Difuse/difos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

utils/px5g-wolfssl: make selfsigned certicates compatible with chromium

Browse source 
Chromium based web-browsers (version >58) checks x509v3 extended attributes.
If this check fails then chromium does not allow to click "Proceed to ...
(unsafe)" link. This patch add three x509v3 extended attributes to self-signed
certificate:
1. SAN (Subject Alternative Name) (DNS Name) = CN (common name)
2. Key Usage = Digital Signature, Non Repudiation, Key Encipherment
3. Extended Key Usage = TLS Web Server Authentication

SAN will be added only if CONFIG_WOLFSSL_ALT_NAMES=y

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This commit is contained in:
Sergey V. Lobanov 2021-12-25 02:05:35 +03:00 committed by Christian Lamparter
parent dfd695f4b9
commit 6bfc8bb4a3
2 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
package/utils/px5g-wolfssl/Makefile
View file

@ -12,6 +12,8 @@ PKG_USE_MIPS16:=0
PKG_MAINTAINER:=Paul Spooren <mail@aparcar.org> PKG_MAINTAINER:=Paul Spooren <mail@aparcar.org>
PKG_CONFIG_DEPENDS:=CONFIG_WOLFSSL_ALT_NAMES
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
define Package/px5g-wolfssl define Package/px5g-wolfssl

20
package/utils/px5g-wolfssl/px5g-wolfssl.c
View file

@ -203,8 +203,23 @@ int selfsigned(WC_RNG *rng, char **arg) {
strncpy(newCert.subject.org, val, CTC_NAME_SIZE); strncpy(newCert.subject.org, val, CTC_NAME_SIZE);
else if (!strcmp(key, "OU")) else if (!strcmp(key, "OU"))
strncpy(newCert.subject.unit, val, CTC_NAME_SIZE); strncpy(newCert.subject.unit, val, CTC_NAME_SIZE);
else if (!strcmp(key, "CN")) else if (!strcmp(key, "CN")) {
strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE); strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE);
#ifdef WOLFSSL_ALT_NAMES
if(strlen(val) + 2 > 256) {
fprintf(stderr, "error: CN is too long: %s\n", val);
return 1;
}
newCert.altNames[0] = 0x30; //Sequence with one element
newCert.altNames[1] = strlen(val) + 2; // Length of entire sequence
newCert.altNames[2] = 0x82; //8 - String, 2 - DNS Name
newCert.altNames[3] = strlen(val); //DNS Name length
memcpy(newCert.altNames + 4, val, strlen(val)); //DNS Name
newCert.altNamesSz = strlen(val) + 4;
#endif
}
else if (!strcmp(key, "EMAIL")) else if (!strcmp(key, "EMAIL"))
strncpy(newCert.subject.email, val, CTC_NAME_SIZE); strncpy(newCert.subject.email, val, CTC_NAME_SIZE);
else else
@ -216,6 +231,9 @@ int selfsigned(WC_RNG *rng, char **arg) {
} }
newCert.daysValid = days; newCert.daysValid = days;
newCert.keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_CONTENT_COMMIT | KEYUSE_KEY_ENCIPHER;
newCert.extKeyUsage = EXTKEYUSE_SERVER_AUTH;
gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve); gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve);
write_key(&ecKey, &rsaKey, type, keySz, keypath, pem); write_key(&ecKey, &rsaKey, type, keySz, keypath, pem);