5.5. Code Signing Helper Functions
PTXdist provides various bash helper functions to be used in code signing providers and code signing consumers.
PTXdist stores URIs and CA keyrings using these helpers in
$(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}.
SoftHSM Provider Functions
These helpers initialize and import public/private keys and certificates into the SoftHSM.
cs_init_softhsm
Usage:
cs_init_softhsm
Initialize SoftHSM, and set the initial pins.
cs_import_cert_from_der
Usage:
cs_import_cert_from_der <role> <DER>
Import certificate from a given DER file for role. To be used with SoftHSM only.
Preconditions:
the role must have been defined (see cs_define_role)
SoftHSM must have been initialized (see cs_init_softhsm)
cs_import_cert_from_pem
Usage:
cs_import_cert_from_pem <role> <PEM>
Import certificate from a given PEM file for role. To be used with SoftHSM only.
Preconditions:
the role must have been defined (see cs_define_role)
SoftHSM must have been initialized (see cs_init_softhsm)
cs_import_pubkey_from_pem
Usage:
cs_import_pubkey_from_pem <role> <PEM>
Import public key from a given PEM file for role. To be used with SoftHSM only.
Preconditions:
the role must have been defined (see cs_define_role)
SoftHSM must have been initialized (see cs_init_softhsm)
cs_import_privkey_from_pem
Usage:
cs_import_privkey_from_pem <role> <PEM>
Import private key from a given PEM file for role. To be used with SoftHSM only.
Preconditions:
the role must have been defined (see cs_define_role)
SoftHSM must have been initialized (see cs_init_softhsm)
cs_import_key_from_pem
Usage:
cs_import_key_from_pem <role> <PEM>
Import private/public key pair from a given PEM file for role. To be used with SoftHSM only.
Preconditions:
the role must have been defined (see cs_define_role)
SoftHSM must have been initialized (see cs_init_softhsm)
Generic Provider Functions
These helpers allow to define roles, set PKCS#11 URIs and handle certificate authorities (CAs). HSM as well as SoftHSM code signing providers should use them.
cs_define_role
Usage:
cs_define_role <role>
Define new key role.
A default PKCS#11 URI is set implicitly as convenience for SoftHSM use cases.
cs_set_uri
Usage:
cs_set_uri <role> <URI>
Set given PKCS#11 URI for role.
Preconditions:
the role must have been defined (see cs_define_role)
cs_append_ca_from_pem
Usage:
cs_append_ca_from_pem <role> <PEM>
Append certificate from a given PEM file to the role’s CA keyring. If no CA keyring exists yet it is created as an empty file before.
Preconditions:
the role must have been defined (see cs_define_role)
cs_append_ca_from_der
Usage:
cs_append_ca_from_der <role> <DER>
Append certificate from a given DER file to the role’s CA keyring. If no CA keyring exists yet it is created as an empty file before.
Preconditions:
the role must have been defined (see cs_define_role)
cs_append_ca_from_uri
Usage:
cs_append_ca_from_uri <role> [<URI>]
Append certificate from a given PKCS#11 URI to the role’s CA keyring. If URI is omitted the already set URI for role is used. If no CA keyring exists yet it is created as an empty file before.
Preconditions:
the role must have been defined (see cs_define_role)
when used with SoftHSM, certificates must have been imported before (see cs_import_cert_from_der, cs_import_cert_from_pem)
cs_define_group
Usage:
cs_define_group <group>
Define a new role group.
See cs_group_add_roles for an example.
cs_group_add_roles
Usage:
cs_group_add_roles <group> <roles...>
Add all given roles to a role group.
Preconditions:
the group must have been defined (see cs_define_group)
the role(s) must have been defined (see cs_define_role)
Example:
# define two roles named imx-habv4-srk1 and imx-habv4-srk2
r="imx-habv4-srk1"
cs_define_role "${r}"
cs_set_uri "${r}" "pkcs11:object=SRK CA 0"
cs_append_ca_from_uri "${r}"
r="imx-habv4-srk2"
cs_define_role "${r}"
cs_set_uri "${r}" "pkcs11:object=SRK CA 1"
cs_append_ca_from_uri "${r}"
# define a group and add the roles
g="imx-habv4-srk"
cs_define_group "${g}"
cs_group_add_roles "${g}" "imx-habv4-srk1" "imx-habv4-srk2"
cs_group_get_roles
Usage:
cs_group_get_roles <group>
Get a list of all roles that have been added to the role group.
Example:
# iterate over role names in a role group, and print their name and URI
for role in $(cs_group_get_roles "imx-habv4-srk"); do
echo "role '${role}' has URI '$(cs_get_uri "${role}")'"
done
In the example given in cs_group_add_roles above, this would print:
role 'imx-habv4-srk1' has URI 'pkcs11:object=SRK CA 0'
role 'imx-habv4-srk2' has URI 'pkcs11:object=SRK CA 1'
Consumer Functions
Packages that want to sign something or need access to keys/CAs can retrieve PKCS#11 URIs and CA keyrings with these helpers.
cs_get_uri
Usage:
cs_get_uri <role>
Get PKCS#11 URI for role.
Preconditions:
the URI must have been set (see cs_set_uri)
cs_get_ca
Usage:
cs_get_ca <role>
Get path to the CA keyring in PEM format for role.
If the provider does not set a CA for this role (see cs_append_ca_from_pem, cs_append_ca_from_der, cs_append_ca_from_uri), this function will print an empty string.
Preconditions:
The role must have been defined by the provider (see cs_define_role). Otherwise, this function will print
ERROR_CA_NOT_YET_SETand return 1. This can happen if the function is evaluated by a variable expansion in make with:=instead of=before the code signing provider is set up.
Example:
# set up kernel module signing, and add a trusted CA if the provider set one
KERNEL_SIGN_OPT =
CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri kernel-modules)"' \
CONFIG_MODULE_SIG_ALL=y \
$(if $(shell cs_get_ca kernel-trusted), \
CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))