arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-19 23:22:16 +03:00
Code

Make CertStore natively use File interface (#6131)

Browse Source 
__This is a breaking change, but the header and example did warn
everyone that this API was in flux due to the incompatible SD and SPIFFS
File implementations.__

BearSSL CertStores now simply need a filesystem and the names of the
data (generated on-chip) and archive (uploaded by user) files on it.
No more need to roll your own virtual CertStoreFile class.

Update the library, examples, and device test.
This commit is contained in:
Earle F. Philhower, III 2019-05-30 12:53:03 -07:00 committed by GitHub
parent 44bda41cf6
commit 8859b818d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 70 additions and 225 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
libraries/ESP8266WiFi/examples/BearSSL_CertStore/BearSSL_CertStore.ino
View File

@ -36,6 +36,7 @@
#include <ESP8266WiFi.h> #include <ESP8266WiFi.h>
#include <CertStoreBearSSL.h> #include <CertStoreBearSSL.h>
#include <time.h> #include <time.h>
#include <FS.h>
#ifndef STASSID #ifndef STASSID
#define STASSID "your-ssid" #define STASSID "your-ssid"
@ -50,87 +51,6 @@ const char *pass = STAPSK;
// the WiFiClientBearSSLs are present. // the WiFiClientBearSSLs are present.
BearSSL::CertStore certStore; BearSSL::CertStore certStore;
// Uncomment below to use the SD card to store the certs
// #define USE_SDCARD 1
// NOTE: The CertStoreFile virtual class may migrate to a templated
// model in a future release. Expect some changes to the interface,
// no matter what, as the SD and SPIFFS filesystem get unified.
#ifdef USE_SDCARD
#include <SD.h>
class SDCertStoreFile : public BearSSL::CertStoreFile {
public:
SDCertStoreFile(const char *name) {
_name = name;
};
virtual ~SDCertStoreFile() override {};
// The main API
virtual bool open(bool write = false) override {
_file = SD.open(_name, write ? FILE_WRITE : FILE_READ);
return _file;
}
virtual bool seek(size_t absolute_pos) override {
return _file.seek(absolute_pos);
}
virtual ssize_t read(void *dest, size_t bytes) override {
return _file.read(dest, bytes);
}
virtual ssize_t write(void *dest, size_t bytes) override {
return _file.write((const uint8_t*)dest, bytes);
}
virtual void close() override {
_file.close();
}
private:
File _file;
const char *_name;
};
SDCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
SDCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
#else
#include <FS.h>
class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
public:
SPIFFSCertStoreFile(const char *name) {
_name = name;
};
virtual ~SPIFFSCertStoreFile() override {};
// The main API
virtual bool open(bool write = false) override {
_file = SPIFFS.open(_name, write ? "w" : "r");
return _file;
}
virtual bool seek(size_t absolute_pos) override {
return _file.seek(absolute_pos, SeekSet);
}
virtual ssize_t read(void *dest, size_t bytes) override {
return _file.readBytes((char*)dest, bytes);
}
virtual ssize_t write(void *dest, size_t bytes) override {
return _file.write((uint8_t*)dest, bytes);
}
virtual void close() override {
_file.close();
}
private:
File _file;
const char *_name;
};
SPIFFSCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
SPIFFSCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
#endif
// Set time via NTP, as required for x.509 validation // Set time via NTP, as required for x.509 validation
void setClock() { void setClock() {
configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov"); configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov");
@ -197,11 +117,8 @@ void setup() {
Serial.println(); Serial.println();
Serial.println(); Serial.println();
#ifdef USE_SDCARD
SD.begin();
#else
SPIFFS.begin(); SPIFFS.begin();
#endif // If using a SD card or LittleFS, call the appropriate ::begin instead
// We start by connecting to a WiFi network // We start by connecting to a WiFi network
Serial.print("Connecting to "); Serial.print("Connecting to ");
@ -221,10 +138,10 @@ void setup() {
setClock(); // Required for X.509 validation setClock(); // Required for X.509 validation
int numCerts = certStore.initCertStore(&certs_idx, &certs_ar); int numCerts = certStore.initCertStore(SPIFFS, PSTR("/certs.idx"), PSTR("/certs.ar"));
Serial.printf("Number of CA certs read: %d\n", numCerts); Serial.printf("Number of CA certs read: %d\n", numCerts);
if (numCerts == 0) { if (numCerts == 0) {
Serial.printf("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?\n"); Serial.printf("No certs found. Did you run certs-from-mozilla.py and upload the SPIFFS directory before running?\n");
return; // Can't connect to anything w/o certs! return; // Can't connect to anything w/o certs!
} }
@ -242,6 +159,9 @@ void loop() {
do { do {
site = Serial.readString(); site = Serial.readString();
} while (site == ""); } while (site == "");
// Strip newline if present
site.replace(String("\r"), emptyString);
site.replace(String("\n"), emptyString);
Serial.printf("https://%s/\n", site.c_str()); Serial.printf("https://%s/\n", site.c_str());
BearSSL::WiFiClientSecure *bear = new BearSSL::WiFiClientSecure(); BearSSL::WiFiClientSecure *bear = new BearSSL::WiFiClientSecure();

