* [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
@ 2021-03-08 12:35 ` Denis Osterland-Heim
2021-03-12 7:47 ` Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
` (4 subsequent siblings)
5 siblings, 1 reply; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
This package provides the pkcs11 plugin for yubi HSMs,
which allows to create a signing provider for it.
Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
To use it together with a CA server:
Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
`noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
communication in compile stage.
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
.../0003-add-noproxy-option.patch | 76 ++++++++++++++++
patches/yubihsm-shell-2.1.0/series | 6 ++
rules/host-yubihsm-shell.in | 13 +++
rules/host-yubihsm-shell.make | 37 ++++++++
6 files changed, 287 insertions(+)
create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
create mode 100644 patches/yubihsm-shell-2.1.0/series
create mode 100644 rules/host-yubihsm-shell.in
create mode 100644 rules/host-yubihsm-shell.make
diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
new file mode 100644
index 000000000..dbce11c85
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
@@ -0,0 +1,88 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 26 Jan 2021 14:19:52 +0100
+Subject: [PATCH] add client cert support for pkcs11 module
+
+Allows to authenticate with client certificates at HSM server.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h | 6 ++++++
+ lib/yubihsm_curl.c | 8 ++++++++
+ pkcs11/cmdline.ggo | 2 ++
+ pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index ef80d42b1865..da08f68038dd 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -518,6 +518,12 @@ typedef enum {
+ /// Proxy server to use for connecting to the connector (const char *). Not
+ /// implemented on Windows
+ YH_CONNECTOR_PROXY_SERVER = 2,
++ /// File with client certificate to authenticate client with (const char *).
++ /// Not implemented on Windows
++ YH_CONNECTOR_HTTPS_CERT = 3,
++ /// File with client certificates key (const char *).
++ /// Not implemented on Windows
++ YH_CONNECTOR_HTTPS_KEY = 4,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 6360f3693268..2f46802e0fe1 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ option = CURLOPT_CAINFO;
+ optname = "CURLOPT_CAINFO";
+ break;
++ case YH_CONNECTOR_HTTPS_CERT:
++ option = CURLOPT_SSLCERT;
++ optname = "CURLOPT_SSLCERT";
++ break;
++ case YH_CONNECTOR_HTTPS_KEY:
++ option = CURLOPT_SSLKEY;
++ optname = "CURLOPT_SSLKEY";
++ break;
+ case YH_CONNECTOR_PROXY_SERVER:
+ option = CURLOPT_PROXY;
+ optname = "CURLOPT_PROXY";
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9a357b73062d..9e87e2aa2861 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
+ option "libdebug" - "Enable libyubihsm debugging" flag off
+ option "debug-file" - "Output file for debugging" string optional default="stderr"
+ option "cacert" - "Cacert to use for HTTPS validation" string optional
++option "cert" - "HTTPS client certificate to authenticate with" string optional
++option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index f543c94ed373..25aec8e7c5fe 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+ goto c_i_failure;
+ }
+ }
++ if (args_info.cert_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
++ args_info.cert_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set HTTPS cert option");
++ goto c_i_failure;
++ }
++ }
++ if (args_info.key_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
++ args_info.key_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set HTTPS key option");
++goto c_i_failure;
++ }
++ }
+ if (args_info.proxy_given) {
+ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
+ args_info.proxy_arg) != YHR_SUCCESS) {
diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
new file mode 100644
index 000000000..e3d64659a
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
@@ -0,0 +1,67 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:50:48 +0100
+Subject: [PATCH] add bash like variable extension
+
+Support for `~` and environment variables like `${HOME}`.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm_curl.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 2f46802e0fe1..52ca14ddf2d4 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -16,6 +16,7 @@
+
+ #include <string.h>
+ #include <errno.h>
++#include <wordexp.h>
+
+ #include <arpa/inet.h>
+
+@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ const void *val) {
+ CURLoption option;
+ const char *optname;
++ wordexp_t expanded;
++ bool expand = false;
+
+ switch (opt) {
+ case YH_CONNECTOR_HTTPS_CA:
+ option = CURLOPT_CAINFO;
+ optname = "CURLOPT_CAINFO";
++ expand = true;
+ break;
+ case YH_CONNECTOR_HTTPS_CERT:
+ option = CURLOPT_SSLCERT;
+ optname = "CURLOPT_SSLCERT";
++ expand = true;
+ break;
+ case YH_CONNECTOR_HTTPS_KEY:
+ option = CURLOPT_SSLKEY;
+ optname = "CURLOPT_SSLKEY";
++ expand = true;
+ break;
+ case YH_CONNECTOR_PROXY_SERVER:
+ option = CURLOPT_PROXY;
+@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ DBG_ERR("%d is an unknown option", opt);
+ return YHR_INVALID_PARAMETERS;
+ }
+- CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
++ if (expand)
++ {
++ if (wordexp((const char *)val, &expanded, 0))
++ {
++ DBG_ERR("Failed to expand %s\n", optname);
++ return YHR_CONNECTOR_ERROR;
++ }
++ }
++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
++ if (expand)
++ wordfree(&expanded);
+ if (rc == CURLE_OK) {
+ DBG_INFO("Successfully set %s.", optname);
+ return YHR_SUCCESS;
diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
new file mode 100644
index 000000000..788b9cacf
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
@@ -0,0 +1,76 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:32:54 +0100
+Subject: [PATCH] add noproxy option
+
+work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
+
+Use `noproxy=*` in your config file to use the plugin outside of
+get stage, e.g. in barebox compile stage.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h | 3 +++
+ lib/yubihsm_curl.c | 4 ++++
+ pkcs11/cmdline.ggo | 1 +
+ pkcs11/yubihsm_pkcs11.c | 7 +++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index da08f68038dd..5f90eca0d8e8 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -524,6 +524,9 @@ typedef enum {
+ /// File with client certificates key (const char *).
+ /// Not implemented on Windows
+ YH_CONNECTOR_HTTPS_KEY = 4,
++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
++ /// Not implemented on Windows
++ YH_CONNECTOR_NOPROXY = 5,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 52ca14ddf2d4..f7f7cd8f54da 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ option = CURLOPT_PROXY;
+ optname = "CURLOPT_PROXY";
+ break;
++ case YH_CONNECTOR_NOPROXY:
++ option = CURLOPT_NOPROXY;
++ optname = "CURLOPT_NOPROXY";
++ break;
+ default:
+ DBG_ERR("%d is an unknown option", opt);
+ return YHR_INVALID_PARAMETERS;
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9e87e2aa2861..cdf97ae0d33d 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
+ option "cert" - "HTTPS client certificate to authenticate with" string optional
+ option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index 25aec8e7c5fe..38b08bbf8000 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+ goto c_i_failure;
+ }
+ }
++ if (args_info.noproxy_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
++ args_info.noproxy_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set noproxy option");
++goto c_i_failure;
++ }
++ }
+
+ if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
+ DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
new file mode 100644
index 000000000..a0fbb2915
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-add-client-cert-support-for-pkcs11-module.patch
+0002-add-bash-like-variable-extension.patch
+0003-add-noproxy-option.patch
+# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic
diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
new file mode 100644
index 000000000..3b17a2e98
--- /dev/null
+++ b/rules/host-yubihsm-shell.in
@@ -0,0 +1,13 @@
+## SECTION=hosttools_noprompt
+
+config HOST_YUBIHSM_SHELL
+tristate
+default ALLYES
+select HOST_CMAKE
+select HOST_OPENSSL
+select HOST_LIBCURL
+select HOST_LIBUSB
+select HOST_GENGETOPT
+select HOST_LIBEDIT
+select HOST_PCSC_LITE
+select HOST_LIBP11
diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
new file mode 100644
index 000000000..3ebfc8c1f
--- /dev/null
+++ b/rules/host-yubihsm-shell.make
@@ -0,0 +1,37 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
+
+#
+# Paths and names
+#
+HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
+HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
+HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
+HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
+HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# cmake
+#
+HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
+HOST_YUBIHSM_SHELL_CONF_OPT:= \
+$(HOST_CMAKE_OPT) \
+-DBUILD_ONLY_LIB=OFF \
+-DENABLE_COVERAGE=OFF \
+-DSUPRESS_MSVC_WARNINGS=ON \
+-DWITHOUT_MANPAGES=1
+
+# vim: syntax=make
--
2.30.1
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
@ 2021-03-08 12:35 ` Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
` (3 subsequent siblings)
5 siblings, 1 reply; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/libp11.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/libp11.make b/rules/libp11.make
index 8e2d1517f..2c551b914 100644
--- a/rules/libp11.make
+++ b/rules/libp11.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
#
# Paths and names
#
-LIBP11_VERSION:= 0.4.10
-LIBP11_MD5:= 3464874bb5ca47b8e4c1d540758dcfe9
+LIBP11_VERSION:= 0.4.11
+LIBP11_MD5:= 8b907abd572b0eb8e63413549f68dbe1
LIBP11:= libp11-$(LIBP11_VERSION)
LIBP11_SUFFIX:= tar.gz
LIBP11_URL:= https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)
--
2.30.1
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
@ 2021-03-08 12:35 ` Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
` (2 subsequent siblings)
5 siblings, 1 reply; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
This allows to select this from platforms as well.
