Merge pull request #146 from advancedtelematic/feat/PRO-3805/pkcs11

Support pkcs#11 in aktualizr and add softhsm token for testing
author: Patrick Vacek <patrickvacek@gmail.com> 2017-10-16 13:40:28 +0200
committer: GitHub <noreply@github.com> 2017-10-16 13:40:28 +0200
commit: 85960c2138bc0e8ca8a70abaf4486284eaadab0e (patch)
tree: 192de4486947073c9eb7b4d65b5eb88207a5f78a
parent: df3b2637a01a2ce398a63b34be4759895f957ec2 (diff)
parent: 9d9b6a8eb297e7e90a680730bfc5068deb19a138 (diff)
download: meta-updater-85960c2138bc0e8ca8a70abaf4486284eaadab0e.tar.gz
7 files changed, 70 insertions, 8 deletions
diff --git a/classes/sota.bbclass b/classes/sota.bbclass
index d3b66e0..f191cee 100644
--- a/classes/sota.bbclass
+++ b/classes/sota.bbclass
@@ -11,6 +11,9 @@ IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PRO
 IMAGE_CLASSES += " image_types_ostree image_types_ota"
 IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush otaimg wic', ' ', d)}"
+PACKAGECONFIG_append_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " ssl", " ", d)}"
+PACKAGECONFIG_remove_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " gnutls", " ", d)}"
 WKS_FILE_sota ?= "sdimage-sota.wks"
 EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native"
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb
new file mode 100644
index 0000000..c77a5bc
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb
@@ -0,0 +1,34 @@
+SUMMARY = "Aktualizr systemd service and configuration with HSM support"
+DESCRIPTION = "Systemd service and configurations for Aktualizr, the SOTA Client application written in C++"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+DEPENDS = "aktualizr-native"
+RDEPENDS_${PN} = "aktualizr"
+SRC_URI = " \
+  file://LICENSE \
+  file://aktualizr-autoprovision.service \
+  file://sota_hsm_test.toml \
+  "
+PV = "1.0"
+PR = "6"
+SYSTEMD_SERVICE_${PN} = "aktualizr.service"
+inherit systemd
+do_install() {
+    install -d ${D}/${systemd_unitdir}/system
+    install -m 0644 ${WORKDIR}/aktualizr-autoprovision.service ${D}/${systemd_unitdir}/system/aktualizr.service
+    install -d ${D}/usr/lib/sota
+    aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \
+        -i ${WORKDIR}/sota_hsm_test.toml -o ${D}/usr/lib/sota/sota.toml -p ${D}
+}
+FILES_${PN} = " \
+                ${systemd_unitdir}/system/aktualizr.service \
+                /usr/lib/sota/sota.toml \
+                "
diff --git a/recipes-sota/aktualizr/aktualizr_common.inc b/recipes-sota/aktualizr/aktualizr_common.inc
index b3f99cc..3f58157 100644
--- a/recipes-sota/aktualizr/aktualizr_common.inc
+++ b/recipes-sota/aktualizr/aktualizr_common.inc
@@ -11,7 +11,7 @@ PR = "7"
 SRC_URI = " \
  git://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
  "
-SRCREV = "ed2c9684d3b7e605b41a3e7dda0afded1d4a084c"
+SRCREV = "c38a1fd990cf238de2912db4d7023ddd91e2131f"
 BRANCH ?= "master"
 S = "${WORKDIR}/git"
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 4f6a175..f994852 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -9,7 +9,7 @@ RDEPENDS_${PN}_append = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm-test'
 inherit systemd
-EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON -DAKTUALIZR_VERSION=${PV}"
+EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', '-DBUILD_P11=ON', '', d)} -DAKTUALIZR_VERSION=${PV}"
 do_install_append () {
    rm ${D}${bindir}/aktualizr_cert_provider
