示例#1
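    def test_cert_provider_local_output(self):
        """Run aktualizr-cert-provider with local output and check its files.

        The packed credentials path and the temp dir (``T``) are read from
        the aktualizr-native recipe; the device-credential config path is
        built from aktualizr-device-prov's ``WORKDIR`` and ``libdir``. After
        the tool has run with ``-l <T>``, the client certificate, the private
        key and the root CA certificate must each exist under
        ``<T>/var/sota/import`` and be non-empty.
        """
        bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'],
                              'aktualizr-native')
        creds = bb_vars['SOTA_PACKED_CREDENTIALS']
        temp_dir = bb_vars['T']
        bb_vars_prov = get_bb_vars(['WORKDIR', 'libdir'],
                                   'aktualizr-device-prov')
        config = bb_vars_prov['WORKDIR'] + '/sysroot-destdir' + bb_vars_prov[
            'libdir'] + '/sota/conf.d/20-sota-device-cred.toml'

        # NOTE(review): the command line is assembled by plain string
        # formatting and how akt_native_run executes it is not visible here;
        # paths containing whitespace would need quoting - confirm.
        akt_native_run(
            self,
            'aktualizr-cert-provider -c {creds} -r -l {temp} -g {config}'.
            format(creds=creds, temp=temp_dir, config=config))

        # Might be nice if these names weren't hardcoded.
        # NOTE(review): only existence and size are checked; the private
        # key's file mode and the certificate contents are not inspected.
        import_dir = temp_dir + '/var/sota/import/'
        expected_files = (
            ('client.pem', 'Client certificate'),
            ('pkey.pem', 'Private key'),
            # Labelled as the root CA so a failure does not point at the
            # client certificate by mistake.
            ('root.crt', 'Root CA certificate'),
        )
        for file_name, label in expected_files:
            path = import_dir + file_name
            self.assertTrue(os.path.isfile(path),
                            "%s not found at %s." % (label, path))
            self.assertTrue(
                os.path.getsize(path) > 0,
                "%s at %s is empty." % (label, path))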
示例#2
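    def test_provisioning(self):
        """Provision the QEMU device with aktualizr-cert-provider over ssh.

        Steps: confirm the device's hostname matches the ``MACHINE`` bitbake
        variable, check that the device is not provisioned yet, run
        aktualizr-cert-provider against ``root@localhost`` on the QEMU ssh
        port, then check that the device is provisioned.
        """
        print('Checking machine name (hostname) of device:')
        stdout, stderr, retcode = self.qemu_command('hostname')
        self.assertEqual(
            retcode, 0, "Unable to check hostname. " +
            "Is an ssh daemon (such as dropbear or openssh) installed on the device?"
        )
        machine = get_bb_var('MACHINE', 'core-image-minimal')
        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
        # Strip only the line ending; slicing off the last character would
        # truncate the hostname if the output ever lacked a newline.
        value = stdout.decode().rstrip('\n')
        self.assertEqual(
            value, machine,
            'MACHINE does not match hostname: ' + machine + ', ' + value)

        verifyNotProvisioned(self, machine)

        # Run aktualizr-cert-provider.
        bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
        creds = bb_vars['SOTA_PACKED_CREDENTIALS']
        bb_vars_prov = get_bb_vars(['WORKDIR', 'libdir'],
                                   'aktualizr-device-prov')
        config = bb_vars_prov['WORKDIR'] + '/sysroot-destdir' + bb_vars_prov[
            'libdir'] + '/sota/conf.d/20-sota-device-cred.toml'

        print('Provisioning at root@localhost:%d' % self.qemu.ssh_port)
        akt_native_run(
            self,
            'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -s -u -r -g {config}'
            .format(creds=creds, port=self.qemu.ssh_port, config=config))

        verifyProvisioned(self, machine)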
示例#3
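    def test_cert_provider_local_output(self):
        """Build aktualizr-device-prov, run the cert provider, check its files.

        After building the aktualizr-device-prov recipe, the packed
        credentials path and the temp dir (``T``) are read from
        aktualizr-native and the config path is built from
        aktualizr-device-prov's ``STAGING_DIR_HOST`` and ``libdir``. Once
        aktualizr-cert-provider has run with ``-l <T>``, the client
        certificate, the private key and the root CA certificate must each
        exist under ``<T>/var/sota/import`` and be non-empty.
        """
        logger = logging.getLogger("selftest")
        logger.info('Running bitbake to build aktualizr-device-prov')
        bitbake('aktualizr-device-prov')
        bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS', 'T'],
                              'aktualizr-native')
        creds = bb_vars['SOTA_PACKED_CREDENTIALS']
        temp_dir = bb_vars['T']
        bb_vars_prov = get_bb_vars(['STAGING_DIR_HOST', 'libdir'],
                                   'aktualizr-device-prov')
        config = bb_vars_prov['STAGING_DIR_HOST'] + bb_vars_prov[
            'libdir'] + '/sota/sota-device-cred.toml'

        # NOTE(review): the command line is assembled by plain string
        # formatting and how akt_native_run executes it is not visible here;
        # paths containing whitespace would need quoting - confirm.
        akt_native_run(
            self,
            'aktualizr-cert-provider -c {creds} -r -l {temp} -g {config}'.
            format(creds=creds, temp=temp_dir, config=config))

        # Might be nice if these names weren't hardcoded.
        # NOTE(review): only existence and size are checked; the private
        # key's file mode and the certificate contents are not inspected.
        import_dir = temp_dir + '/var/sota/import/'
        expected_files = (
            ('client.pem', 'Client certificate'),
            ('pkey.pem', 'Private key'),
            # Labelled as the root CA so a failure does not point at the
            # client certificate by mistake.
            ('root.crt', 'Root CA certificate'),
        )
        for file_name, label in expected_files:
            path = import_dir + file_name
            self.assertTrue(os.path.isfile(path),
                            "%s not found at %s." % (label, path))
            self.assertTrue(
                os.path.getsize(path) > 0,
                "%s at %s is empty." % (label, path))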
示例#4
 def test_cert_provider_help(self):
     """Invoke ``aktualizr-cert-provider --help`` through akt_native_run.

     Any pass/fail checking is done inside akt_native_run, which is not
     shown in this snippet.
     """
     help_command = 'aktualizr-cert-provider --help'
     akt_native_run(self, help_command)
示例#5
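    def test_provisioning(self):
        """Provision the QEMU device into SoftHSM and verify the token state.

        Steps:
          1. Confirm the device hostname matches the ``MACHINE`` variable
             and that the device is not provisioned yet.
          2. Confirm both ``pkcs11-tool`` and ``softhsm2-util`` fail on the
             device, i.e. the HSM has not been initialized.
          3. Run aktualizr-cert-provider against ``root@localhost`` on the
             QEMU ssh port with the HSM device-credential config.
          4. Poll until both tools succeed and report a certificate and a
             present token, then check the token is initialized, its user
             PIN is set, and both tools agree on the slot ID.
          5. Confirm the device is provisioned.
        """
        print('Checking machine name (hostname) of device:')
        stdout, stderr, retcode = self.qemu_command('hostname')
        self.assertEqual(
            retcode, 0, "Unable to check hostname. " +
            "Is an ssh daemon (such as dropbear or openssh) installed on the device?"
        )
        machine = get_bb_var('MACHINE', 'core-image-minimal')
        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
        # Strip only the line ending; slicing off the last character would
        # truncate the hostname if the output ever lacked a newline.
        value = stdout.decode().rstrip('\n')
        self.assertEqual(
            value, machine,
            'MACHINE does not match hostname: ' + machine + ', ' + value)

        verifyNotProvisioned(self, machine)

        # Verify that HSM is not yet initialized: both tools must fail.
        pkcs11_command = 'pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O'
        stdout, stderr, retcode = self.qemu_command(pkcs11_command)
        self.assertNotEqual(
            retcode, 0, 'pkcs11-tool succeeded before initialization: ' +
            stdout.decode() + stderr.decode())
        softhsm2_command = 'softhsm2-util --show-slots'
        stdout, stderr, retcode = self.qemu_command(softhsm2_command)
        # Messages name softhsm2-util, the tool that is actually run.
        self.assertNotEqual(
            retcode, 0, 'softhsm2-util succeeded before initialization: ' +
            stdout.decode() + stderr.decode())

        # Run aktualizr-cert-provider.
        bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
        creds = bb_vars['SOTA_PACKED_CREDENTIALS']
        bb_vars_prov = get_bb_vars(['WORKDIR', 'libdir'],
                                   'aktualizr-device-prov-hsm')
        config = bb_vars_prov['WORKDIR'] + '/sysroot-destdir' + bb_vars_prov[
            'libdir'] + '/sota/conf.d/20-sota-device-cred-hsm.toml'

        akt_native_run(
            self,
            'aktualizr-cert-provider -c {creds} -t root@localhost -p {port} -r -s -u -g {config}'
            .format(creds=creds, port=self.qemu.ssh_port, config=config))

        # Verify that HSM is able to initialize. Initialization is not
        # instantaneous, so poll with increasing patience (30 s in total);
        # the for/else fails the test only if no attempt succeeded.
        for delay in [5, 5, 5, 5, 10]:
            sleep(delay)
            p11_out, p11_err, p11_ret = self.qemu_command(pkcs11_command)
            hsm_out, hsm_err, hsm_ret = self.qemu_command(softhsm2_command)
            if (p11_ret == 0 and hsm_ret == 0 and hsm_err == b''
                    and b'X.509 cert' in p11_out
                    and b'present token' in p11_err):
                break
        else:
            self.fail('pkcs11-tool or softhsm2-util failed: ' +
                      p11_err.decode() + p11_out.decode() + hsm_err.decode() +
                      hsm_out.decode())

        self.assertIn(
            b'Initialized:      yes', hsm_out,
            'softhsm2-util failed: ' + hsm_err.decode() + hsm_out.decode())
        self.assertIn(
            b'User PIN init.:   yes', hsm_out,
            'softhsm2-util failed: ' + hsm_err.decode() + hsm_out.decode())

        # Check that pkcs11 output matches softhsm output: the slot ID
        # pkcs11-tool reports on stderr must equal the one softhsm2-util
        # lists on stdout.
        p11_p = re.compile(
            r'Using slot [0-9] with a present token \((0x[0-9a-f]*)\)\s')
        p11_m = p11_p.search(p11_err.decode())
        self.assertTrue(
            p11_m, 'Slot number not found with pkcs11-tool: ' +
            p11_err.decode() + p11_out.decode())
        self.assertGreater(
            p11_m.lastindex, 0, 'Slot number not found with pkcs11-tool: ' +
            p11_err.decode() + p11_out.decode())
        hsm_p = re.compile(r'Description:\s*SoftHSM slot ID (0x[0-9a-f]*)\s')
        hsm_m = hsm_p.search(hsm_out.decode())
        self.assertTrue(
            hsm_m, 'Slot number not found with softhsm2-util: ' +
            hsm_err.decode() + hsm_out.decode())
        self.assertGreater(
            hsm_m.lastindex, 0, 'Slot number not found with softhsm2-util: ' +
            hsm_err.decode() + hsm_out.decode())
        self.assertEqual(
            p11_m.group(1), hsm_m.group(1),
            'Slot number does not match: ' + p11_err.decode() +
            p11_out.decode() + hsm_err.decode() + hsm_out.decode())

        verifyProvisioned(self, machine)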
示例#6
 def test_garagesign_help(self):
     """Invoke ``garage-sign --help`` through akt_native_run.

     Any pass/fail checking is done inside akt_native_run, which is not
     shown in this snippet.
     """
     help_command = 'garage-sign --help'
     akt_native_run(self, help_command)
示例#7
 def test_deploy_help(self):
     """Invoke ``garage-deploy --help`` through akt_native_run.

     Any pass/fail checking is done inside akt_native_run, which is not
     shown in this snippet.
     """
     help_command = 'garage-deploy --help'
     akt_native_run(self, help_command)
示例#8
 def test_push_help(self):
     """Invoke ``garage-push --help`` through akt_native_run.

     Any pass/fail checking is done inside akt_native_run, which is not
     shown in this snippet.
     """
     help_command = 'garage-push --help'
     akt_native_run(self, help_command)