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-gengetopt.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
index f6855ab5f..d42ccf477 100644
--- a/rules/host-gengetopt.in
+++ b/rules/host-gengetopt.in
@@ -1,8 +1,8 @@
-## SECTION=hosttools
+## SECTION=hosttools_noprompt
config HOST_GENGETOPT
tristate
-prompt "gengetopt"
+default ALLYES
help
Gengetopt is a tool to write command line option
parsing code for C programs.
--
2.30.1
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
` (2 preceding siblings ...)
2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
@ 2021-03-08 12:35 ` Denis Osterland-Heim
2021-03-12 7:35 ` Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
2021-03-08 14:35 ` [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
5 siblings, 1 reply; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-libcurl.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
index dc28de778..1a2a1fcf5 100644
--- a/rules/host-libcurl.make
+++ b/rules/host-libcurl.make
@@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
--without-librtmp \
\
--disable-ares \
---disable-http \
+--enable-http \
--disable-nghttp2 \
--disable-cookies \
--disable-ftp \
@@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
--disable-file \
--disable-crypto-auth \
--disable-libssh2 \
---without-ssl
+--with-ssl
$(STATEDIR)/host-libcurl.install:
@$(call targetinfo)
--
2.30.1
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* [ptxdist] yubi HSM pkcs11 plugin for signing provider
@ 2021-03-08 12:35 Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
` (5 more replies)
0 siblings, 6 replies; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
Original mboxes are attached to mail in response.
Denis Osterland-Heim (5):
host-gengetopt: move to _noprompt section
host-libedit: new package
host-libcurl: enable http(s) support
libp11: version bump 0.4.10 -> 0.4.11
host-yubihsm-shell: new package
...add-client-cert-support-for-pkcs11-module.patch | 88 ++++++++++++++++++++++
.../0002-add-bash-like-variable-extension.patch | 67 ++++++++++++++++
.../0003-add-noproxy-option.patch | 76 +++++++++++++++++++
patches/yubihsm-shell-2.1.0/series | 6 ++
rules/host-gengetopt.in | 4 +-
rules/host-libcurl.make | 4 +-
rules/host-libedit.in | 5 ++
rules/host-libedit.make | 11 +++
rules/host-yubihsm-shell.in | 13 ++++
rules/host-yubihsm-shell.make | 37 +++++++++
rules/libp11.make | 4 +-
11 files changed, 309 insertions(+), 6 deletions(-)
base-commit: 1431ed52c ("libwacom: new package")
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* [ptxdist] [PATCH 2/5] host-libedit: new package
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
` (3 preceding siblings ...)
2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
@ 2021-03-08 12:35 ` Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 14:35 ` [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
5 siblings, 1 reply; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 12:35 UTC (permalink / raw)
To: ptxdist
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-libedit.in | 5 +++++
rules/host-libedit.make | 11 +++++++++++
2 files changed, 16 insertions(+)
create mode 100644 rules/host-libedit.in
create mode 100644 rules/host-libedit.make
diff --git a/rules/host-libedit.in b/rules/host-libedit.in
new file mode 100644
index 000000000..49e7c4548
--- /dev/null
+++ b/rules/host-libedit.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_LIBEDIT
+tristate
+default ALLYES
diff --git a/rules/host-libedit.make b/rules/host-libedit.make
new file mode 100644
index 000000000..ae8bff95f
--- /dev/null
+++ b/rules/host-libedit.make
@@ -0,0 +1,11 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
+
+# vim: syntax=make
--
2.30.1
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] yubi HSM pkcs11 plugin for signing provider
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
` (4 preceding siblings ...)
2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
@ 2021-03-08 14:35 ` Denis Osterland-Heim
5 siblings, 0 replies; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-08 14:35 UTC (permalink / raw)
To: ptxdist
[-- Attachment #1: Type: text/plain, Size: 2551 bytes --]
Am Montag, den 08.03.2021, 13:34 +0100 schrieb Denis Osterland-Heim:
> Original mboxes are attached to mail in response.
>
> Denis Osterland-Heim (5):
> host-gengetopt: move to _noprompt section
> host-libedit: new package
> host-libcurl: enable http(s) support
> libp11: version bump 0.4.10 -> 0.4.11
> host-yubihsm-shell: new package
>
> ...add-client-cert-support-for-pkcs11-module.patch | 88 ++++++++++++++++++++++
> .../0002-add-bash-like-variable-extension.patch | 67 ++++++++++++++++
> .../0003-add-noproxy-option.patch | 76 +++++++++++++++++++
> patches/yubihsm-shell-2.1.0/series | 6 ++
> rules/host-gengetopt.in | 4 +-
> rules/host-libcurl.make | 4 +-
> rules/host-libedit.in | 5 ++
> rules/host-libedit.make | 11 +++
> rules/host-yubihsm-shell.in | 13 ++++
> rules/host-yubihsm-shell.make | 37 +++++++++
> rules/libp11.make | 4 +-
> 11 files changed, 309 insertions(+), 6 deletions(-)
>
> base-commit: 1431ed52c ("libwacom: new package")
>
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
[-- Attachment #2: Type: message/rfc822, Size: 1344 bytes --]
From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 1/5] host-gengetopt: move to _noprompt section
Date: Mon, 8 Mar 2021 13:34:14 +0100
Message-ID: <20210308123418.10187-2-denis.osterland@diehl.com>
This allows to select this from platforms as well.
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-gengetopt.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
index f6855ab5f..d42ccf477 100644
--- a/rules/host-gengetopt.in
+++ b/rules/host-gengetopt.in
@@ -1,8 +1,8 @@
-## SECTION=hosttools
+## SECTION=hosttools_noprompt
config HOST_GENGETOPT
tristate
- prompt "gengetopt"
+ default ALLYES
help
Gengetopt is a tool to write command line option
parsing code for C programs.
