Message ID | c42fcd38-b56d-4f3b-8ecf-3ddaaa45864dn@googlegroups.com
---|---
State | Accepted
Delegated to | Stefano Babic
Series | Re: [meta-swupdate][PATCH] swupdate-common: add -certfile arg to CMS signing
On 29.09.23 09:29, Viktor Voronin wrote:
> Dear Stefano,
>
> any chance for this to be merged?

I have problems finding the patch in patchwork: https://patchwork.ozlabs.org/project/swupdate/list/

I see this reply, but I cannot find the original patch.

Regards,
Stefano

> Regards, Victor
>
> On Friday, 23 June 2023 at 18:06:20 UTC+2 Wes Malone wrote:
>
> Using openssl cms the recipient may not share intermediate certs in the chain. The -certfile option includes these certificates in the message, ensuring the recipient can establish the full chain of trust from a root CA they already have, through the intermediate certificate(s) to the signing certificate.
>
> Add optional SWUPDATE_CMS_EXTRA_CERTS var to add additional certs to CMS output using -certfile argument.
>
> Signed-off-by: Wes Malone <w...@mitsi.com>
> ---
> README | 2 ++
> classes/swupdate-common.bbclass | 19 +++++++++++++++++--
> 2 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/README b/README > index 52987bd..6975ae9 100644 > --- a/README > +++ b/README > @@ -62,6 +62,8 @@ There are 3 signing mechanisms supported by > meta-swupdate at the moment: > > * Set `SWUPDATE_CMS_KEY ` to the full path of private key file > > + * (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited > list of intermediate certificate files > + > 3. Custom signing tool: > > * Set variable: `SWUPDATE_SIGNING = "CUSTOM"` > diff --git a/classes/swupdate-common.bbclass > b/classes/swupdate-common.bbclass > index d7139a3..2b3fa74 100644 > --- a/classes/swupdate-common.bbclass > +++ b/classes/swupdate-common.bbclass
> @@ -34,6 +34,18 @@ def get_pwd_file_args(d, passfile): > pwd_args = ["-passin", "file:%s" % pwd_file] > return pwd_args > > +def get_certfile_args(d): > + extra_certs = d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True) > + if not extra_certs: > + return [] > + certfile_args = [] > + extra_paths = extra_certs.split() > + for crt_path in extra_paths: > + if not os.path.exists(crt_path): > + bb.fatal("SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist" % > (crt_path)) > + certfile_args.extend(["-certfile", crt_path]) > + return certfile_args > + > def swupdate_getdepends(d): > def adddep(depstr, deps): > for i in (depstr or "").split(): 
> @@ -204,8 +216,11 @@ def prepare_sw_description(d): > bb.fatal("SWUPDATE_CMS_KEY isn't set") > if not os.path.exists(cms_key): > bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) > - signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", > sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \ > - get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-outform", > "DER", "-nosmimecap", "-binary"] > + signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", > sw_desc_sig] + \ > + ["-signer", cms_cert, "-inkey", cms_key] + \ > + ["-outform", "DER", "-nosmimecap", "-binary"] + \ > + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \ > + get_certfile_args(d) > else: > bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.") > subprocess.run(' '.join(signcmd), shell=True, check=True) > -- > 2.41.0
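Review bot: the new README line for `SWUPDATE_CMS_EXTRA_CERTS` should say the files have to be PEM-encoded, since that is the format `openssl cms -certfile` reads, and "space delimited" wants a hyphen. It would also help to state that the signer certificate itself (the one passed as `-signer`) is not to be listed here, only the intermediates between it and the root CA the devices already trust.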
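Review bot: the loop in get_certfile_args emits one `-certfile` per listed path, and I would check how the build host's openssl treats a repeated `-certfile`: in the apps/cms.c I know, the option is stored in a single variable, so only the last file given is loaded and any earlier intermediate silently disappears from the CMS blob, which a device holding only the root CA then fails to verify. A single PEM file may hold several certificates, so the robust form is to concatenate the listed files into one bundle under the work directory and pass `-certfile` once (or document that the variable names exactly one bundle file). Minor: if the rest of the class already calls `d.getVar()` without the expand flag, `d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True)` can follow that convention.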
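Review bot: every path returned by `get_certfile_args(d)` ends up in `subprocess.run(' '.join(signcmd), shell=True, check=True)` in the unchanged context below the hunk, unquoted, so a path containing a space or a shell metacharacter would be split or interpreted there. The README limits the variable to a space-delimited list, which excludes spaces by construction, but quoting each element with `shlex.quote` (or passing `signcmd` as a list without `shell=True`) removes the dependency on that convention. Separately, moving `["-outform", "DER", "-nosmimecap", "-binary"]` ahead of `get_pwd_file_args(...)` is behaviour-neutral but unrelated to the feature; a separate commit would keep the functional change easy to review.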
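The chain-of-trust point from the cover letter, shown end to end with openssl: an added example, not code from the patch or from meta-swupdate. It assumes openssl 1.1.1 or later on PATH; the certificate names, the temporary directory and the one-line sw-description are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the patch or of meta-swupdate): build a throwaway
# root -> intermediate -> signer chain, sign a constructed sw-description the way
# swupdate-common.bbclass invokes openssl, and verify against the root CA alone,
# as a device that trusts only the root would.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'software = { version = "1.0.0"; }\n' > sw-description   # constructed payload

# Extension profiles for the CA certificates and for the signing certificate
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
csr root; csr inter; csr signer
# Self-signed root, intermediate issued by the root, signer issued by the intermediate
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 \
    -extfile ca.ext -out inter.crt 2>/dev/null
openssl x509 -req -in signer.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 1 \
    -extfile leaf.ext -out signer.crt 2>/dev/null

# $1 = output signature; remaining arguments = extra openssl cms options (e.g. -certfile)
sign() {
    out=$1; shift
    openssl cms -sign -in sw-description -out "$out" -signer signer.crt -inkey signer.key \
        -outform DER -nosmimecap -binary "$@"
}
# Succeeds only if a chain from the signer certificate inside the CMS blob to root.crt can be built
verify_with_root_only() {
    openssl cms -verify -in "$1" -inform DER -content sw-description -binary \
        -CAfile root.crt -out /dev/null
}

sign sig-plain.der                          # as before the patch: signer certificate only
sign sig-certfile.der -certfile inter.crt   # what SWUPDATE_CMS_EXTRA_CERTS = "inter.crt" adds
if verify_with_root_only sig-plain.der; then
    echo "unexpected: chain built without the intermediate"; exit 1
fi
verify_with_root_only sig-certfile.der
echo "ok: -certfile carried the intermediate, so a root-only verifier built the chain"
```

The first verification fails with "unable to get local issuer certificate" because nothing in the blob or the verifier's store links the signer to the root; the second succeeds because the intermediate travels inside the SignedData.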