X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=recipes-connectivity%2Fkuksa-val%2Fkuksa-val%2F0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;fp=recipes-connectivity%2Fkuksa-val%2Fkuksa-val%2F0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;h=0000000000000000000000000000000000000000;hb=fdb58afacf2dff95cca48a772d653e45a1b577f3;hp=90267df6070f60e20ad58f34f58581cdb3144fec;hpb=34fd1612e443164364287894f50bde3de693eeb1;p=AGL%2Fmeta-agl-demo.git
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
deleted file mode 100644
index 90267df60..000000000
--- a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
-From: Scott Murray
-Date: Mon, 11 Jul 2022 16:23:56 -0400
-Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
- certificate
-
-With the newer Python and OpenSSL in Yocto kirkstone, it seems that
-server certificates need to have a valid Subject Alt Name extension
-field, or trying to connect fails with errors of the form:
-
- certificate verify failed: IP address mismatch, certificate is not valid for localhost
-
-To fix this, the generated server certificate should not rely on the
-long deprecated CN field and add the now required extension field.
-To facilitate this, the genCerts.sh script has been enhanced to
-add a Subject Alt Name extension field of "DNS:localhost" (or
-optionally some other hostname) to the server certificate, and to
-also add the commonly used keyUsage and extendedKeyUsage extension
-fields with appropriate values.
-
-Signed-off-by: Scott Murray
----
- kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
-index d0ef767..dfb9458 100755
---- a/kuksa_certificates/genCerts.sh
-+++ b/kuksa_certificates/genCerts.sh
-@@ -1,5 +1,11 @@
- #!/bin/sh
- 
-+# Optional first argument is server hostname
-+if [ $# -eq 1 ]; then
-+ HOST=$1
-+else
-+ HOST="localhost"
-+fi
- 
- genCACert() {
- openssl genrsa -out CA.key 2048
-@@ -10,7 +16,18 @@ genCACert() {
- genCert() {
- openssl genrsa -out $1.key 2048
- openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
-- openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+ if [ "$1" = "Server" ]; then
-+ extfile=`mktemp -p .`
-+ cat > $extfile <<-EOF
-+ subjectAltName=DNS:${HOST}
-+ keyUsage=digitalSignature
-+ extendedKeyUsage=serverAuth
-+EOF
-+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
-+ rm -f $extfile
-+ else
-+ openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+ fi
- openssl verify -CAfile CA.pem $1.pem
- }
- 
--- 
-2.35.3
-