Rework TLS configuration to allow disablingHEAD master

Rework TLS configuration to add an explicit "use-tls" option like newer clients have, and to make using a CA certificate optional to allow potentially using issued certificates. The new option defaults to TLS disabled, which is a breaking change for most existing configuration files. Bug-AGL: SPEC-5387 Change-Id: I1e18ffb05c89bd05aba87b39bcfba439cbeb02e5 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
author: Scott Murray <scott.murray@konsulko.com> 2025-03-07 00:37:21 -0500
committer: Scott Murray <scott.murray@konsulko.com> 2025-03-25 15:45:19 -0400
commit: c9a3824734ce41773c4306b43bb4d1add82f9b96 (patch)
tree: d98a94c46e943c8c9b669dccab72a03cdb5d5061
parent: 4f75c049e8ba1e7fd4f1094f9ed8b681318f021d (diff)
3 files changed, 43 insertions, 32 deletions
diff --git a/vehicle-signals/VehicleSignalsConfig.cpp b/vehicle-signals/VehicleSignalsConfig.cpp
index c72c2cd..4f23fb4 100644
--- a/vehicle-signals/VehicleSignalsConfig.cpp
+++ b/vehicle-signals/VehicleSignalsConfig.cpp
@@ -14,22 +14,22 @@
 
 #include "VehicleSignalsConfig.h"
 
-#define DEFAULT_CLIENT_KEY_FILE  "/etc/kuksa-val/Client.key"
-#define DEFAULT_CLIENT_CERT_FILE "/etc/kuksa-val/Client.pem"
-#define DEFAULT_CA_CERT_FILE     "/etc/kuksa-val/CA.pem"
-
 VehicleSignalsConfig::VehicleSignalsConfig(const QString &hostname,
 					   const unsigned port,
+					   const bool useTls,
+					   const QString &caCertFileName,
 					   const QByteArray &caCert,
 					   const QString &tlsServerName,
 					   const QString &authToken) :
 	m_hostname(hostname),
 	m_port(port),
+	m_useTls(useTls),
+	m_caCertFileName(caCertFileName),
 	m_caCert(caCert),
 	m_tlsServerName(tlsServerName),
 	m_authToken(authToken),
-	m_verbose(0),
-	m_valid(true)
+	m_valid(true),
+	m_verbose(0)
 {
 	// Potentially could do some certificate validation here...
 }
@@ -42,7 +42,7 @@ VehicleSignalsConfig::VehicleSignalsConfig(const QString &appname)
 	if (!pSettings)
 		return;
 
-	m_hostname = pSettings->value("kuksa-client/server", "localhost").toString();
+	m_hostname = pSettings->value("kuksa-client/hostname", "localhost").toString();
 	if (m_hostname.isEmpty()) {
 		qCritical() << "Invalid server hostname";
 		return;
@@ -54,22 +54,22 @@ VehicleSignalsConfig::VehicleSignalsConfig(const QString &appname)
 		return;
 	}
 
-	QString caCertFileName = pSettings->value("kuksa-client/ca-certificate", DEFAULT_CA_CERT_FILE).toString();
-	if (caCertFileName.isEmpty()) {
-		qCritical() << "Invalid CA certificate filename";
-		return;
-	}
-	QFile caCertFile(caCertFileName);
-	if (!caCertFile.open(QIODevice::ReadOnly)) {
-		qCritical() << "Could not open CA certificate file";
-		return;
-	}
-	QByteArray caCertData = caCertFile.readAll();
-	if (caCertData.isEmpty()) {
-		qCritical() << "Invalid CA certificate file";
-		return;
+	m_useTls = pSettings->value("kuksa-client/use-tls", false).toBool();
+
+	m_caCertFileName = pSettings->value("kuksa-client/ca-certificate", "").toString();
+	if (!m_caCertFileName.isEmpty()) {
+		QFile caCertFile(m_caCertFileName);
+		if (!caCertFile.open(QIODevice::ReadOnly)) {
+			qCritical() << "Could not open CA certificate file " << m_caCertFileName;
+			return;
+		}
+		QByteArray caCertData = caCertFile.readAll();
+		if (caCertData.isEmpty()) {
+			qCritical() << "Invalid CA certificate file";
+			return;
+		}
+		m_caCert = caCertData;
 	}
-	m_caCert = caCertData;
 
