authorScott Murray <scott.murray@konsulko.com>2023-04-24 18:01:29 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2023-04-27 09:55:35 +0000
commit0df051c31b1c8687441d06e66750804c115db0bd (patch)
tree17405e2e6c2eb1c07333a89508bfec1562cd44e4 /recipes-connectivity/kuksa-val/kuksa-viss-client
parente8aae0c2439c4e060149ffba014fd76e99fad5a1 (diff)
kuksa-val: Rework to support updated SSL certificates
Changes: - Tweak the kuksa-val recipe to remove installing a newer server certificate (since it will be done elsewhere), and to split the certificates up into finer grained packages to ease installing them piecemeal and replacing them with other packages. - Remove the unused genCerts.sh certificate script patch from the kuksa-val recipe, an updated patch will be added in the near future. - Add a patch in the kuksa-viss-client recipe that enables the library to use certificates installed in /etc/kuksa-certificates or /etc/kuksa-val instead of the default ones that are shipped. - Add kuksa-certificates-agl recipe that installs AGL specific CA, server, and client certificates plus the required server and client keys to act as a replacement for the default ones shipped with KUKSA.val. The kuksa-certificates-agl name is used to avoid needing a rename with a future switch to kuksa-databroker. Note that the RPROVIDES variable is used for the various certificate packages to make them installable alternatives to the kuksa-val-certificates-* ones. The certificates installed are valid for 1 year and have AGL as the providing organization, longer validity ones will be added in follow up commits for Octopus and Pike. - Update the existing users of kuksa-val-*-certificates with the new kuksa-val-certificates-* package names. - Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-* packages to quiet the BitBake warnings coming from having multiple providers. Bug-AGL: SPEC-4763 Change-Id: I00031ada2401cd5b92419de5c7b1af8944c34e9d Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-viss-client')
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch109
1 files changed, 109 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
new file mode 100644
index 000000000..7ad5ac182
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
@@ -0,0 +1,109 @@
+From 101550383386f465e689aa846826b58aa72cf793 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 24 Apr 2023 15:49:32 -0400
+Subject: [PATCH] kuksa_viss_client: Add external certificates support
+
+Tweak the definition of __certificate_dir__ in the kuksa_certificates
+package, and certificate location logic in the client library to allow
+picking up alternative certificates from /etc/kuksa-certificates or
+/etc/kuksa-val before falling back to the shipped defaults. The
+intent is to allow packagers to more straighhtforwardly use their own
+certificates with both the server and clients.
+
+Upstream-Status: pending
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/__init__.py | 7 ++++++-
+ kuksa_viss_client/KuksaGrpcComm.py | 10 +++++-----
+ kuksa_viss_client/KuksaWsComm.py | 10 +++++-----
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/kuksa_certificates/__init__.py b/kuksa_certificates/__init__.py
+index 5f05b75..ac60bc3 100644
+--- a/kuksa_certificates/__init__.py
++++ b/kuksa_certificates/__init__.py
+@@ -2,4 +2,9 @@ import os
+
+ from kuksa_viss_client._metadata import *
+
+-__certificate_dir__= os.path.dirname(os.path.realpath(__file__))
++if os.path.isdir("/etc/kuksa-certificates"):
++ __certificate_dir__= "/etc/kuksa-certificates"
++elif os.path.isdir("/etc/kuksa-val"):
++ __certificate_dir__= "/etc/kuksa-val"
++else:
++ __certificate_dir__= os.path.dirname(os.path.realpath(__file__))
+diff --git a/kuksa_viss_client/KuksaGrpcComm.py b/kuksa_viss_client/KuksaGrpcComm.py
+index 1f55754..e425e7e 100644
+--- a/kuksa_viss_client/KuksaGrpcComm.py
++++ b/kuksa_viss_client/KuksaGrpcComm.py
+@@ -28,22 +28,22 @@ import uuid, time, threading
+
+ from . import kuksa_pb2
+ from . import kuksa_pb2_grpc
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaGrpcComm:
+
+ # Constructor
+ def __init__(self, config):
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
+- self.tokenfile = config.get('token', os.path.join(scriptDir, "../kuksa_certificates/jwt/all-read-write.json.token"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
++ self.tokenfile = config.get('token', os.path.join(__certificate_dir__, "jwt/all-read-write.json.token"))
+ self.grpcConnected = False
+
+ self.subscriptionCallbacks = {}
+diff --git a/kuksa_viss_client/KuksaWsComm.py b/kuksa_viss_client/KuksaWsComm.py
+index b0d4cc1..b85b573 100644
+--- a/kuksa_viss_client/KuksaWsComm.py
++++ b/kuksa_viss_client/KuksaWsComm.py
+@@ -20,22 +20,22 @@
+
+ import json, queue, time, uuid, os, ssl
+ import asyncio, websockets
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaWsComm:
+
+ # Constructor
+ def __init__(self, config):
+
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
+ self.wsConnected = False
+
+ self.subscriptionCallbacks = {}
+@@ -254,4 +254,4 @@ class KuksaWsComm:
+ await self._msgHandler(ws)
+ except OSError as e:
+ print("Disconnected!! " + str(e))
+- pass
+\ No newline at end of file
++ pass
+--
+2.39.2
+
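Review bot: The new `__certificate_dir__` selection in `kuksa_certificates/__init__.py` (the `if os.path.isdir(...)` chain) abandons the shipped defaults as soon as either system directory exists, without checking that it actually contains the files the clients then resolve under it (`CA.pem`, `Client.pem`, `Client.key`, and in KuksaGrpcComm also `jwt/all-read-write.json.token`). A partially populated `/etc/kuksa-val` therefore disables the fallback entirely, and the client will presumably only fail later when it opens a missing file, far from the point where the decision was made. Gating on the trust root instead, e.g. `if os.path.isfile("/etc/kuksa-certificates/CA.pem"):` and `elif os.path.isfile("/etc/kuksa-val/CA.pem"):`, keeps the fallback meaningful, and a comment such as `# system-installed certificates take precedence over the ones shipped with the package` would make the precedence explicit. The directory is chosen once at import time, and the gRPC client's default token path now also resolves under the system directory, which the patch description only mentions for certificates; the inner hunks cut through both `__init__` bodies, which continue outside them.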