utils/px5g-wolfssl: make selfsigned certicates compatible with chromium
authorSergey V. Lobanov <sergey@lobanov.in>
Fri, 24 Dec 2021 23:05:35 +0000 (02:05 +0300)
committerChristian Lamparter <chunkeey@gmail.com>
Wed, 29 Dec 2021 21:55:16 +0000 (22:55 +0100)
Chromium-based web browsers (version >58) check x509v3 extended attributes.
If this check fails, chromium does not allow clicking the "Proceed to ...
(unsafe)" link. This patch adds three x509v3 extended attributes to the self-signed
certificate:
1. SAN (Subject Alternative Name) (DNS Name) = CN (common name)
2. Key Usage = Digital Signature, Non Repudiation, Key Encipherment
3. Extended Key Usage = TLS Web Server Authentication

SAN will be added only if CONFIG_WOLFSSL_ALT_NAMES=y

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
package/utils/px5g-wolfssl/Makefile
package/utils/px5g-wolfssl/px5g-wolfssl.c

index 90296008d687b463b3777dabc7e177083b11ac82..95517c5c00b26bae84c35f63c298eda4c8047a14 100644 (file)
@@ -12,6 +12,8 @@ PKG_USE_MIPS16:=0
 
 PKG_MAINTAINER:=Paul Spooren <mail@aparcar.org>
 
+PKG_CONFIG_DEPENDS:=CONFIG_WOLFSSL_ALT_NAMES
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/px5g-wolfssl
index 763d7b4b710f96062a55cc2d690fb5b54d3c8828..86227d6afdd7d3f6df8eaf966b9928848a1f6d50 100644 (file)
@@ -203,8 +203,23 @@ int selfsigned(WC_RNG *rng, char **arg) {
             strncpy(newCert.subject.org, val, CTC_NAME_SIZE);
           else if (!strcmp(key, "OU"))
             strncpy(newCert.subject.unit, val, CTC_NAME_SIZE);
-          else if (!strcmp(key, "CN"))
+          else if (!strcmp(key, "CN")) {
             strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE);
+
+#ifdef WOLFSSL_ALT_NAMES
+            if(strlen(val) + 2 > 256) {
+              fprintf(stderr, "error: CN is too long: %s\n", val);
+              return 1;
+            }
+
+            newCert.altNames[0] = 0x30; //Sequence with one element
+            newCert.altNames[1] = strlen(val) + 2; // Length of entire sequence
+            newCert.altNames[2] = 0x82; //8 - String, 2 - DNS Name
+            newCert.altNames[3] = strlen(val); //DNS Name length
+            memcpy(newCert.altNames + 4, val, strlen(val)); //DNS Name
+            newCert.altNamesSz = strlen(val) + 4;
+#endif
+          }
           else if (!strcmp(key, "EMAIL"))
             strncpy(newCert.subject.email, val, CTC_NAME_SIZE);
           else
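Review bot: The SAN encoder added at lines 40–50 writes single-byte DER short-form lengths, which can only represent values up to 127, yet the guard only rejects CNs longer than 254 bytes; a CN of 126 or more characters sets the high bit of altNames[1] (and from 128 characters, of altNames[3]), which DER parsers read as a long-form length marker, so the extension becomes malformed. The guard also does not match the write: `strlen(val) + 2 > 256` lets strlen(val) == 254 through, but the memcpy then ends at offset 258, so if altNames is a 256-byte array (the constant suggests it; confirm against wolfSSL's Cert definition) the last two bytes are written past the end. strlen(val) is recomputed five times and the tag bytes are explained only by terse trailing comments; caching the length once, bounding it against both 125 and the buffer size, and naming the tags fixes all three, as below. selfsigned() starts before the hunk, and note that the same CN is separately truncated to CTC_NAME_SIZE by the strncpy into subject.commonName, so a CN longer than that limit would no longer match the SAN — a shared limit or a comment would make that explicit.
```c
            // … unchanged: strncpy into newCert.subject.commonName …
#ifdef WOLFSSL_ALT_NAMES
            size_t cnLen = strlen(val);
            /* Short-form DER lengths fit in one byte only up to 127; the outer
             * SEQUENCE body is cnLen + 2 bytes, so the CN itself is limited to 125.
             * The second bound covers the buffer itself (4 bytes of tags/lengths
             * plus the name). */
            if (cnLen > 125 || cnLen + 4 > sizeof newCert.altNames) {
              fprintf(stderr, "error: CN is too long: %s\n", val);
              return 1;
            }

            newCert.altNames[0] = 0x30;      // SEQUENCE: GeneralNames
            newCert.altNames[1] = cnLen + 2; // length of the SEQUENCE body
            newCert.altNames[2] = 0x82;      // [2] IMPLICIT IA5String: dNSName
            newCert.altNames[3] = cnLen;     // dNSName length
            memcpy(newCert.altNames + 4, val, cnLen);
            newCert.altNamesSz = cnLen + 4;
#endif
```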
@@ -216,6 +231,9 @@ int selfsigned(WC_RNG *rng, char **arg) {
   }
   newCert.daysValid = days;
 
+  newCert.keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_CONTENT_COMMIT | KEYUSE_KEY_ENCIPHER;
+  newCert.extKeyUsage = EXTKEYUSE_SERVER_AUTH;
+
   gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve);
   write_key(&ecKey, &rsaKey, type, keySz, keypath, pem);
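Review bot: The two keyUsage/extKeyUsage assignments at lines 60–61 carry no explanation of why these particular bits are set; a short comment such as `// Chromium (>58) rejects self-signed certs without KU/EKU (and a SAN); see commit message` would tell the next reader why nonRepudiation and keyEncipherment appear on a TLS server certificate. The assignment is unconditional while the SAN in the previous hunk depends on WOLFSSL_ALT_NAMES, so a build without CONFIG_WOLFSSL_ALT_NAMES still emits a certificate lacking one of the three attributes the description says Chromium checks; a `#warning` under `#ifndef WOLFSSL_ALT_NAMES` would surface that at build time rather than at first browser visit. KEYUSE_KEY_ENCIPHER is meaningful for RSA key transport only; it is harmless on an EC key, but since gen_key can produce either type, that is worth a word in the same comment. selfsigned() continues outside the hunk.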