aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch64
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.key27
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/Server.pem23
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val_git.bb14
4 files changed, 128 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
new file mode 100644
index 000000000..90267df60
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
@@ -0,0 +1,64 @@
+From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 11 Jul 2022 16:23:56 -0400
+Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
+ certificate
+
+With the newer Python and OpenSSL in Yocto kirkstone, it seems that
+server certificates need to have a valid Subject Alt Name extension
+field, or trying to connect fails with errors of the form:
+
+ certificate verify failed: IP address mismatch, certificate is not valid for localhost
+
+To fix this, the generated server certificate should not rely on the
+long deprecated CN field and add the now required extension field.
+To facilitate this, the genCerts.sh script has been enhanced to
+add a Subject Alt Name extension field of "DNS:localhost" (or
+optionally some other hostname) to the server certificate, and to
+also add the commonly used keyUsage and extendedKeyUsage extension
+fields with appropriate values.
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
+index d0ef767..dfb9458 100755
+--- a/kuksa_certificates/genCerts.sh
++++ b/kuksa_certificates/genCerts.sh
+@@ -1,5 +1,11 @@
+ #!/bin/sh
+
++# Optional first argument is server hostname
++if [ $# -eq 1 ]; then
++ HOST=$1
++else
++ HOST="localhost"
++fi
+
+ genCACert() {
+ openssl genrsa -out CA.key 2048
+@@ -10,7 +16,18 @@ genCACert() {
+ genCert() {
+ openssl genrsa -out $1.key 2048
+ openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
+- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ if [ "$1" = "Server" ]; then
++ extfile=`mktemp -p .`
++ cat > $extfile <<-EOF
++ subjectAltName=DNS:${HOST}
++ keyUsage=digitalSignature
++ extendedKeyUsage=serverAuth
++EOF
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
++ rm -f $extfile
++ else
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ fi
+ openssl verify -CAfile CA.pem $1.pem
+ }
+
+--
+2.35.3
+
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.key b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
new file mode 100644
index 000000000..857eaf46d
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAy9ZwmsRZWBotNQmPpLtM7m26IB49BsdKHqFx2ASbtvI3qAT8
+q0zVxx3//IipS9bMGdBGD0BimKk60ZpVXDkoRadk0H0EKnZZTQkv9qOmDLuUKjo3
+UmybGxCo4H3YSqcj+g3kjhOqMb7Mk7L/EPwfpTy1YSiO0vOejcCTQm3pZ8lvCMEn
++oDcIvLwx45aV4ZRpmKvSwVlup4SMMRoG+M3aw57iMIUoHNt/KZeeuyYsx2XSwWF
+bnW6D38iKA1JQT3fFMmzBgGBTBbPY1aviG/XPImg04zBxQJgJPRjxFL2aMNuWjvo
+sCUNAX40EaiuDaaG39yZJWjr3ALs0IuW3T3QiQIDAQABAoIBABpPTGt9inanskwV
+NtgxYMWpnguFO6VDVdrMRdB3D842R17FfgNyQGmaAq+KyCdEy0VNr61KRy+jMDdb
+r0bfDcany4hpin8clXwvAmTYTJd6Iq6sovVdlUuSA+ot9Bv2pNsirex0t1QCZ49s
+3CVKFZ+TTWoD/SNXVJDBWYCKhUTi7QnLbaV6pGpOFRlShPM///09KerTsfJQiQss
+K0ypOSXABawA0cK742FiCpAzqj2OusQZkGWwl86p1OhgpnYMMPcqu4/2nsZp3L3K
+8+lCplJqg0C+Rl2tl+we1H5z1XrSSykZIdB9/vdsMjSg+8wxNEDIqQZvryEPG/qk
+YIEwYl0CgYEA8CPo6qryc3TYiYd3el3TjQG2wSuip5n8DOLiO9TvXKZ4nPNmlajX
+2kpoWxu1+KHoBwmO10U/6i0PDihvOzrBtIuRAJXr/hocnb5pR1oubfmgde3rwMMv
+pPEyeTCGHW7UqMc1r78dBKFXyFwpAKCYJr0VKozD5K9IBHQ4oHjA2icCgYEA2UzB
+f4fHAU0X2VT7mWCYnPXdQVFNWmiV0EqMTP9NgE+NBQw30oIijJs6p9Et5V07fEGy
+GmBCkXkhnhXIo/2g2GPDpUCIy2c41b56qAAOZjunDTNcNh8HXy3dEw/ABJD8PViL
+zwe8Hh9ZyhOFqB/iRJiokaN84aAWe/a/onwRHc8CgYEAr248aLsLtgblbcs2IIHM
