blob: e00d41a0f4eb9e3d7f442221718843c5ea1c7595 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
DESCRIPTION = "Configuration for implicitly provisioning Aktualizr using externally provided or generated CA"
# WARNING: it is NOT a production solution. The secure way to provision devices is to create certificate request directly on the device
# (either with HSM/TPM or with software) and then sign it with a CA stored on a disconnected machine
HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
SECTION = "base"
LICENSE = "MPL-2.0"
LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
DEPENDS = "aktualizr aktualizr-native openssl-native"
SRC_URI = " \
file://LICENSE \
file://ca.cnf \
"
PV = "1.0"
PR = "1"
require environment.inc
require credentials.inc
export SOTA_CACERT_PATH
export SOTA_CAKEY_PATH
do_install() {
install -m 0700 -d ${D}${libdir}/sota/conf.d
if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
bberror "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
fi
if [ -z ${SOTA_CACERT_PATH} ]; then
SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
mkdir -p ${DEPLOY_DIR_IMAGE}/CA
bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"
if [ ! -f ${SOTA_CACERT_PATH} ]; then
bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
fi
fi
if [ -z ${SOTA_CAKEY_PATH} ]; then
bberror "SOTA_CAKEY_PATH should be set when using implicit provisioning"
fi
install -m 0700 -d ${D}${localstatedir}/sota
install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \
${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml
aktualizr_cert_provider --credentials ${SOTA_PACKED_CREDENTIALS} \
--device-ca ${SOTA_CACERT_PATH} \
--device-ca-key ${SOTA_CAKEY_PATH} \
--root-ca \
--server-url \
--local ${D}${localstatedir}/sota \
--config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
}
FILES_${PN} = " \
${libdir}/sota/conf.d \
${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \
${libdir}/sota/root.crt \
${localstatedir}/sota/* \
"
# vim:set ts=4 sw=4 sts=4 expandtab:
|