From patchwork Tue Sep 19 07:53:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Victor Voronin X-Patchwork-Id: 1836524 X-Patchwork-Delegate: sbabic@denx.de X-Patchwork-Original-From: "'Victor Voronin' via swupdate"
From: Victor Voronin To: swupdate@googlegroups.com Cc: Victor Voronin Subject: [swupdate] [swugenerator][PATCH] CMS signing: add -certfile option Date: Tue, 19 Sep 2023 09:53:19 +0200 Message-Id: <20230919075318.27595-1-viktor.voronin@evologics.de> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 X-Original-Sender: viktor.voronin@evologics.de X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@evologics.de header.s=dkim header.b=ZQ75w2xr; spf=permerror (google.com: permanent error in processing during lookup of viktor.voronin@evologics.de: spf.strato.de not found) smtp.mailfrom=viktor.voronin@evologics.de; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=evologics.de X-Original-From: Victor Voronin Reply-To: Victor Voronin Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: swupdate@googlegroups.com X-Google-Group-Id: 605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , Signed-off-by: Victor Voronin --- swugenerator/main.py | 17 +++++++++++------ swugenerator/swu_sign.py | 14 +++++++++++++- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/swugenerator/main.py b/swugenerator/main.py index 4531865..22ff0ee 100644 --- a/swugenerator/main.py +++ b/swugenerator/main.py @@ -86,6 +86,7 @@ def parse_signing_option( ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: """Parses signgning option passed by user. Valid options can be found below. + CMS,,,, CMS,,, CMS,, RSA,, 
@@ -105,15 +106,19 @@ def parse_signing_option( sign_parms = sign_arg.split(",") cmd = sign_parms[0] if cmd == "CMS": - if len(sign_parms) not in (3, 4) or not all(sign_parms): + if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]): raise InvalidSigningOption( - "CMS requires private key, certificate, and an optional password file" + "CMS requires private key, certificate, an optional password file and an optional file with additional certificates" ) + # Format : CMS,,,, + if len(sign_parms) == 5: + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], sign_parms[4]) # Format : CMS,,, - if len(sign_parms) == 4: - return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3]) + elif len(sign_parms) == 4: + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], None) # Format : CMS,, - return SWUSignCMS(sign_parms[1], sign_parms[2], None) + else: + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) if cmd == "RSA": if len(sign_parms) not in (2, 3) or not all(sign_parms): raise InvalidSigningOption( @@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: """\ RSA key or certificate to sign the SWU One of : - CMS,,, + CMS,,,, RSA,, PKCS11, CUSTOM, """ diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py index 7097a9d..f73802e 100644 --- a/swugenerator/swu_sign.py +++ b/swugenerator/swu_sign.py @@ -14,6 +14,7 @@ class SWUSign: self.cert = None self.cmd = None self.passin = None + self.certfile = None self.signcmd = [] def get_passwd_file_args(self): @@ -25,6 +26,15 @@ class SWUSign: def set_password_file(self, passin): self.passin = passin + def get_certfile_args(self): + certfile_args = [] + if self.certfile: + certfile_args = ["-certfile", self.certfile] + return certfile_args + + def set_certfile(self, certfile): + self.certfile = certfile + def sign(self): try: subprocess.run(" ".join(self.signcmd), shell=True, check=True, text=True) 
@@ -36,12 +46,13 @@ class SWUSign: class SWUSignCMS(SWUSign): - def __init__(self, key, cert, passin): + def __init__(self, key, cert, passin, certfile): super().__init__() self.type = "CMS" self.key = key self.cert = cert self.passin = passin + self.certfile = certfile def prepare_cmd(self, sw_desc_in, sw_desc_sig): self.signcmd = [ @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): "-binary", ] self.signcmd += self.get_passwd_file_args() + self.signcmd += self.get_certfile_args() class SWUSignRSA(SWUSign):
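Review bot: In the swugenerator/main.py hunk at @@ -105,15 +106,19 @@, the new guard `not all(sign_parms[0:2])` only covers sign_parms[0] and sign_parms[1], so an empty certificate field (sign_parms[2]) is no longer rejected, whereas the old `not all(sign_parms)` rejected any empty field. If the intent is to allow an empty password slot when only the additional-certificates file is given, check `sign_parms[0:3]` and convert empty optional fields to None before they reach SWUSignCMS, so an empty string is never passed on as a file name.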
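Review bot: get_certfile_args() in the swugenerator/swu_sign.py hunk at @@ -25,6 +26,15 @@ returns the user-supplied path unquoted, and the sign() context lines in the same hunk join signcmd with spaces and run it with shell=True, so a certfile path containing spaces or shell metacharacters is split or interpreted by the shell. Quote the value with shlex.quote when building the argument, or pass signcmd to subprocess.run as a list without shell=True. set_certfile() is added here but nothing in this patch calls it; either use it or drop it.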
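Review bot: In the SWUSignCMS.__init__ hunk at @@ -36,12 +46,13 @@, certfile becomes a required fourth positional parameter, so any caller still using the three-argument form raises TypeError. Give it a default, `def __init__(self, key, cert, passin, certfile=None):`, which keeps existing callers working and lets parse_signing_option drop the explicit trailing None arguments.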
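Review bot: The `self.signcmd += self.get_certfile_args()` line added at the end of prepare_cmd in the hunk at @@ -64,6 +75,7 @@ is undocumented: the commit message consists only of the Signed-off-by line, and no README or docstring change explains the new field. State in the commit message what the additional certificates are for and when a user needs them, and document the new fifth CMS field alongside the existing signing options.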