diff options
| author |   Scott Murray <scott.murray@konsulko.com> | 2022-07-11 19:29:53 -0400 |
|---|---|---|
| committer |   Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2022-07-13 21:58:38 +0000 |
| commit | 08977ac24f2d31b0955786824c9ff62eff981ee9 (patch) | |
| tree | 5315c8605e38eee12b164a9884891168900516d8 | |
| parent | ff1776b06bc54c36d199f9061f1ff78c7b3db027 (diff) | |
kuksa-val: add regenerated server certificateneedlefish_13.91.0needlefish/13.91.013.91.0
After fixing the issue with the SSL context purpose in the Python
client library, client connections were still failing with the
error:
certificate verify failed: IP address mismatch, certificate is not valid for localhost
To fix this, the certificate generation script has been patched to
create the now required Subject Alt Name extension field, as that has
effectively replaced using the CN field in most SSL implementations.
Replacement Server.key and Server.pem files generated with the
updated script have been added to give us a working configuration
while this is worked with upstream so their default configuration is
usable with newer Python + OpenSSL versions.
Bug-AGL: SPEC-4467
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I9e8374fbbef6e8570b16d87f4e1800ceba8aacad
4 files changed, 128 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch new file mode 100644 index 00000000..90267df6 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch @@ -0,0 +1,64 @@ +From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001 +From: Scott Murray <scott.murray@konsulko.com> +Date: Mon, 11 Jul 2022 16:23:56 -0400 +Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server + certificate + +With the newer Python and OpenSSL in Yocto kirkstone, it seems that +server certificates need to have a valid Subject Alt Name extension +field, or trying to connect fails with errors of the form: + + certificate verify failed: IP address mismatch, certificate is not valid for localhost + +To fix this, the generated server certificate should not rely on the +long deprecated CN field and add the now required extension field. +To facilitate this, the genCerts.sh script has been enhanced to +add a Subject Alt Name extension field of "DNS:localhost" (or +optionally some other hostname) to the server certificate, and to +also add the commonly used keyUsage and extendedKeyUsage extension +fields with appropriate values. + +Signed-off-by: Scott Murray <scott.murray@konsulko.com> +--- + kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh +index d0ef767..dfb9458 100755 +--- a/kuksa_certificates/genCerts.sh ++++ b/kuksa_certificates/genCerts.sh +@@ -1,5 +1,11 @@ + #!/bin/sh + ++# Optional first argument is server hostname ++if [ $# -eq 1 ]; then ++ HOST=$1 ++else ++ HOST="localhost" ++fi + + genCACert() { + openssl genrsa -out CA.key 2048 +@@ -10,7 +16,18 @@ genCACert() { + genCert() { + openssl genrsa -out $1.key 2048 + openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com" +- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem ++ if [ "$1" = "Server" ]; then ++ extfile=`mktemp -p .` ++ cat > $extfile <<-EOF ++ subjectAltName=DNS:${HOST} ++ keyUsage=digitalSignature ++ extendedKeyUsage=serverAuth ++EOF ++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile ++ rm -f $extfile ++ else ++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem ++ fi + openssl verify -CAfile CA.pem $1.pem + } + +-- +2.35.3 + diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key new file mode 100644 index 00000000..857eaf46 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8 +q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3 +UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn ++oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF +bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo +sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV +NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb +r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s +3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss +K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K +8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk +YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX +2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv +pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB +f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy +GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL +zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM +21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf +58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO +tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49 +LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4 +cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7 +RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj +E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv +9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE= +-----END RSA PRIVATE KEY----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem new file mode 100644 index 00000000..514e5a72 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL +BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow +GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM +DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj +aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE +BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy +dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ +KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE +m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj +pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt +6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs +mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS +9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD +VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF +BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa +1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk +TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU +zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4 +ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm +ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ== +-----END CERTIFICATE----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb index a8e2c31f..8bfa5ab6 100644 --- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb +++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb @@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \ file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \ file://0003-Make-install-locations-configurable.patch \ file://0004-Disable-default-fetch-and-build-of-googletest.patch \ + file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \ + file://Server.key \ + file://Server.pem \ " inherit cmake pkgconfig systemd useradd @@ -48,6 +51,17 @@ do_install:append() { install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir} fi + # Install replacement server key + certificate + # These are AGL specific versions generated using a tweaked + # genCerts.sh script from the source tree that adds the now + # required subjectAltName extension field to make python3-ssl + # happy. This will be addressed with upstream and can hopefully + # be dropped in the future. + rm -f ${D}${sysconfdir}/kuksa-val/Server.key + install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/ + rm -f ${D}${sysconfdir}/kuksa-val/Server.pem + install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/ + # Restrict server certificate access # NOTE: The client certificates are left alone here for client # development convenience for now, but this will need to |