 	m_tlsServerName = pSettings->value("kuksa-client/tls-server-name", "").toString();
 
diff --git a/vehicle-signals/VehicleSignalsConfig.h b/vehicle-signals/VehicleSignalsConfig.h
index c3d52ca..a51900c 100644
--- a/vehicle-signals/VehicleSignalsConfig.h
+++ b/vehicle-signals/VehicleSignalsConfig.h
@@ -16,6 +16,8 @@ class VehicleSignalsConfig
 public:
         explicit VehicleSignalsConfig(const QString &hostname,
 				      const unsigned port,
+				      const bool useTls,
+				      const QString &caCertFileName,
 				      const QByteArray &caCert,
 				      const QString &tlsServerName,
 				      const QString &authToken);
@@ -24,6 +26,8 @@ public:
 
 	QString hostname() { return m_hostname; };
 	unsigned port() { return m_port; };
+	bool useTls() { return m_useTls; };
+	QString caCertFileName() { return m_caCertFileName; };
 	QByteArray caCert() { return m_caCert; };
 	QString tlsServerName() { return m_tlsServerName; };
 	QString authToken() { return m_authToken; };
@@ -33,6 +37,8 @@ public:
 private:
 	QString m_hostname;
 	unsigned m_port;
+	bool m_useTls;
+	QString m_caCertFileName;
 	QByteArray m_caCert;
 	QString m_tlsServerName;
 	QString m_authToken;
diff --git a/vehicle-signals/vehiclesignals.cpp b/vehicle-signals/vehiclesignals.cpp
index f550955..30a3bd3 100644
--- a/vehicle-signals/vehiclesignals.cpp
+++ b/vehicle-signals/vehiclesignals.cpp
@@ -23,18 +23,23 @@ VehicleSignals::VehicleSignals(const VehicleSignalsConfig &config, QObject *pare
 	host += QString::number(m_config.port());
 
 	std::shared_ptr<grpc::Channel> channel;
-	if (!m_config.caCert().isEmpty()) {
+	if (m_config.useTls()) {
 		qInfo() << "Using TLS";
-		grpc::SslCredentialsOptions options;
-		options.pem_root_certs = m_config.caCert().toStdString();
-		if (!m_config.tlsServerName().isEmpty()) {
-			grpc::ChannelArguments args;
-			auto target = m_config.tlsServerName();
-			qInfo() << "Overriding TLS target name with " << target;
-			args.SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, target.toStdString());
-			channel = grpc::CreateCustomChannel(host.toStdString(), grpc::SslCredentials(options), args);
+		if (!m_config.caCert().isEmpty()) {
+			qInfo() << "Using CA certificate " << m_config.caCertFileName();
+			grpc::SslCredentialsOptions options;
+			options.pem_root_certs = m_config.caCert().toStdString();
+			if (!m_config.tlsServerName().isEmpty()) {
+				grpc::ChannelArguments args;
+				auto target = m_config.tlsServerName();
+				qInfo() << "Overriding TLS server name with " << target;
+				args.SetString(GRPC_SSL_TARGET_NAME_OVERRIDE_ARG, target.toStdString());
+				channel = grpc::CreateCustomChannel(host.toStdString(), grpc::SslCredentials(options), args);
+			} else {
+				channel = grpc::CreateChannel(host.toStdString(), grpc::SslCredentials(options));
+			}
 		} else {
-			channel = grpc::CreateChannel(host.toStdString(), grpc::SslCredentials(options));
+			channel = grpc::CreateChannel(host.toStdString(), grpc::SslCredentials(grpc::SslCredentialsOptions()));
 		}
 	} else {
 		channel = grpc::CreateChannel(host.toStdString(), grpc::InsecureChannelCredentials());
author	Scott Murray <scott.murray@konsulko.com>	2025-03-07 00:37:21 -0500
committer	Scott Murray <scott.murray@konsulko.com>	2025-03-25 15:45:19 -0400
commit	c9a3824734ce41773c4306b43bb4d1add82f9b96 (patch)
tree	d98a94c46e943c8c9b669dccab72a03cdb5d5061
parent	4f75c049e8ba1e7fd4f1094f9ed8b681318f021d (diff)