From patchwork Mon Oct 9 07:43:45 2023
X-Patchwork-Submitter: Victor Voronin
X-Patchwork-Id: 1845059
X-Patchwork-Delegate: sbabic@denx.de
From: Victor Voronin
To: swupdate@googlegroups.com
Cc: Victor Voronin
Subject: [swupdate] [meta-swupdate][PATCH] swupdate-common: add -certfile arg to CMS signing
Date: Mon, 9 Oct 2023 09:43:45 +0200
Message-Id: <20231009074344.2890616-1-viktor.voronin@evologics.de>

Using openssl cms the recipient may not share intermediate certs in the chain. The -certfile option includes these certificates in the message, ensuring the recipient can establish the full chain of trust from a root CA they already have, through the intermediate certificate(s) to the signing certificate.

Add optional SWUPDATE_CMS_EXTRA_CERTS var to add additional certs to CMS output using -certfile argument.

Patch based on the original work from Wes Malone, applied manually and tested on 'dunfell', will require a rebase to apply on 'master'.

Signed-off-by: Victor Voronin
---
 README                          |  2 ++
 classes/swupdate-common.bbclass | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/README b/README
index 52987bd..6975ae9 100644
--- a/README
+++ b/README
@@ -62,6 +62,8 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment: * Set `SWUPDATE_CMS_KEY ` to the full path of private key file + * (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited list of intermediate certificate files + 3. Custom signing tool: * Set variable: `SWUPDATE_SIGNING = "CUSTOM"` diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass index fbbd275..40c1afe 100644 --- a/classes/swupdate-common.bbclass +++ b/classes/swupdate-common.bbclass @@ -34,6 +34,18 @@ def get_pwd_file_args(d, passfile): pwd_args = ["-passin", "file:%s" % pwd_file] return pwd_args +def get_certfile_args(d): + extra_certs = d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True) + if not extra_certs: + return [] + certfile_args = [] + extra_paths = extra_certs.split() + for crt_path in extra_paths: + if not os.path.exists(crt_path): + bb.fatal("SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist" % (crt_path)) + certfile_args.extend(["-certfile", crt_path]) + return certfile_args + def swupdate_getdepends(d): def adddep(depstr, deps): for i in (depstr or "").split(): @@ -205,7 +217,9 @@ def prepare_sw_description(d): if not os.path.exists(cms_key): bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key)) signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \ - get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-outform", "DER", "-nosmimecap", "-binary"] + ["-outform", "DER", "-nosmimecap", "-binary"] + \ + get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \ + get_certfile_args(d) else: bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.") subprocess.run(' '.join(signcmd), shell=True, check=True)
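Review bot: the new README bullet should state which encoding the listed files must have; `openssl cms -certfile` reads PEM unless `-certform` is given, so a DER-encoded intermediate would pass the new existence check and only fail later inside the signing command. Suggest: `* (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited list of PEM-encoded intermediate certificate files`. Since the value is split on whitespace, the same line should say that paths containing spaces cannot be used.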
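Review bot: the check in `get_certfile_args` uses `os.path.exists`, so a directory (or any non-regular file) at `crt_path` passes and the failure surfaces only as an opaque openssl error from the final `subprocess.run`; `if not os.path.isfile(crt_path):` would reject that case up front with the clear `SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist` message. The explicit `True` in `d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True)` is the legacy expand argument; since the commit message says a rebase onto master is still needed, dropping it there would match current getVar usage.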
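Review bot: moving `["-outform", "DER", "-nosmimecap", "-binary"]` ahead of `get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE')` is unrelated to adding `-certfile` and is not explained in the commit message; openssl accepts these options in either order, so either keep the original ordering and only append `+ get_certfile_args(d)`, or say in the message why the order changed. Note also that the command is still assembled with `' '.join(signcmd)` and `shell=True`, so the new certificate paths go through the shell unquoted like the existing `cms_cert` and `cms_key`; quoting each element with `shlex.quote` (or dropping `shell=True` and passing the list directly) would be the safe follow-up. Embedding the intermediates does not weaken verification on the device, because the verifier still has to build the chain up to the root CA it already trusts.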