--
2.30.1
[-- Attachment #3: Type: message/rfc822, Size: 1698 bytes --]
From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 2/5] host-libedit: new package
Date: Mon, 8 Mar 2021 13:34:15 +0100
Message-ID: <20210308123418.10187-3-denis.osterland@diehl.com>
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-libedit.in | 5 +++++
rules/host-libedit.make | 11 +++++++++++
2 files changed, 16 insertions(+)
create mode 100644 rules/host-libedit.in
create mode 100644 rules/host-libedit.make
diff --git a/rules/host-libedit.in b/rules/host-libedit.in
new file mode 100644
index 000000000..49e7c4548
--- /dev/null
+++ b/rules/host-libedit.in
@@ -0,0 +1,5 @@
+## SECTION=hosttools_noprompt
+
+config HOST_LIBEDIT
+ tristate
+ default ALLYES
diff --git a/rules/host-libedit.make b/rules/host-libedit.make
new file mode 100644
index 000000000..ae8bff95f
--- /dev/null
+++ b/rules/host-libedit.make
@@ -0,0 +1,11 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
+
+# vim: syntax=make
--
2.30.1
[-- Attachment #4: Type: message/rfc822, Size: 14253 bytes --]
From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 5/5] host-yubihsm-shell: new package
Date: Mon, 8 Mar 2021 13:34:18 +0100
Message-ID: <20210308123418.10187-6-denis.osterland@diehl.com>
This package provides the pkcs11 plugin for yubi HSMs,
which allows to create a signing provider for it.
Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
To use it together with a CA server:
Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
`noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
communication in compile stage.
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
.../0003-add-noproxy-option.patch | 76 ++++++++++++++++
patches/yubihsm-shell-2.1.0/series | 6 ++
rules/host-yubihsm-shell.in | 13 +++
rules/host-yubihsm-shell.make | 37 ++++++++
6 files changed, 287 insertions(+)
create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
create mode 100644 patches/yubihsm-shell-2.1.0/series
create mode 100644 rules/host-yubihsm-shell.in
create mode 100644 rules/host-yubihsm-shell.make
diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
new file mode 100644
index 000000000..dbce11c85
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
@@ -0,0 +1,88 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 26 Jan 2021 14:19:52 +0100
+Subject: [PATCH] add client cert support for pkcs11 module
+
+Allows to authenticate with client certificates at HSM server.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h | 6 ++++++
+ lib/yubihsm_curl.c | 8 ++++++++
+ pkcs11/cmdline.ggo | 2 ++
+ pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index ef80d42b1865..da08f68038dd 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -518,6 +518,12 @@ typedef enum {
+ /// Proxy server to use for connecting to the connector (const char *). Not
+ /// implemented on Windows
+ YH_CONNECTOR_PROXY_SERVER = 2,
++ /// File with client certificate to authenticate client with (const char *).
++ /// Not implemented on Windows
++ YH_CONNECTOR_HTTPS_CERT = 3,
++ /// File with client certificates key (const char *).
++ /// Not implemented on Windows
++ YH_CONNECTOR_HTTPS_KEY = 4,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 6360f3693268..2f46802e0fe1 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ option = CURLOPT_CAINFO;
+ optname = "CURLOPT_CAINFO";
+ break;
++ case YH_CONNECTOR_HTTPS_CERT:
++ option = CURLOPT_SSLCERT;
++ optname = "CURLOPT_SSLCERT";
++ break;
++ case YH_CONNECTOR_HTTPS_KEY:
++ option = CURLOPT_SSLKEY;
++ optname = "CURLOPT_SSLKEY";
++ break;
+ case YH_CONNECTOR_PROXY_SERVER:
+ option = CURLOPT_PROXY;
+ optname = "CURLOPT_PROXY";
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9a357b73062d..9e87e2aa2861 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
+ option "libdebug" - "Enable libyubihsm debugging" flag off
+ option "debug-file" - "Output file for debugging" string optional default="stderr"
+ option "cacert" - "Cacert to use for HTTPS validation" string optional
++option "cert" - "HTTPS client certificate to authenticate with" string optional
++option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index f543c94ed373..25aec8e7c5fe 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+ goto c_i_failure;
+ }
+ }
++ if (args_info.cert_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
++ args_info.cert_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set HTTPS cert option");
++ goto c_i_failure;
++ }
++ }
++ if (args_info.key_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
++ args_info.key_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set HTTPS key option");
++ goto c_i_failure;
++ }
++ }
+ if (args_info.proxy_given) {
+ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
+ args_info.proxy_arg) != YHR_SUCCESS) {
diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
new file mode 100644
index 000000000..e3d64659a
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
@@ -0,0 +1,67 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:50:48 +0100
+Subject: [PATCH] add bash like variable extension
+
+Support for `~` and environment variables like `${HOME}`.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm_curl.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 2f46802e0fe1..52ca14ddf2d4 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -16,6 +16,7 @@
+
+ #include <string.h>
+ #include <errno.h>
++#include <wordexp.h>
+
+ #include <arpa/inet.h>
+
+@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ const void *val) {
+ CURLoption option;
+ const char *optname;
++ wordexp_t expanded;
++ bool expand = false;
+
+ switch (opt) {
+ case YH_CONNECTOR_HTTPS_CA:
+ option = CURLOPT_CAINFO;
+ optname = "CURLOPT_CAINFO";
++ expand = true;
+ break;
+ case YH_CONNECTOR_HTTPS_CERT:
+ option = CURLOPT_SSLCERT;
+ optname = "CURLOPT_SSLCERT";
++ expand = true;
+ break;
+ case YH_CONNECTOR_HTTPS_KEY:
+ option = CURLOPT_SSLKEY;
+ optname = "CURLOPT_SSLKEY";
++ expand = true;
+ break;
+ case YH_CONNECTOR_PROXY_SERVER:
+ option = CURLOPT_PROXY;
+@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ DBG_ERR("%d is an unknown option", opt);
+ return YHR_INVALID_PARAMETERS;
+ }
+- CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
++ if (expand)
++ {
++ if (wordexp((const char *)val, &expanded, 0))
++ {
++ DBG_ERR("Failed to expand %s\n", optname);
++ return YHR_CONNECTOR_ERROR;
++ }
++ }
++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
++ if (expand)
++ wordfree(&expanded);
+ if (rc == CURLE_OK) {
+ DBG_INFO("Successfully set %s.", optname);
+ return YHR_SUCCESS;
diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
new file mode 100644
index 000000000..788b9cacf
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
@@ -0,0 +1,76 @@
+From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+Date: Tue, 2 Feb 2021 08:32:54 +0100
+Subject: [PATCH] add noproxy option
+
+work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
+
+Use `noproxy=*` in your config file to use the plugin outside of
+get stage, e.g. in barebox compile stage.
+
+Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
+---
+ lib/yubihsm.h | 3 +++
+ lib/yubihsm_curl.c | 4 ++++
+ pkcs11/cmdline.ggo | 1 +
+ pkcs11/yubihsm_pkcs11.c | 7 +++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/lib/yubihsm.h b/lib/yubihsm.h
+index da08f68038dd..5f90eca0d8e8 100644
+--- a/lib/yubihsm.h
++++ b/lib/yubihsm.h
+@@ -524,6 +524,9 @@ typedef enum {
+ /// File with client certificates key (const char *).
