHSM Provider Functions
> @@ -29,6 +29,8 @@ Usage:
>
> Initialize SoftHSM, and set the initial pins.
>
> +.. _cs_import_cert_from_der:
> +
> cs_import_cert_from_der
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> @@ -46,6 +48,8 @@ Preconditions:
> - the role must have been defined (see :ref:`cs_define_role`)
> - SoftHSM must have been initialized (see :ref:`cs_init_softhsm`)
>
> +.. _cs_import_cert_from_pem:
> +
> cs_import_cert_from_pem
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> @@ -164,7 +168,9 @@ Usage:
>
> cs_append_ca_from_pem <role> <PEM>
>
> -Append certificate from a given PEM file for role.
> +Append certificate from a given PEM file to the role's CA keyring.
> +If no CA keyring exists yet it is created as an empty file before.
> +
>
> Preconditions:
>
> @@ -181,7 +187,8 @@ Usage:
>
> cs_append_ca_from_der <role> <DER>
>
> -Append certificate from a given DER file for role.
> +Append certificate from a given DER file to the role's CA keyring.
> +If no CA keyring exists yet it is created as an empty file before.
>
> Preconditions:
>
> @@ -198,18 +205,21 @@ Usage:
>
> cs_append_ca_from_uri <role> [<URI>]
>
> -Append certificate from a given PKCS#11 URI for role.
> +Append certificate from a given PKCS#11 URI to the role's CA keyring.
> If URI is omitted the already set URI for role is used.
> +If no CA keyring exists yet it is created as an empty file before.
>
> Preconditions:
>
> - the role must have been defined (see :ref:`cs_define_role`)
> +- when used with SoftHSM, certificates must have been imported before
> + (see :ref:`cs_import_cert_from_der`, :ref:`cs_import_cert_from_pem`)
>
> Consumer Functions
> ~~~~~~~~~~~~~~~~~~
>
> Packages that want to sign something or need access to keys/CAs can retrieve
> -PKCS#11 URIs and CAs with these helpers.
> +PKCS#11 URIs and CA keyrings with these helpers.
>
> .. _cs_get_uri:
>
> @@ -239,10 +249,10 @@ Usage:
>
> cs_get_ca <role>
>
> -Get path to the CA in PEM format for role.
> +Get path to the CA keyring in PEM format for role.
>
> Preconditions:
>
> -- a certificate must have been appended to the CA
> +- a certificate must have been appended to the CA keyring
> (see :ref:`cs_append_ca_from_pem`, :ref:`cs_append_ca_from_der`,
> :ref:`cs_append_ca_from_uri`)
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-26 11:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-24 16:08 [ptxdist] [PATCH 1/2] doc: ref_code_signing_helpers: clarify CA keyring function usage Bastian Krause
2020-06-24 16:08 ` [ptxdist] [PATCH 2/2] doc: dev_code_signing: add "Managing Certificate Authority Keyrings" Bastian Krause
2020-06-26 11:00 ` [ptxdist] [APPLIED] " Michael Olbrich
2020-06-26 11:00 ` [ptxdist] [APPLIED] doc: ref_code_signing_helpers: clarify CA keyring function usage Michael Olbrich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox