From 549b7215b78cb43082d108ade12edff991561f2b Mon Sep 17 00:00:00 2001
From: Sebastien Merle <s.merle@gmail.com>
Date: Wed, 19 Nov 2025 15:44:02 +0100
Subject: [PATCH 1/3] Fix the configuration to support grisp_keychain

---
 README.md           |  8 +++++---
 config/braid.config |  6 ++++++
 config/dev.config   |  3 +++
 config/local.config | 13 ++++++++-----
 config/sys.config   |  6 ++++++
 5 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 956b436..c8a5731 100644
--- a/README.md
+++ b/README.md
@@ -64,9 +64,11 @@ e.g.
 
 The local development release runs on the host itself and connects to a local server.
 
-Add an entry in your local hosts file so the domain www.seawater.local points
-to your local development server. Remember to configure the local server to
-check the client certificate against the `grisp_connect` test CA.
+Add a hosts file in 'grisp/grisp2/common/deploy/files/etc/hosts' so the domain
+www.seawater.local points to your local development server. Add the server
+certificate chain in `priv/certificates/servers/www.seawater.local.pem`.
+Remember to configure the local server to check the client certificate against
+the `grisp_connect` test CA.
 
 For the default configuration to work, the grisp_connect dependency must be
 in your `_checkouts` directory.
diff --git a/config/braid.config b/config/braid.config
index b92c8c2..7a8e563 100644
--- a/config/braid.config
+++ b/config/braid.config
@@ -29,6 +29,12 @@
             }
         ]}
     ]},
+    {grisp_cryptoauth, [
+        {tls_server_trusted_certs_cb, {certifi, cacerts}}
+    ]},
+    {grisp_keychain, [
+        {api_module, grisp_cryptoauth}
+    ]},
     {grisp_connect, [
         {domain, "devices.braid.grisp.io"},
         {ntp, true},
diff --git a/config/dev.config b/config/dev.config
index 45692c1..971b453 100644
--- a/config/dev.config
+++ b/config/dev.config
@@ -2,6 +2,9 @@
     {grisp_cryptoauth, [
         {tls_server_trusted_certs, {priv, grisp_demo, "certificates/servers"}}
     ]},
+    {grisp_keychain, [
+        {api_module, grisp_cryptoauth}
+    ]},
     {kernel, [
         {logger_level, info},
         {logger, [
diff --git a/config/local.config b/config/local.config
index 5f793ae..bc245f8 100644
--- a/config/local.config
+++ b/config/local.config
@@ -2,11 +2,13 @@
     {grisp, [
         {emulation, {grisp2, grisp_emulation}}
     ]},
-    {grisp_cryptoauth, [
-        {tls_server_trusted_certs, {priv, grisp_demo, "certificates/servers"}},
-        {tls_client_trusted_certs, {test, grisp_connect, "certs/CA.crt"}},
+    {grisp_keychain, [
+        {api_module, grisp_keychain_filesystem},
         {client_certs, {test, grisp_connect, "certs/client.crt"}},
-        {client_key, {test, grisp_connect, "certs/client.key"}}
+        {client_key, {test, grisp_connect, "certs/client.key"}},
+        {tls_client_trusted_certs, {test, grisp_connect, "certs/CA.crt"}},
+        {tls_server_trusted_certs, {priv, grisp_demo, "certificates/servers"}},
+        {tls_verify, verify_none}
     ]},
     {kernel, [
         {logger_level, debug},
@@ -45,7 +47,8 @@
         % configuration, as it was explicitly started in kernel configuration
         % in order to catch the log entries before grisp_connect is started.
         {logger, []},
-        {allowed_ca_chain, "local/peers.CA.pem"}
+        {allowed_ca_chain, "grisp/grisp2/common/deploy/files/etc/peers.CA.pem"},
+        {board_certificate, "/tmp/board.pem"}
     ]},
     {grisp_updater, [
         {signature_check, false},
diff --git a/config/sys.config b/config/sys.config
index f7ad262..01a15bc 100644
--- a/config/sys.config
+++ b/config/sys.config
@@ -29,6 +29,12 @@
             }
         ]}
     ]},
+    {grisp_cryptoauth, [
+        {tls_server_trusted_certs_cb, {certifi, cacerts}}
+    ]},
+    {grisp_keychain, [
+        {api_module, grisp_cryptoauth}
+    ]},
     {grisp_connect, [
         {ntp, true},
         % Disable the log handler defined in grisp_connect application default