+ /// Not implemented on Windows
+ YH_CONNECTOR_HTTPS_KEY = 4,
++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
++ /// Not implemented on Windows
++ YH_CONNECTOR_NOPROXY = 5,
+ } yh_connector_option;
+
+ #pragma pack(push, 1)
+diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
+index 52ca14ddf2d4..f7f7cd8f54da 100644
+--- a/lib/yubihsm_curl.c
++++ b/lib/yubihsm_curl.c
+@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
+ option = CURLOPT_PROXY;
+ optname = "CURLOPT_PROXY";
+ break;
++ case YH_CONNECTOR_NOPROXY:
++ option = CURLOPT_NOPROXY;
++ optname = "CURLOPT_NOPROXY";
++ break;
+ default:
+ DBG_ERR("%d is an unknown option", opt);
+ return YHR_INVALID_PARAMETERS;
+diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
+index 9e87e2aa2861..cdf97ae0d33d 100644
+--- a/pkcs11/cmdline.ggo
++++ b/pkcs11/cmdline.ggo
+@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
+ option "cert" - "HTTPS client certificate to authenticate with" string optional
+ option "key" - "HTTPS client certificate key" string optional
+ option "proxy" - "Proxy server to use for connector" string optional
++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
+ option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
+ option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
+
+diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
+index 25aec8e7c5fe..38b08bbf8000 100644
+--- a/pkcs11/yubihsm_pkcs11.c
++++ b/pkcs11/yubihsm_pkcs11.c
+@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
+ goto c_i_failure;
+ }
+ }
++ if (args_info.noproxy_given) {
++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
++ args_info.noproxy_arg) != YHR_SUCCESS) {
++ DBG_ERR("Failed to set noproxy option");
++ goto c_i_failure;
++ }
++ }
+
+ if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
+ DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
new file mode 100644
index 000000000..a0fbb2915
--- /dev/null
+++ b/patches/yubihsm-shell-2.1.0/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-add-client-cert-support-for-pkcs11-module.patch
+0002-add-bash-like-variable-extension.patch
+0003-add-noproxy-option.patch
+# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic
diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
new file mode 100644
index 000000000..3b17a2e98
--- /dev/null
+++ b/rules/host-yubihsm-shell.in
@@ -0,0 +1,13 @@
+## SECTION=hosttools_noprompt
+
+config HOST_YUBIHSM_SHELL
+ tristate
+ default ALLYES
+ select HOST_CMAKE
+ select HOST_OPENSSL
+ select HOST_LIBCURL
+ select HOST_LIBUSB
+ select HOST_GENGETOPT
+ select HOST_LIBEDIT
+ select HOST_PCSC_LITE
+ select HOST_LIBP11
diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
new file mode 100644
index 000000000..3ebfc8c1f
--- /dev/null
+++ b/rules/host-yubihsm-shell.make
@@ -0,0 +1,37 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
+
+#
+# Paths and names
+#
+HOST_YUBIHSM_SHELL_VERSION := 2.1.0
+HOST_YUBIHSM_SHELL_MD5 := 7363c0bc4ed037e262474beaa6e1407b
+HOST_YUBIHSM_SHELL := yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
+HOST_YUBIHSM_SHELL_SUFFIX := tar.gz
+HOST_YUBIHSM_SHELL_URL := https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_SOURCE := $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
+HOST_YUBIHSM_SHELL_DIR := $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# cmake
+#
+HOST_YUBIHSM_SHELL_CONF_TOOL := cmake
+HOST_YUBIHSM_SHELL_CONF_OPT := \
+ $(HOST_CMAKE_OPT) \
+ -DBUILD_ONLY_LIB=OFF \
+ -DENABLE_COVERAGE=OFF \
+ -DSUPRESS_MSVC_WARNINGS=ON \
+ -DWITHOUT_MANPAGES=1
+
+# vim: syntax=make
--
2.30.1
[-- Attachment #5: Type: message/rfc822, Size: 1440 bytes --]
From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 3/5] host-libcurl: enable http(s) support
Date: Mon, 8 Mar 2021 13:34:16 +0100
Message-ID: <20210308123418.10187-4-denis.osterland@diehl.com>
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/host-libcurl.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
index dc28de778..1a2a1fcf5 100644
--- a/rules/host-libcurl.make
+++ b/rules/host-libcurl.make
@@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT := \
--without-librtmp \
\
--disable-ares \
- --disable-http \
+ --enable-http \
--disable-nghttp2 \
--disable-cookies \
--disable-ftp \
@@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT := \
--disable-file \
--disable-crypto-auth \
--disable-libssh2 \
- --without-ssl
+ --with-ssl
$(STATEDIR)/host-libcurl.install:
@$(call targetinfo)
--
2.30.1
[-- Attachment #6: Type: message/rfc822, Size: 1415 bytes --]
From: Denis Osterland-Heim <denis.osterland@diehl.com>
To: <ptxdist@pengutronix.de>
Subject: [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11
Date: Mon, 8 Mar 2021 13:34:17 +0100
Message-ID: <20210308123418.10187-5-denis.osterland@diehl.com>
Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
---
rules/libp11.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/libp11.make b/rules/libp11.make
index 8e2d1517f..2c551b914 100644
--- a/rules/libp11.make
+++ b/rules/libp11.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
#
# Paths and names
#
-LIBP11_VERSION := 0.4.10
-LIBP11_MD5 := 3464874bb5ca47b8e4c1d540758dcfe9
+LIBP11_VERSION := 0.4.11
+LIBP11_MD5 := 8b907abd572b0eb8e63413549f68dbe1
LIBP11 := libp11-$(LIBP11_VERSION)
LIBP11_SUFFIX := tar.gz
LIBP11_URL := https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)
--
2.30.1
[-- Attachment #7: Type: text/plain, Size: 181 bytes --]
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support
2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
@ 2021-03-12 7:35 ` Michael Olbrich
0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-12 7:35 UTC (permalink / raw)
To: ptxdist
On Mon, Mar 08, 2021 at 12:35:10PM +0000, Denis Osterland-Heim wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
This will require host-openssl, right? At least it links to libssl and libcrypto
in my quick test.
So there should be a optional dependency that enables this. And whatever
package needs this should enable it.
Michael
> ---
> rules/host-libcurl.make | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/rules/host-libcurl.make b/rules/host-libcurl.make
> index dc28de778..1a2a1fcf5 100644
> --- a/rules/host-libcurl.make
> +++ b/rules/host-libcurl.make
> @@ -61,7 +61,7 @@ HOST_LIBCURL_CONF_OPT:= \
> --without-librtmp \
> \
> --disable-ares \
> ---disable-http \
> +--enable-http \
> --disable-nghttp2 \
> --disable-cookies \
> --disable-ftp \
> @@ -69,7 +69,7 @@ HOST_LIBCURL_CONF_OPT:= \
> --disable-file \
> --disable-crypto-auth \
> --disable-libssh2 \
> ---without-ssl
> +--with-ssl
>
> $(STATEDIR)/host-libcurl.install:
> @$(call targetinfo)
> --
> 2.30.1
>
> Diehl Connectivity Solutions GmbH
> Geschäftsführung: Horst Leonberger
> Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
> Nürnberg: HRB 32315
>
> ________________________________
>
> Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
> Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
> Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
>
> - Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
>
> https://www.diehl.com/group/de/transparenz-und-informationspflichten/
>
> The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
> mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
>
> - For general information on data protection and your respective rights please visit:
>
> https://www.diehl.com/group/en/transparency-and-information-obligations/
>
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
@ 2021-03-12 7:47 ` Michael Olbrich
2021-03-12 8:17 ` Denis Osterland-Heim
0 siblings, 1 reply; 13+ messages in thread
From: Michael Olbrich @ 2021-03-12 7:47 UTC (permalink / raw)
To: ptxdist
On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> This package provides the pkcs11 plugin for yubi HSMs,
> which allows to create a signing provider for it.
>
> Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
>
> To use it together with a CA server:
> Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> communication in compile stage.
Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
"HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
evaluated after the variables set by ab4af48ba and clear them.
And expanding CODE_SIGNING_ENV depending on the signing provider is
expected. We already do this for softhsm:
rules/pre/020-code-signing-softhsm.make
Michael
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> ---
> ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
> ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
> .../0003-add-noproxy-option.patch | 76 ++++++++++++++++
> patches/yubihsm-shell-2.1.0/series | 6 ++
> rules/host-yubihsm-shell.in | 13 +++
> rules/host-yubihsm-shell.make | 37 ++++++++
> 6 files changed, 287 insertions(+)
> create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> create mode 100644 patches/yubihsm-shell-2.1.0/series
> create mode 100644 rules/host-yubihsm-shell.in
> create mode 100644 rules/host-yubihsm-shell.make
>
> diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> new file mode 100644
> index 000000000..dbce11c85
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> @@ -0,0 +1,88 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 26 Jan 2021 14:19:52 +0100
> +Subject: [PATCH] add client cert support for pkcs11 module
> +
> +Allows to authenticate with client certificates at HSM server.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h | 6 ++++++
> + lib/yubihsm_curl.c | 8 ++++++++
> + pkcs11/cmdline.ggo | 2 ++
> + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
> + 4 files changed, 30 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index ef80d42b1865..da08f68038dd 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -518,6 +518,12 @@ typedef enum {
> + /// Proxy server to use for connecting to the connector (const char *). Not
> + /// implemented on Windows
> + YH_CONNECTOR_PROXY_SERVER = 2,
> ++ /// File with client certificate to authenticate client with (const char *).
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_HTTPS_CERT = 3,
> ++ /// File with client certificates key (const char *).
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_HTTPS_KEY = 4,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 6360f3693268..2f46802e0fe1 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + option = CURLOPT_CAINFO;
> + optname = "CURLOPT_CAINFO";
> + break;
> ++ case YH_CONNECTOR_HTTPS_CERT:
> ++ option = CURLOPT_SSLCERT;
> ++ optname = "CURLOPT_SSLCERT";
> ++ break;
> ++ case YH_CONNECTOR_HTTPS_KEY:
> ++ option = CURLOPT_SSLKEY;
> ++ optname = "CURLOPT_SSLKEY";
> ++ break;
> + case YH_CONNECTOR_PROXY_SERVER:
> + option = CURLOPT_PROXY;
> + optname = "CURLOPT_PROXY";
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9a357b73062d..9e87e2aa2861 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
> + option "libdebug" - "Enable libyubihsm debugging" flag off
> + option "debug-file" - "Output file for debugging" string optional default="stderr"
> + option "cacert" - "Cacert to use for HTTPS validation" string optional
> ++option "cert" - "HTTPS client certificate to authenticate with" string optional
> ++option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index f543c94ed373..25aec8e7c5fe 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> + goto c_i_failure;
> + }
> + }
> ++ if (args_info.cert_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
> ++ args_info.cert_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set HTTPS cert option");
> ++ goto c_i_failure;
> ++ }
> ++ }
> ++ if (args_info.key_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
> ++ args_info.key_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set HTTPS key option");
> ++goto c_i_failure;
> ++ }
> ++ }
> + if (args_info.proxy_given) {
> + if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
> + args_info.proxy_arg) != YHR_SUCCESS) {
> diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> new file mode 100644
> index 000000000..e3d64659a
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> @@ -0,0 +1,67 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:50:48 +0100
> +Subject: [PATCH] add bash like variable extension
> +
> +Support for `~` and environment variables like `${HOME}`.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm_curl.c | 18 +++++++++++++++++-
> + 1 file changed, 17 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 2f46802e0fe1..52ca14ddf2d4 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -16,6 +16,7 @@
> +
> + #include <string.h>
> + #include <errno.h>
> ++#include <wordexp.h>
> +
> + #include <arpa/inet.h>
> +
> +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + const void *val) {
> + CURLoption option;
> + const char *optname;
> ++ wordexp_t expanded;
> ++ bool expand = false;
> +
> + switch (opt) {
> + case YH_CONNECTOR_HTTPS_CA:
> + option = CURLOPT_CAINFO;
> + optname = "CURLOPT_CAINFO";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_HTTPS_CERT:
> + option = CURLOPT_SSLCERT;
> + optname = "CURLOPT_SSLCERT";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_HTTPS_KEY:
> + option = CURLOPT_SSLKEY;
> + optname = "CURLOPT_SSLKEY";
> ++ expand = true;
> + break;
> + case YH_CONNECTOR_PROXY_SERVER:
> + option = CURLOPT_PROXY;
> +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + DBG_ERR("%d is an unknown option", opt);
> + return YHR_INVALID_PARAMETERS;
> + }
> +- CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
> ++ if (expand)
> ++ {
> ++ if (wordexp((const char *)val, &expanded, 0))
> ++ {
> ++ DBG_ERR("Failed to expand %s\n", optname);
> ++ return YHR_CONNECTOR_ERROR;
> ++ }
> ++ }
> ++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
> ++ if (expand)
> ++ wordfree(&expanded);
> + if (rc == CURLE_OK) {
> + DBG_INFO("Successfully set %s.", optname);
> + return YHR_SUCCESS;
> diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> new file mode 100644
> index 000000000..788b9cacf
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> @@ -0,0 +1,76 @@
> +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +Date: Tue, 2 Feb 2021 08:32:54 +0100
> +Subject: [PATCH] add noproxy option
> +
> +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
> +
> +Use `noproxy=*` in your config file to use the plugin outside of
> +get stage, e.g. in barebox compile stage.
> +
> +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +---
> + lib/yubihsm.h | 3 +++
> + lib/yubihsm_curl.c | 4 ++++
> + pkcs11/cmdline.ggo | 1 +
> + pkcs11/yubihsm_pkcs11.c | 7 +++++++
> + 4 files changed, 15 insertions(+)
> +
> +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> +index da08f68038dd..5f90eca0d8e8 100644
> +--- a/lib/yubihsm.h
> ++++ b/lib/yubihsm.h
> +@@ -524,6 +524,9 @@ typedef enum {
> + /// File with client certificates key (const char *).
> + /// Not implemented on Windows
> + YH_CONNECTOR_HTTPS_KEY = 4,
> ++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
> ++ /// Not implemented on Windows
> ++ YH_CONNECTOR_NOPROXY = 5,
> + } yh_connector_option;
> +
> + #pragma pack(push, 1)
> +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> +index 52ca14ddf2d4..f7f7cd8f54da 100644
> +--- a/lib/yubihsm_curl.c
> ++++ b/lib/yubihsm_curl.c
> +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> + option = CURLOPT_PROXY;
> + optname = "CURLOPT_PROXY";
> + break;
> ++ case YH_CONNECTOR_NOPROXY:
> ++ option = CURLOPT_NOPROXY;
> ++ optname = "CURLOPT_NOPROXY";
> ++ break;
> + default:
> + DBG_ERR("%d is an unknown option", opt);
> + return YHR_INVALID_PARAMETERS;
> +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> +index 9e87e2aa2861..cdf97ae0d33d 100644
> +--- a/pkcs11/cmdline.ggo
> ++++ b/pkcs11/cmdline.ggo
> +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
> + option "cert" - "HTTPS client certificate to authenticate with" string optional
> + option "key" - "HTTPS client certificate key" string optional
> + option "proxy" - "Proxy server to use for connector" string optional
> ++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
> + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> +
> +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> +index 25aec8e7c5fe..38b08bbf8000 100644
> +--- a/pkcs11/yubihsm_pkcs11.c
> ++++ b/pkcs11/yubihsm_pkcs11.c
> +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> + goto c_i_failure;
> + }
> + }
> ++ if (args_info.noproxy_given) {
> ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
> ++ args_info.noproxy_arg) != YHR_SUCCESS) {
> ++ DBG_ERR("Failed to set noproxy option");
> ++goto c_i_failure;
> ++ }
> ++ }
> +
> + if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
> + DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
> diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
> new file mode 100644
> index 000000000..a0fbb2915
> --- /dev/null
> +++ b/patches/yubihsm-shell-2.1.0/series
> @@ -0,0 +1,6 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-add-client-cert-support-for-pkcs11-module.patch
> +0002-add-bash-like-variable-extension.patch
> +0003-add-noproxy-option.patch
> +# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic
> diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> new file mode 100644
> index 000000000..3b17a2e98
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.in
> @@ -0,0 +1,13 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_YUBIHSM_SHELL
> +tristate
> +default ALLYES
> +select HOST_CMAKE
> +select HOST_OPENSSL
> +select HOST_LIBCURL
> +select HOST_LIBUSB
> +select HOST_GENGETOPT
> +select HOST_LIBEDIT
> +select HOST_PCSC_LITE
> +select HOST_LIBP11
> diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> new file mode 100644
> index 000000000..3ebfc8c1f
> --- /dev/null
> +++ b/rules/host-yubihsm-shell.make
> @@ -0,0 +1,37 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> +
> +#
> +# Paths and names
> +#
> +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# cmake
> +#
> +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> +HOST_YUBIHSM_SHELL_CONF_OPT:= \
> +$(HOST_CMAKE_OPT) \
> +-DBUILD_ONLY_LIB=OFF \
> +-DENABLE_COVERAGE=OFF \
> +-DSUPRESS_MSVC_WARNINGS=ON \
> +-DWITHOUT_MANPAGES=1
> +
> +# vim: syntax=make
> --
> 2.30.1
>
> Diehl Connectivity Solutions GmbH
> Geschäftsführung: Horst Leonberger
> Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
> Nürnberg: HRB 32315
>
> ________________________________
>
> Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
> Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
> Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
>
> - Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
>
> https://www.diehl.com/group/de/transparenz-und-informationspflichten/
>
> The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
> mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
>
> - For general information on data protection and your respective rights please visit:
>
> https://www.diehl.com/group/en/transparency-and-information-obligations/
>
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package
2021-03-12 7:47 ` Michael Olbrich
@ 2021-03-12 8:17 ` Denis Osterland-Heim
0 siblings, 0 replies; 13+ messages in thread
From: Denis Osterland-Heim @ 2021-03-12 8:17 UTC (permalink / raw)
To: ptxdist
Hi,
Thanks for the hint.