+21UmMoZzJCec97kD9xu+5ZuDv30dMzYOwpzbEbvzuzhkbkewP1mKsMPMHNazM7zf
+58qR2rCrn41p3F9PP94Ezziu3Zg7Qy4Ub1X5PomRYI0n9Ejb0pE2XLyViXyyQ5AO
+tzYo8VW2gij+3qoc+DZfBL8CgYEAgJ82Sc6MtPB1FWeAJaFPtFizxl3hc4pEYy49
+LbZQoYp05m/8+tWcra2UYpEmoYU2GK6qRYKE5KbWh0RNpwQRmQQ0YjR4xC0tLxe4
+cojV/R2CHAYyprZnHqd/HDFOb2WCaK1o0/q4FvxnoX08t+9nd0MFRG+JE+Q2atn7
+RKo7V3ECgYEA4Aqjw8xlTl24wv7Ofgt8TVXLf3xLah/Ypj7KGAxu+eCjgcV//ncj
+E6qjldC+llo9oyCtYV3OSbCpigiyDAG2/OoEKv88xZOcno+at5+oPC1NrpR8oOrv
+9ygYUGok61TrW1kw46eKPxVPYWcFtJXf1xxeULpy1/NwEzzAjR8CTBE=
+-----END RSA PRIVATE KEY-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/Server.pem b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
new file mode 100644
index 000000000..514e5a725
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/Server.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5DCCAsygAwIBAgIUVcLiKaHJ7gzwvDCtzdobzWa1+PwwDQYJKoZIhvcNAQEL
+BQAwgZAxCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzEMMAoGA1UEBwwDUm5nMRow
+GAYDVQQKDBFSb2JlcnQgQm9zY2ggR21iSDELMAkGA1UECwwCQ1IxFTATBgNVBAMM
+DGxvY2FsaG9zdC1jYTEmMCQGCSqGSIb3DQEJARYXQ0kuSG90bGluZUBkZS5ib3Nj
+aC5jb20wHhcNMjIwNzA3MTg0MDQzWhcNMjMwNzA3MTg0MDQzWjCBijELMAkGA1UE
+BhMCREUxCzAJBgNVBAgMAkJXMQwwCgYDVQQHDANSbmcxGjAYBgNVBAoMEVJvYmVy
+dCBCb3NjaCBHbWJIMQswCQYDVQQLDAJDUjEPMA0GA1UEAwwGU2VydmVyMSYwJAYJ
+KoZIhvcNAQkBFhdDSS5Ib3RsaW5lQGRlLmJvc2NoLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMvWcJrEWVgaLTUJj6S7TO5tuiAePQbHSh6hcdgE
+m7byN6gE/KtM1ccd//yIqUvWzBnQRg9AYpipOtGaVVw5KEWnZNB9BCp2WU0JL/aj
+pgy7lCo6N1JsmxsQqOB92EqnI/oN5I4TqjG+zJOy/xD8H6U8tWEojtLzno3Ak0Jt
+6WfJbwjBJ/qA3CLy8MeOWleGUaZir0sFZbqeEjDEaBvjN2sOe4jCFKBzbfymXnrs
+mLMdl0sFhW51ug9/IigNSUE93xTJswYBgUwWz2NWr4hv1zyJoNOMwcUCYCT0Y8RS
+9mjDblo76LAlDQF+NBGorg2mht/cmSVo69wC7NCLlt090IkCAwEAAaM6MDgwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoWN/NkRBFgH7rypK+d1tToOQWvoGiqLa
+1jSoe9ydSeNHUSVAq/nyOvvhI/0f7sfHND8tznCgcIlZdlpDmYndB6W0Fe6S9xOk
+TAsibgUbiXSurfsGHxkoTHbcj6l/eHWao3J4mdocmC7wktdR+yTsIRFG2ob37CSU
+zTJd9glPWg1ntXNDbP3MWhCOYlJuePHnDoa35KQJJDepNEKvGcQsFLG6PVVehHz4
+ol4iAn6awlMAstFmXHjurO/kW9xu5U+ri1IASaRuVj7Zs3Md/zaDTAAGi6jOLPjm
+ovJSyBEl7XeE92c4HzfgSzoCyoV7gxV67SXgEYrrjLFrnVMyNRPFTQ==
+-----END CERTIFICATE-----
diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index a8e2c31f1..8bfa5ab67 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -18,6 +18,9 @@ SRC_URI += "file://kuksa-val.service \
file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch \
file://0003-Make-install-locations-configurable.patch \
file://0004-Disable-default-fetch-and-build-of-googletest.patch \
+ file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch \
+ file://Server.key \
+ file://Server.pem \
"
inherit cmake pkgconfig systemd useradd
@@ -48,6 +51,17 @@ do_install:append() {
install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
fi
+ # Install replacement server key + certificate
+ # These are AGL specific versions generated using a tweaked
+ # genCerts.sh script from the source tree that adds the now
+ # required subjectAltName extension field to make python3-ssl
+ # happy. This will be addressed with upstream and can hopefully
+ # be dropped in the future.
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.key
+ install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
+ rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
+ install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
+
# Restrict server certificate access
# NOTE: The client certificates are left alone here for client
# development convenience for now, but this will need to