From: Sergey V. Lobanov Date: Fri, 24 Dec 2021 23:05:35 +0000 (+0300) Subject: utils/px5g-wolfssl: make selfsigned certicates compatible with chromium X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=6bfc8bb4a37903bd1d3bb7e7824d89f3a2cca6a1;p=openwrt%2Fstaging%2Fthess.git utils/px5g-wolfssl: make selfsigned certicates compatible with chromium Chromium based web-browsers (version >58) checks x509v3 extended attributes. If this check fails then chromium does not allow to click "Proceed to ... (unsafe)" link. This patch add three x509v3 extended attributes to self-signed certificate: 1. SAN (Subject Alternative Name) (DNS Name) = CN (common name) 2. Key Usage = Digital Signature, Non Repudiation, Key Encipherment 3. Extended Key Usage = TLS Web Server Authentication SAN will be added only if CONFIG_WOLFSSL_ALT_NAMES=y Signed-off-by: Sergey V. Lobanov --- diff --git a/package/utils/px5g-wolfssl/Makefile b/package/utils/px5g-wolfssl/Makefile index 90296008d6..95517c5c00 100644 --- a/package/utils/px5g-wolfssl/Makefile +++ b/package/utils/px5g-wolfssl/Makefile @@ -12,6 +12,8 @@ PKG_USE_MIPS16:=0 PKG_MAINTAINER:=Paul Spooren +PKG_CONFIG_DEPENDS:=CONFIG_WOLFSSL_ALT_NAMES + include $(INCLUDE_DIR)/package.mk define Package/px5g-wolfssl diff --git a/package/utils/px5g-wolfssl/px5g-wolfssl.c b/package/utils/px5g-wolfssl/px5g-wolfssl.c index 763d7b4b71..86227d6afd 100644 --- a/package/utils/px5g-wolfssl/px5g-wolfssl.c +++ b/package/utils/px5g-wolfssl/px5g-wolfssl.c @@ -203,8 +203,23 @@ int selfsigned(WC_RNG *rng, char **arg) { strncpy(newCert.subject.org, val, CTC_NAME_SIZE); else if (!strcmp(key, "OU")) strncpy(newCert.subject.unit, val, CTC_NAME_SIZE); - else if (!strcmp(key, "CN")) + else if (!strcmp(key, "CN")) { strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE); + +#ifdef WOLFSSL_ALT_NAMES + if(strlen(val) + 2 > 256) { + fprintf(stderr, "error: CN is too long: %s\n", val); + return 1; + } + + newCert.altNames[0] = 0x30; //Sequence with one element + newCert.altNames[1] = strlen(val) + 2; // Length of entire sequence + newCert.altNames[2] = 0x82; //8 - String, 2 - DNS Name + newCert.altNames[3] = strlen(val); //DNS Name length + memcpy(newCert.altNames + 4, val, strlen(val)); //DNS Name + newCert.altNamesSz = strlen(val) + 4; +#endif + } else if (!strcmp(key, "EMAIL")) strncpy(newCert.subject.email, val, CTC_NAME_SIZE); else @@ -216,6 +231,9 @@ int selfsigned(WC_RNG *rng, char **arg) { } newCert.daysValid = days; + newCert.keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_CONTENT_COMMIT | KEYUSE_KEY_ENCIPHER; + newCert.extKeyUsage = EXTKEYUSE_SERVER_AUTH; + gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve); write_key(&ecKey, &rsaKey, type, keySz, keypath, pem);