I will give it a try.
You are right, I forgot host-openssl as dependency.
Regards, Denis
Am Freitag, den 12.03.2021, 08:47 +0100 schrieb Michael Olbrich:
> On Mon, Mar 08, 2021 at 12:35:08PM +0000, Denis Osterland-Heim wrote:
> > This package provides the pkcs11 plugin for yubi HSMs,
> > which allows to create a signing provider for it.
> >
> > Patches are sent upstream: https://github.com/Yubico/yubihsm-shell/pull/162
> >
> > To use it together with a CA server:
> > Since ab4af48ba ("ptxd_make_world_init: try to prevent downloads outside the get stage")
> > `noproxy=*` in the yubihsm.conf is required to allow libcurl HTTP
> > communication in compile stage.
>
> Hmmm, I think you should be able to extend CODE_SIGNING_ENV and add
> "HTTPS_PROXY= HTTP_PROXY= https_proxy= http_proxy=". That should be
> evaluated after the variables set by ab4af48ba and clear them.
>
> And expanding CODE_SIGNING_ENV depending on the signing provider is
> expected. We already do this for softhsm:
> rules/pre/020-code-signing-softhsm.make
>
> Michael
>
> > Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> > ---
> > ...lient-cert-support-for-pkcs11-module.patch | 88 +++++++++++++++++++
> > ...002-add-bash-like-variable-extension.patch | 67 ++++++++++++++
> > .../0003-add-noproxy-option.patch | 76 ++++++++++++++++
> > patches/yubihsm-shell-2.1.0/series | 6 ++
> > rules/host-yubihsm-shell.in | 13 +++
> > rules/host-yubihsm-shell.make | 37 ++++++++
> > 6 files changed, 287 insertions(+)
> > create mode 100644 patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> > create mode 100644 patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> > create mode 100644 patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> > create mode 100644 patches/yubihsm-shell-2.1.0/series
> > create mode 100644 rules/host-yubihsm-shell.in
> > create mode 100644 rules/host-yubihsm-shell.make
> >
> > diff --git a/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> > new file mode 100644
> > index 000000000..dbce11c85
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0001-add-client-cert-support-for-pkcs11-module.patch
> > @@ -0,0 +1,88 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 26 Jan 2021 14:19:52 +0100
> > +Subject: [PATCH] add client cert support for pkcs11 module
> > +
> > +Allows to authenticate with client certificates at HSM server.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm.h | 6 ++++++
> > + lib/yubihsm_curl.c | 8 ++++++++
> > + pkcs11/cmdline.ggo | 2 ++
> > + pkcs11/yubihsm_pkcs11.c | 14 ++++++++++++++
> > + 4 files changed, 30 insertions(+)
> > +
> > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> > +index ef80d42b1865..da08f68038dd 100644
> > +--- a/lib/yubihsm.h
> > ++++ b/lib/yubihsm.h
> > +@@ -518,6 +518,12 @@ typedef enum {
> > + /// Proxy server to use for connecting to the connector (const char *). Not
> > + /// implemented on Windows
> > + YH_CONNECTOR_PROXY_SERVER = 2,
> > ++ /// File with client certificate to authenticate client with (const char *).
> > ++ /// Not implemented on Windows
> > ++ YH_CONNECTOR_HTTPS_CERT = 3,
> > ++ /// File with client certificates key (const char *).
> > ++ /// Not implemented on Windows
> > ++ YH_CONNECTOR_HTTPS_KEY = 4,
> > + } yh_connector_option;
> > +
> > + #pragma pack(push, 1)
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 6360f3693268..2f46802e0fe1 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -231,6 +231,14 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > + option = CURLOPT_CAINFO;
> > + optname = "CURLOPT_CAINFO";
> > + break;
> > ++ case YH_CONNECTOR_HTTPS_CERT:
> > ++ option = CURLOPT_SSLCERT;
> > ++ optname = "CURLOPT_SSLCERT";
> > ++ break;
> > ++ case YH_CONNECTOR_HTTPS_KEY:
> > ++ option = CURLOPT_SSLKEY;
> > ++ optname = "CURLOPT_SSLKEY";
> > ++ break;
> > + case YH_CONNECTOR_PROXY_SERVER:
> > + option = CURLOPT_PROXY;
> > + optname = "CURLOPT_PROXY";
> > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> > +index 9a357b73062d..9e87e2aa2861 100644
> > +--- a/pkcs11/cmdline.ggo
> > ++++ b/pkcs11/cmdline.ggo
> > +@@ -21,6 +21,8 @@ option "dinout" - "Enable pkcs11 function tracing" flag off
> > + option "libdebug" - "Enable libyubihsm debugging" flag off
> > + option "debug-file" - "Output file for debugging" string optional default="stderr"
> > + option "cacert" - "Cacert to use for HTTPS validation" string optional
> > ++option "cert" - "HTTPS client certificate to authenticate with" string optional
> > ++option "key" - "HTTPS client certificate key" string optional
> > + option "proxy" - "Proxy server to use for connector" string optional
> > + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> > + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> > +index f543c94ed373..25aec8e7c5fe 100644
> > +--- a/pkcs11/yubihsm_pkcs11.c
> > ++++ b/pkcs11/yubihsm_pkcs11.c
> > +@@ -275,6 +275,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> > + goto c_i_failure;
> > + }
> > + }
> > ++ if (args_info.cert_given) {
> > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_CERT,
> > ++ args_info.cert_arg) != YHR_SUCCESS) {
> > ++ DBG_ERR("Failed to set HTTPS cert option");
> > ++ goto c_i_failure;
> > ++ }
> > ++ }
> > ++ if (args_info.key_given) {
> > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_HTTPS_KEY,
> > ++ args_info.key_arg) != YHR_SUCCESS) {
> > ++ DBG_ERR("Failed to set HTTPS key option");
> > ++goto c_i_failure;
> > ++ }
> > ++ }
> > + if (args_info.proxy_given) {
> > + if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_PROXY_SERVER,
> > + args_info.proxy_arg) != YHR_SUCCESS) {
> > diff --git a/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> > new file mode 100644
> > index 000000000..e3d64659a
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0002-add-bash-like-variable-extension.patch
> > @@ -0,0 +1,67 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 2 Feb 2021 08:50:48 +0100
> > +Subject: [PATCH] add bash like variable extension
> > +
> > +Support for `~` and environment variables like `${HOME}`.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm_curl.c | 18 +++++++++++++++++-
> > + 1 file changed, 17 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 2f46802e0fe1..52ca14ddf2d4 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -16,6 +16,7 @@
> > +
> > + #include <string.h>
> > + #include <errno.h>
> > ++#include <wordexp.h>
> > +
> > + #include <arpa/inet.h>
> > +
