authorScott Murray <scott.murray@konsulko.com>2023-04-24 18:01:29 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2023-04-27 09:56:24 +0000
commit2abc36aa3020a5e9fc1597ffdc1749eda2121036 (patch)
tree946624076b6779b20465cb462c7a4d233321913b
parentbd52c7c7c182e5a5ff719f07f11e29fb2cd56eac (diff)
kuksa-val: Rework to support updated SSL certificates
Changes: - Tweak the kuksa-val recipe to remove installing a newer server certificate (since it will be done elsewhere), and to split the certificates up into finer grained packages to ease installing them piecemeal and replacing them with other packages. - Remove the unused genCerts.sh certificate script patch from the kuksa-val recipe, an updated patch will be added in the near future. - Added a patch in the kuksa-viss-client recipe that enables the library to use certificates installed in /etc/kuksa-certificates or /etc/kuksa-val instead of the default ones that are shipped. - Add kuksa-certificates-agl recipe that installs AGL specific CA, server, and client certificates plus the required server and client keys to act as a replacement for the default ones shipped with KUKSA.val. The kuksa-certificates-agl name is used to avoid needing a rename with a future switch to kuksa-databroker. Note that the RPROVIDES variable is used for the various certificate packages to make them installable alternatives to the kuksa-val-certificates-* ones. The certificates installed are valid for 1 year and have AGL as the providing organization, longer validity ones will be added in follow up commits for Octopus and Pike. - Update the existing users of kuksa-val-*-certificates with the new kuksa-val-certificates-* package names. - Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-* packages to quiet the BitBake warnings coming from having multiple providers. Bug-AGL: SPEC-4763 Change-Id: Ic6f1ca8b54f637674cd5ae42df0bed6ca4e729aa Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-rw-r--r--conf/include/agl-demo.inc7
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb58
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem23
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key28
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem29
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key28
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem29
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch64
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.key27
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.pem23
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val_git.bb70
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch109
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb4
-rw-r--r--recipes-core/nss/nss-agl-driver-db_git.bb2
-rw-r--r--recipes-demo/cluster-dashboard/cluster-dashboard_git.bb2
-rw-r--r--recipes-platform/images/agl-cluster-demo-platform-flutter.bb1
-rw-r--r--recipes-platform/packagegroups/packagegroup-agl-ivi-services.bb1
17 files changed, 350 insertions, 155 deletions
diff --git a/conf/include/agl-demo.inc b/conf/include/agl-demo.inc
index a47f41d70..caba58cc8 100644
--- a/conf/include/agl-demo.inc
+++ b/conf/include/agl-demo.inc
@@ -17,3 +17,10 @@ AGL_FEATURES:append = " agldemo"
# install virtualbox drivers for vmdk
#IMAGE_INSTALL:append = "${@bb.utils.contains_any('IMAGE_FSTYPES', 'wic.vmdk wic.vmdk.xz', ' open-vm-tools vboxguestdrivers', '', d)}"
+
+# It is not clear these definitions affect image generation in a robust
+# way, but define them to both show our intent and quiet the warnings
+# that get spammed otherwise.
+PREFERRED_RPROVIDER_kuksa-val-certificates-ca = "kuksa-certificates-agl"
+PREFERRED_RPROVIDER_kuksa-val-certificates-server = "kuksa-certificates-agl"
+PREFERRED_RPROVIDER_kuksa-val-certificates-client = "kuksa-certificates-agl"
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
new file mode 100644
index 000000000..7caa2ebf2
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
@@ -0,0 +1,58 @@
+SUMMARY = "AGL certificates for KUKSA.val, the KUKSA Vehicle Abstraction Layer"
+HOMEPAGE = "https://github.com/eclipse/kuksa.val"
+BUGTRACKER = "https://github.com/eclipse/kuksa.val/issues"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://CA.pem \
+ file://Client.key \
+ file://Client.pem \
+ file://Server.key \
+ file://Server.pem \
+"
+
+inherit allarch useradd
+
+USERADD_PACKAGES = "${PN}-server"
+USERADDEXTENSION = "useradd-staticids"
+GROUPADD_PARAM:${PN}-server = "-g 900 kuksa ;"
+
+do_install() {
+ # Install replacement CA certificate, server key + certificate,
+ # and client key + certificate.
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script to have different expiry dates than the
+ # upstream defaults, and use AGL as the organization.
+ install -d ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/CA.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.pem ${D}${sysconfdir}/kuksa-val/
+}
+
+PACKAGE_BEFORE_PN += "${PN}-ca ${PN}-server ${PN}-client"
+
+FILES:${PN}-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
+RPROVIDES:${PN}-ca += "kuksa-val-certificates-ca"
+
+FILES:${PN}-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RPROVIDES:${PN}-server += "kuksa-val-certificates-server"
+RDEPENDS:${PN}-server += "${PN}-ca"
+
+FILES:${PN}-client = " \
+ ${sysconfdir}/kuksa-val/Client.key \
+ ${sysconfdir}/kuksa-val/Client.pem \
+"
+RPROVIDES:${PN}-client += "kuksa-val-certificates-client"
+RDEPENDS:${PN}-client += "${PN}-ca"
+
+ALLOW_EMPTY:${PN} = "1"
+
+RDEPENDS:${PN} += "kuksa-val ${PN}-ca ${PN}-server ${PN}-client"
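Review bot: Client.key is installed with mode 0644 in do_install (`install -m 0644 ${WORKDIR}/Client.key ...`), so every local account on the image can read the client private key, while Server.key gets 0640 and gid 900. The comment this commit removes from kuksa-val_git.bb flagged that as a development convenience to be revisited, and nothing in the new recipe carries the caveat over. Both private keys are also checked into the layer through SRC_URI, so they cannot authenticate anything beyond a demo image. I would add a comment above the client install lines, for example `# NOTE: Client.key is world-readable for client development convenience and both keys are public in this layer; replace via RPROVIDES for production.`, or tighten the mode if the clients can share a group.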
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem
new file mode 100644
index 000000000..55e344094
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key
new file mode 100644
index 000000000..769502a6b
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem
new file mode 100644
index 000000000..f0134f152
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key
new file mode 100644
index 000000000..602a8e0d8
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem
new file mode 100644
index 000000000..d7e9571aa
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
deleted file mode 100644
index 90267df60..000000000
--- a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
-From: Scott Murray <scott.murray@konsulko.com>
-Date: Mon, 11 Jul 2022 16:23:56 -0400
-Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
- certificate
-
-With the newer Python and OpenSSL in Yocto kirkstone, it seems that
-server certificates need to have a valid Subject Alt Name extension
-field, or trying to connect fails with errors of the form:
-
- certificate verify failed: IP address mismatch, certificate is not valid for localhost
-
-To fix this, the generated server certificate should not rely on the
-long deprecated CN field and add the now required extension field.
-To facilitate this, the genCerts.sh script has been enhanced to
-add a Subject Alt Name extension field of "DNS:localhost" (or
-optionally some other hostname) to the server certificate, and to
-also add the commonly used keyUsage and extendedKeyUsage extension
-fields with appropriate values.
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
-index d0ef767..dfb9458 100755
---- a/kuksa_certificates/genCerts.sh
-+++ b/kuksa_certificates/genCerts.sh
-@@ -1,5 +1,11 @@
- #!/bin/sh
-
-+# Optional first argument is server hostname
-+if [ $# -eq 1 ]; then
-+ HOST=$1
-+else
-+ HOST="localhost"
-+fi
-
- genCACert() {
- openssl genrsa -out CA.key 2048
-@@ -10,7 +16,18 @@ genCACert() {
- genCert() {
- openssl genrsa -out $1.key 2048
- openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
-- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+ if [ "$1" = "Server" ]; then
-+ extfile=`mktemp -p .`
-+ cat > $extfile <<-EOF
-+ subjectAltName=DNS:${HOST}
-+ keyUsage=digitalSignature
-+ extendedKeyUsage=serverAuth
-+EOF
-+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
-+ rm -f $extfile
-+ else
-+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+ fi
- openssl verify -CAfile CA.pem $1.pem
- }
-
---
-2.35.3
-
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
deleted file mode 100644
index 857eaf46d..000000000
--- a/recipes-connectivity/kuksa-val/kuksa-val/Server.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8
-q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3
-UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn
-+oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF
-bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo
-sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV
-NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb
-r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s
-3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss
-K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K
-8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk
-YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX
-2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv
-pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB
-f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy
-GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL
-zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM
-21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf
-58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO
-tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49
-LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4
-cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7
-RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj
-E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv
-9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE=
------END RSA PRIVATE KEY-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
deleted file mode 100644
index 514e5a725..000000000
--- a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL
-BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow
-GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM
-DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj
-aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE
-BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy
-dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ
-KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE
-m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj
-pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt
-6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs
-mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS
-9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD
-VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF
-BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa
-1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk
-TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU
-zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4
-ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm
-ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ==
------END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 04f6f4f64..a894f0133 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -14,17 +14,12 @@ DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
require kuksa-val.inc
SRC_URI += "file://kuksa-val.service \
- file://0001-Make-Boost-requirements-more-liberal.patch;striplevel=2 \
- file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;striplevel=2 \
- file://0003-Make-install-locations-configurable.patch;striplevel=2 \
- file://0004-Disable-default-fetch-and-build-of-googletest.patch;striplevel=2 \
- file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;striplevel=2 \
- file://Server.key \
- file://Server.pem \
+ file://0001-Make-Boost-requirements-more-liberal.patch;patchdir=.. \
+ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;patchdir=.. \
+ file://0003-Make-install-locations-configurable.patch;patchdir=.. \
+ file://0004-Disable-default-fetch-and-build-of-googletest.patch;patchdir=.. \
+ file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;patchdir=.. \
"
-# NOTE: Ideally this would be applied, but our S definition makes it problematic:
-# file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;striplevel=?
-#
S = "${WORKDIR}/git/kuksa-val-server"
@@ -32,10 +27,11 @@ inherit cmake pkgconfig systemd useradd
SYSTEMD_SERVICE:${PN} = "kuksa-val.service"
-USERADD_PACKAGES = "${PN}"
+USERADD_PACKAGES = "${PN} ${PN}-server-certificates"
USERADDEXTENSION = "useradd-staticids"
GROUPADD_PARAM:${PN} = "-g 900 kuksa ;"
USERADD_PARAM:${PN} = "--system -g 900 -u 900 -o -d / --shell /bin/nologin kuksa ;"
+GROUPADD_PARAM:${PN}-server-certificates = "-g 900 kuksa ;"
# Configure file locations more along the lines of FHS instead of kuksa.val's
# default locations.
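Review bot: `USERADD_PACKAGES` and the new `GROUPADD_PARAM:${PN}-server-certificates` name a package that this recipe does not define; the split in the next hunk of this file creates `${PN}-certificates-server`. As written, the gid 900 group creation is attached only to `${PN}` and to a non-existent package, so installing the server certificate package on its own would presumably leave the group absent. The names should match the package list: `USERADD_PACKAGES = "${PN} ${PN}-certificates-server"` and `GROUPADD_PARAM:${PN}-certificates-server = "-g 900 kuksa ;"`.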
@@ -55,39 +51,37 @@ do_install:append() {
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
fi
-
- # Install replacement server key + certificate
- # These are AGL specific versions generated using a tweaked
- # genCerts.sh script from the source tree that adds the now
- # required subjectAltName extension field to make python3-ssl
- # happy. This will be addressed with upstream and can hopefully
- # be dropped in the future.
- rm -f ${D}${sysconfdir}/kuksa-val/Server.key
- install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
- rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
- install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
-
- # Restrict server certificate access
- # NOTE: The client certificates are left alone here for client
- # development convenience for now, but this will need to
- # be revisited.
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.key
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.pem
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
}
-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients. Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+# Downstream users can replace these packages with alternates by
+# having their packages set their RPROVIDES to include the desired
+# kuksa-val-certificates-* and explicitly adding their package(s)
+# to an image, they will end up getting priority during rootfs
+# construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"
+
+FILES:${PN}-certificates-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
-FILES:${PN}-client-certificates = " \
+FILES:${PN}-certificates-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RDEPENDS:${PN}-certificates-server += "${PN}-certificates-ca"
+
+FILES:${PN}-certificates-client = " \
${sysconfdir}/kuksa-val/Client.key \
${sysconfdir}/kuksa-val/Client.pem \
- ${sysconfdir}/kuksa-val/CA.pem \
"
+RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"
FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-certificates-server ${PN}-certificates-client"
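Review bot: `RDEPENDS:${PN}-certificate-clients` is misspelled, so the dependency on the CA package lands on a package that does not exist and `${PN}-certificates-client` installs without CA.pem. CA.pem used to live in the client package, so recipes that pull in only kuksa-val-certificates-client (nss-agl-driver-db and cluster-dashboard in this commit) lose the CA file unless another provider brings it. The line should read `RDEPENDS:${PN}-certificates-client += "${PN}-certificates-ca"`. Separately, with the chmod 640 / chgrp 900 steps removed, the default Server.key keeps whatever mode the upstream install gives it, which is not visible here; worth confirming it is not world-readable. do_install:append starts outside the hunk.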
diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
new file mode 100644
index 000000000..7ad5ac182
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
@@ -0,0 +1,109 @@
+From 101550383386f465e689aa846826b58aa72cf793 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 24 Apr 2023 15:49:32 -0400
+Subject: [PATCH] kuksa_viss_client: Add external certificates support
+
+Tweak the definition of __certificate_dir__ in the kuksa_certificates
+package, and certificate location logic in the client library to allow
+picking up alternative certificates from /etc/kuksa-certificates or
+/etc/kuksa-val before falling back to the shipped defaults. The
+intent is to allow packagers to more straighhtforwardly use their own
+certificates with both the server and clients.
+
+Upstream-Status: pending
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/__init__.py | 7 ++++++-
+ kuksa_viss_client/KuksaGrpcComm.py | 10 +++++-----
+ kuksa_viss_client/KuksaWsComm.py | 10 +++++-----
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/kuksa_certificates/__init__.py b/kuksa_certificates/__init__.py
+index 5f05b75..ac60bc3 100644
+--- a/kuksa_certificates/__init__.py
++++ b/kuksa_certificates/__init__.py
+@@ -2,4 +2,9 @@ import os
+
+ from kuksa_viss_client._metadata import *
+
+-__certificate_dir__= os.path.dirname(os.path.realpath(__file__))
++if os.path.isdir("/etc/kuksa-certificates"):
++ __certificate_dir__= "/etc/kuksa-certificates"
++elif os.path.isdir("/etc/kuksa-val"):
++ __certificate_dir__= "/etc/kuksa-val"
++else:
++ __certificate_dir__= os.path.dirname(os.path.realpath(__file__))
+diff --git a/kuksa_viss_client/KuksaGrpcComm.py b/kuksa_viss_client/KuksaGrpcComm.py
+index 1f55754..e425e7e 100644
+--- a/kuksa_viss_client/KuksaGrpcComm.py
++++ b/kuksa_viss_client/KuksaGrpcComm.py
+@@ -28,22 +28,22 @@ import uuid, time, threading
+
+ from . import kuksa_pb2
+ from . import kuksa_pb2_grpc
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaGrpcComm:
+
+ # Constructor
+ def __init__(self, config):
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
+- self.tokenfile = config.get('token', os.path.join(scriptDir, "../kuksa_certificates/jwt/all-read-write.json.token"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
++ self.tokenfile = config.get('token', os.path.join(__certificate_dir__, "jwt/all-read-write.json.token"))
+ self.grpcConnected = False
+
+ self.subscriptionCallbacks = {}
+diff --git a/kuksa_viss_client/KuksaWsComm.py b/kuksa_viss_client/KuksaWsComm.py
+index b0d4cc1..b85b573 100644
+--- a/kuksa_viss_client/KuksaWsComm.py
++++ b/kuksa_viss_client/KuksaWsComm.py
+@@ -20,22 +20,22 @@
+
+ import json, queue, time, uuid, os, ssl
+ import asyncio, websockets
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaWsComm:
+
+ # Constructor
+ def __init__(self, config):
+
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
+ self.wsConnected = False
+
+ self.subscriptionCallbacks = {}
+@@ -254,4 +254,4 @@ class KuksaWsComm:
+ await self._msgHandler(ws)
+ except OSError as e:
+ print("Disconnected!! " + str(e))
+- pass
+\ No newline at end of file
++ pass
+--
+2.39.2
+
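Review bot: The new `__certificate_dir__` selection in kuksa_certificates/__init__.py tests only `os.path.isdir(...)`, so an /etc/kuksa-val that holds just the server or CA package makes every client default (Client.pem, Client.key, and in KuksaGrpcComm the `jwt/all-read-write.json.token` path) point at files that may not exist there, with no fallback to the shipped copies. Selecting the directory on a file the client actually needs would make the fallback reliable, e.g. `if os.path.isfile("/etc/kuksa-certificates/CA.pem"):` and `elif os.path.isfile("/etc/kuksa-val/CA.pem"):`. Whether the jwt token is installed under /etc/kuksa-val is not visible in this commit, so that default deserves a check as well. A short comment stating the lookup order would also help, since the two /etc paths are otherwise undocumented in the code.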
diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb b/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb
index 2a4026bd6..7cefeb018 100644
--- a/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb
@@ -13,7 +13,9 @@ DEPENDS = " \
require kuksa-val.inc
-SRC_URI += "file://0001-kuksa_viss_client-Update-cmd2-completer-usage.patch;striplevel=2"
+SRC_URI += "file://0001-kuksa_viss_client-Update-cmd2-completer-usage.patch;patchdir=.. \
+ file://0002-kuksa_viss_client-Add-external-certificates-support.patch;patchdir=.. \
+"
S = "${WORKDIR}/git/kuksa_viss_client"
diff --git a/recipes-core/nss/nss-agl-driver-db_git.bb b/recipes-core/nss/nss-agl-driver-db_git.bb
index c32ba71d2..2426c4090 100644
--- a/recipes-core/nss/nss-agl-driver-db_git.bb
+++ b/recipes-core/nss/nss-agl-driver-db_git.bb
@@ -29,4 +29,4 @@ do_install() {
FILES:${PN} += "${systemd_system_unitdir} ${sbindir}"
-RDEPENDS:${PN} += "nss agl-session kuksa-val-client-certificates bash"
+RDEPENDS:${PN} += "nss agl-session kuksa-val-certificates-client bash"
diff --git a/recipes-demo/cluster-dashboard/cluster-dashboard_git.bb b/recipes-demo/cluster-dashboard/cluster-dashboard_git.bb
index b28e64873..dd4633822 100644
--- a/recipes-demo/cluster-dashboard/cluster-dashboard_git.bb
+++ b/recipes-demo/cluster-dashboard/cluster-dashboard_git.bb
@@ -56,5 +56,5 @@ RDEPENDS:${PN} += " \
qtquickcontrols2-qmlplugins \
qtgraphicaleffects-qmlplugins \
qtsvg-plugins \
- kuksa-val-client-certificates \
+ kuksa-val-certificates-client \
"
diff --git a/recipes-platform/images/agl-cluster-demo-platform-flutter.bb b/recipes-platform/images/agl-cluster-demo-platform-flutter.bb
index a0314f2f4..735bb3145 100644
--- a/recipes-platform/images/agl-cluster-demo-platform-flutter.bb
+++ b/recipes-platform/images/agl-cluster-demo-platform-flutter.bb
@@ -12,6 +12,7 @@ IMAGE_FEATURES += "splash package-management ssh-server-openssh"
IMAGE_KUKSA_PACKAGES = " \
kuksa-val \
kuksa-val-agl \
+ kuksa-certificates-agl \
kuksa-dbc-feeder \
kuksa-vss-init \
"
diff --git a/recipes-platform/packagegroups/packagegroup-agl-ivi-services.bb b/recipes-platform/packagegroups/packagegroup-agl-ivi-services.bb
index b2cc48885..0b1cf5765 100644
--- a/recipes-platform/packagegroups/packagegroup-agl-ivi-services.bb
+++ b/recipes-platform/packagegroups/packagegroup-agl-ivi-services.bb
@@ -10,6 +10,7 @@ PACKAGES = "\
RDEPENDS:${PN} += "\
kuksa-val \
kuksa-val-agl \
+ kuksa-certificates-agl \
kuksa-dbc-feeder \
kuksa-vss-init \
agl-service-hvac \