diff --git a/recipes-sota/aktualizr/files/sota_hsm_test.toml b/recipes-sota/aktualizr/files/sota_hsm_test.toml
new file mode 100644
index 0000000..1317914
--- /dev/null
+++ b/recipes-sota/aktualizr/files/sota_hsm_test.toml
@@ -0,0 +1,17 @@
+[tls]
+certificates_directory = "/var/sota/"
+ca_file = "/var/sota/token/root.crt"
+client_certificate = "01"
+cert_source = "pkcs11"
+pkey_file = "02"
+pkey_source = "pkcs11"
+[p11]
+module = "/usr/lib/softhsm/libsofthsm2.so"
+pass = "1234"
+[uptane]
+metadata_path = "/var/sota/metadata"
+private_key_path = "ecukey.der"
+public_key_path = "ecukey.pub"
diff --git a/recipes-sota/ostree/ostree_git.bb b/recipes-sota/ostree/ostree_git.bb
index 8937e5e..7a0320e 100644
--- a/recipes-sota/ostree/ostree_git.bb
+++ b/recipes-sota/ostree/ostree_git.bb
@@ -8,9 +8,9 @@ INHERIT_remove_class-native = "systemd"
 SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"
-SRCREV="3b09620c2738bce4ed45e099cf2e4c5df7671d39"
+SRCREV="e3c3ec5dd91492e82c79223052443d038c60f41c"
-PV = "2017.3-31-g3b09620c"
+PV = "v2017.11-20-ge3c3ec5d"
 S = "${WORKDIR}/git"
@@ -79,6 +79,9 @@ FILES_${PN} += " \
    ${datadir}/gir-1.0/OSTree-1.0.gir \
    ${libdir}/girepository-1.0 \
    ${libdir}/girepository-1.0/OSTree-1.0.typelib \
+    ${libdir}/tmpfiles.d/ostree-tmpfiles.conf \
+    ${datadir}/bash-completion/completions/ostree \
+    ${systemd_unitdir}/system-generators/ostree-system-generator \
 "
 PACKAGES =+ "${PN}-switchroot"
diff --git a/recipes-support/softhsm-testtoken/files/createtoken.sh b/recipes-support/softhsm-testtoken/files/createtoken.sh
index a72ec34..b01db47 100644
--- a/recipes-support/softhsm-testtoken/files/createtoken.sh
+++ b/recipes-support/softhsm-testtoken/files/createtoken.sh
@@ -5,17 +5,22 @@ if pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O; then
        exit 0
 fi
-if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem; then
+if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem /var/sota/token/pkey.pem; then
        # Key/certificate pair is not present, repeat
-        mkdir -p /var/sota/token
        exit 1
 fi
 mkdir -p /var/lib/softhsm/tokens
 softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234
-pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/pkey.pem --type privkey --login --pin 1234
+softhsm2-util --import /var/sota/token/pkey.pem --label "pkey" --id 02 --token 'Virtual token' --pin 1234
 openssl x509 -outform der -in /var/sota/token/client.pem -out /var/sota/token/client.der
-pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/client.der --type cert --login --pin 1234
+pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --id 1 --write-object /var/sota/token/client.der --type cert --login --pin 1234
+# Import UPTANE keypair if it exists
+if [ -f /var/sota/token/ecukey.pem ]; then
+        openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /var/sota/token/ecukey.pem -out /var/sota/token/ecukey.p8
+        softhsm2-util --import /var/sota/token/ecukey.p8 --label "uptanekey" --id 03 --token 'Virtual token' --pin 1234
+fi
 exit 0
author	Patrick Vacek <patrickvacek@gmail.com>	2017-10-16 13:40:28 +0200
committer	GitHub <noreply@github.com>	2017-10-16 13:40:28 +0200
commit	85960c2138bc0e8ca8a70abaf4486284eaadab0e (patch)
tree	192de4486947073c9eb7b4d65b5eb88207a5f78a
parent	df3b2637a01a2ce398a63b34be4759895f957ec2 (diff)
parent	9d9b6a8eb297e7e90a680730bfc5068deb19a138 (diff)
download	meta-updater-85960c2138bc0e8ca8a70abaf4486284eaadab0e.tar.gz

