4 files changed, 128 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
new file mode 100644
index 000000000..90267df60
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
@@ -0,0 +1,64 @@
+From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 11 Jul 2022 16:23:56 -0400
+Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
+ certificate
+
+With the newer Python and OpenSSL in Yocto kirkstone, it seems that
+server certificates need to have a valid Subject Alt Name extension
+field, or trying to connect fails with errors of the form:
+
+ certificate verify failed: IP address mismatch, certificate is not valid for localhost
+
+To fix this, the generated server certificate should not rely on the
+long deprecated CN field and add the now required extension field.
+To facilitate this, the genCerts.sh script has been enhanced to
+add a Subject Alt Name extension field of "DNS:localhost" (or
+optionally some other hostname) to the server certificate, and to
+also add the commonly used keyUsage and extendedKeyUsage extension
+fields with appropriate values.
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
+index d0ef767..dfb9458 100755
+--- a/kuksa_certificates/genCerts.sh
++++ b/kuksa_certificates/genCerts.sh
+@@ -1,5 +1,11 @@
+ #!/bin/sh
+ 
++# Optional first argument is server hostname
++if [ $# -eq 1 ]; then
++ HOST=$1
++else
++ HOST="localhost"
++fi
+ 
+ genCACert() {
+ openssl genrsa -out CA.key 2048
+@@ -10,7 +16,18 @@ genCACert() {
+ genCert() {
+ openssl genrsa -out $1.key 2048
+ openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
+- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ if [ "$1" = "Server" ]; then
++ extfile=`mktemp -p .`
++ cat > $extfile <<-EOF
++ subjectAltName=DNS:${HOST}
++ keyUsage=digitalSignature
++ extendedKeyUsage=serverAuth
++EOF
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
++ rm -f $extfile
++ else
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ fi
+ openssl verify -CAfile CA.pem $1.pem
+ }
+ 
+-- 
+2.35.3
+
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
new file mode 100644
index 000000000..857eaf46d
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
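Review bot: The subjectAltName written by the heredoc in genCert is DNS-only, so a client that connects by IP address (127.0.0.1 or ::1) still fails hostname verification after this change even though "localhost" now matches; for the default host a line such as `subjectAltName=DNS:${HOST},IP:127.0.0.1,IP:::1` covers both forms, or the script argument could accept a full SAN list. keyUsage is limited to digitalSignature, which on an RSA key is generally taken to exclude the RSA key-transport cipher suites (TLS 1.2 without ECDHE); if those must keep working, keyEncipherment belongs in the list, otherwise a comment stating that the omission is deliberate would help the next reader. The extension file is handled through unquoted backtick and `$extfile` expansions; `extfile=$(mktemp -p .)`, `cat > "$extfile" <<-EOF` and `rm -f "$extfile"` are the safer spelling. Because the heredoc uses `<<-EOF`, the indentation of the three extension lines must be tabs for the stripping to apply; whitespace is not preserved in this view, so that cannot be confirmed here.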
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8 +q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3 +UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn ++oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF +bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo +sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV +NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb +r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s +3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss +K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K +8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk +YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX +2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv +pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB +f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy +GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL +zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM +21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf +58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO +tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49 +LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4 +cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7 +RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj +E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv +9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE= +-----END RSA PRIVATE KEY----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem new file mode 100644 index 000000000..514e5a725 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL +BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow +GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM +DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj +aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE +BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy +dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ +KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE +m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj +pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt +6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs +mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS +9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD +VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF +BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa +1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk +TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU +zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4 +ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm +ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ== +-----END CERTIFICATE----- diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb index a8e2c31f1..8bfa5ab67 100644 --- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb +++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb 
@@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \
 file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \
 file://0003-Make-install-locations-configurable.patch \
 file://0004-Disable-default-fetch-and-build-of-googletest.patch \
+ file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \
+ file://Server.key \
+ file://Server.pem \
 "
 
 inherit cmake pkgconfig systemd useradd
@@ -48,6 +51,17 @@ do_install:append() {
 install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
 fi
 
+ # Install replacement server key + certificate
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script from the source tree that adds the now
+ # required subjectAltName extension field to make python3-ssl
+ # happy. This will be addressed with upstream and can hopefully
+ # be dropped in the future.
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.key
+ install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
+ install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+
 # Restrict server certificate access
 # NOTE: The client certificates are left alone here for client
 # development convenience for now, but this will need to
|
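Review bot: `install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/` relies on install's default mode, so the private key lands as 0755 (world-readable) and only the "Restrict server certificate access" block that follows — outside this hunk — narrows it; `install -m 0600 ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/` and `install -m 0644 ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/` make the intended modes explicit and independent of that later step, and the two preceding `rm -f` lines become redundant because install overwrites in place. More broadly, Server.key is a fixed private key committed to the layer, shared by every image built from it and available to anyone with the checkout, so any client that trusts this CA can be impersonated; that appears to have been equally true of the upstream key being replaced, but the comment block should say so, and generating the pair at image build or first boot would be the durable fix. genCerts.sh signs with `-days 365`, so the embedded Server.pem (whose validity appears to end in July 2023) will expire silently; a comment recording the generation date and the exact genCerts.sh invocation would let maintainers regenerate it on time.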