82
libraries/ESP8266WiFi/src/CertStoreBearSSL.cpp
View File

@ -37,6 +37,12 @@ extern "C" {
} }
} }
CertStore::~CertStore() {
free(_indexName);
free(_dataName);
}
CertStore::CertInfo CertStore::_preprocessCert(uint32_t length, uint32_t offset, const void *raw) { CertStore::CertInfo CertStore::_preprocessCert(uint32_t length, uint32_t offset, const void *raw) {
CertStore::CertInfo ci; CertStore::CertInfo ci;
@ -70,46 +76,54 @@ CertStore::CertInfo CertStore::_preprocessCert(uint32_t length, uint32_t offset,
// The certs.ar file is a UNIX ar format file, concatenating all the // The certs.ar file is a UNIX ar format file, concatenating all the
// individual certificates into a single blob in a space-efficient way. // individual certificates into a single blob in a space-efficient way.
int CertStore::initCertStore(CertStoreFile *index, CertStoreFile *data) { int CertStore::initCertStore(FS &fs, const char *indexFileName, const char *dataFileName) {
int count = 0; int count = 0;
uint32_t offset = 0; uint32_t offset = 0;
_index = index; _fs = &fs;
_data = data;
if (!_index || !data) { // No strdup_P, so manually do it
_indexName = (char *)malloc(strlen_P(indexFileName) + 1);
_dataName = (char *)malloc(strlen_P(dataFileName) + 1);
if (!_indexName || !_dataName) {
free(_indexName);
free(_dataName);
return 0;
}
memcpy_P(_indexName, indexFileName, strlen_P(indexFileName) + 1);
memcpy_P(_dataName, dataFileName, strlen_P(dataFileName) + 1);
File index = _fs->open(_indexName, "w");
if (!index) {
return 0; return 0;
} }
if (!_index->open(true)) { File data = _fs->open(_dataName, "r");
if (!data) {
index.close();
return 0; return 0;
} }
if (!_data->open(false)) { uint8_t magic[8];
_index->close(); if (data.read(magic, sizeof(magic)) != sizeof(magic) ||
return 0;
}
char magic[8];
if (_data->read(magic, sizeof(magic)) != sizeof(magic) ||
memcmp(magic, "!<arch>\n", sizeof(magic)) ) { memcmp(magic, "!<arch>\n", sizeof(magic)) ) {
_data->close(); data.close();
_index->close(); index.close();
return 0; return 0;
} }
offset += sizeof(magic); offset += sizeof(magic);
while (true) { while (true) {
char fileHeader[60]; uint8_t fileHeader[60];
// 0..15 = filename in ASCII // 0..15 = filename in ASCII
// 48...57 = length in decimal ASCII // 48...57 = length in decimal ASCII
uint32_t length; uint32_t length;
if (data->read(fileHeader, sizeof(fileHeader)) != sizeof(fileHeader)) { if (data.read(fileHeader, sizeof(fileHeader)) != sizeof(fileHeader)) {
break; break;
} }
offset += sizeof(fileHeader); offset += sizeof(fileHeader);
fileHeader[58] = 0; fileHeader[58] = 0;
if (1 != sscanf(fileHeader + 48, "%d", &length) || !length) { if (1 != sscanf((char *)(fileHeader + 48), "%d", &length) || !length) {
break; break;
} }
@ -117,7 +131,7 @@ int CertStore::initCertStore(CertStoreFile *index, CertStoreFile *data) {
if (!raw) { if (!raw) {
break; break;
} }
if (_data->read(raw, length) != (ssize_t)length) { if (data.read((uint8_t *)raw, length) != length) {