> > +@@ -225,19 +226,24 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > + const void *val) {
> > + CURLoption option;
> > + const char *optname;
> > ++ wordexp_t expanded;
> > ++ bool expand = false;
> > +
> > + switch (opt) {
> > + case YH_CONNECTOR_HTTPS_CA:
> > + option = CURLOPT_CAINFO;
> > + optname = "CURLOPT_CAINFO";
> > ++ expand = true;
> > + break;
> > + case YH_CONNECTOR_HTTPS_CERT:
> > + option = CURLOPT_SSLCERT;
> > + optname = "CURLOPT_SSLCERT";
> > ++ expand = true;
> > + break;
> > + case YH_CONNECTOR_HTTPS_KEY:
> > + option = CURLOPT_SSLKEY;
> > + optname = "CURLOPT_SSLKEY";
> > ++ expand = true;
> > + break;
> > + case YH_CONNECTOR_PROXY_SERVER:
> > + option = CURLOPT_PROXY;
> > +@@ -247,7 +253,17 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > + DBG_ERR("%d is an unknown option", opt);
> > + return YHR_INVALID_PARAMETERS;
> > + }
> > +- CURLcode rc = curl_easy_setopt(connection, option, (char *) val);
> > ++ if (expand)
> > ++ {
> > ++ if (wordexp((const char *)val, &expanded, 0))
> > ++ {
> > ++ DBG_ERR("Failed to expand %s\n", optname);
> > ++ return YHR_CONNECTOR_ERROR;
> > ++ }
> > ++ }
> > ++ CURLcode rc = curl_easy_setopt(connection, option, expand ? expanded.we_wordv[0] : (char *) val);
> > ++ if (expand)
> > ++ wordfree(&expanded);
> > + if (rc == CURLE_OK) {
> > + DBG_INFO("Successfully set %s.", optname);
> > + return YHR_SUCCESS;
> > diff --git a/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> > new file mode 100644
> > index 000000000..788b9cacf
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/0003-add-noproxy-option.patch
> > @@ -0,0 +1,76 @@
> > +From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +Date: Tue, 2 Feb 2021 08:32:54 +0100
> > +Subject: [PATCH] add noproxy option
> > +
> > +work-around for https://git.pengutronix.de/cgit/ptxdist/commit/?id=ab4af48ba403167f42c417f8ecfef1d0a870c0c3
> > +
> > +Use `noproxy=*` in your config file to use the plugin outside of
> > +get stage, e.g. in barebox compile stage.
> > +
> > +Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +---
> > + lib/yubihsm.h | 3 +++
> > + lib/yubihsm_curl.c | 4 ++++
> > + pkcs11/cmdline.ggo | 1 +
> > + pkcs11/yubihsm_pkcs11.c | 7 +++++++
> > + 4 files changed, 15 insertions(+)
> > +
> > +diff --git a/lib/yubihsm.h b/lib/yubihsm.h
> > +index da08f68038dd..5f90eca0d8e8 100644
> > +--- a/lib/yubihsm.h
> > ++++ b/lib/yubihsm.h
> > +@@ -524,6 +524,9 @@ typedef enum {
> > + /// File with client certificates key (const char *).
> > + /// Not implemented on Windows
> > + YH_CONNECTOR_HTTPS_KEY = 4,
> > ++ /// Comma separated list of hosts ignoring proxy, `*` to disable proxy.
> > ++ /// Not implemented on Windows
> > ++ YH_CONNECTOR_NOPROXY = 5,
> > + } yh_connector_option;
> > +
> > + #pragma pack(push, 1)
> > +diff --git a/lib/yubihsm_curl.c b/lib/yubihsm_curl.c
> > +index 52ca14ddf2d4..f7f7cd8f54da 100644
> > +--- a/lib/yubihsm_curl.c
> > ++++ b/lib/yubihsm_curl.c
> > +@@ -249,6 +249,10 @@ static yh_rc backend_option(yh_backend *connection, yh_connector_option opt,
> > + option = CURLOPT_PROXY;
> > + optname = "CURLOPT_PROXY";
> > + break;
> > ++ case YH_CONNECTOR_NOPROXY:
> > ++ option = CURLOPT_NOPROXY;
> > ++ optname = "CURLOPT_NOPROXY";
> > ++ break;
> > + default:
> > + DBG_ERR("%d is an unknown option", opt);
> > + return YHR_INVALID_PARAMETERS;
> > +diff --git a/pkcs11/cmdline.ggo b/pkcs11/cmdline.ggo
> > +index 9e87e2aa2861..cdf97ae0d33d 100644
> > +--- a/pkcs11/cmdline.ggo
> > ++++ b/pkcs11/cmdline.ggo
> > +@@ -24,6 +24,7 @@ option "cacert" - "Cacert to use for HTTPS validation" string optional
> > + option "cert" - "HTTPS client certificate to authenticate with" string optional
> > + option "key" - "HTTPS client certificate key" string optional
> > + option "proxy" - "Proxy server to use for connector" string optional
> > ++option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional
> > + option "timeout" - "Timeout to use for initial connection to connector" int optional default="5"
> > + option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple
> > +
> > +diff --git a/pkcs11/yubihsm_pkcs11.c b/pkcs11/yubihsm_pkcs11.c
> > +index 25aec8e7c5fe..38b08bbf8000 100644
> > +--- a/pkcs11/yubihsm_pkcs11.c
> > ++++ b/pkcs11/yubihsm_pkcs11.c
> > +@@ -296,6 +296,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
> > + goto c_i_failure;
> > + }
> > + }
> > ++ if (args_info.noproxy_given) {
> > ++ if (yh_set_connector_option(connector_list[i], YH_CONNECTOR_NOPROXY,
> > ++ args_info.noproxy_arg) != YHR_SUCCESS) {
> > ++ DBG_ERR("Failed to set noproxy option");
> > ++goto c_i_failure;
> > ++ }
> > ++ }
> > +
> > + if (yh_connect(connector_list[i], args_info.timeout_arg) != YHR_SUCCESS) {
> > + DBG_ERR("Failed to connect '%s'", args_info.connector_arg[i]);
> > diff --git a/patches/yubihsm-shell-2.1.0/series b/patches/yubihsm-shell-2.1.0/series
> > new file mode 100644
> > index 000000000..a0fbb2915
> > --- /dev/null
> > +++ b/patches/yubihsm-shell-2.1.0/series
> > @@ -0,0 +1,6 @@
> > +# generated by git-ptx-patches
> > +#tag:base --start-number 1
> > +0001-add-client-cert-support-for-pkcs11-module.patch
> > +0002-add-bash-like-variable-extension.patch
> > +0003-add-noproxy-option.patch
> > +# fcbee908545e468ec4e840d2d56da1be - git-ptx-patches magic
> > diff --git a/rules/host-yubihsm-shell.in b/rules/host-yubihsm-shell.in
> > new file mode 100644
> > index 000000000..3b17a2e98
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.in
> > @@ -0,0 +1,13 @@
> > +## SECTION=hosttools_noprompt
> > +
> > +config HOST_YUBIHSM_SHELL
> > +tristate
> > +default ALLYES
> > +select HOST_CMAKE
> > +select HOST_OPENSSL
> > +select HOST_LIBCURL
> > +select HOST_LIBUSB
> > +select HOST_GENGETOPT
> > +select HOST_LIBEDIT
> > +select HOST_PCSC_LITE
> > +select HOST_LIBP11
> > diff --git a/rules/host-yubihsm-shell.make b/rules/host-yubihsm-shell.make
> > new file mode 100644
> > index 000000000..3ebfc8c1f
> > --- /dev/null
> > +++ b/rules/host-yubihsm-shell.make
> > @@ -0,0 +1,37 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +HOST_PACKAGES-$(PTXCONF_HOST_YUBIHSM_SHELL) += host-yubihsm-shell
> > +
> > +#
> > +# Paths and names
> > +#
> > +HOST_YUBIHSM_SHELL_VERSION:= 2.1.0
> > +HOST_YUBIHSM_SHELL_MD5:= 7363c0bc4ed037e262474beaa6e1407b
> > +HOST_YUBIHSM_SHELL:= yubihsm-shell-$(HOST_YUBIHSM_SHELL_VERSION)
> > +HOST_YUBIHSM_SHELL_SUFFIX:= tar.gz
