authorRoger Zanoni <rzanoni@igalia.com>2023-02-13 21:29:09 +0100
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2023-03-23 10:19:35 +0000
commit99356a43e5ee3ae662af83e4ae6e0e11ef1aa39e (patch)
treee161c57cf450b91eda90c0b9c33de0468831fc77
parentf9004968a0e9f3e5fc075c4df474f9fa33225e6d (diff)
kuksa-val: Add root CA certificate to agl-driver nssdb
This change is needed by chromium to fix the ERR_CERT_AUTHORITY_INVALID issued when trying to connect to kuksa.val server using a secure connection. chromium is shipped with a read-only database containing trusted CA certs and also uses a local nss database (stored on the user home directory) that can be managed by the nss command line tools. This change adds the kuksa root CA to agl-driver's nssdb that can be loaded by chromium and used to perform validation. v2 (jsmoeller): Use separate package for pki db in agl-driver home. Bug-AGL: SPEC-4599 Signed-off-by: Roger Zanoni <rzanoni@igalia.com> Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Change-Id: I074d48fedfadaddd9a894b478839e16fa4757b5e
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val_git.bb9
1 files changed, 7 insertions, 2 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 04f6f4f64..2c1966ff6 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://../LICENSE;md5=2b42edef8fa55315f34f2370b4715ca9 \
file://3rd-party-libs/turtle/LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c \
file://3rd-party-libs/jwt-cpp/LICENSE;md5=8325a5ce4414c65ffdda392e0d96a9ff"
-DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
+DEPENDS = "boost openssl mosquitto nss protobuf-native grpc-native grpc"
require kuksa-val.inc
@@ -77,6 +77,11 @@ do_install:append() {
chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
}
+pkg_postinst_ontarget:${PN}-client-certificates () {
+ certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i ${sysconfdir}/kuksa-val/CA.pem
+ chown agl-driver:agl-driver -R /home/agl-driver/.pki/
+}
+
# Put client certificates into their own package so we can avoid
# duplicates of them for e.g. cluster clients. Longer term this
# will need to be revisited.
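Review bot: The `C` flag in `-t "pC,,"` on the certutil line makes KuksaRootCA a trust anchor for every TLS server certificate that Chromium validates as agl-driver, not only for the kuksa.val server. NSS trust flags cannot restrict a CA to one hostname, so this is only as safe as the custody of the private key behind `${sysconfdir}/kuksa-val/CA.pem`. Where that file comes from is not visible in this hunk; if it is a sample CA from the upstream source tree rather than a per-deployment one, anyone holding its key could issue certificates this browser profile accepts for any site. I would record that constraint next to the command, for example `# Trusts CA.pem for all TLS server auth in agl-driver's Chromium profile; CA.pem must be a deployment-specific CA before production use`.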
@@ -90,4 +95,4 @@ FILES:${PN}-client-certificates = " \
FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-client-certificates nss-agl-driver-db"
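Review bot: The runtime dependency on `nss-agl-driver-db` is added to `${PN}`, but the scriptlet that needs it is declared as `pkg_postinst_ontarget:${PN}-client-certificates` in the previous hunk. The comment there says that package is split out so other clients can install it without the server; in that case the postinst would run with no nssdb package, and possibly no `certutil`, on the target. The `nss` added to `DEPENDS` in the first hunk is a build-time dependency only and does not put the tool on the image. Consider `RDEPENDS:${PN}-client-certificates += "nss nss-agl-driver-db"` (assuming certutil is packaged in `nss`, which is not visible here), or move the postinst to a package that is only installed alongside Chromium.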