
[meta-swupdate] swupdate-common: add -certfile arg to CMS signing

Message ID 20230623160514.1240911-1-wes@mitsi.com
State Accepted
Delegated to: Stefano Babic

Commit Message

Wes Malone June 23, 2023, 4:05 p.m. UTC
When signing with openssl cms, the recipient may not already have the
intermediate certs in the chain. The -certfile option includes these
certificates in the message, ensuring the recipient can establish the full
chain of trust from a root CA they already have, through the intermediate
certificate(s), to the signing certificate.

Add optional SWUPDATE_CMS_EXTRA_CERTS var to add additional certs to CMS
output using -certfile argument.

Signed-off-by: Wes Malone <wes@mitsi.com>
---
 README                          |  2 ++
 classes/swupdate-common.bbclass | 19 +++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)


diff --git a/README b/README
index 52987bd..6975ae9 100644
--- a/README
+++ b/README
@@ -62,6 +62,8 @@  There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
   * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
 
+  * (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited list of intermediate certificate files
+
 3. Custom signing tool:
 
   * Set variable: `SWUPDATE_SIGNING = "CUSTOM"`
diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index d7139a3..2b3fa74 100644
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -34,6 +34,18 @@  def get_pwd_file_args(d, passfile):
        pwd_args = ["-passin", "file:%s" % pwd_file]
     return pwd_args
 
+def get_certfile_args(d):
+    extra_certs = d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True)
+    if not extra_certs:
+        return []
+    certfile_args = []
+    extra_paths = extra_certs.split()
+    for crt_path in extra_paths:
+        if not os.path.exists(crt_path):
+            bb.fatal("SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist" % (crt_path))
+        certfile_args.extend(["-certfile", crt_path])
+    return certfile_args
+
 def swupdate_getdepends(d):
     def adddep(depstr, deps):
         for i in (depstr or "").split():
@@ -204,8 +216,11 @@  def prepare_sw_description(d):
                 bb.fatal("SWUPDATE_CMS_KEY isn't set")
             if not os.path.exists(cms_key):
                 bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
-            signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \
-                        get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-outform", "DER", "-nosmimecap", "-binary"]
+            signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig] + \
+                        ["-signer", cms_cert, "-inkey", cms_key] + \
+                        ["-outform", "DER", "-nosmimecap", "-binary"] + \
+                        get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
+                        get_certfile_args(d)
         else:
             bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.")
         subprocess.run(' '.join(signcmd), shell=True, check=True)
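Review bot: The certificate paths appended by `get_certfile_args(d)` end up in the `' '.join(signcmd)` string that the unchanged last line executes with `shell=True`, so they undergo shell word splitting and metacharacter expansion like every other argument. Since `signcmd` is already a list, `subprocess.run(signcmd, check=True)` would pass each path verbatim and drop the shell entirely. prepare_sw_description starts outside this hunk.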