free(raw); free(raw);
break; break;
} }
@ -125,7 +139,7 @@ int CertStore::initCertStore(CertStoreFile *index, CertStoreFile *data) {
// If the filename starts with "//" then this is a rename file, skip it // If the filename starts with "//" then this is a rename file, skip it
if (fileHeader[0] != '/' || fileHeader[1] != '/') { if (fileHeader[0] != '/' || fileHeader[1] != '/') {
CertStore::CertInfo ci = _preprocessCert(length, offset, raw); CertStore::CertInfo ci = _preprocessCert(length, offset, raw);
if (_index->write(&ci, sizeof(ci)) != (ssize_t)sizeof(ci)) { if (index.write((uint8_t *)&ci, sizeof(ci)) != (ssize_t)sizeof(ci)) {
free(raw); free(raw);
break; break;
} }
@ -135,13 +149,13 @@ int CertStore::initCertStore(CertStoreFile *index, CertStoreFile *data) {
offset += length; offset += length;
free(raw); free(raw);
if (offset & 1) { if (offset & 1) {
char x; uint8_t x;
_data->read(&x, 1); data.read(&x, 1);
offset++; offset++;
} }
} }
_data->close(); data.close();
_index->close(); index.close();
return count; return count;
} }
@ -153,35 +167,37 @@ const br_x509_trust_anchor *CertStore::findHashedTA(void *ctx, void *hashed_dn,
CertStore *cs = static_cast<CertStore*>(ctx); CertStore *cs = static_cast<CertStore*>(ctx);
CertStore::CertInfo ci; CertStore::CertInfo ci;
if (!cs || len != sizeof(ci.sha256) || !cs->_index || !cs->_data) { if (!cs || len != sizeof(ci.sha256) || !cs->_indexName || !cs->_dataName || !cs->_fs) {
return nullptr; return nullptr;
} }
if (!cs->_index->open(false)) { File index = cs->_fs->open(cs->_indexName, "r");
if (!index) {
return nullptr; return nullptr;
} }
while (cs->_index->read(&ci, sizeof(ci)) == sizeof(ci)) { while (index.read((uint8_t *)&ci, sizeof(ci)) == sizeof(ci)) {
if (!memcmp(ci.sha256, hashed_dn, sizeof(ci.sha256))) { if (!memcmp(ci.sha256, hashed_dn, sizeof(ci.sha256))) {
cs->_index->close(); index.close();
uint8_t *der = (uint8_t*)malloc(ci.length); uint8_t *der = (uint8_t*)malloc(ci.length);
if (!der) { if (!der) {
return nullptr; return nullptr;
} }
if (!cs->_data->open(false)) { File data = cs->_fs->open(cs->_dataName, "r");
if (!data) {
free(der); free(der);
return nullptr; return nullptr;
} }
if (!cs->_data->seek(ci.offset)) { if (!data.seek(ci.offset, SeekSet)) {
cs->_data->close(); data.close();
free(der); free(der);
return nullptr; return nullptr;
} }
if (cs->_data->read(der, ci.length) != (ssize_t)ci.length) { if (data.read((uint8_t *)der, ci.length) != ci.length) {
free(der); free(der);
return nullptr; return nullptr;
} }
cs->_data->close(); data.close();
cs->_x509 = new X509List(der, ci.length); cs->_x509 = new X509List(der, ci.length);
free(der); free(der);
if (!cs->_x509) { if (!cs->_x509) {
@ -196,7 +212,7 @@ const br_x509_trust_anchor *CertStore::findHashedTA(void *ctx, void *hashed_dn,
return ta; return ta;
} }
} }
cs->_index->close(); index.close();
return nullptr; return nullptr;
} }

