From fdb58afacf2dff95cca48a772d653e45a1b577f3 Mon Sep 17 00:00:00 2001 From: Scott Murray Date: Mon, 24 Apr 2023 18:01:29 -0400 Subject: kuksa-val: Rework to support updated SSL certificates Changes: - Tweak the kuksa-val recipe to remove installing a newer server certificate (since it will be done elsewhere), and to split the certificates up into finer grained packages to ease installing them piecemeal and replacing them with other packages. - Remove the unused genCerts.sh certificate script patch from the kuksa-val recipe, an updated patch will be added in the near future. - Added a patch in the kuksa-viss-client recipe that enables the library to use certificates installed in /etc/kuksa-certificates or /etc/kuksa-val instead of the default ones that are shipped. - Add kuksa-certificates-agl recipe that installs AGL specific CA, server, and client certificates plus the required server and client keys to act as a replacement for the default ones shipped with KUKSA.val. The kuksa-certificates-agl name is used to avoid needing a rename with a future switch to kuksa-databroker. Note that the RPROVIDES variable is used for the various certificate packages to make them installable alternatives to the kuksa-val-certificates-* ones. The certificates installed are valid for 1 year and have AGL as the providing organization, longer validity ones will be added in follow up commits for Octopus and Pike. - Update the existing users of kuksa-val-*-certificates with the new kuksa-val-certificates-* package names. - Add PREFERRED_RPROVIDER definitions for the kuksa-val-certificates-* packages to quiet the BitBake warnings coming from having multiple providers. Bug-AGL: SPEC-4763 Change-Id: Ic6f1ca8b54f637674cd5ae42df0bed6ca4e729aa
Signed-off-by: Scott Murray
---
.../kuksa-val/kuksa-certificates-agl.bb | 58 ++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
(limited to 'recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb')
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
new file mode 100644
index 00000000..7caa2ebf
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl.bb
@@ -0,0 +1,58 @@
+SUMMARY = "AGL certificates for KUKSA.val, the KUKSA Vehicle Abstraction Layer"
+HOMEPAGE = "https://github.com/eclipse/kuksa.val"
+BUGTRACKER = "https://github.com/eclipse/kuksa.val/issues"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://CA.pem \
+ file://Client.key \
+ file://Client.pem \
+ file://Server.key \
+ file://Server.pem \
+"
+
+inherit allarch useradd
+
+USERADD_PACKAGES = "${PN}-server"
+USERADDEXTENSION = "useradd-staticids"
+GROUPADD_PARAM:${PN}-server = "-g 900 kuksa ;"
+
+do_install() {
+ # Install replacement CA certificate, server key + certificate,
+ # and client key + certificate.
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script to have different expiry dates than the
+ # upstream defaults, and use AGL as the organization.
+ install -d ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/CA.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0640 -g 900 ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.key ${D}${sysconfdir}/kuksa-val/
+ install -m 0644 ${WORKDIR}/Client.pem ${D}${sysconfdir}/kuksa-val/
+}
+
+PACKAGE_BEFORE_PN += "${PN}-ca ${PN}-server ${PN}-client"
+
+FILES:${PN}-ca = " \
+ ${sysconfdir}/kuksa-val/CA.pem \
+"
+RPROVIDES:${PN}-ca += "kuksa-val-certificates-ca"
+
+FILES:${PN}-server = " \
+ ${sysconfdir}/kuksa-val/Server.key \
+ ${sysconfdir}/kuksa-val/Server.pem \
+"
+RPROVIDES:${PN}-server += "kuksa-val-certificates-server"
+RDEPENDS:${PN}-server += "${PN}-ca"
+
+FILES:${PN}-client = " \
+ ${sysconfdir}/kuksa-val/Client.key \
+ ${sysconfdir}/kuksa-val/Client.pem \
+"
+RPROVIDES:${PN}-client += "kuksa-val-certificates-client"
+RDEPENDS:${PN}-client += "${PN}-ca"
+
+ALLOW_EMPTY:${PN} = "1"
+
+RDEPENDS:${PN} += "kuksa-val ${PN}-ca ${PN}-server ${PN}-client"
-- cgit 1.2.3-korg
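Review bot: In do_install, `Client.key` is installed with mode 0644, so the client private key is world-readable on the target, while `Server.key` next to it gets 0640 and group 900 (and the public `Server.pem` is restricted more tightly than the client key). If the client consumers can be placed in a dedicated group, `install -m 0640 -g <client-gid> ${WORKDIR}/Client.key ${D}${sysconfdir}/kuksa-val/` would match the server key handling; whether gid 900 suits those users cannot be told from this hunk. Separately, both keys come from `file://` entries in `SRC_URI`, so every image built from this layer carries the same key material that is readable in the layer's repository. A comment above do_install such as `# NOTE: keys are checked into the layer and shared by all images; provision per-device keys for production` would make that limit explicit.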