Message ID | CA+syA0s2NTnXrYMYq0+Gf4-Jes-yGi57A6ZsfRf=Jjou22nhog@mail.gmail.com |
---|---|
State | Changes Requested |
Delegated to: | Stefano Babic |
Series | [swugenerator] CMS signing: add -certfile option | expand |
Dear Stefano, is there any possibility for this to be merged? If there are any objections, please let me know. Regards, Victor On Tue, 12 Sept 2023 at 14:07, Viktor Voronin <viktor.voronin@evologics.de> wrote: > Hi Stefano, > > here is a patch to optionally add -certfile option to openssl on CMS > signing. In my case it is due to an intermediate CA between signer and root > authority. > > Signed-off-by: Victor Voronin <viktor.voronin@evologics.de> > --- > swugenerator/main.py | 17 +++++++++++------ > swugenerator/swu_sign.py | 14 +++++++++++++- > 2 files changed, 24 insertions(+), 7 deletions(-) > > diff --git a/swugenerator/main.py b/swugenerator/main.py > index 4531865..22ff0ee 100644 > --- a/swugenerator/main.py > +++ b/swugenerator/main.py > @@ -86,6 +86,7 @@ def parse_signing_option( > ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: > """Parses signgning option passed by user. Valid options can be found > below. > > + CMS,<private key>,<certificate used to sign>,<file with > password>,<file with certs> > CMS,<private key>,<certificate used to sign>,<file with password> > CMS,<private key>,<certificate used to sign> > RSA,<private key>,<file with password> 
> @@ -105,15 +106,19 @@ def parse_signing_option( > sign_parms = sign_arg.split(",") > cmd = sign_parms[0] > if cmd == "CMS": > - if len(sign_parms) not in (3, 4) or not all(sign_parms): > + if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]): > raise InvalidSigningOption( > - "CMS requires private key, certificate, and an optional > password file" > + "CMS requires private key, certificate, an optional > password file and an optional file with additional certificates" > ) > + # Format : CMS,<private key>,<certificate used to sign>,<file > with password>,<file with certs> > + if len(sign_parms) == 5: > + return SWUSignCMS(sign_parms[1], sign_parms[2], > sign_parms[3], sign_parms[4]) > # Format : CMS,<private key>,<certificate used to sign>,<file > with password> > - if len(sign_parms) == 4: > - return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3]) > + elif len(sign_parms) == 4: > + return SWUSignCMS(sign_parms[1], sign_parms[2], > sign_parms[3], None) > # Format : CMS,<private key>,<certificate used to sign> > - return SWUSignCMS(sign_parms[1], sign_parms[2], None) > + else: > + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) > if cmd == "RSA": > if len(sign_parms) not in (2, 3) or not all(sign_parms): > raise InvalidSigningOption( > @@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: > """\ > RSA key or certificate to sign the SWU > One of : > - CMS,<private key>,<certificate used to sign>,<file with > password if any> > + CMS,<private key>,<certificate used to sign>,<file with > password if any>,<file with certs if any> > RSA,<private key>,<file with password if any> > PKCS11,<pin> > CUSTOM,<custom command> """ > diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py > index 7097a9d..f73802e 100644 > --- a/swugenerator/swu_sign.py > +++ b/swugenerator/swu_sign.py 
> @@ -14,6 +14,7 @@ class SWUSign: > self.cert = None > self.cmd = None > self.passin = None > + self.certfile = None > self.signcmd = [] > > def get_passwd_file_args(self): > @@ -25,6 +26,15 @@ class SWUSign: > def set_password_file(self, passin): > self.passin = passin > > + def get_certfile_args(self): > + certfile_args = [] > + if self.certfile: > + certfile_args = ["-certfile", self.certfile] > + return certfile_args > + > + def set_certfile(self, certfile): > + self.certfile = certfile > + > def sign(self): > try: > subprocess.run(" ".join(self.signcmd), shell=True, > check=True, text=True) > @@ -36,12 +46,13 @@ class SWUSign: > > > class SWUSignCMS(SWUSign): > - def __init__(self, key, cert, passin): > + def __init__(self, key, cert, passin, certfile): > super().__init__() > self.type = "CMS" > self.key = key > self.cert = cert > self.passin = passin > + self.certfile = certfile > > def prepare_cmd(self, sw_desc_in, sw_desc_sig): > self.signcmd = [ > @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): > "-binary", > ] > self.signcmd += self.get_passwd_file_args() > + self.signcmd += self.get_certfile_args() > > > class SWUSignRSA(SWUSign): > -- > 2.25.1 >
Hi Viktor, On 18.09.23 16:21, 'Viktor Voronin' via swupdate wrote: > Dear Stefano, > > is there any possibility for this to be merged? If there are any > objections, please let me know. > Your patch is malformed and could not be applied, I get: error: patch fragment without header at line 7: @@ -36,12 +46,13 @@ class SWUSign: Please use git send-email to post the patch, else it seems your mail is damaging the patch. Please fix it and repost. Best regards, Stefano Babic > Regards, > Victor > > On Tue, 12 Sept 2023 at 14:07, Viktor Voronin > <viktor.voronin@evologics.de <mailto:viktor.voronin@evologics.de>> wrote: > > Hi Stefano, > > here is a patch to optionally add -certfile option to openssl on CMS > signing. In my case it is due to an intermediate CA between signer > and root authority. > > Signed-off-by: Victor Voronin <viktor.voronin@evologics.de > <mailto:viktor.voronin@evologics.de>> > --- > swugenerator/main.py | 17 +++++++++++------ > swugenerator/swu_sign.py | 14 +++++++++++++- > 2 files changed, 24 insertions(+), 7 deletions(-) > > diff --git a/swugenerator/main.py b/swugenerator/main.py > index 4531865..22ff0ee 100644 > --- a/swugenerator/main.py > +++ b/swugenerator/main.py > @@ -86,6 +86,7 @@ def parse_signing_option( > ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: > """Parses signgning option passed by user. Valid options can > be found below. > > + CMS,<private key>,<certificate used to sign>,<file with > password>,<file with certs> > CMS,<private key>,<certificate used to sign>,<file with password> > CMS,<private key>,<certificate used to sign> > RSA,<private key>,<file with password> 
> @@ -105,15 +106,19 @@ def parse_signing_option( > sign_parms = sign_arg.split(",") > cmd = sign_parms[0] > if cmd == "CMS": > - if len(sign_parms) not in (3, 4) or not all(sign_parms): > + if len(sign_parms) not in (3, 4, 5) or not > all(sign_parms[0:2]): > raise InvalidSigningOption( > - "CMS requires private key, certificate, and an > optional password file" > + "CMS requires private key, certificate, an optional > password file and an optional file with additional certificates" > ) > + # Format : CMS,<private key>,<certificate used to > sign>,<file with password>,<file with certs> > + if len(sign_parms) == 5: > + return SWUSignCMS(sign_parms[1], sign_parms[2], > sign_parms[3], sign_parms[4]) > # Format : CMS,<private key>,<certificate used to > sign>,<file with password> > - if len(sign_parms) == 4: > - return SWUSignCMS(sign_parms[1], sign_parms[2], > sign_parms[3]) > + elif len(sign_parms) == 4: > + return SWUSignCMS(sign_parms[1], sign_parms[2], > sign_parms[3], None) > # Format : CMS,<private key>,<certificate used to sign> > - return SWUSignCMS(sign_parms[1], sign_parms[2], None) > + else: > + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) > if cmd == "RSA": > if len(sign_parms) not in (2, 3) or not all(sign_parms): > raise InvalidSigningOption( > @@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: > """\ > RSA key or certificate to sign the SWU > One of : > - CMS,<private key>,<certificate used to sign>,<file with > password if any> > + CMS,<private key>,<certificate used to sign>,<file with > password if any>,<file with certs if any> > RSA,<private key>,<file with password if any> > PKCS11,<pin> > CUSTOM,<custom command> """ > diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py > index 7097a9d..f73802e 100644 > --- a/swugenerator/swu_sign.py > +++ b/swugenerator/swu_sign.py 
> @@ -14,6 +14,7 @@ class SWUSign: > self.cert = None > self.cmd = None > self.passin = None > + self.certfile = None > self.signcmd = [] > > def get_passwd_file_args(self): > @@ -25,6 +26,15 @@ class SWUSign: > def set_password_file(self, passin): > self.passin = passin > > + def get_certfile_args(self): > + certfile_args = [] > + if self.certfile: > + certfile_args = ["-certfile", self.certfile] > + return certfile_args > + > + def set_certfile(self, certfile): > + self.certfile = certfile > + > def sign(self): > try: > subprocess.run(" ".join(self.signcmd), shell=True, > check=True, text=True) > @@ -36,12 +46,13 @@ class SWUSign: > > > class SWUSignCMS(SWUSign): > - def __init__(self, key, cert, passin): > + def __init__(self, key, cert, passin, certfile): > super().__init__() > self.type = "CMS" > self.key = key > self.cert = cert > self.passin = passin > + self.certfile = certfile > > def prepare_cmd(self, sw_desc_in, sw_desc_sig): > self.signcmd = [ > @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): > "-binary", > ] > self.signcmd += self.get_passwd_file_args() > + self.signcmd += self.get_certfile_args() > > > class SWUSignRSA(SWUSign): > -- > 2.25.1 > > -- > You received this message because you are subscribed to the Google > Groups "swupdate" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to swupdate+unsubscribe@googlegroups.com > <mailto:swupdate+unsubscribe@googlegroups.com>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/swupdate/CA%2BsyA0vLB_-pesFthQLUQ-sL7GEWzfii4F3WuDOTZB0FgFePsg%40mail.gmail.com <https://groups.google.com/d/msgid/swupdate/CA%2BsyA0vLB_-pesFthQLUQ-sL7GEWzfii4F3WuDOTZB0FgFePsg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
Dear Stefano, sorry for that, I've mailed the patch again, hope that it'll be right this time. Thank you! Regards, Victor On Monday, 18 September 2023 at 19:32:39 UTC+2 Stefano Babic wrote: > Hi Viktor, > > On 18.09.23 16:21, 'Viktor Voronin' via swupdate wrote: > > Dear Stefano, > > > > is there any possibility for this to be merged? If there are any > > objections, please let me know. > > > > Your patch is malformed and could not be applied, I get: > > error: patch fragment without header at line 7: @@ -36,12 +46,13 @@ > class SWUSign: > > Please use git send-email to post the patch, else it seems your mail is > damaging the patch. Please fix it and repost. > > Best regards, > Stefano Babic > > > Regards, > > Victor > > > > On Tue, 12 Sept 2023 at 14:07, Viktor Voronin > > <viktor....@evologics.de <mailto:viktor....@evologics.de>> wrote: > > > > Hi Stefano, > > > > here is a patch to optionally add -certfile option to openssl on CMS > > signing. In my case it is due to an intermediate CA between signer > > and root authority. > > > > Signed-off-by: Victor Voronin <viktor....@evologics.de > > <mailto:viktor....@evologics.de>> > > --- > > swugenerator/main.py | 17 +++++++++++------ > > swugenerator/swu_sign.py | 14 +++++++++++++- > > 2 files changed, 24 insertions(+), 7 deletions(-) > > > > diff --git a/swugenerator/main.py b/swugenerator/main.py > > index 4531865..22ff0ee 100644 > > --- a/swugenerator/main.py > > +++ b/swugenerator/main.py > > @@ -86,6 +86,7 @@ def parse_signing_option( > > ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: > > """Parses signgning option passed by user. Valid options can > > be found below. > > > > + CMS,<private key>,<certificate used to sign>,<file with > > password>,<file with certs> > > CMS,<private key>,<certificate used to sign>,<file with password> > > CMS,<private key>,<certificate used to sign> > > RSA,<private key>,<file with password> 
> > @@ -105,15 +106,19 @@ def parse_signing_option( > > sign_parms = sign_arg.split(",") > > cmd = sign_parms[0] > > if cmd == "CMS": > > - if len(sign_parms) not in (3, 4) or not all(sign_parms): > > + if len(sign_parms) not in (3, 4, 5) or not > > all(sign_parms[0:2]): > > raise InvalidSigningOption( > > - "CMS requires private key, certificate, and an > > optional password file" > > + "CMS requires private key, certificate, an optional > > password file and an optional file with additional certificates" > > ) > > + # Format : CMS,<private key>,<certificate used to > > sign>,<file with password>,<file with certs> > > + if len(sign_parms) == 5: > > + return SWUSignCMS(sign_parms[1], sign_parms[2], > > sign_parms[3], sign_parms[4]) > > # Format : CMS,<private key>,<certificate used to > > sign>,<file with password> > > - if len(sign_parms) == 4: > > - return SWUSignCMS(sign_parms[1], sign_parms[2], > > sign_parms[3]) > > + elif len(sign_parms) == 4: > > + return SWUSignCMS(sign_parms[1], sign_parms[2], > > sign_parms[3], None) > > # Format : CMS,<private key>,<certificate used to sign> > > - return SWUSignCMS(sign_parms[1], sign_parms[2], None) > > + else: > > + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) > > if cmd == "RSA": > > if len(sign_parms) not in (2, 3) or not all(sign_parms): > > raise InvalidSigningOption( > > @@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: > > """\ > > RSA key or certificate to sign the SWU > > One of : > > - CMS,<private key>,<certificate used to sign>,<file with > > password if any> > > + CMS,<private key>,<certificate used to sign>,<file with > > password if any>,<file with certs if any> > > RSA,<private key>,<file with password if any> > > PKCS11,<pin> > > CUSTOM,<custom command> """ > > diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py > > index 7097a9d..f73802e 100644 > > --- a/swugenerator/swu_sign.py > > +++ b/swugenerator/swu_sign.py 
> > @@ -14,6 +14,7 @@ class SWUSign: > > self.cert = None > > self.cmd = None > > self.passin = None > > + self.certfile = None > > self.signcmd = [] > > > > def get_passwd_file_args(self): > > @@ -25,6 +26,15 @@ class SWUSign: > > def set_password_file(self, passin): > > self.passin = passin > > > > + def get_certfile_args(self): > > + certfile_args = [] > > + if self.certfile: > > + certfile_args = ["-certfile", self.certfile] > > + return certfile_args > > + > > + def set_certfile(self, certfile): > > + self.certfile = certfile > > + > > def sign(self): > > try: > > subprocess.run(" ".join(self.signcmd), shell=True, > > check=True, text=True) > > @@ -36,12 +46,13 @@ class SWUSign: > > > > > > class SWUSignCMS(SWUSign): > > - def __init__(self, key, cert, passin): > > + def __init__(self, key, cert, passin, certfile): > > super().__init__() > > self.type = "CMS" > > self.key = key > > self.cert = cert > > self.passin = passin > > + self.certfile = certfile > > > > def prepare_cmd(self, sw_desc_in, sw_desc_sig): > > self.signcmd = [ > > @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): > > "-binary", > > ] > > self.signcmd += self.get_passwd_file_args() > > + self.signcmd += self.get_certfile_args() > > > > > > class SWUSignRSA(SWUSign): > > -- > > 2.25.1 > > > > -- > > You received this message because you are subscribed to the Google > > Groups "swupdate" group. > > To unsubscribe from this group and stop receiving emails from it, send > > an email to swupdate+u...@googlegroups.com > > <mailto:swupdate+u...@googlegroups.com>. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/swupdate/CA%2BsyA0vLB_-pesFthQLUQ-sL7GEWzfii4F3WuDOTZB0FgFePsg%40mail.gmail.com > < > https://groups.google.com/d/msgid/swupdate/CA%2BsyA0vLB_-pesFthQLUQ-sL7GEWzfii4F3WuDOTZB0FgFePsg%40mail.gmail.com?utm_medium=email&utm_source=footer > >. >
diff --git a/swugenerator/main.py b/swugenerator/main.py index 4531865..22ff0ee 100644 --- a/swugenerator/main.py +++ b/swugenerator/main.py @@ -86,6 +86,7 @@ def parse_signing_option( ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: """Parses signgning option passed by user. Valid options can be found below. + CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs> CMS,<private key>,<certificate used to sign>,<file with password> CMS,<private key>,<certificate used to sign> RSA,<private key>,<file with password> @@ -105,15 +106,19 @@ def parse_signing_option( sign_parms = sign_arg.split(",") cmd = sign_parms[0] if cmd == "CMS": - if len(sign_parms) not in (3, 4) or not all(sign_parms): + if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]): raise InvalidSigningOption( - "CMS requires private key, certificate, and an optional password file" + "CMS requires private key, certificate, an optional password file and an optional file with additional certificates" ) + # Format : CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs> + if len(sign_parms) == 5: + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], sign_parms[4]) # Format : CMS,<private key>,<certificate used to sign>,<file with password> - if len(sign_parms) == 4: - return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3]) + elif len(sign_parms) == 4: + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], None) # Format : CMS,<private key>,<certificate used to sign> - return SWUSignCMS(sign_parms[1], sign_parms[2], None) + else: + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) if cmd == "RSA": if len(sign_parms) not in (2, 3) or not all(sign_parms): raise InvalidSigningOption( 
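Review bot: The new emptiness check `not all(sign_parms[0:2])` in the CMS branch covers only the command and the private key, so the certificate field at index 2 is no longer required to be non-empty and an argument such as `CMS,<private key>,` reaches `SWUSignCMS` with an empty certificate path. If the intent was only to allow an empty password field when a certs file follows, check the mandatory fields: `if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:3]):`. An empty fourth or fifth field is then passed on as `""`, presumably treated as "not given" by the `get_*_args` helpers; a short comment saying so next to the check would make that deliberate. parse_signing_option starts and ends outside this hunk.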
@@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: """\ RSA key or certificate to sign the SWU One of : - CMS,<private key>,<certificate used to sign>,<file with password if any> + CMS,<private key>,<certificate used to sign>,<file with password if any>,<file with certs if any> RSA,<private key>,<file with password if any> PKCS11,<pin> CUSTOM,<custom command> """ diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py index 7097a9d..f73802e 100644 --- a/swugenerator/swu_sign.py +++ b/swugenerator/swu_sign.py @@ -14,6 +14,7 @@ class SWUSign: self.cert = None self.cmd = None self.passin = None + self.certfile = None self.signcmd = [] def get_passwd_file_args(self): @@ -25,6 +26,15 @@ class SWUSign: def set_password_file(self, passin): self.passin = passin + def get_certfile_args(self): + certfile_args = [] + if self.certfile: + certfile_args = ["-certfile", self.certfile] + return certfile_args + + def set_certfile(self, certfile): + self.certfile = certfile + def sign(self): try: subprocess.run(" ".join(self.signcmd), shell=True, check=True,
Hi Stefano, here is a patch to optionally add -certfile option to openssl on CMS signing. In my case it is due to an intermediate CA between signer and root authority. Signed-off-by: Victor Voronin <viktor.voronin@evologics.de> --- swugenerator/main.py | 17 +++++++++++------ swugenerator/swu_sign.py | 14 +++++++++++++- 2 files changed, 24 insertions(+), 7 deletions(-) text=True) @@ -36,12 +46,13 @@ class SWUSign: class SWUSignCMS(SWUSign): - def __init__(self, key, cert, passin): + def __init__(self, key, cert, passin, certfile): super().__init__() self.type = "CMS" self.key = key self.cert = cert self.passin = passin + self.certfile = certfile def prepare_cmd(self, sw_desc_in, sw_desc_sig): self.signcmd = [ @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): "-binary", ] self.signcmd += self.get_passwd_file_args() + self.signcmd += self.get_certfile_args() class SWUSignRSA(SWUSign):
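Review bot: `get_certfile_args` adds `self.certfile` to `signcmd` unquoted, and the `sign()` context lines of the same hunk show that list being joined with spaces and run with `shell=True`, so a certs path containing a space or a shell metacharacter is split or interpreted by the shell instead of reaching openssl as one argument. Quote the value where it is added, `certfile_args = ["-certfile", shlex.quote(self.certfile)]`, with `import shlex` at the top of swu_sign.py. The key, certificate and password paths may need the same treatment if they are appended the same way, which this hunk does not show. The SWUSign class starts outside the hunk and the body of sign() continues past it.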
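Review bot: `certfile` is added to `SWUSignCMS.__init__` as a required positional parameter, so any caller outside this patch that still constructs `SWUSignCMS(key, cert, passin)` would fail with a TypeError; `def __init__(self, key, cert, passin, certfile=None):` keeps the three-argument form working and matches the `self.certfile = None` default set in `SWUSign.__init__`. The constructor also has no docstring; one line stating that `certfile` is a file of additional certificates (the intermediate CA case from the description) passed to openssl via `-certfile` would document the new parameter. The class body continues outside the hunk.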