diff --git a/classes/sota.bbclass b/classes/sota.bbclass index d3b66e0..f191cee 100644 --- a/classes/sota.bbclass +++ b/classes/sota.bbclass
@@ -11,6 +11,9 @@ IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PRO
11	IMAGE_CLASSES += " image_types_ostree image_types_ota"	11	IMAGE_CLASSES += " image_types_ostree image_types_ota"
12	IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush otaimg wic', ' ', d)}"	12	IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush otaimg wic', ' ', d)}"
13		13
		14	PACKAGECONFIG_append_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " ssl", " ", d)}"
		15	PACKAGECONFIG_remove_pn-curl = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', " gnutls", " ", d)}"
		16
14	WKS_FILE_sota ?= "sdimage-sota.wks"	17	WKS_FILE_sota ?= "sdimage-sota.wks"
15		18
16	EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native"	19	EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native"


diff --git a/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb new file mode 100644 index 0000000..c77a5bc --- /dev/null +++ b/recipes-sota/aktualizr/aktualizr-hsm-test-prov.bb
@@ -0,0 +1,34 @@
		1	SUMMARY = "Aktualizr systemd service and configuration with HSM support"
		2	DESCRIPTION = "Systemd service and configurations for Aktualizr, the SOTA Client application written in C++"
		3	HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
		4	SECTION = "base"
		5	LICENSE = "MPL-2.0"
		6	LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
		7
		8	DEPENDS = "aktualizr-native"
		9	RDEPENDS_${PN} = "aktualizr"
		10
		11	SRC_URI = " \
		12	file://LICENSE \
		13	file://aktualizr-autoprovision.service \
		14	file://sota_hsm_test.toml \
		15	"
		16	PV = "1.0"
		17	PR = "6"
		18
		19	SYSTEMD_SERVICE_${PN} = "aktualizr.service"
		20
		21	inherit systemd
		22
		23	do_install() {
		24	install -d ${D}/${systemd_unitdir}/system
		25	install -m 0644 ${WORKDIR}/aktualizr-autoprovision.service ${D}/${systemd_unitdir}/system/aktualizr.service
		26	install -d ${D}/usr/lib/sota
		27	aktualizr_implicit_writer -c ${SOTA_PACKED_CREDENTIALS} --no-root-ca \
		28	-i ${WORKDIR}/sota_hsm_test.toml -o ${D}/usr/lib/sota/sota.toml -p ${D}
		29	}
		30
		31	FILES_${PN} = " \
		32	${systemd_unitdir}/system/aktualizr.service \
		33	/usr/lib/sota/sota.toml \
		34	"


diff --git a/recipes-sota/aktualizr/aktualizr_common.inc b/recipes-sota/aktualizr/aktualizr_common.inc index b3f99cc..3f58157 100644 --- a/recipes-sota/aktualizr/aktualizr_common.inc +++ b/recipes-sota/aktualizr/aktualizr_common.inc
@@ -11,7 +11,7 @@ PR = "7"
11	SRC_URI = " \	11	SRC_URI = " \
12	git://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \	12	git://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
13	"	13	"
14	SRCREV = "ed2c9684d3b7e605b41a3e7dda0afded1d4a084c"	14	SRCREV = "c38a1fd990cf238de2912db4d7023ddd91e2131f"
15	BRANCH ?= "master"	15	BRANCH ?= "master"
16		16
17	S = "${WORKDIR}/git"	17	S = "${WORKDIR}/git"


diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb index 4f6a175..f994852 100644 --- a/recipes-sota/aktualizr/aktualizr_git.bb +++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -9,7 +9,7 @@ RDEPENDS_${PN}_append = "${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm-test'
9		9
10	inherit systemd	10	inherit systemd
11		11
12	EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON -DAKTUALIZR_VERSION=${PV}"	12	EXTRA_OECMAKE = "-DWARNING_AS_ERROR=OFF -DCMAKE_BUILD_TYPE=Release -DBUILD_OSTREE=ON ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'hsm', '-DBUILD_P11=ON', '', d)} -DAKTUALIZR_VERSION=${PV}"
13		13
14	do_install_append () {	14	do_install_append () {
15	rm ${D}${bindir}/aktualizr_cert_provider	15	rm ${D}${bindir}/aktualizr_cert_provider


diff --git a/recipes-sota/aktualizr/files/sota_hsm_test.toml b/recipes-sota/aktualizr/files/sota_hsm_test.toml new file mode 100644 index 0000000..1317914 --- /dev/null +++ b/recipes-sota/aktualizr/files/sota_hsm_test.toml
@@ -0,0 +1,17 @@
		1	[tls]
		2	certificates_directory = "/var/sota/"
		3	ca_file = "/var/sota/token/root.crt"
		4	client_certificate = "01"
		5	cert_source = "pkcs11"
		6	pkey_file = "02"
		7	pkey_source = "pkcs11"
		8
		9	[p11]
		10	module = "/usr/lib/softhsm/libsofthsm2.so"
		11	pass = "1234"
		12
		13	[uptane]
		14	metadata_path = "/var/sota/metadata"
		15	private_key_path = "ecukey.der"
		16	public_key_path = "ecukey.pub"
		17


