path: root/recipes-connectivity/kuksa-val/kuksa-val_git.bb
author: Scott Murray <scott.murray@konsulko.com> 2022-07-11 19:29:53 -0400
committer: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2022-07-13 21:58:38 +0000
commit: 08977ac24f2d31b0955786824c9ff62eff981ee9
tree: 5315c8605e38eee12b164a9884891168900516d8 /recipes-connectivity/kuksa-val/kuksa-val_git.bb
parent: ff1776b06bc54c36d199f9061f1ff78c7b3db027

kuksa-val: add regenerated server certificate
needlefish_13.91.0 needlefish/13.91.0 13.91.0
After fixing the issue with the SSL context purpose in the Python client library, client connections were still failing with the error:

  certificate verify failed: IP address mismatch, certificate is not valid for localhost

To fix this, the certificate generation script has been patched to create the now required Subject Alt Name extension field, as that has effectively replaced using the CN field in most SSL implementations.

Replacement Server.key and Server.pem files generated with the updated script have been added to give us a working configuration while this is worked with upstream so their default configuration is usable with newer Python + OpenSSL versions.

Bug-AGL: SPEC-4467
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I9e8374fbbef6e8570b16d87f4e1800ceba8aacad
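One way to check for the Subject Alt Name condition the commit message describes, as an added example that is not part of this commit or of the project's genCerts.sh. It assumes the `openssl` CLI, version 1.1.1 or newer (for `-addext`); the file names, subject and SAN values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a CN-only certificate with one that carries a
# subjectAltName extension. All names and values below are constructed.

# make_cert <basename> [san-value]: write <basename>.key and <basename>.pem,
# a throwaway self-signed pair with CN=localhost and an optional SAN.
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=localhost" -addext "subjectAltName=$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=localhost" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    fi
}

# has_san <pem>: succeed if the certificate has a subjectAltName extension.
# This is the property to gate on: openssl's own -checkhost still falls
# back to the CN, so it does not reveal a missing SAN by itself.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "Subject Alternative Name"
}

# matches_ip <pem> <ip>: succeed if an iPAddress SAN entry matches <ip>.
# IP matching never consults the CN, so a CN-only certificate always fails.
matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

# Demo in a scratch directory: one certificate of each kind.
work=$(mktemp -d) && cd "$work" || exit 1
make_cert cn_only
make_cert with_san "DNS:localhost,IP:127.0.0.1"
for c in cn_only with_san; do
    if has_san "$c.pem"; then s=yes; else s=no; fi
    if matches_ip "$c.pem" 127.0.0.1; then i=yes; else i=no; fi
    echo "$c: SAN present=$s, matches 127.0.0.1=$i"
done
```

The same two functions can be pointed at an installed server certificate as a packaging check before clients are tested against it.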
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val_git.bb')
-rw-r--r-- recipes-connectivity/kuksa-val/kuksa-val_git.bb 14
1 files changed, 14 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index a8e2c31f1..8bfa5ab67 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \
file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \
file://0003-Make-install-locations-configurable.patch \
file://0004-Disable-default-fetch-and-build-of-googletest.patch \
+ file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \
+ file://Server.key \
+ file://Server.pem \
"
inherit cmake pkgconfig systemd useradd
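Review bot: The new `file://Server.key` entry in SRC_URI checks the server's private key into the layer, so every image built from this recipe carries the same key and anyone who can read the repository also holds it. Since the commit message presents this as a stopgap until upstream is fixed, suggest stating next to the SRC_URI entries that the pair is for development use only, or running the patched genCerts.sh at build time or first boot instead of shipping its output.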
@@ -48,6 +51,17 @@ do_install:append() {
install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
fi
+ # Install replacement server key + certificate
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script from the source tree that adds the now
+ # required subjectAltName extension field to make python3-ssl
+ # happy. This will be addressed with upstream and can hopefully
+ # be dropped in the future.
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.key
+ install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
+ install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+
# Restrict server certificate access
# NOTE: The client certificates are left alone here for client
# development convenience for now, but this will need to
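Review bot: Both added `install` calls in do_install:append omit `-m`, so Server.key and Server.pem are written with install's default mode of 0755, unlike the `install -m 0644` used for kuksa-val.service just above. Suggest giving the key an explicit restrictive mode (for example `install -m 0600 ${WORKDIR}/Server.key ...`) and the certificate `-m 0644`, so the key's permissions do not depend on the "Restrict server certificate access" step that follows. The two `rm -f` lines can also be dropped, since install replaces an existing destination file, and the comment could cite SPEC-4467 so the workaround is easy to find when upstream is fixed.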