Code Review / AGL / meta-agl-demo.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
kuksa-val: Rework to support updated SSL certificates
[AGL/meta-agl-demo.git] / recipes-connectivity / kuksa-val / kuksa-val / 0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
diff --git a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch b/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
deleted file mode 100644 (file)
index 90267df..0000000
--- a/recipes-connectivity/kuksa-val/kuksa-val/0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From da4e6c439921b3225ae1af172185d709a368e4b1 Mon Sep 17 00:00:00 2001
-From: Scott Murray <scott.murray@konsulko.com>
-Date: Mon, 11 Jul 2022 16:23:56 -0400
-Subject: [PATCH] genCerts.sh: add Subject Alt Name extension to server
- certificate
-
-With the newer Python and OpenSSL in Yocto kirkstone, it seems that
-server certificates need to have a valid Subject Alt Name extension
-field, or trying to connect fails with errors of the form:
-
-  certificate verify failed: IP address mismatch, certificate is not valid for localhost
-
-To fix this, the generated server certificate should not rely on the
-long deprecated CN field and add the now required extension field.
-To facilitate this, the genCerts.sh script has been enhanced to
-add a Subject Alt Name extension field of "DNS:localhost" (or
-optionally some other hostname) to the server certificate, and to
-also add the commonly used keyUsage and extendedKeyUsage extension
-fields with appropriate values.
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- kuksa_certificates/genCerts.sh | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh
-index d0ef767..dfb9458 100755
---- a/kuksa_certificates/genCerts.sh
-+++ b/kuksa_certificates/genCerts.sh
-@@ -1,5 +1,11 @@
- #!/bin/sh
-+# Optional first argument is server hostname
-+if [ $# -eq 1 ]; then
-+    HOST=$1
-+else
-+    HOST="localhost"
-+fi
- genCACert() {
-     openssl genrsa -out CA.key 2048
-@@ -10,7 +16,18 @@ genCACert() {
- genCert() {
-     openssl genrsa -out $1.key 2048
-     openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=DE/ST=BW/L=Rng/O=Robert Bosch GmbH/OU=CR/CN=$1/emailAddress=CI.Hotline@de.bosch.com"
--    openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+    if [ "$1" = "Server" ]; then
-+        extfile=`mktemp -p .`
-+        cat > $extfile <<-EOF
-+      subjectAltName=DNS:${HOST}
-+      keyUsage=digitalSignature
-+      extendedKeyUsage=serverAuth
-+EOF
-+        openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem -extfile $extfile
-+        rm -f $extfile
-+    else
-+        openssl x509 -req -in $1.csr -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem
-+    fi
-     openssl verify -CAfile CA.pem $1.pem
- }
--- 
-2.35.3
-
meta-agl-demo layer (demo/staging/"one-shot")