From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
From: Scott Murray <scott.murray@konsulko.com>
Date: Mon, 11 Jul 2022 16:23:56 -0400
Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
 certificate

With the newer Python and OpenSSL in Yocto kirkstone, it seems that
server certificates need to have a valid Subject Alt Name extension
field, or trying to connect fails with errors of the form:

  certificate verify failed: IP address mismatch, certificate is not valid for localhost

To fix this, the generated server certificate should not rely on the
long deprecated CN field and add the now required extension field.
To facilitate this, the genCerts.sh script has been enhanced to
add a Subject Alt Name extension field of "DNS:localhost" (or
optionally some other hostname) to the server certificate, and to
also add the commonly used keyUsage and extendedKeyUsage extension
fields with appropriate values.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
index d0ef767..dfb9458 100755
--- a/kuksa_certificates/genCerts.sh
+++ b/kuksa_certificates/genCerts.sh
@@ -1,5 +1,11 @@
 #!/bin/sh
 
+# Optional first argument is server hostname
+if [ $# -eq 1 ]; then
+    HOST=$1
+else
+    HOST="localhost"
+fi
 
 genCACert() {
     openssl genrsa -out CA.key 2048
@@ -10,7 +16,18 @@ genCACert() {
 genCert() {
     openssl genrsa -out $1.key 2048
     openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
-    openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
+    if [ "$1" = "Server" ]; then
+        extfile=`mktemp -p .`
+        cat > $extfile <<-EOF
+	subjectAltName=DNS:${HOST}
+	keyUsage=digitalSignature
+	extendedKeyUsage=serverAuth
+EOF
+        openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
+        rm -f $extfile
+    else
+        openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
+    fi
     openssl verify -CAfile CA.pem $1.pem
 }
 
-- 
2.35.3