> > +HOST_YUBIHSM_SHELL_URL:= https://github.com/Yubico/yubihsm-shell/archive/$(HOST_YUBIHSM_SHELL_VERSION).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_SOURCE:= $(SRCDIR)/$(HOST_YUBIHSM_SHELL).$(HOST_YUBIHSM_SHELL_SUFFIX)
> > +HOST_YUBIHSM_SHELL_DIR:= $(HOST_BUILDDIR)/$(HOST_YUBIHSM_SHELL)
> > +
> > +# ----------------------------------------------------------------------------
> > +# Prepare
> > +# ----------------------------------------------------------------------------
> > +
> > +#
> > +# cmake
> > +#
> > +HOST_YUBIHSM_SHELL_CONF_TOOL:= cmake
> > +HOST_YUBIHSM_SHELL_CONF_OPT:= \
> > +$(HOST_CMAKE_OPT) \
> > +-DBUILD_ONLY_LIB=OFF \
> > +-DENABLE_COVERAGE=OFF \
> > +-DSUPRESS_MSVC_WARNINGS=ON \
> > +-DWITHOUT_MANPAGES=1
> > +
> > +# vim: syntax=make
> > --
> > 2.30.1
> >
> > Diehl Connectivity Solutions GmbH
> > Geschäftsführung: Horst Leonberger
> > Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
> > Nürnberg: HRB 32315
> >
> > ________________________________
> >
> > Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
> > Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
> > Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
> >
> > - Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
> >
> > https://www.diehl.com/group/de/transparenz-und-informationspflichten/
> >
> > The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
> > mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
> >
> > - For general information on data protection and your respective rights please visit:
> >
> > https://www.diehl.com/group/en/transparency-and-information-obligations/
> >
> >
> >
> > _______________________________________________
> > ptxdist mailing list
> > ptxdist@pengutronix.de
> > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> >
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
________________________________
Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
https://www.diehl.com/group/de/transparenz-und-informationspflichten/
The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
- For general information on data protection and your respective rights please visit:
https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [APPLIED] host-gengetopt: move to _noprompt section
2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
@ 2021-03-14 13:35 ` Michael Olbrich
0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
To: ptxdist; +Cc: Denis Osterland-Heim
Thanks, applied as c369517da9672d567fe433e95649203670cbab2e.
Michael
[sent from post-receive hook]
On Sun, 14 Mar 2021 14:35:41 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> This allows to select this from platforms as well.
>
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-2-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/host-gengetopt.in b/rules/host-gengetopt.in
> index f6855ab5f8dc..d42ccf477bdc 100644
> --- a/rules/host-gengetopt.in
> +++ b/rules/host-gengetopt.in
> @@ -1,8 +1,8 @@
> -## SECTION=hosttools
> +## SECTION=hosttools_noprompt
>
> config HOST_GENGETOPT
> tristate
> - prompt "gengetopt"
> + default ALLYES
> help
> Gengetopt is a tool to write command line option
> parsing code for C programs.
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [APPLIED] host-libedit: new package
2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
@ 2021-03-14 13:35 ` Michael Olbrich
0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
To: ptxdist; +Cc: Denis Osterland-Heim
Thanks, applied as 815a2bd59c163a0430a02c740244d4131ec65ddc.
Michael
[sent from post-receive hook]
On Sun, 14 Mar 2021 14:35:42 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-3-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/host-libedit.in b/rules/host-libedit.in
> new file mode 100644
> index 000000000000..49e7c4548df6
> --- /dev/null
> +++ b/rules/host-libedit.in
> @@ -0,0 +1,5 @@
> +## SECTION=hosttools_noprompt
> +
> +config HOST_LIBEDIT
> + tristate
> + default ALLYES
> diff --git a/rules/host-libedit.make b/rules/host-libedit.make
> new file mode 100644
> index 000000000000..ae8bff95f052
> --- /dev/null
> +++ b/rules/host-libedit.make
> @@ -0,0 +1,11 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2021 by Denis Osterland-Heim <Denis.Osterland@diehl.com>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +HOST_PACKAGES-$(PTXCONF_HOST_LIBEDIT) += host-libedit
> +
> +# vim: syntax=make
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [ptxdist] [APPLIED] libp11: version bump 0.4.10 -> 0.4.11
2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
@ 2021-03-14 13:35 ` Michael Olbrich
0 siblings, 0 replies; 13+ messages in thread
From: Michael Olbrich @ 2021-03-14 13:35 UTC (permalink / raw)
To: ptxdist; +Cc: Denis Osterland-Heim
Thanks, applied as 2ba9450d833dbe3337a2ee812aa45e5f8f7115b1.
Michael
[sent from post-receive hook]
On Sun, 14 Mar 2021 14:35:43 +0100, Denis Osterland-Heim <denis.osterland@diehl.com> wrote:
> Signed-off-by: Denis Osterland-Heim <denis.osterland@diehl.com>
> Message-Id: <20210308123418.10187-5-denis.osterland@diehl.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/libp11.make b/rules/libp11.make
> index 8e2d1517fd24..2c551b914f9b 100644
> --- a/rules/libp11.make
> +++ b/rules/libp11.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBP11) += libp11
> #
> # Paths and names
> #
> -LIBP11_VERSION := 0.4.10
> -LIBP11_MD5 := 3464874bb5ca47b8e4c1d540758dcfe9
> +LIBP11_VERSION := 0.4.11
> +LIBP11_MD5 := 8b907abd572b0eb8e63413549f68dbe1
> LIBP11 := libp11-$(LIBP11_VERSION)
> LIBP11_SUFFIX := tar.gz
> LIBP11_URL := https://github.com/OpenSC/libp11/releases/download/$(LIBP11)/$(LIBP11).$(LIBP11_SUFFIX)
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2021-03-14 13:35 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-08 12:35 [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 5/5] host-yubihsm-shell: new package Denis Osterland-Heim
2021-03-12 7:47 ` Michael Olbrich
2021-03-12 8:17 ` Denis Osterland-Heim
2021-03-08 12:35 ` [ptxdist] [PATCH 4/5] libp11: version bump 0.4.10 -> 0.4.11 Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 1/5] host-gengetopt: move to _noprompt section Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 3/5] host-libcurl: enable http(s) support Denis Osterland-Heim
2021-03-12 7:35 ` Michael Olbrich
2021-03-08 12:35 ` [ptxdist] [PATCH 2/5] host-libedit: new package Denis Osterland-Heim
2021-03-14 13:35 ` [ptxdist] [APPLIED] " Michael Olbrich
2021-03-08 14:35 ` [ptxdist] yubi HSM pkcs11 plugin for signing provider Denis Osterland-Heim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox