afc: Use either ca-cert or access-token to get authorization in curl command for the AFC server

Fixes:WIFI-14427 Signed-off-by: Tanya Singh <tanya_singh@accton.com>
qca-wifi-7/afc: Use curl instead of uclient to send/receive AFC request/response using hostapd
2025-10-29 17:42:41 +00:00 · 2025-07-30 17:04:09 +08:00 · 2025-07-30 09:34:26 +02:00 · 2025-07-30 09:04:52 +02:00 · 2025-07-30 09:02:17 +02:00 · 2025-07-30 09:02:05 +02:00
5 changed files with 52 additions and 10 deletions
--- a/feeds/ipq807x_v5.4/hostapd/files/hostapd.uc
+++ b/feeds/ipq807x_v5.4/hostapd/files/hostapd.uc
@@ -900,7 +900,10 @@ return {
 				hostapd.printf(`Sending AFC request: ${data}`);
 				writefile("/tmp/afc-request.json", data);

-				system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				if (afc_server.access_token)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				else if (afc_server.cert)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' --cert \'${afc_server.cert}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);

 				let afc_response = (readfile("/tmp/afc-response.json"));
 				if (afc_response)
--- a/feeds/qca-wifi-7/hostapd/files/hostapd.uc
+++ b/feeds/qca-wifi-7/hostapd/files/hostapd.uc
@@ -1,7 +1,8 @@
 let libubus = require("ubus");
-import { open, readfile } from "fs";
+import { open, readfile, writefile } from "fs";
 import { wdev_remove, is_equal, vlist_new, phy_is_fullmac, phy_open, wdev_set_radio_mask } from "common";

+let uci = require('uci').cursor();
 let ubus = libubus.connect(null, 60);

 hostapd.data.config = {};
@@ -1006,7 +1007,6 @@ let main_obj = {
 hostapd.data.ubus = ubus;
 hostapd.data.obj = ubus.publish("hostapd", main_obj);

-
 let auth_obj = {};
 hostapd.data.auth_obj = ubus.publish("hostapd-auth", auth_obj);

@@ -1026,10 +1026,24 @@ return {
 		hostapd.ubus.disconnect();
 	},
 	afc_request: function(iface, data) {
-		let ret = ubus.call("afc", "request", { data });
-		if (type(ret) != "object")
-			return;
-		return ret.data;
+		let wireless_config = uci.get_all('wireless');
+		for (let l, afc_server in wireless_config) {
+			if (afc_server['.type'] == 'afc-server' && afc_server.url && data) {
+				hostapd.printf(`Sending AFC request: ${data}`);
+				writefile("/tmp/afc-request.json", data);
+
+				if (afc_server.access_token)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				else if (afc_server.cert)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' --cert \'${afc_server.cert}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+
+				let afc_response = (readfile("/tmp/afc-response.json"));
+				if (afc_response)
+					return afc_response;
+				else
+					return;
+			}
+		}
 	},
 	bss_create: function(phy, name, obj) {
 		phy = hostapd.data.config[phy];
--- a/feeds/tip/certificates/files/usr/bin/mount_certs
+++ b/feeds/tip/certificates/files/usr/bin/mount_certs
@@ -58,6 +58,19 @@ udaya,a5-id2)
 		[ -n "$mtd" ] && tar xf /dev/mtdblock$mtd -C /certificates
 	fi
 	;;
+sonicfi,rap6*)
+	mtd=$(find_mtd_index certificates)
+	if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
+		mount -t squashfs /dev/mtdblock$mtd /mnt
+		cp /mnt/* /certificates
+		umount /mnt
+	fi
+	part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+	if [ -n "$part" ]; then
+		mtd=$(find_mtd_index $part)
+		[ -n "$mtd" ] && tar xf /dev/mtdblock$mtd -C /certificates
+	fi
+	;;
 *)
 	mtd=$(find_mtd_index certificates)

--- a/feeds/tip/certificates/files/usr/bin/store_certs
+++ b/feeds/tip/certificates/files/usr/bin/store_certs
@@ -28,4 +28,16 @@ udaya,a5-id2)
 	mtd=$(find_mtd_index $part)
 	dd if=/tmp/certs.tar of=/dev/mtdblock$mtd
 	;;
+sonicfi,rap6*)
+	if [ "$(fw_printenv -n store_certs_disabled)" != "1" ]; then
+		cd /certificates
+		tar cf /tmp/certs.tar .
+		part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+		mtd=$(find_mtd_index $part)
+		block_size=$(cat /sys/class/mtd/mtd$mtd/size)
+		dd if=/tmp/certs.tar of=/tmp/certs_pad.tar bs=$block_size conv=sync
+		mtd write /tmp/certs_pad.tar /dev/mtd$mtd
+		rm -f /tmp/certs.tar /tmp/certs_pad.tar
+	fi
+	;;
 esac
--- a/feeds/ucentral/ucentral-schema/Makefile
+++ b/feeds/ucentral/ucentral-schema/Makefile
@@ -4,10 +4,10 @@ PKG_NAME:=ucentral-schema
 PKG_RELEASE:=1

 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-schema.git
-PKG_MIRROR_HASH:=c1e757c5e25731ef86724fd315850367d11303c2e329aaaa9bd2024fbebbae2e
+PKG_MIRROR_HASH:=45575f1f345368d109f74dc5ae3c8648dadbebef37e2d8eadc95b4fca2fbf43f
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-07-27
-PKG_SOURCE_VERSION:=92fb3c123e362c36c279f8f2065935dc7ba82c5c
+PKG_SOURCE_DATE:=2025-07-30
+PKG_SOURCE_VERSION:=30c73745c104d56f58d4f457956fe7ebac6e0f86
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
Author	SHA1	Message	Date
Tanya Singh	cca5fabf4c	afc: Use either ca-cert or access-token to get authorization in curl command for the AFC server Fixes:WIFI-14427 Signed-off-by: Tanya Singh <tanya_singh@accton.com>	2025-07-30 17:04:09 +08:00
Tanya Singh	3a8fc316f2	qca-wifi-7/afc: Use curl instead of uclient to send/receive AFC request/response using hostapd Fixes: WIFI-14427 Signed-off-by: Tanya Singh <tanya_singh@accton.com>	2025-07-30 09:34:26 +02:00
jackcybertan	d85dc2a819	certificates: Enhance PKI enrollment on squashfs (SonicFi RAP6* series) The updated flow: - Mount /dev/mtdblock* (the certificates partition) to /mnt - Copy its contents to /certificates - Unmount /mnt - Extract the PKI 2.0 certificates into /certificates Fixes: WIFI-14904 Signed-off-by: jackcybertan <jack.tsai@cybertan.com.tw>	2025-07-30 09:04:52 +02:00
John Crispin	acca9737e4	ucentral-schema: update to latest HEAD 30c7374 Add 'access-token' to AFC server config Fixes: WIFI-14427 Signed-off-by: John Crispin <john@phrozen.org>	2025-07-30 09:02:17 +02:00
Tanya Singh	6d2fd1de0d	afc: Use curl instead of uclient to send/receive AFC request/response using hostapd Fixes: WIFI-14427 Signed-off-by: Tanya Singh <tanya_singh@accton.com>	2025-07-30 09:02:05 +02:00