Add the ability to get the peer certificate of an SSL connection; useful for IoT when the root/cert trust chain has a shorter lifecylce than the device itself. Includes example

libraries/WiFiClientSecure/src/WiFiClientSecure.h

@@ -31,7 +31,7 @@ protected:
     sslclient_context *sslclient;
  
     int _lastError = 0;
-	int _peek = -1;
+    int _peek = -1;
     int _timeout = 0;
     bool _use_insecure;
     const char *_CA_cert;
@@ -53,7 +53,7 @@ public:
     int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
     int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey);
     int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey);
-	int peek();
+    int peek();
     size_t write(uint8_t data);
     size_t write(const uint8_t *buf, size_t size);
     int available();
@@ -73,7 +73,8 @@ public:
     bool loadPrivateKey(Stream& stream, size_t size);
     bool verify(const char* fingerprint, const char* domain_name);
     void setHandshakeTimeout(unsigned long handshake_timeout);
-
+    const mbedtls_x509_crt* getPeerCertificate() { return mbedtls_ssl_get_peer_cert(&sslclient->ssl_ctx); };
+    bool getFingerprintSHA256(uint8_t sha256_result[32]) { return get_peer_fingerprint(sslclient, sha256_result); };
     int setTimeout(uint32_t seconds){ return 0; }
 
     operator bool()

libraries/WiFiClientSecure/src/ssl_client.cpp

@@ -418,22 +418,10 @@ bool verify_ssl_fingerprint(sslclient_context *ssl_client, const char* fp, const
         fingerprint_local[i] = low | (high << 4);
     }
 
-    // Get certificate provided by the peer
-    const mbedtls_x509_crt* crt = mbedtls_ssl_get_peer_cert(&ssl_client->ssl_ctx);
-
-    if (!crt)
-    {
-        log_d("could not fetch peer certificate");
-        return false;
-    }
-
     // Calculate certificate's SHA256 fingerprint
     uint8_t fingerprint_remote[32];
-    mbedtls_sha256_context sha256_ctx;
-    mbedtls_sha256_init(&sha256_ctx);
-    mbedtls_sha256_starts(&sha256_ctx, false);
-    mbedtls_sha256_update(&sha256_ctx, crt->raw.p, crt->raw.len);
-    mbedtls_sha256_finish(&sha256_ctx, fingerprint_remote);
+    if(!get_peer_fingerprint(ssl_client, fingerprint_remote)) 
+        return false;
 
     // Check if fingerprints match
     if (memcmp(fingerprint_local, fingerprint_remote, 32))
@@ -449,6 +437,28 @@ bool verify_ssl_fingerprint(sslclient_context *ssl_client, const char* fp, const
         return true;
 }
 
+bool get_peer_fingerprint(sslclient_context *ssl_client, uint8_t sha256[32]) 
+{
+    if (!ssl_client) {
+        log_d("Invalid ssl_client pointer");
+        return false;
+    };
+
+    const mbedtls_x509_crt* crt = mbedtls_ssl_get_peer_cert(&ssl_client->ssl_ctx);
+    if (!crt) {
+        log_d("Failed to get peer cert.");
+        return false;
+    };
+
+    mbedtls_sha256_context sha256_ctx;
+    mbedtls_sha256_init(&sha256_ctx);
+    mbedtls_sha256_starts(&sha256_ctx, false);
+    mbedtls_sha256_update(&sha256_ctx, crt->raw.p, crt->raw.len);
+    mbedtls_sha256_finish(&sha256_ctx, sha256);
+
+    return true;
+}
+
 // Checks if peer certificate has specified domain in CN or SANs
 bool verify_ssl_dn(sslclient_context *ssl_client, const char* domain_name)
 {

libraries/WiFiClientSecure/src/ssl_client.h

@@ -36,5 +36,5 @@ int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, size_t len
 int get_ssl_receive(sslclient_context *ssl_client, uint8_t *data, int length);
 bool verify_ssl_fingerprint(sslclient_context *ssl_client, const char* fp, const char* domain_name);
 bool verify_ssl_dn(sslclient_context *ssl_client, const char* domain_name);
-
+bool get_peer_fingerprint(sslclient_context *ssl_client, uint8_t sha256[32]);
 #endif