author | Scott Murray <scott.murray@konsulko.com> | 2023-04-24 18:01:29 -0400 |
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2023-04-27 09:56:24 +0000 |
commit | 2abc36aa3020a5e9fc1597ffdc1749eda2121036 (patch) | |
tree | 946624076b6779b20465cb462c7a4d233321913b /recipes-connectivity | |
parent | bd52c7c7c182e5a5ff719f07f11e29fb2cd56eac (diff) |
kuksa-val: Rework to support updated SSL certificates
Changes:
- Tweak the kuksa-val recipe to remove installing a newer server
certificate (since it will be done elsewhere), and to split the
certificates up into finer grained packages to ease installing
them piecemeal and replacing them with other packages.
- Remove the unused genCerts.sh certificate script patch from the
kuksa-val recipe, an updated patch will be added in the near
future.
- Added a patch in the kuksa-viss-client recipe that enables the
library to use certificates installed in /etc/kuksa-certificates or
/etc/kuksa-val instead of the default ones that are shipped.
- Add kuksa-certificates-agl recipe that installs AGL specific CA,
server, and client certificates plus the required server and client
keys to act as a replacement for the default ones shipped with
KUKSA.val. The kuksa-certificates-agl name is used to avoid needing
a rename with a future switch to kuksa-databroker. Note that the
RPROVIDES variable is used for the various certificate packages to
make them installable alternatives to the kuksa-val-certificates-*
ones. The certificates installed are valid for 1 year and have
AGL as the providing organization, longer validity ones will be
added in follow up commits for Octopus and Pike.
- Update the existing users of kuksa-val-*-certificates with the new
kuksa-val-certificates-* package names.
- Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-*
packages to quiet the BitBake warnings coming from having multiple
providers.
Bug-AGL: SPEC-4763
Change-Id: Ic6f1ca8b54f637674cd5ae42df0bed6ca4e729aa
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'recipes-connectivity')
12 files changed, 339 insertions, 153 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
new file mode 100644
index 000000000..7caa2ebf2
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
@@ -0,0 +1,58 @@
+SUMMARY = "AGL certificates for KUKSA.val, the KUKSA Vehicle Abstraction Layer"
+HOMEPAGE = "https://github.com/eclipse/kuksa.val"
+BUGTRACKER = "https://github.com/eclipse/kuksa.val/issues"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://CA.pem \
+ file://Client.key \
+ file://Client.pem \
+ file://Server.key \
+ file://Server.pem \
+"
+
+inherit allarch useradd
+
+USERADD_PACKAGES = "${PN}-server"
+USERADDEXTENSION = "useradd-staticids"
+GROUPADD_PARAM:${PN}-server = "-g 900 kuksa ;"
+
+do_install() {
+ # Install replacement CA certificate, server key + certificate,
+ # and client key + certificate.
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script to have different expiry dates than the
+ # upstream defaults, and use AGL as the organization.
+ install -d ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/CA.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.pem ${D}${sysconfdir}/kuksa-val/
+}
+
+PACKAGE_BEFORE_PN += "${PN}-ca ${PN}-server ${PN}-client"
+
+FILES:${PN}-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
+RPROVIDES:${PN}-ca += "kuksa-val-certificates-ca"
+
+FILES:${PN}-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RPROVIDES:${PN}-server += "kuksa-val-certificates-server"
+RDEPENDS:${PN}-server += "${PN}-ca"
+
+FILES:${PN}-client = " \
+ ${sysconfdir}/kuksa-val/Client.key \
+ ${sysconfdir}/kuksa-val/Client.pem \
+"
+RPROVIDES:${PN}-client += "kuksa-val-certificates-client"
+RDEPENDS:${PN}-client += "${PN}-ca"
+
+ALLOW_EMPTY:${PN} = "1"
+
+RDEPENDS:${PN} += "kuksa-val ${PN}-ca ${PN}-server ${PN}-client"
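Review bot: Client.key is installed with mode 0644 in do_install, so the client private key is world-readable on the target while Server.key gets 0640 with group 900, and the comment that used to record leaving client certificates open "for client development convenience" (deleted from kuksa-val_git.bb in this same commit) is not carried over, so the asymmetry now reads as accidental. Either tighten it for deployments where clients run in the kuksa group, `install -m 0640 -g 900 ${WORKDIR}/Client.key ${D}${sysconfdir}/kuksa-val/`, or restore the rationale as a comment beside the install line. All five files, including Server.key and Client.key, are checked into this layer in clear, so these credentials are effectively public and the recipe should say so, e.g. `# NOTE: These keys are checked into the layer and are development defaults only; production images must replace these packages via the RPROVIDES mechanism.` If I read the base64 correctly, Server.pem and Client.pem carry a 2023-04-24 to 2024-04-23 validity, so a build after that date ships already-expired certificates with no warning from this recipe; a comment with the expiry date next to SRC_URI would at least make that discoverable.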
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem new file mode 100644 index 000000000..55e344094 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/CA.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2TCCAsECFF8Fc0+krnLo4rK6tD8ZS5JVGX3kMA0GCSqGSIb3DQEBCwUAMIGo +MQswCQYDVQQGEwJDQTETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu +IEZyYW5jaXNjbzEZMBcGA1UECgwQTGludXggRm91bmRhdGlvbjEVMBMGA1UEAwwM +bG9jYWxob3N0LWNhMTowOAYJKoZIhvcNAQkBFithZ2wtZGV2LWNvbW11bml0eUBs +aXN0cy5hdXRvbW90aXZlbGludXgub3JnMB4XDTIzMDQyNDIwMzAyMloXDTMzMDQy +MTIwMzAyMlowgagxCzAJBgNVBAYTAkNBMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw +FAYDVQQHDA1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eCBGb3VuZGF0aW9u +MRUwEwYDVQQDDAxsb2NhbGhvc3QtY2ExOjA4BgkqhkiG9w0BCQEWK2FnbC1kZXYt +Y29tbXVuaXR5QGxpc3RzLmF1dG9tb3RpdmVsaW51eC5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDmBHNxOpBfmYo8bc0omNuKDnnZuhB4JTbgmblN +XCiPECdgVgSAD99YAaY/+LFKsUfwv0hMU45HcRPTN8CmijGFPMP9dmP6xZ6aCwPw +gwCE8lTwiFp/L0BNySVhXwakCqhqssCNvmBXpJf+J+7MYXYInieBotetlAEPMV6B +fcfJZxC00YVKlQX6vKQsxQB8LlSj57UwyjS0zYIhm3G5rAYLaEokgttbBDB5XKL2 +6D0yvqsdUoJygAeouq6PME8SiAY91ZwIwfL3BJyNoNnxxyJ7iRj28dmoetvtNQCl +DrU82GG/hUeFF5KnLj65yHOrLiRlquHKgIG+XOvfp7WfXbstAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBAN+rVHBSJDYk6soCcd6a+zonWOiHJxw5JRbdWE56F1wvS5fv +CFLlJ01JeaXdVdISh4/zk1sFnsGQ1NRv8C/LffciNpDpKugJgKcA1BYWECj0J9h9 +yR6Nw/Ifx3ovTJi9Rm6uYoH2shNbfX0H1HUZjLzMDZJUVdwI2bkekbYmJXI6XIAP +3p4PFs0rH37z+ioIw10ubKdFjGMIW6vYcfWV6L/ybrh+dZ5GDkNncSaspMzf79PC +7sAs9/RQkp92bmvygKkXO7zNBGjPF8osoY1rv9D201Ux1gJtfn3qde0LgdvOMoq8 +scN3iO1TU2pFNhxgcCkFkLmUHSceWK4l/Bxj1kM= +-----END CERTIFICATE----- diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key new file mode 100644 index 000000000..769502a6b --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC3wZbCVTustZcM +NNTEP2clEm6WVQSJcYOU/A5gJoXaKOR4L0jLsH6n9REcEXfEQn1ZIgVgsasu984P +DQYe7FSOp9PcIb9HuxrCPJQJ4xXWM7b6LDgatE2TBBHyMecDToWr8JIsywZ/0q2Q +ucbLuUCOH6A58+EBDAbMpicJFB2l5RK1mZwCGXaWc4L/mMvNjRX6oO4QcoXDSnaS +XK6nymKBlZRhGo0YN3FIpxLLkkK1qjCDC/asUAHoU7w3AZNpN8VzXtIeqEXF+wlu +Rljpt9XnVcNMaGIbdOzLJdyAt975O/yqlhJqPG2T4Nn3Gt7+F7gAuZl28mTO6lTC +A7rViRw5AgMBAAECggEAERwGO6i4PlXnnyg1peKx6cigMaDvo9UFD4yTEZaQqL4d +PMgJTwbrWhvmSI7jUAuxVGjnp4fPdLd30RyxNNSkMGa1wiXFw8nq/Uoq7gs9+6Rz +zXIr1Ke0X+OVgK+vDvajGV30XFWYkLMG/GZh2VLxzPHqpy67JO/v26L+WDjuZEVq +OxIWJVfVqNFGPoL7EdyneUF3PHtKsCnaoz2Q0X0HbgKodItrYbxeXjgu0NQNXRw3 +fN675z0lR1dMeqR4YqO66Hsdchn64DzSP3MUj8RAXaJsoj4PtFcFCzbqTendaHQi +1xymao72MFrBUTmzC0hkhi8H4h9ztdGe3fEL5aiTEQKBgQDSuNh+GGxbZrMSFRr2 +BHGGpNRSmCTc9apn8mBkz8BerLnolYxraipsYSlToUZkTQzj7lAx8RtlbAGu3DAY +I8k2DURK/Bw7heN8Rd90X8/xn/9hj/A8U6rKGLxKyY3soy0MWdFbyiihVttuMLf7 +bw+SdGoGFkfWv/B5knJMBHlpaQKBgQDfPW/smxAmo3GsKCL+awOqEA+TEN44jkEJ +n5VrEBbFoT4CaIP/c1aSzMv17GKWqwsC9gXRr242IeDBmJh6Llu8tutJfgRt4O9r +SmwVekKWchXfp7nfsThdmVpILK0tNWFz0OW1OhR4Gtpm4g7+TeMoZyTOtTZ+q+gj +n/Z2JP5yUQKBgQCWYv1+4IdUo/Lg0NcxBPLQmQo+9/43A8zd6okI6YvtBXCYoUJZ +1qb4Ok94M/080BCHCymIuv5GX9LDrLlWQRP003sN2Od9Q4yawHM9ZrPNSdbFFijp +pPyaxxR6e2YioEIiMmfMDnb4zjhEZ9imRRjj+NlCBty2Ur2Yxf90aS0NIQKBgGiw +mSJufZ6BG7fOgsqpSOih64veZzhCjgGDU0EIJIW93iSm+u/7GOhzHltP5dQelmVn +FseE67x7GrnvY+I4h1Dyv1iRvmYBDIZWOmXAFiYTjmp6b9KVe4d5eTtLqFMBK5hy +qKbae+rvPOjurnVX9WVnKX2+wbWZzJ2YUK6LHsBhAoGBAIyJNNkybkZfXJ/nv03h +Z33paK80nptjTI/aXVg6tsRQK0Sz0jucQVI9/zhsMpUnDkwRNvfLoU6hwN+lSbmd +27/pjztXGcT9UdWoeA6YMxSfZAzzoq3Q4XJ2g7QwNjH89JwV3uoLxvy5LTzMgFDY +TaY6xdM2TvEPN13mqTbs9Olg +-----END PRIVATE KEY----- diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem new file mode 100644 index 000000000..f0134f152 --- /dev/null 
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Client.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIUZsoE7a5zcY96l9fWgANt2eueQ+UwDQYJKoZIhvcNAQEL +BQAwgagxCzAJBgNVBAYTAkNBMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH +DA1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eCBGb3VuZGF0aW9uMRUwEwYD +VQQDDAxsb2NhbGhvc3QtY2ExOjA4BgkqhkiG9w0BCQEWK2FnbC1kZXYtY29tbXVu +aXR5QGxpc3RzLmF1dG9tb3RpdmVsaW51eC5vcmcwHhcNMjMwNDI0MjAzMDIzWhcN +MjQwNDIzMjAzMDIzWjCBojELMAkGA1UEBhMCQ0ExEzARBgNVBAgMCkNhbGlmb3Ju +aWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGTAXBgNVBAoMEExpbnV4IEZvdW5k +YXRpb24xDzANBgNVBAMMBkNsaWVudDE6MDgGCSqGSIb3DQEJARYrYWdsLWRldi1j +b21tdW5pdHlAbGlzdHMuYXV0b21vdGl2ZWxpbnV4Lm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALfBlsJVO6y1lww01MQ/ZyUSbpZVBIlxg5T8DmAm +hdoo5HgvSMuwfqf1ERwRd8RCfVkiBWCxqy73zg8NBh7sVI6n09whv0e7GsI8lAnj +FdYztvosOBq0TZMEEfIx5wNOhavwkizLBn/SrZC5xsu5QI4foDnz4QEMBsymJwkU +HaXlErWZnAIZdpZzgv+Yy82NFfqg7hByhcNKdpJcrqfKYoGVlGEajRg3cUinEsuS +QrWqMIML9qxQAehTvDcBk2k3xXNe0h6oRcX7CW5GWOm31edVw0xoYht07Msl3IC3 +3vk7/KqWEmo8bZPg2fca3v4XuAC5mXbyZM7qVMIDutWJHDkCAwEAAaOCAQ4wggEK +MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNVHQ4EFgQUDzUw+UO3LXFmQE7IcO/c +JDjSXoowgdIGA1UdIwSByjCBx6GBrqSBqzCBqDELMAkGA1UEBhMCQ0ExEzARBgNV +BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGTAXBgNVBAoM +EExpbnV4IEZvdW5kYXRpb24xFTATBgNVBAMMDGxvY2FsaG9zdC1jYTE6MDgGCSqG +SIb3DQEJARYrYWdsLWRldi1jb21tdW5pdHlAbGlzdHMuYXV0b21vdGl2ZWxpbnV4 +Lm9yZ4IUXwVzT6Sucujisrq0PxlLklUZfeQwDQYJKoZIhvcNAQELBQADggEBAJIm +HInhtZUtYxt/Q3p1HtiH3GEIkc4DZMmEef4wq4/A210y9nwxrOaDXlVlz6WWRsAl +ZpEqbLvXOM/uvh1oyyfi5xMm2cm4VytLb+NtflmFvnQj3hD1O0XSf0Vwx844aQgb +5LYq2GLXXkW5afGTtGGOg8vmNg6kkjheySqRbyebkF46BGOmB/+XRD7pzfil4eTd +Qnweso2UkGnboKpwBYLubEmhJmmX4sHeJnzzjJXkeco5uGnXfSVzYzDgco4/6JSv +p1IjGNww5D1lPZfqTnSgRqoQyUXoMdSD5Q6y3FFjK38UvR7vjPcg2VmLIluMYIzH +XJOwagvtjGTA7sfbNTU= +-----END CERTIFICATE----- 
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key new file mode 100644 index 000000000..602a8e0d8 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnttOu8pXFbell +1xm2OKOCQUjTYdwACMXgkQm0pkCPdcZGdCJD6gaJfgVIhbbpu2eBbsXXedFfC+v/ +/iEsqW8tOonERtPxAjz1FjFZ1YumkxKUKs6VLsQPIZkd96GT6kRXLa8EzgwXV9L6 +nlb3n6HXXctLwzJhm6H1onWli3ZHrpl2ez5t/cIiZOKglh/jD+eJmEPglNZYBbBx +61FZZ9LsGSyLD8fIgIOlB6RDjXFGv9aKR98e/8O9QhnIVWHJ4x8B4VR6srmEWApV +qoccLS+HxVNqmjEVDfyavYudhCAk0PYuo0/vIcyANZkH6DxXlYrDlKxjSOZQkA55 +hB95LXdTAgMBAAECggEADFHDruAm3D+8mzx3qQj0Ccdd4BkaHe6HCn3c5qYnq+IM +1HQHaFGydTsKjE82Jmkbq0hFxBQwqvinN0ClkzBG+F2KbR5+xv9RFvewXFbxUSUQ +gk26qv6qbCodozPjbIgSyQyUBJhWDwjmeH5VCQ9yxe0f18rY0o6qEO8EEUrzP0SX +efugez1n3pUJi7s04ktmfDTeJNKkTKVNaMJ/LZdz53hgeNzRu9nFDJhKwElTC/A6 ++q4zRABvzZDh8omcOWn4Of0KEaZO4N8b7Bg3ti0SogtV3O1uU5YtslJ56Yo4dpPl +KDfu07DXjoFVD3BQ+E5PClR13kPxo+4QVy/hEYWM0QKBgQDg8tSUJndBWlb6tTiP +vT20tm6gXOY5Epb/URDs5cTjYNB4m3pj2FN8PA3kJ1NaYqQPD4PoHm6FHHcJXl3X +/bm5SUA+y+rpgOHet+vddatbV9X7Ucf1MMBdzmushEhGSXJppPdjCc7GqnbSfTDY +6qxDq/ecD98IEd3M8MyQnWu4xQKBgQC+3Xasd3+H6HHfy6GZNu3qhft2Hdtv5Rg4 +n4dU0AbUzK2jYnx4pF7Bg7TChpRQrosV7BQpFdq/UbvhiqRTtsYUXFnSpDsuZTQv +6a0EkHMbz+WQc6/rpRnBqAsGjlM/z3A33zsGjDcXT+bJ534KXzrIEZPoFaFkJ4a9 +55NG4xABNwKBgQCx3O9e0Odcgjzh8OZvKPegatsf6zSSDfPcntGeLrM2Ajf0FSN5 +zPN9+NIXA00x22rTCbaHk4BZub8ZZkcXYGQ4cAXfYUc2KBTwEEbsDX1XNSVZmTlc +0pZX1b5nYxTulmZjx+9fnMKlbOWU2y4DZdKdk1yuRhJYhB/3SrLE6ePh7QKBgDiZ +3naY3XYFZbezYJHaK0XwQ7ksc4XET6GDFZP+OPhkVl3sd/Mi84K5tyI03Mjsagyv +PO9OLterumbRQZgdzLH/DRgdYfuJQaevyYJf//LQfUiQNixQgsneNp7UGDYFI0c+ +aPexHylHpa5cexFCWmE4bT9XIsxbuGaaxR8xeO6TAoGAU/LkR6Ncvx8djtT5RpuK +BtmLXDvhaTswXq6WVqf3ihl0PfPyoyFqt0vD5gKd7ShG7jU+vHSW7UAlEVoiawTb +L+p9g/Y+0CS8+7xtbiWQZhwvdlBTYO4Ddgs/YsCEWZG3rB2p20Hj7KwrHiNFGMry +Ju6j+QZ4Go0nO/hFmWiRgdk= +-----END PRIVATE KEY----- diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem new file mode 100644 index 000000000..d7e9571aa --- /dev/null 
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/Server.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE6jCCA9KgAwIBAgIUZsoE7a5zcY96l9fWgANt2eueQ+QwDQYJKoZIhvcNAQEL +BQAwgagxCzAJBgNVBAYTAkNBMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH +DA1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eCBGb3VuZGF0aW9uMRUwEwYD +VQQDDAxsb2NhbGhvc3QtY2ExOjA4BgkqhkiG9w0BCQEWK2FnbC1kZXYtY29tbXVu +aXR5QGxpc3RzLmF1dG9tb3RpdmVsaW51eC5vcmcwHhcNMjMwNDI0MjAzMDIzWhcN +MjQwNDIzMjAzMDIzWjCBojELMAkGA1UEBhMCQ0ExEzARBgNVBAgMCkNhbGlmb3Ju +aWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGTAXBgNVBAoMEExpbnV4IEZvdW5k +YXRpb24xDzANBgNVBAMMBlNlcnZlcjE6MDgGCSqGSIb3DQEJARYrYWdsLWRldi1j +b21tdW5pdHlAbGlzdHMuYXV0b21vdGl2ZWxpbnV4Lm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKe2067ylcVt6WXXGbY4o4JBSNNh3AAIxeCRCbSm +QI91xkZ0IkPqBol+BUiFtum7Z4Fuxdd50V8L6//+ISypby06icRG0/ECPPUWMVnV +i6aTEpQqzpUuxA8hmR33oZPqRFctrwTODBdX0vqeVvefodddy0vDMmGbofWidaWL +dkeumXZ7Pm39wiJk4qCWH+MP54mYQ+CU1lgFsHHrUVln0uwZLIsPx8iAg6UHpEON +cUa/1opH3x7/w71CGchVYcnjHwHhVHqyuYRYClWqhxwtL4fFU2qaMRUN/Jq9i52E +ICTQ9i6jT+8hzIA1mQfoPFeVisOUrGNI5lCQDnmEH3ktd1MCAwEAAaOCAQ4wggEK +MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNVHQ4EFgQUA1ZxK520N3pMPVYrUk1o +2K5tEzEwgdIGA1UdIwSByjCBx6GBrqSBqzCBqDELMAkGA1UEBhMCQ0ExEzARBgNV +BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xGTAXBgNVBAoM +EExpbnV4IEZvdW5kYXRpb24xFTATBgNVBAMMDGxvY2FsaG9zdC1jYTE6MDgGCSqG +SIb3DQEJARYrYWdsLWRldi1jb21tdW5pdHlAbGlzdHMuYXV0b21vdGl2ZWxpbnV4 +Lm9yZ4IUXwVzT6Sucujisrq0PxlLklUZfeQwDQYJKoZIhvcNAQELBQADggEBAARb +sfPoqFk2ApNUz8PMhnk1W9XG9Z9as8Nasd39Khxq/ecyAH0eMllsK5u5z6ms9Kcu +FETd8l+t4ITpV3ST57p83/UtWiabNg39J4ChB8YfvzNAG6qew5BfnQG/4mb0xHJE +3Mnk7+4PnlDSkSXnmq0wnnavhrt4DIHuKyU3fFsYDr6rSIscVlmYPtjSlpqu+ZTP +FKrDamXPDsCiIK8dY2oN8oAjcylkPc/vD1PefBFSeCDb0isxujjgwRzCeSSAXKOi +wnYdgfH/gpkIgaZyCrm46ifkm7ckX1i5qVwUoA4ilv5AU9o1TCzijFd6505OzlO+ +8RPI4uaCYgGPCWBjMsw= +-----END CERTIFICATE----- 
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch deleted file mode 100644 index 90267df60..000000000 --- a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001 -From: Scott Murray <scott.murray@konsulko.com> -Date: Mon, 11 Jul 2022 16:23:56 -0400 -Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server - certificate - -With the newer Python and OpenSSL in Yocto kirkstone, it seems that -server certificates need to have a valid Subject Alt Name extension -field, or trying to connect fails with errors of the form: - - certificate verify failed: IP address mismatch, certificate is not valid for localhost - -To fix this, the generated server certificate should not rely on the -long deprecated CN field and add the now required extension field. -To facilitate this, the genCerts.sh script has been enhanced to -add a Subject Alt Name extension field of "DNS:localhost" (or -optionally some other hostname) to the server certificate, and to -also add the commonly used keyUsage and extendedKeyUsage extension -fields with appropriate values. - -Signed-off-by: Scott Murray <scott.murray@konsulko.com> ---- - kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh -index d0ef767..dfb9458 100755 ---- a/kuksa_certificates/genCerts.sh -+++ b/kuksa_certificates/genCerts.sh -@@ -1,5 +1,11 @@ - #!/bin/sh - -+# Optional first argument is server hostname -+if [ $# -eq 1 ]; then -+ HOST=$1 -+else -+ HOST="localhost" -+fi - - genCACert() { - openssl genrsa -out CA.key 2048 -@@ -10,7 +16,18 @@ genCACert() { - genCert() { - openssl genrsa -out $1.key 2048 - openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com" -- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -+ if [ "$1" = "Server" ]; then -+ extfile=`mktemp -p .` -+ cat > $extfile <<-EOF -+ subjectAltName=DNS:${HOST} -+ 
keyUsage=digitalSignature -+ extendedKeyUsage=serverAuth -+EOF -+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile -+ rm -f $extfile -+ else -+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -+ fi - openssl verify -CAfile CA.pem $1.pem - } - --- -2.35.3 - diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key deleted file mode 100644 index 857eaf46d..000000000 --- a/recipes-connectivity/kuksa-val/kuksa-val/Server.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8 -q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3 -UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn -+oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF -bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo -sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV -NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb -r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s -3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss -K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K -8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk -YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX -2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv -pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB -f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy -GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL -zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM -21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf -58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO -tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49 -LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4 -cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7 -RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj -E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv -9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE= ------END RSA PRIVATE KEY----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem deleted file mode 100644 index 514e5a725..000000000 --- a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL -BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow -GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM -DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj -aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE -BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy -dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ -KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE -m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj -pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt -6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs -mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS -9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD -VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF -BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa -1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk -TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU -zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4 -ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm -ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ== ------END CERTIFICATE----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb index 04f6f4f64..a894f0133 100644 --- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb +++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb 
@@ -14,17 +14,12 @@ DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
 require kuksa-val.inc
 SRC_URI += "file://kuksa-val.service \
- file://0001-Make-Boost-requirements-more-liberal.patch;striplevel=2 \
- file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;striplevel=2 \
- file://0003-Make-install-locations-configurable.patch;striplevel=2 \
- file://0004-Disable-default-fetch-and-build-of-googletest.patch;striplevel=2 \
- file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;striplevel=2 \
- file://Server.key \
- file://Server.pem \
+ file://0001-Make-Boost-requirements-more-liberal.patch;patchdir=.. \
+ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;patchdir=.. \
+ file://0003-Make-install-locations-configurable.patch;patchdir=.. \
+ file://0004-Disable-default-fetch-and-build-of-googletest.patch;patchdir=.. \
+ file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;patchdir=.. \
 "
-# NOTE: Ideally this would be applied, but our S definition makes it problematic:
-# file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;striplevel=?
-#
 S = "${WORKDIR}/git/kuksa-val-server"
@@ -32,10 +27,11 @@ inherit cmake pkgconfig systemd useradd
 SYSTEMD_SERVICE:${PN} = "kuksa-val.service"
-USERADD_PACKAGES = "${PN}"
+USERADD_PACKAGES = "${PN} ${PN}-server-certificates"
 USERADDEXTENSION = "useradd-staticids"
 GROUPADD_PARAM:${PN} = "-g 900 kuksa ;"
 USERADD_PARAM:${PN} = "--system -g 900 -u 900 -o -d / --shell /bin/nologin kuksa ;"
+GROUPADD_PARAM:${PN}-server-certificates = "-g 900 kuksa ;"
 # Configure file locations more along the lines of FHS instead of kuksa.val's
 # default locations.
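Review bot: The second hunk's `USERADD_PACKAGES` and new `GROUPADD_PARAM` name `${PN}-server-certificates`, but the package that actually owns Server.key in the following hunk is `${PN}-certificates-server`, so the group-creation hook is attached to a package that is never defined; I expect useradd.bbclass to either fail the build or leave the real certificates package with no guarantee that gid 900 exists on the target when it is installed on its own. The two lines should read `USERADD_PACKAGES = "${PN} ${PN}-certificates-server"` and `GROUPADD_PARAM:${PN}-certificates-server = "-g 900 kuksa ;"`. The kuksa-certificates-agl.bb recipe added in this commit applies the same pattern to its `${PN}-server` package, so the naming here is the outlier.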
@@ -55,39 +51,37 @@ do_install:append() {
 install -d ${D}${systemd_system_unitdir}
 install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
 fi
-
- # Install replacement server key + certificate
- # These are AGL specific versions generated using a tweaked
- # genCerts.sh script from the source tree that adds the now
- # required subjectAltName extension field to make python3-ssl
- # happy. This will be addressed with upstream and can hopefully
- # be dropped in the future.
- rm -f ${D}${sysconfdir}/kuksa-val/Server.key
- install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
- rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
- install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
-
- # Restrict server certificate access
- # NOTE: The client certificates are left alone here for client
- # development convenience for now, but this will need to
- # be revisited.
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.key
- chmod 640 ${D}${sysconfdir}/kuksa-val/Server.pem
- chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients. Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+# Downstream users can replace these packages with alternates by
+# having their packages set their RPROVIDES to include the desired
+# kuksa-val-certificates-* and explicitly adding their package(s)
+# to an image, they will end up getting priority during rootfs
+# construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"
+
+FILES:${PN}-certificates-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
-FILES:${PN}-client-certificates = " \
+FILES:${PN}-certificates-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RDEPENDS:${PN}-certificates-server += "${PN}-certificates-ca"
+
+FILES:${PN}-certificates-client = " \
 ${sysconfdir}/kuksa-val/Client.key \
 ${sysconfdir}/kuksa-val/Client.pem \
- ${sysconfdir}/kuksa-val/CA.pem \
 "
+RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-certificates-server ${PN}-certificates-client"
diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
new file mode 100644
index 000000000..7ad5ac182
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-viss-client/0002-kuksa_viss_client-Add-external-certificates-support.patch
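Review bot: `RDEPENDS:${PN}-certificate-clients` does not name the package it is meant to annotate, `${PN}-certificates-client`, so the client certificates package ends up with no dependency on the CA package even though the server one gets it; the line should be `RDEPENDS:${PN}-certificates-client += "${PN}-certificates-ca"`. With the `chmod 640`/`chgrp 900` lines removed from do_install:append, nothing left in this hunk restricts Server.key, so unless the upstream install rules already set mode and group the key in ${PN}-certificates-server ships with whatever permissions the build produced; worth confirming on the packaged output, and worth a comment stating where the restriction now lives. do_install:append begins before this hunk.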
@@ -0,0 +1,109 @@ +From 101550383386f465e689aa846826b58aa72cf793 Mon Sep 17 00:00:00 2001 +From: Scott Murray <scott.murray@konsulko.com> +Date: Mon, 24 Apr 2023 15:49:32 -0400 +Subject: [PATCH] kuksa_viss_client: Add external certificates support + +Tweak the definition of __certificate_dir__ in the kuksa_certificates +package, and certificate location logic in the client library to allow +picking up alternative certificates from /etc/kuksa-certificates or +/etc/kuksa-val before falling back to the shipped defaults. The +intent is to allow packagers to more straighhtforwardly use their own +certificates with both the server and clients. + +Upstream-Status: pending + +Signed-off-by: Scott Murray <scott.murray@konsulko.com> +--- + kuksa_certificates/__init__.py | 7 ++++++- + kuksa_viss_client/KuksaGrpcComm.py | 10 +++++----- + kuksa_viss_client/KuksaWsComm.py | 10 +++++----- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/kuksa_certificates/__init__.py b/kuksa_certificates/__init__.py +index 5f05b75..ac60bc3 100644 +--- a/kuksa_certificates/__init__.py ++++ b/kuksa_certificates/__init__.py +@@ -2,4 +2,9 @@ import os + + from kuksa_viss_client._metadata import * + +-__certificate_dir__= os.path.dirname(os.path.realpath(__file__)) ++if os.path.isdir("/etc/kuksa-certificates"): ++ __certificate_dir__= "/etc/kuksa-certificates" ++elif os.path.isdir("/etc/kuksa-val"): ++ __certificate_dir__= "/etc/kuksa-val" ++else: ++ __certificate_dir__= os.path.dirname(os.path.realpath(__file__)) +diff --git a/kuksa_viss_client/KuksaGrpcComm.py b/kuksa_viss_client/KuksaGrpcComm.py +index 1f55754..e425e7e 100644 +--- a/kuksa_viss_client/KuksaGrpcComm.py ++++ b/kuksa_viss_client/KuksaGrpcComm.py +@@ -28,22 +28,22 @@ import uuid, time, threading + + from . import kuksa_pb2 + from . 
import kuksa_pb2_grpc ++from kuksa_certificates import __certificate_dir__ + + class KuksaGrpcComm: + + # Constructor + def __init__(self, config): +- scriptDir= os.path.dirname(os.path.realpath(__file__)) + self.serverIP = config.get('ip', "127.0.0.1") + self.serverPort = config.get('port', 8090) + try: + self.insecure = config.getboolean('insecure', False) + except AttributeError: + self.insecure = config.get('insecure', False) +- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem")) +- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem")) +- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key")) +- self.tokenfile = config.get('token', os.path.join(scriptDir, "../kuksa_certificates/jwt/all-read-write.json.token")) ++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem")) ++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem")) ++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key")) ++ self.tokenfile = config.get('token', os.path.join(__certificate_dir__, "jwt/all-read-write.json.token")) + self.grpcConnected = False + + self.subscriptionCallbacks = {} +diff --git a/kuksa_viss_client/KuksaWsComm.py b/kuksa_viss_client/KuksaWsComm.py +index b0d4cc1..b85b573 100644 +--- a/kuksa_viss_client/KuksaWsComm.py ++++ b/kuksa_viss_client/KuksaWsComm.py +@@ -20,22 +20,22 @@ + + import json, queue, time, uuid, os, ssl + import asyncio, websockets ++from kuksa_certificates import __certificate_dir__ + + class KuksaWsComm: + + # Constructor + def __init__(self, config): + +- scriptDir= os.path.dirname(os.path.realpath(__file__)) + self.serverIP = config.get('ip', "127.0.0.1") + self.serverPort = config.get('port', 8090) + try: + self.insecure = config.getboolean('insecure', False) + except AttributeError: + self.insecure = 
config.get('insecure', False) +- self.cacertificate = config.get('cacertificate', os.path.join(scriptDir, "../kuksa_certificates/CA.pem")) +- self.certificate = config.get('certificate', os.path.join(scriptDir, "../kuksa_certificates/Client.pem")) +- self.keyfile = config.get('key', os.path.join(scriptDir, "../kuksa_certificates/Client.key")) ++ self.cacertificate = config.get('cacertificate', os.path.join(__certificate_dir__, "CA.pem")) ++ self.certificate = config.get('certificate', os.path.join(__certificate_dir__, "Client.pem")) ++ self.keyfile = config.get('key', os.path.join(__certificate_dir__, "Client.key")) + self.wsConnected = False + + self.subscriptionCallbacks = {} +@@ -254,4 +254,4 @@ class KuksaWsComm: + await self._msgHandler(ws) + except OSError as e: + print("Disconnected!! " + str(e)) +- pass +\ No newline at end of file ++ pass +-- +2.39.2 + diff --git a/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb b/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb index 2a4026bd6..7cefeb018 100644 --- a/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb +++ b/recipes-connectivity/kuksa-val/kuksa-viss-client_git.bb @@ -13,7 +13,9 @@ DEPENDS = " \ require kuksa-val.inc -SRC_URI += "file://0001-kuksa_viss_client-Update-cmd2-completer-usage.patch;striplevel=2" +SRC_URI += "file://0001-kuksa_viss_client-Update-cmd2-completer-usage.patch;patchdir=.. \ + file://0002-kuksa_viss_client-Add-external-certificates-support.patch;patchdir=.. \ +" S = "${WORKDIR}/git/kuksa_viss_client" |
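Review bot: In the new kuksa_certificates/__init__.py, `__certificate_dir__` is chosen at import time by directory existence alone, and KuksaGrpcComm then derives its default tokenfile from that same directory as `jwt/all-read-write.json.token`; the kuksa-certificates-agl recipe in this commit installs only CA.pem, Client.key, Client.pem, Server.key and Server.pem under /etc/kuksa-val, so on such an image the default token path points at a file that, as far as this commit shows, nothing installs, while the shipped default under the package directory is no longer consulted. Consider keeping the token default rooted at the package, `self.tokenfile = config.get('token', os.path.join(os.path.dirname(os.path.realpath(__file__)), "../kuksa_certificates/jwt/all-read-write.json.token"))`, or checking that the needed files exist before preferring an external directory. Since this selects the trust root the client verifies the server against, a debug log of the directory actually chosen would make a misconfigured image visible instead of surfacing only as a TLS failure. The enclosing `KuksaGrpcComm.__init__` and `KuksaWsComm.__init__` continue beyond the quoted hunks.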