[swugenerator][PATCH] CMS signing: add -certfile option


Viktor Voronin

Sep 12, 2023, 8:08:15 AM
to swup...@googlegroups.com
Hi Stefano,

here is a patch to optionally add the -certfile option to openssl on CMS signing. In my case it is needed because of an intermediate CA between the signer and the root authority.

Signed-off-by: Victor Voronin <viktor....@evologics.de>
---
 swugenerator/main.py     | 17 +++++++++++------
 swugenerator/swu_sign.py | 14 +++++++++++++-
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/swugenerator/main.py b/swugenerator/main.py
index 4531865..22ff0ee 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -86,6 +86,7 @@ def parse_signing_option(
 ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]:
     """Parses signgning option passed by user. Valid options can be found below.
 
+    CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs>
     CMS,<private key>,<certificate used to sign>,<file with password>
     CMS,<private key>,<certificate used to sign>
     RSA,<private key>,<file with password>
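Review bot: the new docstring line lists the fifth field only as `<file with certs>` without saying what it holds; state that it is a PEM file with the additional (intermediate CA) certificates passed to openssl as `-certfile`, and that the password-file field must then be present (or explicitly empty, if the validation allows it) because the fields are positional.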
@@ -105,15 +106,19 @@ def parse_signing_option(
     sign_parms = sign_arg.split(",")
     cmd = sign_parms[0]
     if cmd == "CMS":
-        if len(sign_parms) not in (3, 4) or not all(sign_parms):
+        if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]):
             raise InvalidSigningOption(
-                "CMS requires private key, certificate, and an optional password file"
+                "CMS requires private key, certificate, an optional password file and an optional file with additional certificates"
             )
+        # Format : CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs>
+        if len(sign_parms) == 5:
+            return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], sign_parms[4])
         # Format : CMS,<private key>,<certificate used to sign>,<file with password>
-        if len(sign_parms) == 4:
-            return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3])
+        elif len(sign_parms) == 4:
+            return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], None)
         # Format : CMS,<private key>,<certificate used to sign>
-        return SWUSignCMS(sign_parms[1], sign_parms[2], None)
+        else:
+            return SWUSignCMS(sign_parms[1], sign_parms[2], None, None)
     if cmd == "RSA":
         if len(sign_parms) not in (2, 3) or not all(sign_parms):
             raise InvalidSigningOption(
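Review bot: the relaxed check `not all(sign_parms[0:2])` on the `if len(sign_parms) not in (3, 4, 5)` line only requires the command word and the private key to be non-empty, so the certificate at `sign_parms[2]` may now be an empty string and is handed to SWUSignCMS unchecked. If the intent is to allow an empty password field so that `CMS,key,cert,,certs` works, use `sign_parms[0:3]` so the certificate stays mandatory, and say in the error message that the two optional fields may be left empty. The new message also reads better as "CMS requires private key, certificate, an optional password file, and an optional file with additional certificates".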
@@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None:
             """\
             RSA key or certificate to sign the SWU
             One of :
-            CMS,<private key>,<certificate used to sign>,<file with password if any>
+            CMS,<private key>,<certificate used to sign>,<file with password if any>,<file with certs if any>
             RSA,<private key>,<file with password if any>
             PKCS11,<pin>
             CUSTOM,<custom command> """
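Review bot: the help text `<file with password if any>,<file with certs if any>` does not tell the user that the two optional fields are positional, i.e. that a certs file can only be given as the fifth field after the password field; add a short example such as `CMS,key.pem,cert.pem,,intermediate.pem` once the validation in parse_signing_option accepts an empty password field.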
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 7097a9d..f73802e 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -14,6 +14,7 @@ class SWUSign:
         self.cert = None
         self.cmd = None
         self.passin = None
+        self.certfile = None
         self.signcmd = []
 
     def get_passwd_file_args(self):
@@ -25,6 +26,15 @@ class SWUSign:
     def set_password_file(self, passin):
         self.passin = passin
 
+    def get_certfile_args(self):
+        certfile_args = []
+        if self.certfile:
+            certfile_args = ["-certfile", self.certfile]
+        return certfile_args
+
+    def set_certfile(self, certfile):
+        self.certfile = certfile
+
     def sign(self):
         try:
             subprocess.run(" ".join(self.signcmd), shell=True, check=True, text=True)
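Review bot: get_certfile_args appends the path unquoted to self.signcmd, which the unchanged `sign()` below joins with `" ".join(self.signcmd)` and runs with `shell=True`, so a certfile path containing spaces or shell metacharacters is split or interpreted by the shell. That pre-dates this patch, but since the new argument goes through the same path it is worth passing the argument list directly to subprocess.run without `shell=True`, or at least wrapping each path with `shlex.quote()`; the same applies to the existing key, certificate and password-file arguments.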
@@ -36,12 +46,13 @@ class SWUSign:
 
 
 class SWUSignCMS(SWUSign):
-    def __init__(self, key, cert, passin):
+    def __init__(self, key, cert, passin, certfile):
         super().__init__()
         self.type = "CMS"
         self.key = key
         self.cert = cert
         self.passin = passin
+        self.certfile = certfile
 
     def prepare_cmd(self, sw_desc_in, sw_desc_sig):
         self.signcmd = [
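Review bot: changing the signature to `def __init__(self, key, cert, passin, certfile):` makes certfile a required positional argument, so any other caller of SWUSignCMS now fails with a TypeError; give it a default (`certfile=None`) and the three explicit `None` arguments added to main.py in the previous hunk become unnecessary.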
@@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign):
             "-binary",
         ]
         self.signcmd += self.get_passwd_file_args()
+        self.signcmd += self.get_certfile_args()
 
 
 class SWUSignRSA(SWUSign):
--
2.25.1

Victor Voronin
EvoLogics GmbH
Wagner-Regeny-Str. 4
D-12489 Berlin

Viktor Voronin

Sep 18, 2023, 10:22:38 AM
to swup...@googlegroups.com
Dear Stefano,

is there any possibility for this to be merged? If there are any objections, please let me know.

Regards,
Victor

Stefano Babic

Sep 18, 2023, 1:32:39 PM
to viktor....@evologics.com, swup...@googlegroups.com
Hi Viktor,

On 18.09.23 16:21, 'Viktor Voronin' via swupdate wrote:
> Dear Stefano,
>
> is there any possibility for this to be merged? If there are any
> objections, please let me know.
>

Your patch is malformed and could not be applied, I get:

error: patch fragment without header at line 7: @@ -36,12 +46,13 @@ class SWUSign:

Please use git send-email to post the patch, else it seems your mail is
damaging the patch. Please fix it and repost.

Best regards,
Stefano Babic

> Regards,
> Victor
>
> On Tue, 12 Sept 2023 at 14:07, Viktor Voronin
> <viktor....@evologics.de <mailto:viktor....@evologics.de>> wrote:
>
> Hi Stefano,
>
> here is a patch to optionally add -certfile option to openssl on CMS
> signing. In my case it is due to an intermediate CA between signer
> and root authority.
>
> Signed-off-by: Victor Voronin <viktor....@evologics.de
> <mailto:viktor....@evologics.de>>
> --

Victor Voronin

Sep 19, 2023, 3:54:46 AM
to swup...@googlegroups.com, Victor Voronin
Signed-off-by: Victor Voronin <viktor....@evologics.de>

Viktor Voronin

Sep 19, 2023, 3:59:55 AM
to swupdate
Dear Stefano,

sorry for that, I've mailed the patch again; hope it'll be right this time.
Thank you!

Regards,
Victor

Stefano Babic

Sep 20, 2023, 6:20:54 AM
to Victor Voronin, swup...@googlegroups.com
Applied to -main, thanks!

Best regards,
Stefano Babic
