diff options
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch')
-rw-r--r-- | recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch new file mode 100644 index 000000000..90267df60 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch @@ -0,0 +1,64 @@ +From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001 +From: Scott Murray <scott.murray@konsulko.com> +Date: Mon, 11 Jul 2022 16:23:56 -0400 +Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server + certificate + +With the newer Python and OpenSSL in Yocto kirkstone, it seems that +server certificates need to have a valid Subject Alt Name extension +field, or trying to connect fails with errors of the form: + + certificate verify failed: IP address mismatch, certificate is not valid for localhost + +To fix this, the generated server certificate should not rely on the +long deprecated CN field and add the now required extension field. +To facilitate this, the genCerts.sh script has been enhanced to +add a Subject Alt Name extension field of "DNS:localhost" (or +optionally some other hostname) to the server certificate, and to +also add the commonly used keyUsage and extendedKeyUsage extension +fields with appropriate values. + +Signed-off-by: Scott Murray <scott.murray@konsulko.com> +--- + kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh +index d0ef767..dfb9458 100755 +--- a/kuksa_certificates/genCerts.sh ++++ b/kuksa_certificates/genCerts.sh +@@ -1,5 +1,11 @@ + #!/bin/sh + ++# Optional first argument is server hostname ++if [ $# -eq 1 ]; then ++ HOST=$1 ++else ++ HOST="localhost" ++fi + + genCACert() { + openssl genrsa -out CA.key 2048 +@@ -10,7 +16,18 @@ genCACert() { + genCert() { + openssl genrsa -out $1.key 2048 + openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com" +- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem ++ if [ "$1" = "Server" ]; then ++ extfile=`mktemp -p .` ++ cat > $extfile <<-EOF ++ subjectAltName=DNS:${HOST} ++ keyUsage=digitalSignature ++ extendedKeyUsage=serverAuth ++EOF ++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile ++ rm -f $extfile ++ else ++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem ++ fi + openssl verify -CAfile CA.pem $1.pem + } + +-- +2.35.3 + |