Add certificate bundle capability to WiFiClientSecure (#6106)

* Add certificate bundle capability to WiFiClientSecure

Enable usage of the ESP32 IDF's certificate bundle for WiFiClientSecure connections.

Adds the ability to load a bundle of root certificates and use them for authenticating SSL servers.

Based on work from Onno-Dirkzwager, Duckle29, kubo6472, meltdown03, kinafu and others.

See also:
- https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_crt_bundle.html
- https://github.com/espressif/arduino-esp32/issues/3646
- libraries/WiFiClientSecure/README.md

* Fix build issues

* Clean up old bundle index when NULL bundle is attached
esp32wrangler
2022-01-19 14:42:36 +01:00
committed by GitHub
parent c9b0dc99d3
commit cbfcfbf970
9 changed files with 569 additions and 5 deletions


@ -17,6 +17,7 @@
#include <algorithm>
#include <string>
#include "ssl_client.h"
#include "esp_crt_bundle.h"
#include "WiFi.h"
#ifndef MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
@ -53,14 +54,14 @@ void ssl_init(sslclient_context *ssl_client)
}
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos)
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, bool useRootCABundle, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos)
{
char buf[512];
int ret, flags;
int enable = 1;
log_v("Free internal heap before TLS %u", ESP.getFreeHeap());
if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure) {
if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure && !useRootCABundle) {
return -1;
}
@ -183,6 +184,13 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
mbedtls_x509_crt_free(&ssl_client->ca_cert);
return handle_error(ret);
}
} else if (useRootCABundle) {
log_v("Attaching root CA cert bundle");
ret = esp_crt_bundle_attach(&ssl_client->ssl_conf);
if (ret < 0) {
return handle_error(ret);
}
} else if (pskIdent != NULL && psKey != NULL) {
log_v("Setting up PSK");
// convert PSK from hex to binary