author | Anton Gerasimov <anton@advancedtelematic.com> | 2017-09-27 10:14:32 +0200 |
---|---|---|
committer | Anton Gerasimov <anton@advancedtelematic.com> | 2017-10-16 12:42:37 +0200 |
commit | 9d9b6a8eb297e7e90a680730bfc5068deb19a138 (patch) | |
tree | 3735d77f600ff18d1219ad3f8ecc346188eadae7 | |
parent | 36f1d8668a0ccdfe7f71f886a6829fb33be7cb48 (diff) | |
download | meta-updater-9d9b6a8eb297e7e90a680730bfc5068deb19a138.tar.gz |
Support pkcs#11 in aktualizr and add softhsm token for testing
-rw-r--r-- | classes/sota.bbclass | 3 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb | 34 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr_common.inc | 2 | ||||
-rw-r--r-- | recipes-sota/aktualizr/aktualizr_git.bb | 2 | ||||
-rw-r--r-- | recipes-sota/aktualizr/files/sota_hsm_test.toml | 17 | ||||
-rw-r--r-- | recipes-sota/ostree/ostree_git.bb | 7 | ||||
-rw-r--r-- | recipes-support/softhsm-testtoken/files/createtoken.sh | 13 |
7 files changed, 70 insertions, 8 deletions
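--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -11,6 +11,9 @@ IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PRO
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
 IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush otaimg wic', ' ', d)}"
 
+PACKAGECONFIG_append_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " ssl", " ", d)}"
+PACKAGECONFIG_remove_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " gnutls", " ", d)}"
+
 WKS_FILE_sota ?= "sdimage-sota.wks"
 
 EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native"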
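Review bot: The two new PACKAGECONFIG lines (new lines 14-15) swap curl's TLS backend from gnutls to ssl for every build with the hsm feature, but nothing says why, and reaching into another recipe's PACKAGECONFIG from a class is unusual enough to deserve a comment; I infer from the rest of the commit that the PKCS#11 path needs curl on the OpenSSL backend, so something like `# aktualizr's PKCS#11 support needs curl built on OpenSSL; drop gnutls when 'hsm' is enabled (confirm)` above line 14 would do. Both lines key on the literal feature item 'hsm', and bb.utils.contains matches whole items only, so a SOTA_CLIENT_FEATURES of just 'hsm-test' (the name used in aktualizr_git.bb's RDEPENDS line and by the test recipe in this commit) leaves curl on gnutls; the same applies to the `-DBUILD_P11=ON` switch in aktualizr_git.bb. If 'hsm-test' is meant to imply 'hsm', that gap is worth closing or documenting.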
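--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb
@@ -0,0 +1,34 @@
+SUMMARY = "Aktualizr systemd service and configuration with HSM support"
+DESCRIPTION = "Systemd service and configurations for Aktualizr, the SOTA Client application written in C++"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+
+DEPENDS = "aktualizr-native"
+RDEPENDS_${PN} = "aktualizr"
+
+SRC_URI = " \
+    file://LICENSE \
+    file://aktualizr-autoprovision.service \
+    file://sota_hsm_test.toml \
+"
+PV = "1.0"
+PR = "6"
+
+SYSTEMD_SERVICE_${PN} = "aktualizr.service"
+
+inherit systemd
+
+do_install() {
+    install -d ${D}/${systemd_unitdir}/system
+    install -m 0644 ${WORKDIR}/aktualizr-autoprovision.service ${D}/${systemd_unitdir}/system/aktualizr.service
+    install -d ${D}/usr/lib/sota
+    aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \
+        -i ${WORKDIR}/sota_hsm_test.toml -o ${D}/usr/lib/sota/sota.toml -p ${D}
+}
+
+FILES_${PN} = " \
+    ${systemd_unitdir}/system/aktualizr.service \
+    /usr/lib/sota/sota.toml \
+"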
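Review bot: do_install (new line 27) passes `${SOTA_PACKED_CREDENTIALS}` to `aktualizr_implicit_writer -c` with no check that it is set, so an unset variable turns into `-c --no-root-ca` and fails with an obscure tool error, or worse, produces a sota.toml with no credentials baked in. A guard at the top of do_install makes the requirement explicit: `[ -n "${SOTA_PACKED_CREDENTIALS}" ] || bbfatal "SOTA_PACKED_CREDENTIALS must point to the provisioning credentials archive"`. The hard-coded `/usr/lib/sota` on lines 26, 28 and 33 is presumably a path aktualizr reads at a fixed location; if so, a one-line comment saying that would stop a later cleanup from rewriting it as `${libdir}/sota`, which differs on multilib targets.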
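--- a/recipes-sota/aktualizr/aktualizr_common.inc
+++ b/recipes-sota/aktualizr/aktualizr_common.inc
@@ -11,7 +11,7 @@ PR = "7"
 SRC_URI = " \
     git://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
 "
-SRCREV = "ed2c9684d3b7e605b41a3e7dda0afded1d4a084c"
+SRCREV = "c38a1fd990cf238de2912db4d7023ddd91e2131f"
 BRANCH ?= "master"
 
 S = "${WORKDIR}/git"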
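--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -9,7 +9,7 @@ RDEPENDS_${PN}_append = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm-test'
 
 inherit systemd
 
-EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON -DAKTUALIZR_VERSION=${PV}"
+EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', '-DBUILD_P11=ON', '', d)} -DAKTUALIZR_VERSION=${PV}"
 
 do_install_append () {
     rm ${D}${bindir}/aktualizr_cert_provider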
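Review bot: Splicing the `${@bb.utils.contains(...)}` expression into the middle of EXTRA_OECMAKE on new line 12 makes an already long line hard to scan and makes every future flag change a one-line diff against a wall of text. Leaving the base flags as they were and appending the conditional on its own line, `EXTRA_OECMAKE += "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', '-DBUILD_P11=ON', '', d)}"`, keeps the same cmake invocation and reads as a feature switch, which is what it is. A short comment such as `# PKCS#11 (HSM) key/cert support; pairs with the softhsm test token recipe` above it would help the next reader.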
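--- /dev/null
+++ b/recipes-sota/aktualizr/files/sota_hsm_test.toml
@@ -0,0 +1,17 @@
+[tls]
+certificates_directory = "/var/sota/"
+ca_file = "/var/sota/token/root.crt"
+client_certificate = "01"
+cert_source = "pkcs11"
+pkey_file = "02"
+pkey_source = "pkcs11"
+
+[p11]
+module = "/usr/lib/softhsm/libsofthsm2.so"
+pass = "1234"
+
+[uptane]
+metadata_path = "/var/sota/metadata"
+private_key_path = "ecukey.der"
+public_key_path = "ecukey.pub"
+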
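Review bot: `pass = "1234"` on new line 11 is a token PIN that ends up in the installed /usr/lib/sota/sota.toml (via aktualizr-hsm-test-prov.bb in this commit, which sets no file mode), and nothing in the file marks it as the throwaway SoftHSM test PIN rather than a real one. A comment above the section would make the intent unmistakable: `# Test-only SoftHSM token: the PIN and the object ids "01"/"02" above must match createtoken.sh`. Separately, the `[uptane]` section still points at file-based keys (`ecukey.der`, `ecukey.pub`) while createtoken.sh in the same commit imports the uptane key into the token under id 03; if the token copy is meant to be used, this config does not reference it, and if it is not, that import is dead weight — a comment either way would settle it.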
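--- a/recipes-sota/ostree/ostree_git.bb
+++ b/recipes-sota/ostree/ostree_git.bb
@@ -8,9 +8,9 @@ INHERIT_remove_class-native = "systemd"
 
 SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"
 
-SRCREV="3b09620c2738bce4ed45e099cf2e4c5df7671d39"
+SRCREV="e3c3ec5dd91492e82c79223052443d038c60f41c"
 
-PV = "2017.3-31-g3b09620c"
+PV = "v2017.11-20-ge3c3ec5d"
 
 S = "${WORKDIR}/git"
 
@@ -79,6 +79,9 @@ FILES_${PN} += " \
     ${datadir}/gir-1.0/OSTree-1.0.gir \
     ${libdir}/girepository-1.0 \
     ${libdir}/girepository-1.0/OSTree-1.0.typelib \
+    ${libdir}/tmpfiles.d/ostree-tmpfiles.conf \
+    ${datadir}/bash-completion/completions/ostree \
+    ${systemd_unitdir}/system-generators/ostree-system-generator \
 "
 
 PACKAGES =+ "${PN}-switchroot"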
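--- a/recipes-support/softhsm-testtoken/files/createtoken.sh
+++ b/recipes-support/softhsm-testtoken/files/createtoken.sh
@@ -5,17 +5,22 @@ if pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O; then
     exit 0
 fi
 
-if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem; then
+if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem /var/sota/token/pkey.pem; then
     # Key/certificate pair is not present, repeat
-    mkdir -p /var/sota/token
     exit 1
 fi
 
 mkdir -p /var/lib/softhsm/tokens
 softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234
 
-pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/pkey.pem --type privkey --login --pin 1234
+softhsm2-util --import /var/sota/token/pkey.pem --label "pkey" --id 02 --token 'Virtual token' --pin 1234
 openssl x509 -outform der -in /var/sota/token/client.pem -out /var/sota/token/client.der
-pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/client.der --type cert --login --pin 1234
+pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --id 1 --write-object /var/sota/token/client.der --type cert --login --pin 1234
+
+# Import UPTANE keypair if it exists
+if [ -f /var/sota/token/ecukey.pem ]; then
+    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /var/sota/token/ecukey.pem -out /var/sota/token/ecukey.p8
+    softhsm2-util --import /var/sota/token/ecukey.p8 --label "uptanekey" --id 03 --token 'Virtual token' --pin 1234
+fi
 
 exit 0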
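Review bot: The uptane-key import (new lines 22-23) writes an unencrypted PKCS#8 copy of the private key to /var/sota/token/ecukey.p8 and never removes it, so after the key has been loaded into the token a plaintext copy stays on disk beside it; a temporary file deleted right after the import keeps the conversion artefact from outliving its use (the PEM originals also remain, but that is pre-existing and a separate decision). Separately, new line 8 lists /var/sota/token/pkey.pem twice, which looks like a leftover of a third file that was meant to be checked, and `ls` prints the listing to stdout, so `[ -f /var/sota/token/pkey.pem ] && [ -f /var/sota/token/client.pem ]` would be both quieter and honest about what is tested. The script's first four lines are outside the hunk.
```shell
# Import UPTANE keypair if it exists
if [ -f /var/sota/token/ecukey.pem ]; then
    ecukey_p8=$(mktemp)
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /var/sota/token/ecukey.pem -out "$ecukey_p8"
    softhsm2-util --import "$ecukey_p8" --label "uptanekey" --id 03 --token 'Virtual token' --pin 1234
    rm -f "$ecukey_p8"
fi
```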