5.5. Code Signing Helper Functions

PTXdist provides various bash helper functions to be used in code signing providers and code signing consumers.

PTXdist stores URIs and CA keyrings using these helpers in $(PTXDIST_SYSROOT_HOST)/var/lib/keys/<signing-provider>/<role>/{uri,ca.pem}.

SoftHSM Provider Functions

These helpers initialize and import public/private keys and certificates into the SoftHSM.

cs_init_softhsm

Usage:

cs_init_softhsm

Initialize SoftHSM and set the initial PINs.

cs_import_cert_from_der

Usage:

cs_import_cert_from_der <role> <DER>

Import certificate from a given DER file for role. To be used with SoftHSM only.

Preconditions:

cs_import_cert_from_pem

Usage:

cs_import_cert_from_pem <role> <PEM>

Import certificate from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_pubkey_from_pem

Usage:

cs_import_pubkey_from_pem <role> <PEM>

Import public key from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_privkey_from_pem

Usage:

cs_import_privkey_from_pem <role> <PEM>

Import private key from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

cs_import_key_from_pem

Usage:

cs_import_key_from_pem <role> <PEM>

Import private/public key pair from a given PEM file for role. To be used with SoftHSM only.

Preconditions:

Generic Provider Functions

These helpers allow a provider to define roles, set PKCS#11 URIs and manage certificate authorities (CAs). Both HSM and SoftHSM code signing providers should use them.

cs_define_role

Usage:

cs_define_role <role>

Define new key role.

A default PKCS#11 URI is set implicitly as a convenience for SoftHSM use cases.

cs_set_uri

Usage:

cs_set_uri <role> <URI>

Set given PKCS#11 URI for role.

Preconditions:

cs_append_ca_from_pem

Usage:

cs_append_ca_from_pem <role> <PEM>

Append the certificate from a given PEM file to the role's CA keyring. If no CA keyring exists yet, it is created as an empty file first.

Preconditions:

cs_append_ca_from_der

Usage:

cs_append_ca_from_der <role> <DER>

Append the certificate from a given DER file to the role's CA keyring. If no CA keyring exists yet, it is created as an empty file first.

Preconditions:

cs_append_ca_from_uri

Usage:

cs_append_ca_from_uri <role> [<URI>]

Append the certificate from a given PKCS#11 URI to the role's CA keyring. If URI is omitted, the URI already set for role is used. If no CA keyring exists yet, it is created as an empty file first.

Preconditions:

Consumer Functions

Packages that want to sign something or need access to keys/CAs can retrieve PKCS#11 URIs and CA keyrings with these helpers.

cs_get_uri

Usage:

cs_get_uri <role>

Get PKCS#11 URI for role.

Preconditions:

cs_get_ca

Usage:

cs_get_ca <role>

Get path to the CA keyring in PEM format for role.

Preconditions:
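The provider and consumer sides described above (define a role, set its URI, append CAs, then look the URI and keyring up again) can be walked through offline with a small model of the key store. The following script is an added example and is not PTXdist's own code: the model_* functions only reproduce the storage convention from the top of this section ($(PTXDIST_SYSROOT_HOST)/var/lib/keys/<provider>/<role>/{uri,ca.pem}) and the documented append semantics; they do not talk to an HSM or SoftHSM. The provider name, the default URI form, the role name and the placeholder PEM contents are all constructed for the example.

```shell
#!/bin/sh
# Added example: an offline model of the PTXdist code signing key store.
# These are NOT the real cs_* helpers; they only mirror the documented layout
#   $PTXDIST_SYSROOT_HOST/var/lib/keys/<provider>/<role>/{uri,ca.pem}
set -eu

# Assumptions (constructed): a temporary sysroot and a placeholder provider name.
PTXDIST_SYSROOT_HOST="${PTXDIST_SYSROOT_HOST:-$(mktemp -d)}"
CS_PROVIDER="${CS_PROVIDER:-example-provider}"

cs_role_dir() {
    printf '%s/var/lib/keys/%s/%s\n' "$PTXDIST_SYSROOT_HOST" "$CS_PROVIDER" "$1"
}

# Model of cs_define_role: create the role and set a default PKCS#11 URI.
# The exact default URI PTXdist uses is an assumption here.
model_define_role() {
    role="$1"
    mkdir -p "$(cs_role_dir "$role")"
    model_set_uri "$role" "pkcs11:token=${role};object=${role}"
}

# Model of cs_set_uri: precondition is that the role has been defined.
model_set_uri() {
    role="$1"; uri="$2"
    [ -d "$(cs_role_dir "$role")" ] || { echo "role '$role' not defined" >&2; return 1; }
    printf '%s\n' "$uri" > "$(cs_role_dir "$role")/uri"
}

# Model of cs_append_ca_from_pem: the keyring is created empty first, then the
# PEM is appended, so repeated calls build up a CA bundle for the role.
model_append_ca_from_pem() {
    role="$1"; pem="$2"
    [ -d "$(cs_role_dir "$role")" ] || { echo "role '$role' not defined" >&2; return 1; }
    ca="$(cs_role_dir "$role")/ca.pem"
    [ -f "$ca" ] || : > "$ca"
    cat "$pem" >> "$ca"
}

# Consumer side: model of cs_get_uri / cs_get_ca.
model_get_uri() {
    cat "$(cs_role_dir "$1")/uri"
}

model_get_ca() {
    ca="$(cs_role_dir "$1")/ca.pem"
    [ -f "$ca" ] || { echo "no CA keyring for role '$1'" >&2; return 1; }
    printf '%s\n' "$ca"
}

# Constructed stand-in for a CA certificate file (placeholder text, not a real cert).
make_fake_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" \
        '-----END CERTIFICATE-----' > "$2"
}

# What a provider would do for one role: define it, override the default URI
# with an explicit one, and append two CA certificates to its keyring.
demo_provider() {
    model_define_role update-ca
    model_set_uri update-ca 'pkcs11:token=update-ca;object=update-ca;pin-value=PLACEHOLDER'
    make_fake_pem CA-ONE "$PTXDIST_SYSROOT_HOST/ca1.pem"
    make_fake_pem CA-TWO "$PTXDIST_SYSROOT_HOST/ca2.pem"
    model_append_ca_from_pem update-ca "$PTXDIST_SYSROOT_HOST/ca1.pem"
    model_append_ca_from_pem update-ca "$PTXDIST_SYSROOT_HOST/ca2.pem"
}

# What a consumer would do: fetch the keyring path and count the bundled certs.
demo_consumer_count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$(model_get_ca update-ca)"
}
```

Running demo_provider followed by demo_consumer_count_certs yields 2, and model_get_uri returns the explicitly set URI rather than the default. Calling any of the role-specific functions before the role is defined fails, which is the precondition the real helpers document.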