From b6915f63998e17655c6d4cb094ba8880fed7fb9f Mon Sep 17 00:00:00 2001 From: Johannes Schneider Date: Fri, 27 Jun 2025 14:18:20 +0200 Subject: [PATCH] signing.bbclass: add signing_get_intermediate_certs Add a method that returns a list of intermediary CA roles. When using a complex PKI structure with for example "openssl cms", these roles can then be iterated over adding in turn a '-certificate'. Pseudo-code example: for intermediate in $(signing_get_intermediate_certs 'FooBaa'); do signing_extract_cert_pem $intermediate $intermediate.pem CMD+=" --certificate=$intermediate.pem" done The typical use-case would be adding these intermediate certificates to the CMS structure so that the relying party can build the chain from the signing leaf certificate to the locally stored trusted CA certificate. Reviewed-by: Jan Luebbe Signed-off-by: Johannes Schneider Signed-off-by: Khem Raj --- meta-oe/classes/signing.bbclass | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass index 2a94f5f5b3..248c6400ed 100644 --- a/meta-oe/classes/signing.bbclass +++ b/meta-oe/classes/signing.bbclass @@ -194,6 +194,27 @@ signing_has_ca() { return $? } +# signing_get_intermediate_certs +# +# return a list of role/name intermediary CA certificates for a given +# by walking the chain setup with signing_import_set_ca. +# +# The returned list will not include the the root CA, and can +# potentially be empty. +# +# To be used with SoftHSM. +signing_get_intermediate_certs() { + local cert_name="${1}" + local intermediary="" + while signing_has_ca "${cert_name}"; do + cert_name="$(signing_get_ca ${cert_name})" + if signing_has_ca "${cert_name}"; then + intermediary="${intermediary} ${cert_name}" + fi + done + echo "${intermediary}" +} + # signing_get_root_cert # # return the role/name of the CA root certificate for a given