33
libraries/ESP8266WiFi/src/CertStoreBearSSL.h
View File

@ -23,6 +23,7 @@
#include <Arduino.h> #include <Arduino.h>
#include <BearSSLHelpers.h> #include <BearSSLHelpers.h>
#include <bearssl/bearssl.h> #include <bearssl/bearssl.h>
#include <FS.h>
// Base class for the certificate stores, which allow use // Base class for the certificate stores, which allow use
// of a large set of certificates stored on SPIFFS of SD card to // of a large set of certificates stored on SPIFFS of SD card to
@ -30,43 +31,21 @@
namespace BearSSL { namespace BearSSL {
// Subclass this and provide virtual functions appropriate for your storage.
// Required because there are conflicting definitions for a "File" in the
// Arduino setup, and there is no simple way to work around the minor
// differences.
// See the examples for implementations to use in your own code.
//
// NOTE: This virtual class may migrate to a templated model in a future
// release. Expect some changes to the interface, no matter what, as the
// SD and SPIFFS filesystem get unified.
class CertStoreFile {
public:
CertStoreFile() {};
virtual ~CertStoreFile() {};
// The main API
virtual bool open(bool write=false) = 0;
virtual bool seek(size_t absolute_pos) = 0;
virtual ssize_t read(void *dest, size_t bytes) = 0;
virtual ssize_t write(void *dest, size_t bytes) = 0;
virtual void close() = 0;
};
class CertStore { class CertStore {
public: public:
CertStore() { }; CertStore() { };
~CertStore() { }; ~CertStore();
// Set the file interface instances, do preprocessing // Set the file interface instances, do preprocessing
int initCertStore(CertStoreFile *index, CertStoreFile *data); int initCertStore(FS &fs, const char *indexFileName, const char *dataFileName);
// Installs the cert store into the X509 decoder (normally via static function callbacks) // Installs the cert store into the X509 decoder (normally via static function callbacks)
void installCertStore(br_x509_minimal_context *ctx); void installCertStore(br_x509_minimal_context *ctx);
protected: protected:
CertStoreFile *_index = nullptr; FS *_fs = nullptr;
CertStoreFile *_data = nullptr; char *_indexName = nullptr;
char *_dataName = nullptr;
X509List *_x509 = nullptr; X509List *_x509 = nullptr;
// These need to be static as they are callbacks from BearSSL C code // These need to be static as they are callbacks from BearSSL C code

38
libraries/ESP8266httpUpdate/examples/httpUpdateSecure/httpUpdateSecure.ino
View File