From 07a4fec1ba1cc4f77128afefd1bda31f8afbd50c Mon Sep 17 00:00:00 2001
From: Sebastien Merle <s.merle@gmail.com>
Date: Thu, 20 Nov 2025 14:15:58 +0100
Subject: [PATCH 2/3] Add grisp_cryptoauth and unlock deps until released

---
 rebar.config |  1 +
 rebar.lock   | 13 ++++---------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/rebar.config b/rebar.config
index fbe5d01..3f64f10 100644
--- a/rebar.config
+++ b/rebar.config
@@ -3,6 +3,7 @@
     {epmd, {git, "https://github.com/erlang/epmd", {ref, "4d1a59"}}},
     certifi,
     grisp_updater_grisp2,
+    grisp_cryptoauth,
     grisp_connect
 ]}.
 
diff --git a/rebar.lock b/rebar.lock
index b9d1bb6..b86ee13 100644
--- a/rebar.lock
+++ b/rebar.lock
@@ -6,9 +6,10 @@
        {ref,"4d1a595b9d5c32fc0e55f462da381de62de23bf0"}},
   0},
  {<<"grisp">>,{pkg,<<"grisp">>,<<"2.8.0">>},0},
- {<<"grisp_connect">>,{pkg,<<"grisp_connect">>,<<"2.1.0">>},0},
- {<<"grisp_cryptoauth">>,{pkg,<<"grisp_cryptoauth">>,<<"2.4.2">>},1},
- {<<"grisp_updater">>,{pkg,<<"grisp_updater">>,<<"2.1.1">>},1},
+ {<<"grisp_keychain">>,
+  {git,"https://github.com/grisp/grisp_keychain.git",
+       {ref,"4590293b7c0502638ca225f47e7849aa3bb004c1"}},
+  1},
  {<<"grisp_updater_grisp2">>,{pkg,<<"grisp_updater_grisp2">>,<<"0.2.1">>},0},
  {<<"gun">>,{pkg,<<"gun">>,<<"2.1.0">>},1},
  {<<"jarl">>,{pkg,<<"jarl">>,<<"1.1.0">>},1},
@@ -22,9 +23,6 @@
  {<<"certifi">>, <<"ED3BEF654E69CDE5E6C022DF8070A579A79E8BA2368A00ACF3D75B82D9ACEEED">>},
  {<<"cowlib">>, <<"DB8F7505D8332D98EF50A3EF34B34C1AFDDEC7506E4EE4DD4A3A266285D282CA">>},
  {<<"grisp">>, <<"E0B7D4C3464702DBD62A867EDE76488226B0772B29DF7DBAE4E08E474F2B81F5">>},
- {<<"grisp_connect">>, <<"9E7960BABA195E3056E50C5EDDF4F456F84F52CFA66DF9F84477D4B7869157FD">>},
- {<<"grisp_cryptoauth">>, <<"D3D5EED97D6A008A7A3201AB45A3388EFDA2FD693092FCCDF4FE304E02D64DE5">>},
- {<<"grisp_updater">>, <<"471744D14F756ED0DF22414EA752A9E943EC0CB996E1596F708DCA52D2F9C527">>},
  {<<"grisp_updater_grisp2">>, <<"15E0688465C9CD7FE24A4CF47E48FD939B51B175EC74BDD4BF8B33417E8CACC3">>},
  {<<"gun">>, <<"B4E4CBBF3026D21981C447E9E7CA856766046EFF693720BA43114D7F5DE36E87">>},
  {<<"jarl">>, <<"C5C9DE664449C6EE11AAAE44E516DA40D611224056DFB7D3FA16CC6538BC0EB8">>},
@@ -37,9 +35,6 @@
  {<<"certifi">>, <<"EA59D87EF89DA429B8E905264FDEC3419F84F2215BB3D81E07A18AAC919026C3">>},
  {<<"cowlib">>, <<"E1E1284DC3FC030A64B1AD0D8382AE7E99DA46C3246B815318A4B848873800A4">>},
  {<<"grisp">>, <<"4BF7D6E31B03884C13402694D8CDC9B5ECADB53EA1B405453581FD2248D38928">>},
- {<<"grisp_connect">>, <<"B7D217C79805B2D3678956EADD7FCC14C1AC99B682A3F79F1EBEA8A8C0995DC6">>},
- {<<"grisp_cryptoauth">>, <<"F20B1321D7982492974F651726B069B9A13E6A6879B57FCBEC306FCDCFCB54BD">>},
- {<<"grisp_updater">>, <<"00B114255B84F85B71E95C5BD05C42D4C2F64839819DF3BA78B1FB6F2AB01A6E">>},
  {<<"grisp_updater_grisp2">>, <<"4927ECA45BC98E7D49050737C6885E7C5CD86CD634317FE4B14BC1EBE9F843C1">>},
  {<<"gun">>, <<"52FC7FC246BFC3B00E01AEA1C2854C70A366348574AB50C57DFE796D24A0101D">>},
  {<<"jarl">>, <<"8FAC300C5FFB2DACE218BA069B7099F2B874E6190640AA739B12C41C2B1C05AA">>},

