kuksa-val: Add root CA certificate to agl-driver nssdb 70/28470/9
author Roger Zanoni <rzanoni@igalia.com>
Mon, 13 Feb 2023 20:29:09 +0000 (21:29 +0100)
committer Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Thu, 23 Mar 2023 10:19:35 +0000 (10:19 +0000)
This change is needed by chromium to fix the ERR_CERT_AUTHORITY_INVALID
issued when trying to connect to kuksa.val server using a secure
connection.

chromium is shipped with a read-only database containing trusted
CA certs and also uses a local nss database (stored on the user home
directory) that can be managed by the nss command line tools.

This change adds the kuksa root CA to agl-driver's nssdb
that can be loaded by chromium and used to perform validation.

v2 (jsmoeller): Use separate package for pki db in agl-driver home.

Bug-AGL: SPEC-4599
Signed-off-by: Roger Zanoni <rzanoni@igalia.com>
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Change-Id: I074d48fedfadaddd9a894b478839e16fa4757b5e

recipes-connectivity/kuksa-val/kuksa-val_git.bb

index 04f6f4f..2c1966f 100644 (file)
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://../LICENSE;md5=2b42edef8fa55315f34f2370b4715ca9 \
                     file://3rd-party-libs/turtle/LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c \
                     file://3rd-party-libs/jwt-cpp/LICENSE;md5=8325a5ce4414c65ffdda392e0d96a9ff"
 
-DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
+DEPENDS = "boost openssl mosquitto nss protobuf-native grpc-native grpc"
 
 require kuksa-val.inc
 
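Review bot: Adding `nss` to `DEPENDS` only makes it a build-time dependency, but the one place this patch uses NSS is the `certutil` call in `pkg_postinst_ontarget`, which runs on the device. Nothing in the visible lines shows the kuksa-val build itself needing NSS, so either drop this and express the requirement as a runtime dependency on whichever package ships `certutil`, or add a comment saying what at build time needs it.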
@@ -77,6 +77,11 @@ do_install:append() {
     chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
 
+pkg_postinst_ontarget:${PN}-client-certificates () {
+    certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i ${sysconfdir}/kuksa-val/CA.pem
+    chown agl-driver:agl-driver -R /home/agl-driver/.pki/
+}
+
 # Put client certificates into their own package so we can avoid
 # duplicates of them for e.g. cluster clients.  Longer term this
 # will need to be revisited.
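Review bot: The trust string `"pC,,"` on the `certutil -A` line marks KuksaRootCA as a trusted CA for TLS server certificates in agl-driver's database, and NSS does not scope that trust to the kuksa.val host, so any certificate chaining to `CA.pem` will validate in chromium for any site. Please document in the recipe which CA this is and who holds its key, so the breadth of the trust is a deliberate choice. Separately, the scriptlet hard-codes `/home/agl-driver` and `chown -R` rewrites ownership of everything under `.pki/`; limiting the chown to `.pki/nssdb` and deriving the home directory from a variable would be safer.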
@@ -90,4 +95,4 @@ FILES:${PN}-client-certificates = " \
 
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
 
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-client-certificates nss-agl-driver-db"
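Review bot: `nss-agl-driver-db` is added to `RDEPENDS:${PN}`, but the scriptlet that writes to the database is `pkg_postinst_ontarget:${PN}-client-certificates`, and the comment above says that package is split out so it can be installed without the server (e.g. cluster clients). In that case the postinst would run with no guarantee that the nssdb or `certutil` is present. Consider putting the dependency on `RDEPENDS:${PN}-client-certificates` instead, together with the package that provides `certutil`.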