From 793f7c8baa1b8b232311d04d7eb1e604fdd82716 Mon Sep 17 00:00:00 2001
From: Anton Gerasimov
Date: Thu, 15 Feb 2018 18:17:36 +0100
Subject: Add provisioning with CA
---
 .../aktualizr/aktualizr-ca-implicit-prov.bb | 72 ++++++++++++++++++++++
 recipes-sota/aktualizr/aktualizr_git.bb | 4 +-
 recipes-sota/aktualizr/files/ca.cnf | 10 +++
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
 create mode 100644 recipes-sota/aktualizr/files/ca.cnf
(limited to 'recipes-sota/aktualizr')
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
new file mode 100644
index 0000000..51e313d
--- /dev/null
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -0,0 +1,72 @@
+SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
+DESCRIPTION = "Systemd service and configurations for implicitly provisioning Aktualizr using externally provided or generated CA"
+
+# WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device
+# (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine
+
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+
+DEPENDS = "aktualizr-native openssl-native"
+RDEPENDS_${PN} = "aktualizr"
+
+SRC_URI = " \
+ file://LICENSE \
+ file://ca.cnf \
+ "
+PV = "1.0"
+PR = "1"
+
+require environment.inc
+require credentials.inc
+
+export SOTA_CACERT_PATH
+export SOTA_CAKEY_PATH
+
+do_install() {
+ install -d ${D}${libdir}/sota
+
+ if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
+ bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
+ fi
+
+ if [ -z ${SOTA_CACERT_PATH} ]; then
+ SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
+ SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
+ mkdir -p ${DEPLOY_DIR_IMAGE}/CA
+ bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
+
+ if [ ! -f ${SOTA_CACERT_PATH} ]; then
+ bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
+ SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
+ openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
+ openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
+ bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
+ fi
+ fi
+
+ if [ -z ${SOTA_CAKEY_PATH} ]; then
+ bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
+ fi
+
+ install -d ${D}${libdir}/sota
+ install -d ${D}${localstatedir}/sota
+ install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_implicit_prov_ca.toml ${D}${libdir}/sota/sota.toml
+ aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
+ --device-ca ${SOTA_CACERT_PATH} \
+ --device-ca-key ${SOTA_CAKEY_PATH} \
+ --root-ca \
+ --server-url \
+ --local ${D}${localstatedir}/sota \
+ --config ${D}${libdir}/sota/sota.toml
+}
+
+FILES_${PN} = " \
+ ${localstatedir}/sota/* \
+ ${libdir}/sota/sota.toml \
+ ${libdir}/sota/root.crt \
+ "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 5ce8b84..0aeac0f 100644
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
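Review bot: The two `bberror` calls in do_install (the SOTA_PACKED_CREDENTIALS check near the top and the SOTA_CAKEY_PATH check before the install lines) report the problem but do not stop the task, so aktualizr_cert_provider still runs with an empty `--credentials` or `--device-ca-key`; `bbfatal "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"` and `bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning"` abort the task instead. The `-z` tests on SOTA_CACERT_PATH and SOTA_CAKEY_PATH are unquoted and only behave when the variable is empty because `[ -z ]` degenerates to a one-argument test; write them as `if [ -z "${SOTA_CACERT_PATH}" ]; then` and `if [ -z "${SOTA_CAKEY_PATH}" ]; then`, matching the quoted SOTA_PACKED_CREDENTIALS check above them. The generated `ca.private.pem` lands in `${DEPLOY_DIR_IMAGE}/CA` with whatever mode openssl and the build umask produce, and the header comment already says this is not a production flow; a `chmod 0600` after the `openssl genrsa` line, or at least a comment naming where the CA key is persisted, would make that explicit. The second `install -d ${D}${libdir}/sota` repeats the first line of the function and can be dropped.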
@@ -38,12 +38,12 @@ EXTRA_OECMAKE_append_class-target = " -DBUILD_OSTREE=ON -DBUILD_ISOTP=ON ${@bb.u EXTRA_OECMAKE_append_class-native = " -DBUILD_SOTA_TOOLS=ON -DBUILD_OSTREE=OFF " do_install_append () { - rm -f ${D}${bindir}/aktualizr_cert_provider rm -fr ${D}${libdir}/systemd } do_install_append_class-target () { rm -f ${D}${bindir}/aktualizr_implicit_writer rm -f ${D}${libdir}/sota/sota.toml + rm -f ${D}${bindir}/aktualizr_cert_provider ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-example', '', 'rm -f ${D}${bindir}/example-interface', d)} ${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'secondary-isotp-example', '', 'rm -f ${D}${bindir}/isotp-test-interface', d)} @@ -51,6 +51,7 @@ do_install_append_class-target () { aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)} install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service } + do_install_append_class-native () { rm -f ${D}${bindir}/aktualizr rm -f ${D}${bindir}/aktualizr-info @@ -59,6 +60,7 @@ do_install_append_class-native () { install -m 0644 ${S}/config/sota_autoprov.toml ${D}/${libdir}/sota/sota_autoprov.toml install -m 0644 ${S}/config/sota_hsm_prov.toml ${D}/${libdir}/sota/sota_hsm_prov.toml install -m 0644 ${S}/config/sota_implicit_prov.toml ${D}/${libdir}/sota/sota_implicit_prov.toml + install -m 0644 ${S}/config/sota_implicit_prov_ca.toml ${D}/${libdir}/sota/sota_implicit_prov_ca.toml install -m 0755 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/bin/* ${D}${bindir} install -m 0644 ${B}/src/sota_tools/garage-sign-prefix/src/garage-sign/lib/* ${D}${libdir} diff --git a/recipes-sota/aktualizr/files/ca.cnf b/recipes-sota/aktualizr/files/ca.cnf new file mode 100644 index 0000000..352ec38 --- /dev/null +++ b/recipes-sota/aktualizr/files/ca.cnf 
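Review bot: The new `install -m 0644 ${S}/config/sota_implicit_prov_ca.toml` line in do_install_append_class-native assumes that file exists in the aktualizr checkout at the pinned revision, and no SRCREV change is visible in this diff; if the pinned source predates it, every native build fails in do_install, not only users of the new CA recipe. Either bump SRCREV in the same commit or state the required aktualizr revision in the commit message. Moving `rm -f ${D}${bindir}/aktualizr_cert_provider` from do_install_append into the class-target variant is what keeps the tool available to the native build that aktualizr-ca-implicit-prov depends on; a one-line comment on the moved line, `# keep aktualizr_cert_provider in the native build: aktualizr-ca-implicit-prov runs it`, would record why it is deleted only for the target. Both do_install_append functions touched here start or end outside the hunks.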
@@ -0,0 +1,10 @@
+[req]
+req_extensions = cacert
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[cacert]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+
-- cgit v1.2.3-54-g00ecf
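Review bot: `req_extensions = cacert` only applies when `openssl req` writes a certificate request; the recipe invokes `openssl req -new -x509 ... -extensions cacert`, so the CA extensions are picked up from the command-line flag rather than from this key, and `x509_extensions = cacert` is the key that describes the self-signed case if the file is meant to stand on its own. `keyUsage = keyCertSign` is not marked critical and omits cRLSign; `keyUsage = critical,keyCertSign,cRLSign` is the usual CA profile if this CA is ever expected to publish revocation lists. The empty `[req_distinguished_name]` section is fine here because the subject is supplied by `-subj` with `-batch`.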