Página inicial Explorar Ajuda
Entrar
vdd
/
meta-swupdate
mirror de https://github.com/sbabic/meta-swupdate
1
0
Fork 0
Arquivos Issues 0 Wiki
Ver código fonte

swupdate-common: add -certfile arg to CMS signing

Using openssl cms the recipient may not share intermediate certs in the
chain. The -certfile option includes these certificates in the message,
ensuring the recipient can establish the full chain of trust from a root
CA they already have, through the intermediate certificate(s) to the
signing certificate.

Add optional SWUPDATE_CMS_EXTRA_CERTS var to add additional certs to CMS
output using -certfile argument.

Patch based on the original work from Wes Malone, applied manually and
tested on 'dunfell', will require a rebase to apply on 'master'.

Signed-off-by: Victor Voronin <viktor.voronin@evologics.de>
Victor Voronin 2 anos atrás
pai
7a85c71f40
commit
4515ef4d99
2 arquivos alterados com 17 adições e 1 exclusões
Visão unificada Mostrar estatísticas do Diff
  1. 2 0
      README
  2. 15 1
      classes/swupdate-common.bbclass

+ 2 - 0
README
Ver arquivo 

@@ -62,6 +62,8 @@ There are 3 signing mechanisms supported by meta-swupdate at the moment:
 
 
 
   * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
 
   * Set `SWUPDATE_CMS_KEY ` to the full path of private key file
 
 
 
+  * (Optional) Set `SWUPDATE_CMS_EXTRA_CERTS` to a space delimited list of intermediate certificate files
 
+
 
 3. Custom signing tool:
 
 3. Custom signing tool:
 
 
 
   * Set variable: `SWUPDATE_SIGNING = "CUSTOM"`
 
   * Set variable: `SWUPDATE_SIGNING = "CUSTOM"`

+ 15 - 1
classes/swupdate-common.bbclass
Ver arquivo 

@@ -34,6 +34,18 @@ def get_pwd_file_args(d, passfile):
 
        pwd_args = ["-passin", "file:%s" % pwd_file]
 
        pwd_args = ["-passin", "file:%s" % pwd_file]
 
     return pwd_args
 
     return pwd_args
 
 
 
+def get_certfile_args(d):
 
+    extra_certs = d.getVar('SWUPDATE_CMS_EXTRA_CERTS', True)
 
+    if not extra_certs:
 
+        return []
 
+    certfile_args = []
 
+    extra_paths = extra_certs.split()
 
+    for crt_path in extra_paths:
 
+        if not os.path.exists(crt_path):
 
+            bb.fatal("SWUPDATE_CMS_EXTRA_CERTS path %s doesn't exist" % (crt_path))
 
+        certfile_args.extend(["-certfile", crt_path])
 
+    return certfile_args
 
+
 
 def swupdate_getdepends(d):
 
 def swupdate_getdepends(d):
 
     def adddep(depstr, deps):
 
     def adddep(depstr, deps):
 
         for i in (depstr or "").split():
 
         for i in (depstr or "").split():
 
@@ -205,7 +217,9 @@ def prepare_sw_description(d):
 
             if not os.path.exists(cms_key):
 
             if not os.path.exists(cms_key):
 
                 bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
 
                 bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
 
             signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \
 
             signcmd = ["openssl", "cms", "-sign", "-in", sw_desc, "-out", sw_desc_sig, "-signer", cms_cert, "-inkey", cms_key] + \
 
-                        get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + ["-outform", "DER", "-nosmimecap", "-binary"]
 
+                        ["-outform", "DER", "-nosmimecap", "-binary"] + \
 
+                        get_pwd_file_args(d, 'SWUPDATE_PASSWORD_FILE') + \
 
+                        get_certfile_args(d)
 
         else:
 
         else:
 
             bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.")
 
             bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.")
 
         subprocess.run(' '.join(signcmd), shell=True, check=True)
 
         subprocess.run(' '.join(signcmd), shell=True, check=True)