* [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

This package provides the pkcs11 plugin for yubi HSMs,
which allows creating a signing provider for it.

Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162

To use it together with a CA server:
Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
`noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
communication in compile stage.

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
 ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
 .../0003-add-noproxy-option.patch             | 76 ++++++++++++++++
 patches/yubihsm-shell-2.1.0/series            |  6 ++
 rules/host-yubihsm-shell.in                   | 13 +++
 rules/host-yubihsm-shell.make                 | 37 ++++++++
 6 files changed, 287 insertions(+)
 create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/series
 create mode 100644 rules/host-yubihsm-shell.in
 create mode 100644 rules/host-yubihsm-shell.make

diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
new file mode 100644
index 000000000..dbce11c85
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
@@ -0,0 +1,88 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 26 Jan 2021 14:19:52 +0100
+Subject: [PATCH] add client cert support for pkcs11 module
+
+Allows to authenticate with client certificates at HSM server.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h           |  6 ++++++
+ lib/yubihsm_curl.c      |  8 ++++++++
+ pkcs11/cmdline.ggo      |  2 ++
+ pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index ef80d42b1865..da08f68038dd 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -518,6 +518,12 @@ typedef enum {
+   /// Proxy server to use for connecting to the connector (const char *). Not
+   /// implemented on Windows
+   YH_CONNECTOR_PROXY_SERVER = 2,
++  /// File with client certificate to authenticate client with (const char *).
++  /// Not implemented on Windows
++  YH_CONNECTOR_HTTPS_CERT = 3,
++  /// File with client certificates key (const char *).
++  /// Not implemented on Windows
++  YH_CONNECTOR_HTTPS_KEY = 4,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 6360f3693268..2f46802e0fe1 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       option = CURLOPT_CAINFO;
+       optname = "CURLOPT_CAINFO";
+       break;
++    case YH_CONNECTOR_HTTPS_CERT:
++      option = CURLOPT_SSLCERT;
++      optname = "CURLOPT_SSLCERT";
++      break;
++    case YH_CONNECTOR_HTTPS_KEY:
++      option = CURLOPT_SSLKEY;
++      optname = "CURLOPT_SSLKEY";
++      break;
+     case YH_CONNECTOR_PROXY_SERVER:
+       option = CURLOPT_PROXY;
+       optname = "CURLOPT_PROXY";
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9a357b73062d..9e87e2aa2861 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
+ option "libdebug" - "Enable libyubihsm debugging" flag off
+ option "debug-file" - "Output file for debugging" string optional default="stderr"
+ option "cacert" - "Cacert to use for HTTPS validation" string optional
++option "cert" - "HTTPS client certificate to authenticate with" string optional
++option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index f543c94ed373..25aec8e7c5fe 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+         goto c_i_failure;
+       }
+     }
++    if (args_info.cert_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
++                                  args_info.cert_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set HTTPS cert option");
++        goto c_i_failure;
++      }
++    }
++    if (args_info.key_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
++                                  args_info.key_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set HTTPS key option");
++goto c_i_failure;
++      }
++    }
+     if (args_info.proxy_given) {
+       if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
+                                   args_info.proxy_arg) != YHR_SUCCESS) {
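Review bot: In the nested yubihsm_pkcs11.c hunk the `key` option is applied independently of `cert`, so a configuration that supplies only a key file is accepted here and, presumably, fails later inside libcurl's TLS handshake without a hint about the cause; a guard such as `if (args_info.key_given && !args_info.cert_given) { DBG_ERR("key given without cert"); goto c_i_failure; }` placed before the two new blocks would fail fast with a clear message. Nothing is exposed for an encrypted private key (libcurl's `CURLOPT_KEYPASSWD` has no counterpart), so the key file has to sit unencrypted on the build host; that constraint belongs in the option description, e.g. `option "key" - "HTTPS client certificate key (unencrypted key file)" string optional`. The `goto c_i_failure;` in the key branch sits at column 0 while the rest of the block is indented; the same slip appears in the noproxy branch of patch 0003. C_Initialize starts and ends outside this hunk.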
diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
new file mode 100644
index 000000000..e3d64659a
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
@@ -0,0 +1,67 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:50:48 +0100
+Subject: [PATCH] add bash like variable extension
+
+Support for `~` and environment variables like `${HOME}`.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm_curl.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 2f46802e0fe1..52ca14ddf2d4 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -16,6 +16,7 @@
+
+ #include <string.h>
+ #include <errno.h>
++#include <wordexp.h>
+
+ #include <arpa/inet.h>
+
+@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+                             const void *val) {
+   CURLoption option;
+   const char *optname;
++  wordexp_t expanded;
++  bool expand = false;
+
+   switch (opt) {
+     case YH_CONNECTOR_HTTPS_CA:
+       option = CURLOPT_CAINFO;
+       optname = "CURLOPT_CAINFO";
++      expand = true;
+       break;
+     case YH_CONNECTOR_HTTPS_CERT:
+       option = CURLOPT_SSLCERT;
+       optname = "CURLOPT_SSLCERT";
++      expand = true;
+       break;
+     case YH_CONNECTOR_HTTPS_KEY:
+       option = CURLOPT_SSLKEY;
+       optname = "CURLOPT_SSLKEY";
++      expand = true;
+       break;
+     case YH_CONNECTOR_PROXY_SERVER:
+       option = CURLOPT_PROXY;
+@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       DBG_ERR("%d is an unknown option", opt);
+       return YHR_INVALID_PARAMETERS;
+   }
+-  CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
++  if (expand)
++  {
++    if (wordexp((const char *)val, &expanded, 0))
++    {
++      DBG_ERR("Failed to expand %s\n", optname);
++      return YHR_CONNECTOR_ERROR;
++    }
++  }
++  CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
++  if (expand)
++    wordfree(&expanded);
+   if (rc == CURLE_OK) {
+     DBG_INFO("Successfully set %s.", optname);
+     return YHR_SUCCESS;
diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
new file mode 100644
index 000000000..788b9cacf
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
@@ -0,0 +1,76 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:32:54 +0100
+Subject: [PATCH] add noproxy option
+
+work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
+
+Use `noproxy=*` in your config file to use the plugin outside of
+get stage, e.g. in barebox compile stage.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h           | 3 +++
+ lib/yubihsm_curl.c      | 4 ++++
+ pkcs11/cmdline.ggo      | 1 +
+ pkcs11/yubihsm_pkcs11.c | 7 +++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index da08f68038dd..5f90eca0d8e8 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -524,6 +524,9 @@ typedef enum {
+   /// File with client certificates key (const char *).
+   /// Not implemented on Windows
+   YH_CONNECTOR_HTTPS_KEY = 4,
++  /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
++  /// Not implemented on Windows
++  YH_CONNECTOR_NOPROXY = 5,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 52ca14ddf2d4..f7f7cd8f54da 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       option = CURLOPT_PROXY;
+       optname = "CURLOPT_PROXY";
+       break;
++    case YH_CONNECTOR_NOPROXY:
++      option = CURLOPT_NOPROXY;
++      optname = "CURLOPT_NOPROXY";
++      break;
+     default:
+       DBG_ERR("%d is an unknown option", opt);
+       return YHR_INVALID_PARAMETERS;
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9e87e2aa2861..cdf97ae0d33d 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
+ option "cert" - "HTTPS client certificate to authenticate with" string optional
+ option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index 25aec8e7c5fe..38b08bbf8000 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+         goto c_i_failure;
+       }
+     }
++    if (args_info.noproxy_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
++                                  args_info.noproxy_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set noproxy option");
++goto c_i_failure;
++      }
++    }
+
+     if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
+       DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
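Review bot: The help text for the new option reads awkwardly and does not mention the `*` form that the nested commit message relies on; `option "noproxy" - "Comma separated list of hosts to bypass the proxy for, * for all hosts" string optional` would state both. The header comment in yubihsm.h already documents `*`, so the two descriptions would then agree. C_Initialize starts and ends outside this hunk.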
diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
new file mode 100644
index 000000000..a0fbb2915
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-add-client-cert-support-for-pkcs11-module.patch
+0002-add-bash-like-variable-extension.patch
+0003-add-noproxy-option.patch
+# fcbee908545e468ec4e840d2d56da1be  - git-ptx-patches magic
diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
new file mode 100644
index 000000000..3b17a2e98
--- /dev/null
+++ b/rules/host-yubihsm-shell.in
@@ -0,0 +1,13 @@
+## SECTION=hosttools_noprompt
+
+config HOST_YUBIHSM_SHELL
+tristate
+default ALLYES
+select HOST_CMAKE
+select HOST_OPENSSL
+select HOST_LIBCURL
+select HOST_LIBUSB
+select HOST_GENGETOPT
+select HOST_LIBEDIT
+select HOST_PCSC_LITE
+select HOST_LIBP11
diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
new file mode 100644
index 000000000..3ebfc8c1f
--- /dev/null
+++ b/rules/host-yubihsm-shell.make
@@ -0,0 +1,37 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
+
+#
+# Paths and names
+#
+HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
+HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
+HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
+HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
+HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# cmake
+#
+HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
+HOST_YUBIHSM_SHELL_CONF_OPT:=  \
+$(HOST_CMAKE_OPT) \
+-DBUILD_ONLY_LIB=OFF \
+-DENABLE_COVERAGE=OFF \
+-DSUPRESS_MSVC_WARNINGS=ON \
+-DWITHOUT_MANPAGES=1
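Review bot: `-DWITHOUT_MANPAGES=1` mixes a numeric value into a list whose other switches use `ON`/`OFF`; `-DWITHOUT_MANPAGES=ON` keeps the option block uniform. `SUPRESS_MSVC_WARNINGS` is presumably the upstream CMake option's own spelling; if so, a one-line comment saying so would stop the next reader from "correcting" it. The .in file selects HOST_LIBP11 and HOST_PCSC_LITE, but nothing in this option list points cmake at them, so whether the build finds them in the host sysroot is not visible here.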
+
+# vim: syntax=make
--
2.30.1


* [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/libp11.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/libp11.make b/rules/libp11.make
index 8e2d1517f..2c551b914 100644
--- a/rules/libp11.make
+++ b/rules/libp11.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
 #
 # Paths and names
 #
-LIBP11_VERSION:= 0.4.10
-LIBP11_MD5:= 3464874bb5ca47b8e4c1d540758dcfe9
+LIBP11_VERSION:= 0.4.11
+LIBP11_MD5:= 8b907abd572b0eb8e63413549f68dbe1
 LIBP11:= libp11-$(LIBP11_VERSION)
 LIBP11_SUFFIX:= tar.gz
 LIBP11_URL:= https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)
--
2.30.1


* [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

This allows selecting it from platforms as well.

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-gengetopt.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
index f6855ab5f..d42ccf477 100644
--- a/rules/host-gengetopt.in
+++ b/rules/host-gengetopt.in
@@ -1,8 +1,8 @@
-## SECTION=hosttools
+## SECTION=hosttools_noprompt

 config HOST_GENGETOPT
 tristate
-prompt "gengetopt"
+default ALLYES
 help
   Gengetopt is a tool to write command line option
   parsing code for C programs.
--
2.30.1


* [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-libcurl.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
index dc28de778..1a2a1fcf5 100644
--- a/rules/host-libcurl.make
+++ b/rules/host-libcurl.make
@@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
 --without-librtmp \
 \
 --disable-ares \
---disable-http \
+--enable-http \
 --disable-nghttp2 \
 --disable-cookies \
 --disable-ftp \
@@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
 --disable-file \
 --disable-crypto-auth \
 --disable-libssh2 \
---without-ssl
+--with-ssl
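Review bot: `--with-ssl` together with `--enable-http` turns the host libcurl into an HTTPS client, but nothing in this patch sets where it finds its trust anchors (`--with-ca-bundle`/`--with-ca-path`) nor adds the host-openssl dependency to `rules/host-libcurl.in`; both may already be in the parts of the rule outside these two hunks, which is worth confirming because the yubihsm connector's certificate verification depends on it. The pkcs11 module's `cacert` option only overrides the bundle for one connector, so the default lookup still matters whenever it is not given. HOST_LIBCURL_CONF_OPT begins before the first hunk.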

 $(STATEDIR)/host-libcurl.install:
 @$(call targetinfo)
--
2.30.1


* [ptxdist] yubi HSM pkcs11 plugin for signing provider
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

Original mboxes are attached to mail in response.

Denis Osterland-Heim (5):
      host-gengetopt: move to _noprompt section
      host-libedit: new package
      host-libcurl: enable http(s) support
      libp11: version bump 0.4.10 -> 0.4.11
      host-yubihsm-shell: new package

 ...add-client-cert-support-for-pkcs11-module.patch | 88 ++++++++++++++++++++++
 .../0002-add-bash-like-variable-extension.patch    | 67 ++++++++++++++++
 .../0003-add-noproxy-option.patch                  | 76 +++++++++++++++++++
 patches/yubihsm-shell-2.1.0/series                 |  6 ++
 rules/host-gengetopt.in                            |  4 +-
 rules/host-libcurl.make                            |  4 +-
 rules/host-libedit.in                              |  5 ++
 rules/host-libedit.make                            | 11 +++
 rules/host-yubihsm-shell.in                        | 13 ++++
 rules/host-yubihsm-shell.make                      | 37 +++++++++
 rules/libp11.make                                  |  4 +-
 11 files changed, 309 insertions(+), 6 deletions(-)

base-commit: 1431ed52c ("libwacom: new package")


* [ptxdist] [PATCH 2/5] host-libedit: new package
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-libedit.in   |  5 +++++
 rules/host-libedit.make | 11 +++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 rules/host-libedit.in
 create mode 100644 rules/host-libedit.make

diff --git a/rules/host-libedit.in b/rules/host-libedit.in
new file mode 100644
index 000000000..49e7c4548
--- /dev/null
+++ b/rules/host-libedit.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_LIBEDIT
+tristate
+default ALLYES
diff --git a/rules/host-libedit.make b/rules/host-libedit.make
new file mode 100644
index 000000000..ae8bff95f
--- /dev/null
+++ b/rules/host-libedit.make
@@ -0,0 +1,11 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
+
+# vim: syntax=make
--
2.30.1


* Re: [ptxdist] yubi HSM pkcs11 plugin for signing provider
From: Denis Osterland-Heim @ 2021-03-08 14:35 UTC (permalink / raw)
  To: ptxdist

[-- Attachment #1: Type: text/plain, Size: 2551 bytes --]

Am Montag, den 08.03.2021, 13:34 +0100 schrieb Denis Osterland-Heim:
> Original mboxes are attached to mail in response.
>
> Denis Osterland-Heim (5):
>       host-gengetopt: move to _noprompt section
>       host-libedit: new package
>       host-libcurl: enable http(s) support
>       libp11: version bump 0.4.10 -> 0.4.11
>       host-yubihsm-shell: new package
>
>  ...add-client-cert-support-for-pkcs11-module.patch | 88 ++++++++++++++++++++++
>  .../0002-add-bash-like-variable-extension.patch    | 67 ++++++++++++++++
>  .../0003-add-noproxy-option.patch                  | 76 +++++++++++++++++++
>  patches/yubihsm-shell-2.1.0/series                 |  6 ++
>  rules/host-gengetopt.in                            |  4 +-
>  rules/host-libcurl.make                            |  4 +-
>  rules/host-libedit.in                              |  5 ++
>  rules/host-libedit.make                            | 11 +++
>  rules/host-yubihsm-shell.in                        | 13 ++++
>  rules/host-yubihsm-shell.make                      | 37 +++++++++
>  rules/libp11.make                                  |  4 +-
>  11 files changed, 309 insertions(+), 6 deletions(-)
>
> base-commit: 1431ed52c ("libwacom: new package")
>
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315

________________________________

Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.

- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:

https://www.diehl.com/group/de/transparenz-und-informationspflichten/

The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.

- For general information on data protection and your respective rights please visit:

https://www.diehl.com/group/en/transparency-and-information-obligations/



[-- Attachment #2: Type: message/rfc822, Size: 1344 bytes --]

From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 1/5] host-gengetopt: move to _noprompt section
Date: Mon, 8 Mar 2021 13:34:14 +0100
Message-ID: <20210308123418.10187-2-denis.osterland@diehl.com>

This allows selecting it from platforms as well.

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-gengetopt.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
index f6855ab5f..d42ccf477 100644
--- a/rules/host-gengetopt.in
+++ b/rules/host-gengetopt.in
@@ -1,8 +1,8 @@
-## SECTION=hosttools
+## SECTION=hosttools_noprompt
 
 config HOST_GENGETOPT
 	tristate
-	prompt "gengetopt"
+	default ALLYES
 	help
 	  Gengetopt is a tool to write command line option
 	  parsing code for C programs.
-- 
2.30.1


[-- Attachment #3: Type: message/rfc822, Size: 1698 bytes --]

From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 2/5] host-libedit: new package
Date: Mon, 8 Mar 2021 13:34:15 +0100
Message-ID: <20210308123418.10187-3-denis.osterland@diehl.com>

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-libedit.in   |  5 +++++
 rules/host-libedit.make | 11 +++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 rules/host-libedit.in
 create mode 100644 rules/host-libedit.make

diff --git a/rules/host-libedit.in b/rules/host-libedit.in
new file mode 100644
index 000000000..49e7c4548
--- /dev/null
+++ b/rules/host-libedit.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_LIBEDIT
+	tristate
+	default ALLYES
diff --git a/rules/host-libedit.make b/rules/host-libedit.make
new file mode 100644
index 000000000..ae8bff95f
--- /dev/null
+++ b/rules/host-libedit.make
@@ -0,0 +1,11 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
+
+# vim: syntax=make
-- 
2.30.1


[-- Attachment #4: Type: message/rfc822, Size: 14253 bytes --]

From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 5/5] host-yubihsm-shell: new package
Date: Mon, 8 Mar 2021 13:34:18 +0100
Message-ID: <20210308123418.10187-6-denis.osterland@diehl.com>

This package provides the pkcs11 plugin for yubi HSMs,
which allows creating a signing provider for them.

Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162

To use it together with a CA server:
Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
`noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
communication in compile stage.

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
 ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
 .../0003-add-noproxy-option.patch             | 76 ++++++++++++++++
 patches/yubihsm-shell-2.1.0/series            |  6 ++
 rules/host-yubihsm-shell.in                   | 13 +++
 rules/host-yubihsm-shell.make                 | 37 ++++++++
 6 files changed, 287 insertions(+)
 create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
 create mode 100644 patches/yubihsm-shell-2.1.0/series
 create mode 100644 rules/host-yubihsm-shell.in
 create mode 100644 rules/host-yubihsm-shell.make

diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
new file mode 100644
index 000000000..dbce11c85
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
@@ -0,0 +1,88 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 26 Jan 2021 14:19:52 +0100
+Subject: [PATCH] add client cert support for pkcs11 module
+
+Allows to authenticate with client certificates at HSM server.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h           |  6 ++++++
+ lib/yubihsm_curl.c      |  8 ++++++++
+ pkcs11/cmdline.ggo      |  2 ++
+ pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index ef80d42b1865..da08f68038dd 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -518,6 +518,12 @@ typedef enum {
+   /// Proxy server to use for connecting to the connector (const char *). Not
+   /// implemented on Windows
+   YH_CONNECTOR_PROXY_SERVER = 2,
++  /// File with client certificate to authenticate client with (const char *).
++  /// Not implemented on Windows
++  YH_CONNECTOR_HTTPS_CERT = 3,
++  /// File with client certificates key (const char *).
++  /// Not implemented on Windows
++  YH_CONNECTOR_HTTPS_KEY = 4,
+ } yh_connector_option;
+ 
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 6360f3693268..2f46802e0fe1 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       option = CURLOPT_CAINFO;
+       optname = "CURLOPT_CAINFO";
+       break;
++    case YH_CONNECTOR_HTTPS_CERT:
++      option = CURLOPT_SSLCERT;
++      optname = "CURLOPT_SSLCERT";
++      break;
++    case YH_CONNECTOR_HTTPS_KEY:
++      option = CURLOPT_SSLKEY;
++      optname = "CURLOPT_SSLKEY";
++      break;
+     case YH_CONNECTOR_PROXY_SERVER:
+       option = CURLOPT_PROXY;
+       optname = "CURLOPT_PROXY";
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9a357b73062d..9e87e2aa2861 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
+ option "libdebug" - "Enable libyubihsm debugging" flag off
+ option "debug-file" - "Output file for debugging" string optional default="stderr"
+ option "cacert" - "Cacert to use for HTTPS validation" string optional
++option "cert" - "HTTPS client certificate to authenticate with" string optional
++option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index f543c94ed373..25aec8e7c5fe 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+         goto c_i_failure;
+       }
+     }
++    if (args_info.cert_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
++                                  args_info.cert_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set HTTPS cert option");
++        goto c_i_failure;
++      }
++    }
++    if (args_info.key_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
++                                  args_info.key_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set HTTPS key option");
++	goto c_i_failure;
++      }
++    }
+     if (args_info.proxy_given) {
+       if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
+                                   args_info.proxy_arg) != YHR_SUCCESS) {
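Review bot: The `goto c_i_failure;` in the new `key_given` branch of C_Initialize is indented with a tab while every surrounding line uses spaces; the same mixed indentation appears in the `noproxy_given` branch added by 0003-add-noproxy-option.patch. Since these patches are also submitted upstream, matching the file's existing space indentation before they land avoids a reformat round-trip: `        goto c_i_failure;`. The new `key` option names a private key file but no passphrase option accompanies it, so an encrypted PEM key presumably cannot be used through this path; either state "unencrypted" in the `key` help text or add the matching `keypass` option mapped to `CURLOPT_KEYPASSWD`. C_Initialize's body starts and ends outside the hunk.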
diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
new file mode 100644
index 000000000..e3d64659a
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
@@ -0,0 +1,67 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:50:48 +0100
+Subject: [PATCH] add bash like variable extension
+
+Support for `~` and environment variables like `${HOME}`.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm_curl.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 2f46802e0fe1..52ca14ddf2d4 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -16,6 +16,7 @@
+ 
+ #include <string.h>
+ #include <errno.h>
++#include <wordexp.h>
+ 
+ #include <arpa/inet.h>
+ 
+@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+                             const void *val) {
+   CURLoption option;
+   const char *optname;
++  wordexp_t expanded;
++  bool expand = false;
+ 
+   switch (opt) {
+     case YH_CONNECTOR_HTTPS_CA:
+       option = CURLOPT_CAINFO;
+       optname = "CURLOPT_CAINFO";
++      expand = true;
+       break;
+     case YH_CONNECTOR_HTTPS_CERT:
+       option = CURLOPT_SSLCERT;
+       optname = "CURLOPT_SSLCERT";
++      expand = true;
+       break;
+     case YH_CONNECTOR_HTTPS_KEY:
+       option = CURLOPT_SSLKEY;
+       optname = "CURLOPT_SSLKEY";
++      expand = true;
+       break;
+     case YH_CONNECTOR_PROXY_SERVER:
+       option = CURLOPT_PROXY;
+@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       DBG_ERR("%d is an unknown option", opt);
+       return YHR_INVALID_PARAMETERS;
+   }
+-  CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
++  if (expand)
++  {
++    if (wordexp((const char *)val, &expanded, 0))
++    {
++      DBG_ERR("Failed to expand %s\n", optname);
++      return YHR_CONNECTOR_ERROR;
++    }
++  }
++  CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
++  if (expand)
++    wordfree(&expanded);
+   if (rc == CURLE_OK) {
+     DBG_INFO("Successfully set %s.", optname);
+     return YHR_SUCCESS;
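Review bot: `wordexp()` is called with flags `0`, which leaves command substitution enabled, so the cacert/cert/key value taken from the config file or command line is expanded through the shell rather than only for `~` and `${VAR}` as the patch description intends; pass `WRDE_NOCMD` so such input is rejected instead: `if (wordexp((const char *)val, &expanded, WRDE_NOCMD) != 0)`. After a successful expansion the code uses `expanded.we_wordv[0]` without looking at `we_wordc`, so a value that expands to nothing (NULL) or to several words (glob expansion is still active) is passed on silently; check `expanded.we_wordc == 1`, and call `wordfree(&expanded)` before returning an error in that case. `DBG_ERR("Failed to expand %s\n", optname)` also carries a trailing newline that the other DBG_ERR messages in this function do not. backend_option's body continues outside the hunk.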
diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
new file mode 100644
index 000000000..788b9cacf
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
@@ -0,0 +1,76 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:32:54 +0100
+Subject: [PATCH] add noproxy option
+
+work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
+
+Use `noproxy=*` in your config file to use the plugin outside of
+get stage, e.g. in barebox compile stage.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h           | 3 +++
+ lib/yubihsm_curl.c      | 4 ++++
+ pkcs11/cmdline.ggo      | 1 +
+ pkcs11/yubihsm_pkcs11.c | 7 +++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index da08f68038dd..5f90eca0d8e8 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -524,6 +524,9 @@ typedef enum {
+   /// File with client certificates key (const char *).
+   /// Not implemented on Windows
+   YH_CONNECTOR_HTTPS_KEY = 4,
++  /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
++  /// Not implemented on Windows
++  YH_CONNECTOR_NOPROXY = 5,
+ } yh_connector_option;
+ 
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 52ca14ddf2d4..f7f7cd8f54da 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+       option = CURLOPT_PROXY;
+       optname = "CURLOPT_PROXY";
+       break;
++    case YH_CONNECTOR_NOPROXY:
++      option = CURLOPT_NOPROXY;
++      optname = "CURLOPT_NOPROXY";
++      break;
+     default:
+       DBG_ERR("%d is an unknown option", opt);
+       return YHR_INVALID_PARAMETERS;
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9e87e2aa2861..cdf97ae0d33d 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
+ option "cert" - "HTTPS client certificate to authenticate with" string optional
+ option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+ 
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index 25aec8e7c5fe..38b08bbf8000 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+         goto c_i_failure;
+       }
+     }
++    if (args_info.noproxy_given) {
++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
++                                  args_info.noproxy_arg) != YHR_SUCCESS) {
++        DBG_ERR("Failed to set noproxy option");
++	goto c_i_failure;
++      }
++    }
+ 
+     if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
+       DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
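Review bot: The help string for the new `noproxy` option, `"Comma separated list of hosts ignore proxy for"`, is missing a verb form and does not mention the `*` value that the yubihsm.h comment and the commit message depend on; `"Comma separated list of hosts to bypass the proxy for, * disables the proxy"` documents both. C_Initialize's body starts and ends outside the hunk.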
diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
new file mode 100644
index 000000000..a0fbb2915
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-add-client-cert-support-for-pkcs11-module.patch
+0002-add-bash-like-variable-extension.patch
+0003-add-noproxy-option.patch
+# fcbee908545e468ec4e840d2d56da1be  - git-ptx-patches magic
diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
new file mode 100644
index 000000000..3b17a2e98
--- /dev/null
+++ b/rules/host-yubihsm-shell.in
@@ -0,0 +1,13 @@
+## SECTION=hosttools_noprompt
+
+config HOST_YUBIHSM_SHELL
+	tristate
+	default ALLYES
+	select HOST_CMAKE
+	select HOST_OPENSSL
+	select HOST_LIBCURL
+	select HOST_LIBUSB
+	select HOST_GENGETOPT
+	select HOST_LIBEDIT
+	select HOST_PCSC_LITE
+	select HOST_LIBP11
diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
new file mode 100644
index 000000000..3ebfc8c1f
--- /dev/null
+++ b/rules/host-yubihsm-shell.make
@@ -0,0 +1,37 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
+
+#
+# Paths and names
+#
+HOST_YUBIHSM_SHELL_VERSION	:= 2.1.0
+HOST_YUBIHSM_SHELL_MD5		:= 7363c0bc4ed037e262474beaa6e1407b
+HOST_YUBIHSM_SHELL		:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
+HOST_YUBIHSM_SHELL_SUFFIX	:= tar.gz
+HOST_YUBIHSM_SHELL_URL		:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_SOURCE	:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_DIR		:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# cmake
+#
+HOST_YUBIHSM_SHELL_CONF_TOOL	:= cmake
+HOST_YUBIHSM_SHELL_CONF_OPT	:=  \
+	$(HOST_CMAKE_OPT) \
+	-DBUILD_ONLY_LIB=OFF \
+	-DENABLE_COVERAGE=OFF \
+	-DSUPRESS_MSVC_WARNINGS=ON \
+	-DWITHOUT_MANPAGES=1
+
+# vim: syntax=make
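Review bot: `HOST_YUBIHSM_SHELL_URL` fetches a GitHub `archive/` tarball, which GitHub generates on request rather than serving as a fixed release asset; such archives have changed bytes in the past, which would invalidate the pinned `HOST_YUBIHSM_SHELL_MD5`. If upstream publishes a release tarball for 2.1.0, prefer that URL; otherwise a short comment above the MD5 line noting the archive origin helps whoever hits the checksum mismatch. Minor style: `HOST_YUBIHSM_SHELL_CONF_OPT :=  \` has a double space after `:=`, and `-DWITHOUT_MANPAGES=1` mixes `1` with the `ON`/`OFF` spelling used on the neighbouring options.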
-- 
2.30.1


[-- Attachment #5: Type: message/rfc822, Size: 1440 bytes --]

From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 3/5] host-libcurl: enable http(s) support
Date: Mon, 8 Mar 2021 13:34:16 +0100
Message-ID: <20210308123418.10187-4-denis.osterland@diehl.com>

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/host-libcurl.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
index dc28de778..1a2a1fcf5 100644
--- a/rules/host-libcurl.make
+++ b/rules/host-libcurl.make
@@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT	:= \
 	--without-librtmp \
 	\
 	--disable-ares \
-	--disable-http \
+	--enable-http \
 	--disable-nghttp2 \
 	--disable-cookies \
 	--disable-ftp \
@@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT	:= \
 	--disable-file \
 	--disable-crypto-auth \
 	--disable-libssh2 \
-	--without-ssl
+	--with-ssl
 
 $(STATEDIR)/host-libcurl.install:
 	@$(call targetinfo)
-- 
2.30.1


[-- Attachment #6: Type: message/rfc822, Size: 1415 bytes --]

From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11
Date: Mon, 8 Mar 2021 13:34:17 +0100
Message-ID: <20210308123418.10187-5-denis.osterland@diehl.com>

Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
 rules/libp11.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/libp11.make b/rules/libp11.make
index 8e2d1517f..2c551b914 100644
--- a/rules/libp11.make
+++ b/rules/libp11.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
 #
 # Paths and names
 #
-LIBP11_VERSION	:= 0.4.10
-LIBP11_MD5	:= 3464874bb5ca47b8e4c1d540758dcfe9
+LIBP11_VERSION	:= 0.4.11
+LIBP11_MD5	:= 8b907abd572b0eb8e63413549f68dbe1
 LIBP11		:= libp11-$(LIBP11_VERSION)
 LIBP11_SUFFIX	:= tar.gz
 LIBP11_URL	:= https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)
-- 
2.30.1


[-- Attachment #7: Type: text/plain, Size: 181 bytes --]



* Re: [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support
  2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
@ 2021-03-12  7:35   ` Michael Olbrich
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-12  7:35 UTC (permalink / raw)
  To: ptxdist

On Mon, Mar 08, 2021 at 12:35:10PM +0000, Denis Osterland-Heim wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>

This will require host-openssl, right? At least it links to libssl and libcrypto
in my quick test.
So there should be an optional dependency that enables this. And whatever
package needs this should enable it.

Michael

> ---
>  rules/host-libcurl.make | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> index dc28de778..1a2a1fcf5 100644
> --- a/rules/host-libcurl.make
> +++ b/rules/host-libcurl.make
> @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
>  --without-librtmp \
>  \
>  --disable-ares \
> ---disable-http \
> +--enable-http \
>  --disable-nghttp2 \
>  --disable-cookies \
>  --disable-ftp \
> @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
>  --disable-file \
>  --disable-crypto-auth \
>  --disable-libssh2 \
> ---without-ssl
> +--with-ssl
> 
>  $(STATEDIR)/host-libcurl.install:
>  @$(call targetinfo)
> --
> 2.30.1
> 
> Diehl Connectivity Solutions GmbH
> Geschäftsführung: Horst Leonberger
> Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
> Nürnberg: HRB 32315
> 
> ________________________________
> 
> Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
> Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
> Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
> 
> - Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
> 
> https://www.diehl.com/group/de/transparenz-und-informationspflichten/
> 
> The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
> mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
> 
> - For general information on data protection and your respective rights please visit:
> 
> https://www.diehl.com/group/en/transparency-and-information-obligations/
> 
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 



* Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
  2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
@ 2021-03-12  7:47   ` Michael Olbrich
  2021-03-12  8:17     ` Denis Osterland-Heim
  0 siblings, 1 reply; 13+ messages in thread
From: Michael Olbrich @ 2021-03-12  7:47 UTC (permalink / raw)
  To: ptxdist

On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows to create a signing provider for it.
> 
> Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
> 
> To use it together with a CA server:
> Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> communication in compile stage.

Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
"HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
evaluated after the variables set by ab4af48ba and clear them.

And expanding CODE_SIGNING_ENV depending on the signing provider is
expected. We already do this for softhsm:
rules/pre/020-code-signing-softhsm.make

Michael

> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
>  ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
>  ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
>  .../0003-add-noproxy-option.patch             | 76 ++++++++++++++++
>  patches/yubihsm-shell-2.1.0/series            |  6 ++
>  rules/host-yubihsm-shell.in                   | 13 +++
>  rules/host-yubihsm-shell.make                 | 37 ++++++++
>  6 files changed, 287 insertions(+)
>  create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
>  create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
>  create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
>  create mode 100644 patches/yubihsm-shell-2.1.0/series
>  create mode 100644 rules/host-yubihsm-shell.in
>  create mode 100644 rules/host-yubihsm-shell.make
> 
> diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> new file mode 100644
> index 000000000..dbce11c85
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> @@ -0,0 +1,88 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 26 Jan 2021 14:19:52 +0100
> +Subject: [PATCH] add client cert support for pkcs11 module
> +
> +Allows to authenticate with client certificates at HSM server.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h           |  6 ++++++
> + lib/yubihsm_curl.c      |  8 ++++++++
> + pkcs11/cmdline.ggo      |  2 ++
> + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
> + 4 files changed, 30 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index ef80d42b1865..da08f68038dd 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -518,6 +518,12 @@ typedef enum {
> +   /// Proxy server to use for connecting to the connector (const char *). Not
> +   /// implemented on Windows
> +   YH_CONNECTOR_PROXY_SERVER = 2,
> ++  /// File with client certificate to authenticate client with (const char *).
> ++  /// Not implemented on Windows
> ++  YH_CONNECTOR_HTTPS_CERT = 3,
> ++  /// File with client certificates key (const char *).
> ++  /// Not implemented on Windows
> ++  YH_CONNECTOR_HTTPS_KEY = 4,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 6360f3693268..2f46802e0fe1 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> +       option = CURLOPT_CAINFO;
> +       optname = "CURLOPT_CAINFO";
> +       break;
> ++    case YH_CONNECTOR_HTTPS_CERT:
> ++      option = CURLOPT_SSLCERT;
> ++      optname = "CURLOPT_SSLCERT";
> ++      break;
> ++    case YH_CONNECTOR_HTTPS_KEY:
> ++      option = CURLOPT_SSLKEY;
> ++      optname = "CURLOPT_SSLKEY";
> ++      break;
> +     case YH_CONNECTOR_PROXY_SERVER:
> +       option = CURLOPT_PROXY;
> +       optname = "CURLOPT_PROXY";
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9a357b73062d..9e87e2aa2861 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
> + option "libdebug" - "Enable libyubihsm debugging" flag off
> + option "debug-file" - "Output file for debugging" string optional default="stderr"
> + option "cacert" - "Cacert to use for HTTPS validation" string optional
> ++option "cert" - "HTTPS client certificate to authenticate with" string optional
> ++option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index f543c94ed373..25aec8e7c5fe 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> +         goto c_i_failure;
> +       }
> +     }
> ++    if (args_info.cert_given) {
> ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
> ++                                  args_info.cert_arg) != YHR_SUCCESS) {
> ++        DBG_ERR("Failed to set HTTPS cert option");
> ++        goto c_i_failure;
> ++      }
> ++    }
> ++    if (args_info.key_given) {
> ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
> ++                                  args_info.key_arg) != YHR_SUCCESS) {
> ++        DBG_ERR("Failed to set HTTPS key option");
> ++goto c_i_failure;
> ++      }
> ++    }
> +     if (args_info.proxy_given) {
> +       if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
> +                                   args_info.proxy_arg) != YHR_SUCCESS) {
> diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> new file mode 100644
> index 000000000..e3d64659a
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> @@ -0,0 +1,67 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:50:48 +0100
> +Subject: [PATCH] add bash like variable extension
> +
> +Support for `~` and environment variables like `${HOME}`.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm_curl.c | 18 +++++++++++++++++-
> + 1 file changed, 17 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 2f46802e0fe1..52ca14ddf2d4 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -16,6 +16,7 @@
> +
> + #include <string.h>
> + #include <errno.h>
> ++#include <wordexp.h>
> +
> + #include <arpa/inet.h>
> +
> +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> +                             const void *val) {
> +   CURLoption option;
> +   const char *optname;
> ++  wordexp_t expanded;
> ++  bool expand = false;
> +
> +   switch (opt) {
> +     case YH_CONNECTOR_HTTPS_CA:
> +       option = CURLOPT_CAINFO;
> +       optname = "CURLOPT_CAINFO";
> ++      expand = true;
> +       break;
> +     case YH_CONNECTOR_HTTPS_CERT:
> +       option = CURLOPT_SSLCERT;
> +       optname = "CURLOPT_SSLCERT";
> ++      expand = true;
> +       break;
> +     case YH_CONNECTOR_HTTPS_KEY:
> +       option = CURLOPT_SSLKEY;
> +       optname = "CURLOPT_SSLKEY";
> ++      expand = true;
> +       break;
> +     case YH_CONNECTOR_PROXY_SERVER:
> +       option = CURLOPT_PROXY;
> +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> +       DBG_ERR("%d is an unknown option", opt);
> +       return YHR_INVALID_PARAMETERS;
> +   }
> +-  CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
> ++  if (expand)
> ++  {
> ++    if (wordexp((const char *)val, &expanded, 0))
> ++    {
> ++      DBG_ERR("Failed to expand %s\n", optname);
> ++      return YHR_CONNECTOR_ERROR;
> ++    }
> ++  }
> ++  CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
> ++  if (expand)
> ++    wordfree(&expanded);
> +   if (rc == CURLE_OK) {
> +     DBG_INFO("Successfully set %s.", optname);
> +     return YHR_SUCCESS;
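Review bot: `wordexp()` is called with flags `0`, so besides the `~` and `${VAR}` expansion the patch subject asks for it also performs command substitution on the option value, which means a path taken from the connector configuration is processed as shell input before it reaches libcurl. Passing `WRDE_NOCMD` keeps tilde and variable expansion while rejecting command substitution, and because only `we_wordv[0]` is used, a result with `we_wordc != 1` (an empty value, a path containing unquoted spaces, or a matching glob) should be rejected rather than silently truncated to its first word. The `DBG_ERR("Failed to expand %s\n", optname)` message carries a trailing `\n` that the neighbouring `DBG_ERR` calls do not, and the `if (expand)` / `{` on separate lines departs from the K&R brace style used by the rest of the function. The same hunk is quoted again further down this thread, where the same points apply. `backend_option` begins before and continues past this hunk.
```c
  if (expand) {
    int werr = wordexp((const char *) val, &expanded, WRDE_NOCMD);
    if (werr != 0) {
      DBG_ERR("Failed to expand %s", optname);
      if (werr == WRDE_NOSPACE) {
        wordfree(&expanded);
      }
      return YHR_CONNECTOR_ERROR;
    }
    if (expanded.we_wordc != 1) {
      DBG_ERR("%s must expand to exactly one word", optname);
      wordfree(&expanded);
      return YHR_CONNECTOR_ERROR;
    }
  }
  CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
  /* … unchanged: wordfree on the expand path and the rc handling … */
```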
> diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> new file mode 100644
> index 000000000..788b9cacf
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> @@ -0,0 +1,76 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:32:54 +0100
> +Subject: [PATCH] add noproxy option
> +
> +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
> +
> +Use `noproxy=*` in your config file to use the plugin outside of
> +get stage, e.g. in barebox compile stage.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h           | 3 +++
> + lib/yubihsm_curl.c      | 4 ++++
> + pkcs11/cmdline.ggo      | 1 +
> + pkcs11/yubihsm_pkcs11.c | 7 +++++++
> + 4 files changed, 15 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index da08f68038dd..5f90eca0d8e8 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -524,6 +524,9 @@ typedef enum {
> +   /// File with client certificates key (const char *).
> +   /// Not implemented on Windows
> +   YH_CONNECTOR_HTTPS_KEY = 4,
> ++  /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
> ++  /// Not implemented on Windows
> ++  YH_CONNECTOR_NOPROXY = 5,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 52ca14ddf2d4..f7f7cd8f54da 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> +       option = CURLOPT_PROXY;
> +       optname = "CURLOPT_PROXY";
> +       break;
> ++    case YH_CONNECTOR_NOPROXY:
> ++      option = CURLOPT_NOPROXY;
> ++      optname = "CURLOPT_NOPROXY";
> ++      break;
> +     default:
> +       DBG_ERR("%d is an unknown option", opt);
> +       return YHR_INVALID_PARAMETERS;
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9e87e2aa2861..cdf97ae0d33d 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
> + option "cert" - "HTTPS client certificate to authenticate with" string optional
> + option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> ++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> +
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index 25aec8e7c5fe..38b08bbf8000 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> +         goto c_i_failure;
> +       }
> +     }
> ++    if (args_info.noproxy_given) {
> ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
> ++                                  args_info.noproxy_arg) != YHR_SUCCESS) {
> ++        DBG_ERR("Failed to set noproxy option");
> ++goto c_i_failure;
> ++      }
> ++    }
> +
> +     if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
> +       DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
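Review bot: The `goto c_i_failure;` added in the noproxy block sits at column 0 while the lines around it are indented eight spaces, so the new block does not match the `cert` and `proxy` blocks of `C_Initialize` it is modelled on; the same unindented `goto` appears in the key block of patch 0001 and in the re-quoted copies of both patches further down the thread. The `cmdline.ggo` help text `"Comma separated list of hosts ignore proxy for"` would read better as `"Comma-separated list of hosts to bypass the proxy for"`, which also lines up with the wording of the new enum comment in `yubihsm.h`. `C_Initialize` starts before and continues past this hunk.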
> diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
> new file mode 100644
> index 000000000..a0fbb2915
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/series
> @@ -0,0 +1,6 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-add-client-cert-support-for-pkcs11-module.patch
> +0002-add-bash-like-variable-extension.patch
> +0003-add-noproxy-option.patch
> +# fcbee908545e468ec4e840d2d56da1be  - git-ptx-patches magic
> diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> new file mode 100644
> index 000000000..3b17a2e98
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.in
> @@ -0,0 +1,13 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_YUBIHSM_SHELL
> +tristate
> +default ALLYES
> +select HOST_CMAKE
> +select HOST_OPENSSL
> +select HOST_LIBCURL
> +select HOST_LIBUSB
> +select HOST_GENGETOPT
> +select HOST_LIBEDIT
> +select HOST_PCSC_LITE
> +select HOST_LIBP11
> diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> new file mode 100644
> index 000000000..3ebfc8c1f
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.make
> @@ -0,0 +1,37 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> +
> +#
> +# Paths and names
> +#
> +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# cmake
> +#
> +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> +HOST_YUBIHSM_SHELL_CONF_OPT:=  \
> +$(HOST_CMAKE_OPT) \
> +-DBUILD_ONLY_LIB=OFF \
> +-DENABLE_COVERAGE=OFF \
> +-DSUPRESS_MSVC_WARNINGS=ON \
> +-DWITHOUT_MANPAGES=1
> +
> +# vim: syntax=make
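Review bot: `HOST_YUBIHSM_SHELL_URL` fetches GitHub's on-the-fly `archive/<tag>.tar.gz` rather than a published release asset, so the pinned `HOST_YUBIHSM_SHELL_MD5` is only as stable as GitHub's tarball generation and a change there would fail the checksum check without any upstream change. If upstream publishes a source tarball for 2.1.0, pointing the URL at it would make the pin reproducible; otherwise a one-line comment above the URL saying the hash covers the auto-generated archive would at least explain a future mismatch. This is a supply-chain robustness point rather than a defect in the rule itself.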
> --
> 2.30.1
> 
> 


* Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
  2021-03-12  7:47   ` Michael Olbrich
@ 2021-03-12  8:17     ` Denis Osterland-Heim
  0 siblings, 0 replies; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-12  8:17 UTC (permalink / raw)
  To: ptxdist

Hi,

Thanks for the hint.
I will give it a try.

You are right, I forgot host-openssl as a dependency.

Regards, Denis

Am Freitag, den 12.03.2021, 08:47 +0100 schrieb Michael Olbrich:
> On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> > This package provides the pkcs11 plugin for yubi HSMs,
> > which allows creating a signing provider for it.
> >
> > Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
> >
> > To use it together with a CA server:
> > Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> > `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> > communication in compile stage.
>
> Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
> "HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
> evaluated after the variables set by ab4af48ba and clear them.
>
> And expanding CODE_SIGNING_ENV depending on the signing provider is
> expected. We already do this for softhsm:
> rules/pre/020-code-signing-softhsm.make
>
> Michael
>
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> >  ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
> >  ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
> >  .../0003-add-noproxy-option.patch             | 76 ++++++++++++++++
> >  patches/yubihsm-shell-2.1.0/series            |  6 ++
> >  rules/host-yubihsm-shell.in                   | 13 +++
> >  rules/host-yubihsm-shell.make                 | 37 ++++++++
> >  6 files changed, 287 insertions(+)
> >  create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> >  create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> >  create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> >  create mode 100644 patches/yubihsm-shell-2.1.0/series
> >  create mode 100644 rules/host-yubihsm-shell.in
> >  create mode 100644 rules/host-yubihsm-shell.make
> >
> > diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> > new file mode 100644
> > index 000000000..dbce11c85
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> > @@ -0,0 +1,88 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 26 Jan 2021 14:19:52 +0100
> > +Subject: [PATCH] add client cert support for pkcs11 module
> > +
> > +Allows to authenticate with client certificates at HSM server.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm.h           |  6 ++++++
> > + lib/yubihsm_curl.c      |  8 ++++++++
> > + pkcs11/cmdline.ggo      |  2 ++
> > + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
> > + 4 files changed, 30 insertions(+)
> > +
> > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> > +index ef80d42b1865..da08f68038dd 100644
> > +--- a/lib/yubihsm.h
> > ++++ b/lib/yubihsm.h
> > +@@ -518,6 +518,12 @@ typedef enum {
> > +   /// Proxy server to use for connecting to the connector (const char *). Not
> > +   /// implemented on Windows
> > +   YH_CONNECTOR_PROXY_SERVER = 2,
> > ++  /// File with client certificate to authenticate client with (const char *).
> > ++  /// Not implemented on Windows
> > ++  YH_CONNECTOR_HTTPS_CERT = 3,
> > ++  /// File with client certificates key (const char *).
> > ++  /// Not implemented on Windows
> > ++  YH_CONNECTOR_HTTPS_KEY = 4,
> > + } yh_connector_option;
> > +
> > + #pragma pack(push, 1)
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 6360f3693268..2f46802e0fe1 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > +       option = CURLOPT_CAINFO;
> > +       optname = "CURLOPT_CAINFO";
> > +       break;
> > ++    case YH_CONNECTOR_HTTPS_CERT:
> > ++      option = CURLOPT_SSLCERT;
> > ++      optname = "CURLOPT_SSLCERT";
> > ++      break;
> > ++    case YH_CONNECTOR_HTTPS_KEY:
> > ++      option = CURLOPT_SSLKEY;
> > ++      optname = "CURLOPT_SSLKEY";
> > ++      break;
> > +     case YH_CONNECTOR_PROXY_SERVER:
> > +       option = CURLOPT_PROXY;
> > +       optname = "CURLOPT_PROXY";
> > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> > +index 9a357b73062d..9e87e2aa2861 100644
> > +--- a/pkcs11/cmdline.ggo
> > ++++ b/pkcs11/cmdline.ggo
> > +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
> > + option "libdebug" - "Enable libyubihsm debugging" flag off
> > + option "debug-file" - "Output file for debugging" string optional default="stderr"
> > + option "cacert" - "Cacert to use for HTTPS validation" string optional
> > ++option "cert" - "HTTPS client certificate to authenticate with" string optional
> > ++option "key" - "HTTPS client certificate key" string optional
> > + option "proxy" - "Proxy server to use for connector" string optional
> > + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> > + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> > +index f543c94ed373..25aec8e7c5fe 100644
> > +--- a/pkcs11/yubihsm_pkcs11.c
> > ++++ b/pkcs11/yubihsm_pkcs11.c
> > +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> > +         goto c_i_failure;
> > +       }
> > +     }
> > ++    if (args_info.cert_given) {
> > ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
> > ++                                  args_info.cert_arg) != YHR_SUCCESS) {
> > ++        DBG_ERR("Failed to set HTTPS cert option");
> > ++        goto c_i_failure;
> > ++      }
> > ++    }
> > ++    if (args_info.key_given) {
> > ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
> > ++                                  args_info.key_arg) != YHR_SUCCESS) {
> > ++        DBG_ERR("Failed to set HTTPS key option");
> > ++goto c_i_failure;
> > ++      }
> > ++    }
> > +     if (args_info.proxy_given) {
> > +       if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
> > +                                   args_info.proxy_arg) != YHR_SUCCESS) {
> > diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> > new file mode 100644
> > index 000000000..e3d64659a
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> > @@ -0,0 +1,67 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 2 Feb 2021 08:50:48 +0100
> > +Subject: [PATCH] add bash like variable extension
> > +
> > +Support for `~` and environment variables like `${HOME}`.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm_curl.c | 18 +++++++++++++++++-
> > + 1 file changed, 17 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 2f46802e0fe1..52ca14ddf2d4 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -16,6 +16,7 @@
> > +
> > + #include <string.h>
> > + #include <errno.h>
> > ++#include <wordexp.h>
> > +
> > + #include <arpa/inet.h>
> > +
> > +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > +                             const void *val) {
> > +   CURLoption option;
> > +   const char *optname;
> > ++  wordexp_t expanded;
> > ++  bool expand = false;
> > +
> > +   switch (opt) {
> > +     case YH_CONNECTOR_HTTPS_CA:
> > +       option = CURLOPT_CAINFO;
> > +       optname = "CURLOPT_CAINFO";
> > ++      expand = true;
> > +       break;
> > +     case YH_CONNECTOR_HTTPS_CERT:
> > +       option = CURLOPT_SSLCERT;
> > +       optname = "CURLOPT_SSLCERT";
> > ++      expand = true;
> > +       break;
> > +     case YH_CONNECTOR_HTTPS_KEY:
> > +       option = CURLOPT_SSLKEY;
> > +       optname = "CURLOPT_SSLKEY";
> > ++      expand = true;
> > +       break;
> > +     case YH_CONNECTOR_PROXY_SERVER:
> > +       option = CURLOPT_PROXY;
> > +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > +       DBG_ERR("%d is an unknown option", opt);
> > +       return YHR_INVALID_PARAMETERS;
> > +   }
> > +-  CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
> > ++  if (expand)
> > ++  {
> > ++    if (wordexp((const char *)val, &expanded, 0))
> > ++    {
> > ++      DBG_ERR("Failed to expand %s\n", optname);
> > ++      return YHR_CONNECTOR_ERROR;
> > ++    }
> > ++  }
> > ++  CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
> > ++  if (expand)
> > ++    wordfree(&expanded);
> > +   if (rc == CURLE_OK) {
> > +     DBG_INFO("Successfully set %s.", optname);
> > +     return YHR_SUCCESS;
> > diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> > new file mode 100644
> > index 000000000..788b9cacf
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> > @@ -0,0 +1,76 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 2 Feb 2021 08:32:54 +0100
> > +Subject: [PATCH] add noproxy option
> > +
> > +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
> > +
> > +Use `noproxy=*` in your config file to use the plugin outside of
> > +get stage, e.g. in barebox compile stage.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm.h           | 3 +++
> > + lib/yubihsm_curl.c      | 4 ++++
> > + pkcs11/cmdline.ggo      | 1 +
> > + pkcs11/yubihsm_pkcs11.c | 7 +++++++
> > + 4 files changed, 15 insertions(+)
> > +
> > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> > +index da08f68038dd..5f90eca0d8e8 100644
> > +--- a/lib/yubihsm.h
> > ++++ b/lib/yubihsm.h
> > +@@ -524,6 +524,9 @@ typedef enum {
> > +   /// File with client certificates key (const char *).
> > +   /// Not implemented on Windows
> > +   YH_CONNECTOR_HTTPS_KEY = 4,
> > ++  /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
> > ++  /// Not implemented on Windows
> > ++  YH_CONNECTOR_NOPROXY = 5,
> > + } yh_connector_option;
> > +
> > + #pragma pack(push, 1)
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 52ca14ddf2d4..f7f7cd8f54da 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > +       option = CURLOPT_PROXY;
> > +       optname = "CURLOPT_PROXY";
> > +       break;
> > ++    case YH_CONNECTOR_NOPROXY:
> > ++      option = CURLOPT_NOPROXY;
> > ++      optname = "CURLOPT_NOPROXY";
> > ++      break;
> > +     default:
> > +       DBG_ERR("%d is an unknown option", opt);
> > +       return YHR_INVALID_PARAMETERS;
> > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> > +index 9e87e2aa2861..cdf97ae0d33d 100644
> > +--- a/pkcs11/cmdline.ggo
> > ++++ b/pkcs11/cmdline.ggo
> > +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
> > + option "cert" - "HTTPS client certificate to authenticate with" string optional
> > + option "key" - "HTTPS client certificate key" string optional
> > + option "proxy" - "Proxy server to use for connector" string optional
> > ++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
> > + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> > + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> > +
> > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> > +index 25aec8e7c5fe..38b08bbf8000 100644
> > +--- a/pkcs11/yubihsm_pkcs11.c
> > ++++ b/pkcs11/yubihsm_pkcs11.c
> > +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> > +         goto c_i_failure;
> > +       }
> > +     }
> > ++    if (args_info.noproxy_given) {
> > ++      if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
> > ++                                  args_info.noproxy_arg) != YHR_SUCCESS) {
> > ++        DBG_ERR("Failed to set noproxy option");
> > ++goto c_i_failure;
> > ++      }
> > ++    }
> > +
> > +     if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
> > +       DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
> > diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
> > new file mode 100644
> > index 000000000..a0fbb2915
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/series
> > @@ -0,0 +1,6 @@
> > +# generated by git-ptx-patches
> > +#tag:base --start-number 1
> > +0001-add-client-cert-support-for-pkcs11-module.patch
> > +0002-add-bash-like-variable-extension.patch
> > +0003-add-noproxy-option.patch
> > +# fcbee908545e468ec4e840d2d56da1be  - git-ptx-patches magic
> > diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> > new file mode 100644
> > index 000000000..3b17a2e98
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.in
> > @@ -0,0 +1,13 @@
> > +## SECTION=hosttools_noprompt
> > +
> > +config HOST_YUBIHSM_SHELL
> > +tristate
> > +default ALLYES
> > +select HOST_CMAKE
> > +select HOST_OPENSSL
> > +select HOST_LIBCURL
> > +select HOST_LIBUSB
> > +select HOST_GENGETOPT
> > +select HOST_LIBEDIT
> > +select HOST_PCSC_LITE
> > +select HOST_LIBP11
> > diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..3ebfc8c1f
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.make
> > @@ -0,0 +1,37 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> > +
> > +#
> > +# Paths and names
> > +#
> > +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> > +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> > +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> > +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> > +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> > +
> > +# ----------------------------------------------------------------------------
> > +# Prepare
> > +# ----------------------------------------------------------------------------
> > +
> > +#
> > +# cmake
> > +#
> > +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> > +HOST_YUBIHSM_SHELL_CONF_OPT:=  \
> > +$(HOST_CMAKE_OPT) \
> > +-DBUILD_ONLY_LIB=OFF \
> > +-DENABLE_COVERAGE=OFF \
> > +-DSUPRESS_MSVC_WARNINGS=ON \
> > +-DWITHOUT_MANPAGES=1
> > +
> > +# vim: syntax=make
> > --
> > 2.30.1
> >
> >
>

* Re: [ptxdist] [APPLIED] host-gengetopt: move to _noprompt section
  2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
@ 2021-03-14 13:35   ` Michael Olbrich
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
  To: ptxdist; +Cc: Denis Osterland-Heim

Thanks, applied as c369517da9672d567fe433e95649203670cbab2e.

Michael

[sent from post-receive hook]

On Sun, 14 Mar 2021 14:35:41 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> This allows selecting it from platforms as well.
> 
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-2-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
> index f6855ab5f8dc..d42ccf477bdc 100644
> --- a/rules/host-gengetopt.in
> +++ b/rules/host-gengetopt.in
> @@ -1,8 +1,8 @@
> -## SECTION=hosttools
> +## SECTION=hosttools_noprompt
>  
>  config HOST_GENGETOPT
>  	tristate
> -	prompt "gengetopt"
> +	default ALLYES
>  	help
>  	  Gengetopt is a tool to write command line option
>  	  parsing code for C programs.


* Re: [ptxdist] [APPLIED] host-libedit: new package
  2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
@ 2021-03-14 13:35   ` Michael Olbrich
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
  To: ptxdist; +Cc: Denis Osterland-Heim

Thanks, applied as 815a2bd59c163a0430a02c740244d4131ec65ddc.

Michael

[sent from post-receive hook]

On Sun, 14 Mar 2021 14:35:42 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-3-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/host-libedit.in b/rules/host-libedit.in
> new file mode 100644
> index 000000000000..49e7c4548df6
> --- /dev/null
> +++ b/rules/host-libedit.in
> @@ -0,0 +1,5 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_LIBEDIT
> +	tristate
> +	default ALLYES
> diff --git a/rules/host-libedit.make b/rules/host-libedit.make
> new file mode 100644
> index 000000000000..ae8bff95f052
> --- /dev/null
> +++ b/rules/host-libedit.make
> @@ -0,0 +1,11 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
> +
> +# vim: syntax=make


* Re: [ptxdist] [APPLIED] libp11: version bump 0.4.10 -> 0.4.11
  2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
@ 2021-03-14 13:35   ` Michael Olbrich
  0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
  To: ptxdist; +Cc: Denis Osterland-Heim

Thanks, applied as 2ba9450d833dbe3337a2ee812aa45e5f8f7115b1.

Michael

[sent from post-receive hook]

On Sun, 14 Mar 2021 14:35:43 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-5-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/libp11.make b/rules/libp11.make
> index 8e2d1517fd24..2c551b914f9b 100644
> --- a/rules/libp11.make
> +++ b/rules/libp11.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
>  #
>  # Paths and names
>  #
> -LIBP11_VERSION	:= 0.4.10
> -LIBP11_MD5	:= 3464874bb5ca47b8e4c1d540758dcfe9
> +LIBP11_VERSION	:= 0.4.11
> +LIBP11_MD5	:= 8b907abd572b0eb8e63413549f68dbe1
>  LIBP11		:= libp11-$(LIBP11_VERSION)
>  LIBP11_SUFFIX	:= tar.gz
>  LIBP11_URL	:= https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)

