author | Scott Murray <scott.murray@konsulko.com> | 2023-04-24 18:01:29 -0400 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2023-04-27 09:55:35 +0000 |
commit | 0df051c31b1c8687441d06e66750804c115db0bd (patch) | |
tree | 17405e2e6c2eb1c07333a89508bfec1562cd44e4 /recipes-connectivity/kuksa-val/kuksa-viss-client | |
parent | e8aae0c2439c4e060149ffba014fd76e99fad5a1 (diff) |
kuksa-val: Rework to support updated SSL certificates
Changes:
- Tweak the kuksa-val recipe to remove installing a newer server
certificate (since it will be done elsewhere), and to split the
certificates up into finer grained packages to ease installing
them piecemeal and replacing them with other packages.
- Remove the unused genCerts.sh certificate script patch from the
kuksa-val recipe, an updated patch will be added in the near
future.
- Added a patch in the kuksa-viss-client recipe that enables the
library to use certificates installed in /etc/kuksa-certificates or
/etc/kuksa-val instead of the default ones that are shipped.
- Add kuksa-certificates-agl recipe that installs AGL specific CA,
server, and client certificates plus the required server and client
keys to act as a replacement for the default ones shipped with
KUKSA.val. The kuksa-certificates-agl name is used to avoid needing
a rename with a future switch to kuksa-databroker. Note that the
RPROVIDES variable is used for the various certificate packages to
make them installable alternatives to the kuksa-val-certificates-*
ones. The certificates installed are valid for 1 year and have
AGL as the providing organization, longer validity ones will be
added in follow up commits for Octopus and Pike.
- Update the existing users of kuksa-val-*-certificates with the new
kuksa-val-certificates-* package names.
- Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-*
packages to quiet the BitBake warnings coming from having multiple
providers.
Bug-AGL: SPEC-4763
Change-Id: I00031ada2401cd5b92419de5c7b1af8944c34e9d
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-viss-client')
-rw-r--r-- | recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
new file mode 100644
index 000000000..7ad5ac182
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
@@ -0,0 +1,109 @@
+From 101550383386f465e689aa846826b58aa72cf793 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 24 Apr 2023 15:49:32 -0400
+Subject: [PATCH] kuksa_viss_client: Add external certificates support
+
+Tweak the definition of __certificate_dir__ in the kuksa_certificates
+package, and certificate location logic in the client library to allow
+picking up alternative certificates from /etc/kuksa-certificates or
+/etc/kuksa-val before falling back to the shipped defaults. The
+intent is to allow packagers to more straighhtforwardly use their own
+certificates with both the server and clients.
+
+Upstream-Status: pending
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/__init__.py | 7 ++++++-
+ kuksa_viss_client/KuksaGrpcComm.py | 10 +++++-----
+ kuksa_viss_client/KuksaWsComm.py | 10 +++++-----
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/kuksa_certificates/__init__.py b/kuksa_certificates/__init__.py
+index 5f05b75..ac60bc3 100644
+--- a/kuksa_certificates/__init__.py
++++ b/kuksa_certificates/__init__.py
+@@ -2,4 +2,9 @@ import os
+
+ from kuksa_viss_client._metadata import *
+
+-__certificate_dir__= os.path.dirname(os.path.realpath(__file__))
++if os.path.isdir("/etc/kuksa-certificates"):
++ __certificate_dir__= "/etc/kuksa-certificates"
++elif os.path.isdir("/etc/kuksa-val"):
++ __certificate_dir__= "/etc/kuksa-val"
++else:
++ __certificate_dir__= os.path.dirname(os.path.realpath(__file__))
+diff --git a/kuksa_viss_client/KuksaGrpcComm.py b/kuksa_viss_client/KuksaGrpcComm.py
+index 1f55754..e425e7e 100644
+--- a/kuksa_viss_client/KuksaGrpcComm.py
++++ b/kuksa_viss_client/KuksaGrpcComm.py
+@@ -28,22 +28,22 @@ import uuid, time, threading
+
+ from . import kuksa_pb2
+ from . import kuksa_pb2_grpc
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaGrpcComm:
+
+ # Constructor
+ def __init__(self, config):
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
+- self.tokenfile = config.get('token', os.path.join(scriptDir, "../kuksa_certificates/jwt/all-read-write.json.token"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
++ self.tokenfile = config.get('token', os.path.join(__certificate_dir__, "jwt/all-read-write.json.token"))
+ self.grpcConnected = False
+
+ self.subscriptionCallbacks = {}
+diff --git a/kuksa_viss_client/KuksaWsComm.py b/kuksa_viss_client/KuksaWsComm.py
+index b0d4cc1..b85b573 100644
+--- a/kuksa_viss_client/KuksaWsComm.py
++++ b/kuksa_viss_client/KuksaWsComm.py
+@@ -20,22 +20,22 @@
+
+ import json, queue, time, uuid, os, ssl
+ import asyncio, websockets
++from kuksa_certificates import __certificate_dir__
+
+ class KuksaWsComm:
+
+ # Constructor
+ def __init__(self, config):
+
+- scriptDir= os.path.dirname(os.path.realpath(__file__))
+ self.serverIP = config.get('ip', "127.0.0.1")
+ self.serverPort = config.get('port', 8090)
+ try:
+ self.insecure = config.getboolean('insecure', False)
+ except AttributeError:
+ self.insecure = config.get('insecure', False)
+- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem"))
+- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem"))
+- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key"))
++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem"))
++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem"))
++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key"))
+ self.wsConnected = False
+
+ self.subscriptionCallbacks = {}
+@@ -254,4 +254,4 @@ class KuksaWsComm:
+ await self._msgHandler(ws)
+ except OSError as e:
+ print("Disconnected!! " + str(e))
+- pass
+\ No newline at end of file
++ pass
+--
+2.39.2
+
|
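Review bot: The directory selection added to `kuksa_certificates/__init__.py` keys on `os.path.isdir` alone, so a `/etc/kuksa-certificates` or `/etc/kuksa-val` directory that exists but does not hold `CA.pem`, `Client.pem` and `Client.key` still wins over the shipped defaults, and every client default path then points at a missing file with no fallback; testing for the expected file instead, e.g. `if os.path.isfile("/etc/kuksa-certificates/CA.pem"):` and the matching `elif os.path.isfile("/etc/kuksa-val/CA.pem"):`, would keep the fallback meaningful. The gRPC token default in `KuksaGrpcComm.py` also moves to `__certificate_dir__/jwt/all-read-write.json.token`, which presumably only resolves if the external certificate package ships a `jwt/` tree — the commit message lists CA, server and client certificates and keys but no tokens, so that one default may want to stay anchored to the shipped package directory. Both `__init__` bodies continue past the end of their inner hunks.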