SUMMARY = "Aktualizr configuration for implicit provisioning with CA"
DESCRIPTION = "Configuration for implicitly provisioning Aktualizr using externally provided or generated CA"

# WARNING: this is NOT a production solution. The secure way to provision devices is to create the
# certificate request directly on the device (either with an HSM/TPM or in software) and then sign
# it with a CA stored on a disconnected machine. Here the CA private key (SOTA_CAKEY_PATH, or the one
# generated in do_install) lives on the build host and is only as well protected as that host.

HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
SECTION = "base"
LICENSE = "MPL-2.0"
LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"

# Build-host tools used by do_install: openssl-native generates a CA when none is
# supplied; aktualizr_cert_provider is presumably provided by aktualizr-native.
DEPENDS = "aktualizr aktualizr-native openssl-native"

# ca.cnf supplies the "cacert" extensions section used when a CA is generated.
SRC_URI = " \
  file://LICENSE \
  file://ca.cnf \
  "
PV = "1.0"
PR = "1"

# NOTE(review): these .inc files are not visible here; they presumably define
# SOTA_PACKED_CREDENTIALS and the SOTA_CA*_PATH variables used in do_install.
require environment.inc
require credentials.inc

# Exported so the do_install shell code sees the CA paths when they are set in
# the datastore; when unset, do_install falls back to a generated CA.
export SOTA_CACERT_PATH
export SOTA_CAKEY_PATH

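# Installs the implicit-provisioning config fragment and runs
# aktualizr_cert_provider on the build host so the device credentials are
# already present under ${localstatedir}/sota in the packaged rootfs.
#
# Inputs (BitBake datastore, see the exports above):
#   SOTA_PACKED_CREDENTIALS - required; the task aborts without it
#   SOTA_CACERT_PATH        - CA certificate used to sign the device cert; when
#                             unset a self-signed CA (7300 days) is generated
#                             under ${DEPLOY_DIR_IMAGE}/CA
#   SOTA_CAKEY_PATH         - private key matching SOTA_CACERT_PATH
#
# BitBake expands ${VAR} in this body before the shell runs; a variable that is
# unset in the datastore is left for the shell to expand, which is what lets
# the fallback assignments below reach the later ${SOTA_CACERT_PATH} uses.
do_install() {
    install -m 0700 -d ${D}${libdir}/sota/conf.d

    # bbfatal rather than bberror: bberror only logs, and the task would carry
    # on into aktualizr_cert_provider with an empty --credentials value.
    if [ -z "${SOTA_PACKED_CREDENTIALS}" ]; then
        bbfatal "SOTA_PACKED_CREDENTIALS are required for implicit provisioning"
    fi

    if [ -z "${SOTA_CACERT_PATH}" ]; then
        SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
        SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
        # The CA private key is written into this directory; keep it owner-only.
        install -m 0700 -d ${DEPLOY_DIR_IMAGE}/CA
        bbwarn "SOTA_CACERT_PATH is not specified, use default one at $SOTA_CACERT_PATH"

        if [ ! -f "${SOTA_CACERT_PATH}" ]; then
            bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
            SOTA_CACERT_DIR_PATH="$(dirname "$SOTA_CACERT_PATH")"
            # genrsa creates the key file with the current umask, so tighten it
            # for just this command rather than chmod-ing after the fact.
            ( umask 077 && openssl genrsa -out "${SOTA_CACERT_DIR_PATH}/ca.private.pem" 4096 )
            openssl req -key "${SOTA_CACERT_DIR_PATH}/ca.private.pem" -new -x509 -days 7300 \
                -out "${SOTA_CACERT_PATH}" \
                -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" \
                -batch -config "${WORKDIR}/ca.cnf" -extensions cacert
            bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
        fi
    fi

    # Same reasoning as above: abort instead of signing with an empty key path.
    if [ -z "${SOTA_CAKEY_PATH}" ]; then
        bbfatal "SOTA_CAKEY_PATH should be set when using implicit provisioning"
    fi

    install -m 0700 -d ${D}${localstatedir}/sota
    install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml \
        ${D}${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml
    # --root-ca and --server-url are value-less flags in this invocation; their
    # exact effect is defined by aktualizr_cert_provider, not shown here.
    aktualizr_cert_provider --credentials "${SOTA_PACKED_CREDENTIALS}" \
                            --device-ca "${SOTA_CACERT_PATH}" \
                            --device-ca-key "${SOTA_CAKEY_PATH}" \
                            --root-ca \
                            --server-url \
                            --local ${D}${localstatedir}/sota \
                            --config ${STAGING_DIR_HOST}${libdir}/sota/sota_implicit_prov_ca.toml
}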

# root.crt and the contents of ${localstatedir}/sota are not installed by an
# explicit line in do_install; presumably aktualizr_cert_provider writes them
# (--root-ca / --local). NOTE(review): whatever it writes there, likely device
# key material, ships inside this package - confirm where the package is published.
FILES_${PN} = " \
                ${libdir}/sota/conf.d \
                ${libdir}/sota/conf.d/20-sota_implicit_prov_ca.toml \
                ${libdir}/sota/root.crt \
                ${localstatedir}/sota/* \
                "

# vim:set ts=4 sw=4 sts=4 expandtab: