From f05c765e8b15116a07f56c69087e756c47140ab0 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Mon, 20 May 2024 12:24:41 +0200 Subject: [PATCH] fix(wifi_remote): Do not restrict EPPP config to RSA keys only Now we can use any kind of certificate and keys, as long as they're in PEM format. Closes https://github.com/espressif/esp-protocols/issues/570 --- .../eppp/wifi_remote_rpc_client.cpp | 2 +- .../eppp/wifi_remote_rpc_server.cpp | 2 +- .../test_certs/generate_test_certs.sh | 51 +++++++++++-------- 3 files changed, 33 insertions(+), 22 deletions(-) diff --git a/components/esp_wifi_remote/eppp/wifi_remote_rpc_client.cpp b/components/esp_wifi_remote/eppp/wifi_remote_rpc_client.cpp index f2de628f8..53fd5c903 100644 --- a/components/esp_wifi_remote/eppp/wifi_remote_rpc_client.cpp +++ b/components/esp_wifi_remote/eppp/wifi_remote_rpc_client.cpp @@ -25,7 +25,7 @@ const char *TAG = "rpc_client"; const unsigned char ca_crt[] = "-----BEGIN CERTIFICATE-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_CA "\n-----END CERTIFICATE-----"; const unsigned char crt[] = "-----BEGIN CERTIFICATE-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_CRT "\n-----END CERTIFICATE-----"; -const unsigned char key[] = "-----BEGIN RSA PRIVATE KEY-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_KEY "\n-----END RSA PRIVATE KEY-----"; +const unsigned char key[] = "-----BEGIN PRIVATE KEY-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_KEY "\n-----END PRIVATE KEY-----"; // TODO: Add option to supply keys and certs via a global symbol (file) } diff --git a/components/esp_wifi_remote/eppp/wifi_remote_rpc_server.cpp b/components/esp_wifi_remote/eppp/wifi_remote_rpc_server.cpp index 9665e5cc3..376b2490f 100644 --- a/components/esp_wifi_remote/eppp/wifi_remote_rpc_server.cpp +++ b/components/esp_wifi_remote/eppp/wifi_remote_rpc_server.cpp @@ -25,7 +25,7 @@ const char *TAG = "rpc_server"; const unsigned char ca_crt[] = "-----BEGIN CERTIFICATE-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_CA "\n-----END CERTIFICATE-----"; const unsigned char crt[] = "-----BEGIN CERTIFICATE-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_CRT "\n-----END CERTIFICATE-----"; -const unsigned char key[] = "-----BEGIN RSA PRIVATE KEY-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_KEY "\n-----END RSA PRIVATE KEY-----"; +const unsigned char key[] = "-----BEGIN PRIVATE KEY-----\n" CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_KEY "\n-----END PRIVATE KEY-----"; // TODO: Add option to supply keys and certs via a global symbol (file) } diff --git a/components/esp_wifi_remote/examples/test_certs/generate_test_certs.sh b/components/esp_wifi_remote/examples/test_certs/generate_test_certs.sh index e67249016..330b3211f 100755 --- a/components/esp_wifi_remote/examples/test_certs/generate_test_certs.sh +++ b/components/esp_wifi_remote/examples/test_certs/generate_test_certs.sh @@ -1,5 +1,19 @@ #!/usr/bin/env bash +function gen_pkey { # Params: [KEY_FILE] + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 | openssl pkcs8 -topk8 -outform PEM -nocrypt -out $1 +} + +function sign_with_ca { # Params: [KEY_FILE] [CN] [CRT_FILE] + openssl req -out request.csr -key $1 -subj "/CN=$2" -new -sha256 + openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $3 -days 365 -sha256 +} + +function export_config { # Params: [FILE/CONFIG_NAME] + content=`cat $1 | sed '/---/d' | tr -d '\n'` + echo "CONFIG_ESP_WIFI_REMOTE_EPPP_$1=\"${content}\"" +} + if [ -z "$1" ]; then echo "Usage $0 [CLIENT_CN]" exit 1; @@ -12,30 +26,27 @@ echo "Server's CN: $SERVER_CN" echo "Client's CN: $CLIENT_CN" ## First create our own CA -openssl genrsa -out ca.key 2048 +gen_pkey ca.key openssl req -new -x509 -subj "/C=CZ/CN=Espressif" -days 365 -key ca.key -out ca.crt +# will use the same CA for both server and client side +cp ca.crt SERVER_CA +cp ca.crt CLIENT_CA # Server side -openssl genrsa -out srv.key 2048 -openssl req -out srv.csr -key srv.key -subj "/CN=$SERVER_CN" -new -sha256 -openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out srv.crt -days 365 -sha256 +gen_pkey SERVER_KEY +sign_with_ca SERVER_KEY $SERVER_CN SERVER_CRT # Client side -openssl genrsa -out client.key 2048 -openssl req -out client.csr -key client.key -subj "/CN=$CLIENT_CN" -new -sha256 -openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 +gen_pkey CLIENT_KEY +sign_with_ca CLIENT_KEY $CLIENT_CN CLIENT_CRT ## Generate config options -# Client side: -CA_CRT=`cat ca.crt | sed '/---/d' | tr -d '\n'` -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_CA=\"$CA_CRT\"" -CLIENT_CRT=`cat client.crt | sed '/---/d' | tr -d '\n'` -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_CRT=\"$CLIENT_CRT\"" -CLIENT_KEY=`cat client.key | sed '/---/d' | tr -d '\n'` -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_KEY=\"$CLIENT_KEY\"" -## Server side (here it uses the same CA) -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_CLIENT_CA=\"$CA_CRT\"" -SERVER_CRT=`cat srv.crt | sed '/---/d' | tr -d '\n'` -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_CRT=\"$SERVER_CRT\"" -SERVER_KEY=`cat srv.key | sed '/---/d' | tr -d '\n'` -echo "CONFIG_ESP_WIFI_REMOTE_EPPP_SERVER_KEY=\"$SERVER_KEY\"" +echo -e "\n# Client side: need own cert and key and ca-cert for server validation" +for f in SERVER_CA CLIENT_CRT CLIENT_KEY; do + export_config $f +done + +echo -e "\n# Server side: need own cert and key and ca-cert for client validation" +for f in CLIENT_CA SERVER_CRT SERVER_KEY; do + export_config $f +done