Add the ability to get the peer certificate of an SSL connection; useful for IoT when the root/cert trust chain has a shorter lifecylce than the device itself. Includes example

2025-07-03 05:46:32 +02:00 · 2021-10-08 14:20:43 +02:00
parent bd54ee442b
commit 1706af4656
4 changed files with 126 additions and 18 deletions
--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.h
+++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.h
@ -31,7 +31,7 @@ protected:
    sslclient_context *sslclient;
 
    int _lastError = 0;
-	int _peek = -1;
+    int _peek = -1;
    int _timeout = 0;
    bool _use_insecure;
    const char *_CA_cert;
@ -53,7 +53,7 @@ public:
    int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
    int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey);
    int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey);
-	int peek();
+    int peek();
    size_t write(uint8_t data);
    size_t write(const uint8_t *buf, size_t size);
    int available();
@ -73,7 +73,8 @@ public:
    bool loadPrivateKey(Stream& stream, size_t size);
    bool verify(const char* fingerprint, const char* domain_name);
    void setHandshakeTimeout(unsigned long handshake_timeout);
-
+    const mbedtls_x509_crt* getPeerCertificate() { return mbedtls_ssl_get_peer_cert(&sslclient->ssl_ctx); };
+    bool getFingerprintSHA256(uint8_t sha256_result[32]) { return get_peer_fingerprint(sslclient, sha256_result); };
    int setTimeout(uint32_t seconds){ return 0; }

    operator bool()