From a189055ef9c940ae4b422dd07ea2b1eb6e473599 Mon Sep 17 00:00:00 2001
From: Luca Succi <luca.succi@stritzinger.com>
Date: Thu, 27 Nov 2025 17:28:02 +0100
Subject: [PATCH 3/3] Upgrade grisp_cryptoauth

---
 rebar.lock | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rebar.lock b/rebar.lock
index b86ee13..7fb7865 100644
--- a/rebar.lock
+++ b/rebar.lock
@@ -6,6 +6,7 @@
        {ref,"4d1a595b9d5c32fc0e55f462da381de62de23bf0"}},
   0},
  {<<"grisp">>,{pkg,<<"grisp">>,<<"2.8.0">>},0},
+ {<<"grisp_cryptoauth">>,{pkg,<<"grisp_cryptoauth">>,<<"2.5.0">>},0},
  {<<"grisp_keychain">>,
   {git,"https://github.com/grisp/grisp_keychain.git",
        {ref,"4590293b7c0502638ca225f47e7849aa3bb004c1"}},
@@ -23,6 +24,7 @@
  {<<"certifi">>, <<"ED3BEF654E69CDE5E6C022DF8070A579A79E8BA2368A00ACF3D75B82D9ACEEED">>},
  {<<"cowlib">>, <<"DB8F7505D8332D98EF50A3EF34B34C1AFDDEC7506E4EE4DD4A3A266285D282CA">>},
  {<<"grisp">>, <<"E0B7D4C3464702DBD62A867EDE76488226B0772B29DF7DBAE4E08E474F2B81F5">>},
+ {<<"grisp_cryptoauth">>, <<"F4E883AB0B697174333378C48525E576F63121205448180986EEF598C46ED40A">>},
  {<<"grisp_updater_grisp2">>, <<"15E0688465C9CD7FE24A4CF47E48FD939B51B175EC74BDD4BF8B33417E8CACC3">>},
  {<<"gun">>, <<"B4E4CBBF3026D21981C447E9E7CA856766046EFF693720BA43114D7F5DE36E87">>},
  {<<"jarl">>, <<"C5C9DE664449C6EE11AAAE44E516DA40D611224056DFB7D3FA16CC6538BC0EB8">>},
@@ -35,6 +37,7 @@
  {<<"certifi">>, <<"EA59D87EF89DA429B8E905264FDEC3419F84F2215BB3D81E07A18AAC919026C3">>},
  {<<"cowlib">>, <<"E1E1284DC3FC030A64B1AD0D8382AE7E99DA46C3246B815318A4B848873800A4">>},
  {<<"grisp">>, <<"4BF7D6E31B03884C13402694D8CDC9B5ECADB53EA1B405453581FD2248D38928">>},
+ {<<"grisp_cryptoauth">>, <<"15052372B745FEA532A5E14C9B75A316C4D5528A284140C2159A5014178C8683">>},
  {<<"grisp_updater_grisp2">>, <<"4927ECA45BC98E7D49050737C6885E7C5CD86CD634317FE4B14BC1EBE9F843C1">>},
  {<<"gun">>, <<"52FC7FC246BFC3B00E01AEA1C2854C70A366348574AB50C57DFE796D24A0101D">>},
  {<<"jarl">>, <<"8FAC300C5FFB2DACE218BA069B7099F2B874E6190640AA739B12C41C2B1C05AA">>},