add CMS signing support

Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
Acked-by: Stefano Babic <sbabic@denx.de>

classes/swupdate.bbclass

@@ -1,5 +1,5 @@
 # Copyright (C) 2015 Stefano Babic <sbabic@denx.de>
-# 
+#
 # Some parts from the patch class
 #
 # swupdate allows to generate a compound image for the
@@ -14,7 +14,7 @@
 
 S = "${WORKDIR}/${PN}"
 
-DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) == '1' else ''}"
+DEPENDS += "${@ 'openssl-native' if d.getVar('SWUPDATE_SIGNING', True) else ''}"
 IMAGE_DEPENDS ?= ""
 
 def swupdate_is_hash_needed(s, filename):
@@ -101,7 +101,7 @@ python do_swuimage () {
     fetch = bb.fetch2.Fetch([], d)
     list_for_cpio = ["sw-description"]
 
-    if d.getVar('SWUPDATE_SIGNING', True) == '1':
+    if d.getVar('SWUPDATE_SIGNING', True):
         list_for_cpio.append('sw-description.sig')
 
     for url in fetch.urls:
@@ -140,12 +140,20 @@ python do_swuimage () {
             hash = swupdate_get_sha256(s, file)
             swupdate_write_sha256(s, file, hash)
 
-    if d.getVar('SWUPDATE_SIGNING', True) == '1':
-        sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)
-        if sign_tool:
-            if os.system(sign_tool) != 0:
-                bb.fatal("Failed to sign with %s" % (sign_tool))
-        else:
+    signing = d.getVar('SWUPDATE_SIGNING', True)
+    if signing == "1":
+        bb.warn('SWUPDATE_SIGNING = "1" is deprecated, falling back to "RSA". It is advised to set it to "RSA" if using RSA signing.')
+        signing = "RSA"
+    if signing:
+        if signing == "CUSTOM":
+            sign_tool = d.getVar('SWUPDATE_SIGN_TOOL', True)
+            if sign_tool:
+                ret = os.system(sign_tool)
+                if ret != 0:
+                    bb.fatal("Failed to sign with %s" % (sign_tool))
+            else:
+                bb.fatal("Custom SWUPDATE_SIGN_TOOL is not given")
+        elif signing == "RSA":
             privkey = d.getVar('SWUPDATE_PRIVATE_KEY', True)
             if not privkey:
                 bb.fatal("SWUPDATE_PRIVATE_KEY isn't set")
@@ -163,6 +171,26 @@ python do_swuimage () {
                 os.path.join(s, 'sw-description'))
             if os.system(signcmd) != 0:
                 bb.fatal("Failed to sign sw-description with %s" % (privkey))
+        elif signing == "CMS":
+            cms_cert = d.getVar('SWUPDATE_CMS_CERT', True)
+            if not cms_cert:
+                bb.fatal("SWUPDATE_CMS_CERT is not set")
+            if not os.path.exists(cms_cert):
+                bb.fatal("SWUPDATE_CMS_CERT %s doesn't exist" % (cms_cert))
+            cms_key = d.getVar('SWUPDATE_CMS_KEY', True)
+            if not cms_key:
+                bb.fatal("SWUPDATE_CMS_KEY isn't set")
+            if not os.path.exists(cms_key):
+                bb.fatal("SWUPDATE_CMS_KEY %s doesn't exist" % (cms_key))
+            signcmd = "openssl cms -sign -in '%s' -out '%s' -signer '%s' -inkey '%s' -outform DER -nosmimecap -binary" % (
+                os.path.join(s, 'sw-description'),
+                os.path.join(s, 'sw-description.sig'),
+                cms_cert,
+                cms_key)
+            if os.system(signcmd) != 0:
+                bb.fatal("Failed to sign sw-description with %s" % (privkey))
+        else:
+            bb.fatal("Unrecognized SWUPDATE_SIGNING mechanism.");
 
     line = 'for i in ' + ' '.join(list_for_cpio) + '; do echo $i;done | cpio -ov -H crc >' + os.path.join(deploydir,d.getVar('IMAGE_NAME', True) + '.swu')
     os.system("cd " + s + ";" + line)