aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2022-07-11 19:29:53 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-07-13 21:58:38 +0000
commit08977ac24f2d31b0955786824c9ff62eff981ee9 (patch)
tree5315c8605e38eee12b164a9884891168900516d8
parentff1776b06bc54c36d199f9061f1ff78c7b3db027 (diff)
kuksa-val: add regenerated server certificateneedlefish_13.91.0needlefish/13.91.013.91.0
After fixing the issue with the SSL context purpose in the Python client library, client connections were still failing with the error: certificate verify failed: IP address mismatch, certificate is not valid for localhost To fix this, the certificate generation script has been patched to create the now required Subject Alt Name extension field, as that has effectively replaced using the CN field in most SSL implementations. Replacement Server.key and Server.pem files generated with the updated script have been added to give us a working configuration while this is worked with upstream so their default configuration is usable with newer Python + OpenSSL versions. Bug-AGL: SPEC-4467 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I9e8374fbbef6e8570b16d87f4e1800ceba8aacad
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch64
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.key27
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.pem23
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val_git.bb14
4 files changed, 128 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
new file mode 100644
index 000000000..90267df60
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
@@ -0,0 +1,64 @@
+From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 11 Jul 2022 16:23:56 -0400
+Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
+ certificate
+
+With the newer Python and OpenSSL in Yocto kirkstone, it seems that
+server certificates need to have a valid Subject Alt Name extension
+field, or trying to connect fails with errors of the form:
+
+ certificate verify failed: IP address mismatch, certificate is not valid for localhost
+
+To fix this, the generated server certificate should not rely on the
+long deprecated CN field and add the now required extension field.
+To facilitate this, the genCerts.sh script has been enhanced to
+add a Subject Alt Name extension field of "DNS:localhost" (or
+optionally some other hostname) to the server certificate, and to
+also add the commonly used keyUsage and extendedKeyUsage extension
+fields with appropriate values.
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
+index d0ef767..dfb9458 100755
+--- a/kuksa_certificates/genCerts.sh
++++ b/kuksa_certificates/genCerts.sh
+@@ -1,5 +1,11 @@
+ #!/bin/sh
+
++# Optional first argument is server hostname
++if [ $# -eq 1 ]; then
++ HOST=$1
++else
++ HOST="localhost"
++fi
+
+ genCACert() {
+ openssl genrsa -out CA.key 2048
+@@ -10,7 +16,18 @@ genCACert() {
+ genCert() {
+ openssl genrsa -out $1.key 2048
+ openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
+- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ if [ "$1" = "Server" ]; then
++ extfile=`mktemp -p .`
++ cat > $extfile <<-EOF
++ subjectAltName=DNS:${HOST}
++ keyUsage=digitalSignature
++ extendedKeyUsage=serverAuth
++EOF
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
++ rm -f $extfile
++ else
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ fi
+ openssl verify -CAfile CA.pem $1.pem
+ }
+
+--
+2.35.3
+
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
new file mode 100644
index 000000000..857eaf46d
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8
+q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3
+UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn
++oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF
+bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo
+sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV
+NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb
+r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s
+3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss
+K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K
+8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk
+YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX
+2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv
+pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB
+f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy
+GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL
+zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM
+21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf
+58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO
+tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49
+LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4
+cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7
+RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj
+E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv
+9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE=
+-----END RSA PRIVATE KEY-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
new file mode 100644
index 000000000..514e5a725
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL
+BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow
+GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM
+DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj
+aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE
+BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy
+dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ
+KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE
+m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj
+pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt
+6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs
+mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS
+9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa
+1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk
+TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU
+zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4
+ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm
+ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ==
+-----END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index a8e2c31f1..8bfa5ab67 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \
file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \
file://0003-Make-install-locations-configurable.patch \
file://0004-Disable-default-fetch-and-build-of-googletest.patch \
+ file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \
+ file://Server.key \
+ file://Server.pem \
"
inherit cmake pkgconfig systemd useradd
@@ -48,6 +51,17 @@ do_install:append() {
install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
fi
+ # Install replacement server key + certificate
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script from the source tree that adds the now
+ # required subjectAltName extension field to make python3-ssl
+ # happy. This will be addressed with upstream and can hopefully
+ # be dropped in the future.
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.key
+ install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
+ install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+
# Restrict server certificate access
# NOTE: The client certificates are left alone here for client
# development convenience for now, but this will need to