Add provisioning with CA

author: Anton Gerasimov <anton@advancedtelematic.com> 2018-02-15 18:17:36 +0100
committer: Anton Gerasimov <anton@advancedtelematic.com> 2018-02-26 18:27:57 +0100
commit: 793f7c8baa1b8b232311d04d7eb1e604fdd82716 (patch)
tree: e83d73b758e0965d4c8788adccea7a22e7ce411b
parent: 4edf70ff05fd5c1d980d9ebf1fdec4c5ab86f429 (diff)
download: meta-updater-793f7c8baa1b8b232311d04d7eb1e604fdd82716.tar.gz
3 files changed, 85 insertions, 1 deletions
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
new file mode 100644
index 0000000..51e313d
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -0,0 +1,72 @@
+SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
+DESCRIPTION = "Systemd service and configurations for implicitly provisioning Aktualizr using externally provided or generated CA"
+# WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device
+#  (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+DEPENDS = "aktualizr-native openssl-native"
+RDEPENDS_${PN} = "aktualizr"
+SRC_URI = " \
+  file://LICENSE \
+  file://ca.cnf \
+  "
+PV = "1.0"
+PR = "1"
+require environment.inc
+require credentials.inc
+export SOTA_CACERT_PATH
+export SOTA_CAKEY_PATH
+do_install() {
+    install -d ${D}${libdir}/sota
+    if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
+        bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
+    fi
+    if [ -z ${SOTA_CACERT_PATH} ]; then
+        SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
+        SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
+        mkdir -p ${DEPLOY_DIR_IMAGE}/CA
+        bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH" 
+        if [ ! -f ${SOTA_CACERT_PATH} ]; then
+            bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
+            SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
+            openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
+            openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
+            bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
+        fi
+    fi
+    if [ -z ${SOTA_CAKEY_PATH} ]; then
+        bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+    fi
+    install -d ${D}${libdir}/sota
+    install -d ${D}${localstatedir}/sota
+    install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml ${D}${libdir}/sota/sota.toml
+    aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
+                            --device-ca ${SOTA_CACERT_PATH} \
+                            --device-ca-key ${SOTA_CAKEY_PATH} \
+                            --root-ca \
+                            --server-url \
+                            --local ${D}${localstatedir}/sota \
+                            --config ${D}${libdir}/sota/sota.toml
+}
+FILES_${PN} = " \
+                ${localstatedir}/sota/* \
+                ${libdir}/sota/sota.toml \
+                ${libdir}/sota/root.crt \
+                "
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 5ce8b84..0aeac0f 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -38,12 +38,12 @@ EXTRA_OECMAKE_append_class-target = " -DBUILD_OSTREE=ON -DBUILD_ISOTP=ON ${@bb.u
 EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF "
 do_install_append () {
-    rm -f ${D}${bindir}/aktualizr_cert_provider
    rm -fr ${D}${libdir}/systemd
 }
 do_install_append_class-target () {
    rm -f ${D}${bindir}/aktualizr_implicit_writer
    rm -f ${D}${libdir}/sota/sota.toml
+    rm -f ${D}${bindir}/aktualizr_cert_provider
    ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)}
    ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', '', 'rm -f ${D}${bindir}/isotp-test-interface', d)}
@@ -51,6 +51,7 @@ do_install_append_class-target () {
    aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
    install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
 }
 do_install_append_class-native () {
    rm -f ${D}${bindir}/aktualizr
    rm -f ${D}${bindir}/aktualizr-info
@@ -59,6 +60,7 @@ do_install_append_class-native () {
    install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
    install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
    install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml
+    install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
    install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir}
    install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir}
diff --git a/recipes-sota/aktualizr/files/ca.cnf b/recipes-sota/aktualizr/files/ca.cnf
new file mode 100644
index 0000000..352ec38
--- /dev/null
+++ b/recipes-sota/aktualizr/files/ca.cnf
@@ -0,0 +1,10 @@
+[req]
+req_extensions = cacert
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[cacert]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
author	Anton Gerasimov <anton@advancedtelematic.com>	2018-02-15 18:17:36 +0100
committer	Anton Gerasimov <anton@advancedtelematic.com>	2018-02-26 18:27:57 +0100
commit	793f7c8baa1b8b232311d04d7eb1e604fdd82716 (patch)
tree	e83d73b758e0965d4c8788adccea7a22e7ce411b
parent	4edf70ff05fd5c1d980d9ebf1fdec4c5ab86f429 (diff)
download	meta-updater-793f7c8baa1b8b232311d04d7eb1e604fdd82716.tar.gz

diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb new file mode 100644 index 0000000..51e313d --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -0,0 +1,72 @@
		1	SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
		2	DESCRIPTION = "Systemd service and configurations for implicitly provisioning Aktualizr using externally provided or generated CA"
		3
		4	# WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device
		5	# (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine
		6
		7	HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
		8	SECTION = "base"
		9	LICENSE = "MPL-2.0"
		10	LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
		11
		12	DEPENDS = "aktualizr-native openssl-native"
		13	RDEPENDS_${PN} = "aktualizr"
		14
		15	SRC_URI = " \
		16	file://LICENSE \
		17	file://ca.cnf \
		18	"
		19	PV = "1.0"
		20	PR = "1"
		21
		22	require environment.inc
		23	require credentials.inc
		24
		25	export SOTA_CACERT_PATH
		26	export SOTA_CAKEY_PATH
		27
		28	do_install() {
		29	install -d ${D}${libdir}/sota
		30
		31	if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
		32	bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
		33	fi
		34
		35	if [ -z ${SOTA_CACERT_PATH} ]; then
		36	SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
		37	SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
		38	mkdir -p ${DEPLOY_DIR_IMAGE}/CA
		39	bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
		40
		41	if [ ! -f ${SOTA_CACERT_PATH} ]; then
		42	bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
		43	SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
		44	openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
		45	openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
		46	bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
		47	fi
		48	fi
		49
		50	if [ -z ${SOTA_CAKEY_PATH} ]; then
		51	bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
		52	fi
		53
		54	install -d ${D}${libdir}/sota
		55	install -d ${D}${localstatedir}/sota
		56	install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml ${D}${libdir}/sota/sota.toml
		57	aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
		58	--device-ca ${SOTA_CACERT_PATH} \
		59	--device-ca-key ${SOTA_CAKEY_PATH} \
		60	--root-ca \
		61	--server-url \
		62	--local ${D}${localstatedir}/sota \
		63	--config ${D}${libdir}/sota/sota.toml
		64	}
		65
		66	FILES_${PN} = " \
		67	${localstatedir}/sota/* \
		68	${libdir}/sota/sota.toml \
		69	${libdir}/sota/root.crt \
		70	"
		71
		72	# vim:set ts=4 sw=4 sts=4 expandtab:


diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 5ce8b84..0aeac0f 100644 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -38,12 +38,12 @@ EXTRA_OECMAKE_append_class-target = " -DBUILD_OSTREE=ON -DBUILD_ISOTP=ON ${@bb.u
38	EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF "	38	EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF "
39		39
40	do_install_append () {	40	do_install_append () {
41	rm -f ${D}${bindir}/aktualizr_cert_provider
42	rm -fr ${D}${libdir}/systemd	41	rm -fr ${D}${libdir}/systemd
43	}	42	}
44	do_install_append_class-target () {	43	do_install_append_class-target () {
45	rm -f ${D}${bindir}/aktualizr_implicit_writer	44	rm -f ${D}${bindir}/aktualizr_implicit_writer
46	rm -f ${D}${libdir}/sota/sota.toml	45	rm -f ${D}${libdir}/sota/sota.toml
		46	rm -f ${D}${bindir}/aktualizr_cert_provider
47	${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)}	47	${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)}
48	${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', '', 'rm -f ${D}${bindir}/isotp-test-interface', d)}	48	${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', '', 'rm -f ${D}${bindir}/isotp-test-interface', d)}
49		49
@@ -51,6 +51,7 @@ do_install_append_class-target () {
51	aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}	51	aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
52	install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service	52	install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
53	}	53	}
		54
54	do_install_append_class-native () {	55	do_install_append_class-native () {
55	rm -f ${D}${bindir}/aktualizr	56	rm -f ${D}${bindir}/aktualizr
56	rm -f ${D}${bindir}/aktualizr-info	57	rm -f ${D}${bindir}/aktualizr-info
@@ -59,6 +60,7 @@ do_install_append_class-native () {
59	install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml	60	install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml
60	install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml	61	install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml
61	install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml	62	install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml
		63	install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml
62		64
63	install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir}	65	install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir}
64	install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir}	66	install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir}


diff --git a/recipes-sota/aktualizr/files/ca.cnf b/recipes-sota/aktualizr/files/ca.cnf new file mode 100644 index 0000000..352ec38 --- /dev/null +++ b/recipes-sota/aktualizr/files/ca.cnf
@@ -0,0 +1,10 @@
		1	[req]
		2	req_extensions = cacert
		3	distinguished_name = req_distinguished_name
		4
		5	[req_distinguished_name]
		6
		7	[cacert]
		8	basicConstraints = critical,CA:true
		9	keyUsage = keyCertSign
		10