summaryrefslogtreecommitdiffstats
path: root/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch')
-rw-r--r--recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
new file mode 100644
index 00000000..90267df6
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
@@ -0,0 +1,64 @@
+From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
+From: Scott Murray <scott.murray@konsulko.com>
+Date: Mon, 11 Jul 2022 16:23:56 -0400
+Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
+ certificate
+
+With the newer Python and OpenSSL in Yocto kirkstone, it seems that
+server certificates need to have a valid Subject Alt Name extension
+field, or trying to connect fails with errors of the form:
+
+ certificate verify failed: IP address mismatch, certificate is not valid for localhost
+
+To fix this, the generated server certificate should not rely on the
+long deprecated CN field and add the now required extension field.
+To facilitate this, the genCerts.sh script has been enhanced to
+add a Subject Alt Name extension field of "DNS:localhost" (or
+optionally some other hostname) to the server certificate, and to
+also add the commonly used keyUsage and extendedKeyUsage extension
+fields with appropriate values.
+
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
+index d0ef767..dfb9458 100755
+--- a/kuksa_certificates/genCerts.sh
++++ b/kuksa_certificates/genCerts.sh
+@@ -1,5 +1,11 @@
+ #!/bin/sh
+
++# Optional first argument is server hostname
++if [ $# -eq 1 ]; then
++ HOST=$1
++else
++ HOST="localhost"
++fi
+
+ genCACert() {
+ openssl genrsa -out CA.key 2048
+@@ -10,7 +16,18 @@ genCACert() {
+ genCert() {
+ openssl genrsa -out $1.key 2048
+ openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
+- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ if [ "$1" = "Server" ]; then
++ extfile=`mktemp -p .`
++ cat > $extfile <<-EOF
++ subjectAltName=DNS:${HOST}
++ keyUsage=digitalSignature
++ extendedKeyUsage=serverAuth
++EOF
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
++ rm -f $extfile
++ else
++ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
++ fi
+ openssl verify -CAfile CA.pem $1.pem
+ }
+
+--
+2.35.3
+