diff --git a/recipes-sota/ostree/ostree_git.bb b/recipes-sota/ostree/ostree_git.bb index 8937e5e..7a0320e 100644 --- a/recipes-sota/ostree/ostree_git.bb +++ b/recipes-sota/ostree/ostree_git.bb
@@ -8,9 +8,9 @@ INHERIT_remove_class-native = "systemd"
8		8
9	SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"	9	SRC_URI = "gitsm://github.com/ostreedev/ostree.git;branch=master"
10		10
11	SRCREV="3b09620c2738bce4ed45e099cf2e4c5df7671d39"	11	SRCREV="e3c3ec5dd91492e82c79223052443d038c60f41c"
12		12
13	PV = "2017.3-31-g3b09620c"	13	PV = "v2017.11-20-ge3c3ec5d"
14		14
15	S = "${WORKDIR}/git"	15	S = "${WORKDIR}/git"
16		16
@@ -79,6 +79,9 @@ FILES_${PN} += " \
79	${datadir}/gir-1.0/OSTree-1.0.gir \	79	${datadir}/gir-1.0/OSTree-1.0.gir \
80	${libdir}/girepository-1.0 \	80	${libdir}/girepository-1.0 \
81	${libdir}/girepository-1.0/OSTree-1.0.typelib \	81	${libdir}/girepository-1.0/OSTree-1.0.typelib \
		82	${libdir}/tmpfiles.d/ostree-tmpfiles.conf \
		83	${datadir}/bash-completion/completions/ostree \
		84	${systemd_unitdir}/system-generators/ostree-system-generator \
82	"	85	"
83		86
84	PACKAGES =+ "${PN}-switchroot"	87	PACKAGES =+ "${PN}-switchroot"


diff --git a/recipes-support/softhsm-testtoken/files/createtoken.sh b/recipes-support/softhsm-testtoken/files/createtoken.sh index a72ec34..b01db47 100644 --- a/recipes-support/softhsm-testtoken/files/createtoken.sh +++ b/recipes-support/softhsm-testtoken/files/createtoken.sh
@@ -5,17 +5,22 @@ if pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O; then
5	exit 0	5	exit 0
6	fi	6	fi
7		7
8	if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem; then	8	if ! ls /var/sota/token/pkey.pem /var/sota/token/client.pem /var/sota/token/pkey.pem; then
9	# Key/certificate pair is not present, repeat	9	# Key/certificate pair is not present, repeat
10	mkdir -p /var/sota/token
11	exit 1	10	exit 1
12	fi	11	fi
13		12
14	mkdir -p /var/lib/softhsm/tokens	13	mkdir -p /var/lib/softhsm/tokens
15	softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234	14	softhsm2-util --init-token --slot 0 --label "Virtual token" --pin 1234 --so-pin 1234
16		15
17	pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/pkey.pem --type privkey --login --pin 1234	16	softhsm2-util --import /var/sota/token/pkey.pem --label "pkey" --id 02 --token 'Virtual token' --pin 1234
18	openssl x509 -outform der -in /var/sota/token/client.pem -out /var/sota/token/client.der	17	openssl x509 -outform der -in /var/sota/token/client.pem -out /var/sota/token/client.der
19	pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --label 'Virtual token' --write-object /var/sota/token/client.der --type cert --login --pin 1234	18	pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so --id 1 --write-object /var/sota/token/client.der --type cert --login --pin 1234
		19
		20	# Import UPTANE keypair if it exists
		21	if [ -f /var/sota/token/ecukey.pem ]; then
		22	openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in /var/sota/token/ecukey.pem -out /var/sota/token/ecukey.p8
		23	softhsm2-util --import /var/sota/token/ecukey.p8 --label "uptanekey" --id 03 --token 'Virtual token' --pin 1234
		24	fi
20		25
21	exit 0	26	exit 0