@ -13,6 +13,8 @@
#include <time.h> #include <time.h>
#include <FS.h>
#define USE_SERIAL Serial #define USE_SERIAL Serial
#ifndef APSSID #ifndef APSSID
@ -28,40 +30,6 @@ ESP8266WiFiMulti WiFiMulti;
#include <CertStoreBearSSL.h> #include <CertStoreBearSSL.h>
BearSSL::CertStore certStore; BearSSL::CertStore certStore;
#include <FS.h>
class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
public:
SPIFFSCertStoreFile(const char *name) {
_name = name;
};
virtual ~SPIFFSCertStoreFile() override {};
// The main API
virtual bool open(bool write = false) override {
_file = SPIFFS.open(_name, write ? "w" : "r");
return _file;
}
virtual bool seek(size_t absolute_pos) override {
return _file.seek(absolute_pos, SeekSet);
}
virtual ssize_t read(void *dest, size_t bytes) override {
return _file.readBytes((char*)dest, bytes);
}
virtual ssize_t write(void *dest, size_t bytes) override {
return _file.write((uint8_t*)dest, bytes);
}
virtual void close() override {
_file.close();
}
private:
File _file;
const char *_name;
};
SPIFFSCertStoreFile certs_idx("/certs.idx");
SPIFFSCertStoreFile certs_ar("/certs.ar");
// Set time via NTP, as required for x.509 validation // Set time via NTP, as required for x.509 validation
void setClock() { void setClock() {
configTime(0, 0, "pool.ntp.org", "time.nist.gov"); // UTC configTime(0, 0, "pool.ntp.org", "time.nist.gov"); // UTC
@ -102,7 +70,7 @@ void setup() {
SPIFFS.begin(); SPIFFS.begin();
int numCerts = certStore.initCertStore(&certs_idx, &certs_ar); int numCerts = certStore.initCertStore(SPIFFS, PSTR("/certs.idx"), PSTR("/certs.ar"));
USE_SERIAL.print(F("Number of CA certs read: ")); USE_SERIAL.println(numCerts); USE_SERIAL.print(F("Number of CA certs read: ")); USE_SERIAL.println(numCerts);
if (numCerts == 0) { if (numCerts == 0) {
USE_SERIAL.println(F("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?")); USE_SERIAL.println(F("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?"));

6
tests/device/Makefile
View File

@ -1,7 +1,7 @@
SHELL := /bin/bash SHELL := /bin/bash
V ?= 0 V ?= 0
TEST_LIST ?= $(wildcard test_*/*.ino) TEST_LIST ?= $(wildcard test_*/*.ino)
ESP8266_CORE_PATH ?= ../.. ESP8266_CORE_PATH ?= $(realpath ../..)
BUILD_DIR ?= $(PWD)/.build BUILD_DIR ?= $(PWD)/.build
HARDWARE_DIR ?= $(PWD)/.hardware HARDWARE_DIR ?= $(PWD)/.hardware
#PYTHON ?= python3 #PYTHON ?= python3
@ -60,9 +60,9 @@ ifneq ("$(NO_UPLOAD)","1")
@test -n "$(UPLOAD_PORT)" || (echo "Failed to detect upload port, please export UPLOAD_PORT manually" && exit 1) @test -n "$(UPLOAD_PORT)" || (echo "Failed to detect upload port, please export UPLOAD_PORT manually" && exit 1)
@test -e $(dir $@)/make_spiffs.py && (echo "Generating and uploading SPIFFS" && \ @test -e $(dir $@)/make_spiffs.py && (echo "Generating and uploading SPIFFS" && \
(cd $(dir $@) && $(PYTHON) ./make_spiffs.py) && \ (cd $(dir $@) && $(PYTHON) ./make_spiffs.py) && \
$(SILENT)$(MKSPIFFS) --create $(dir $@)data/ --size 0xFB000 \ $(MKSPIFFS) --create $(dir $@)data/ --size 0xFB000 \
--block 8192 --page 256 $(LOCAL_BUILD_DIR)/spiffs.img && \ --block 8192 --page 256 $(LOCAL_BUILD_DIR)/spiffs.img && \
$(SILENT)$(ESPTOOL) $(UPLOAD_VERBOSE_FLAG) \ $(ESPTOOL) $(UPLOAD_VERBOSE_FLAG) \
--chip esp8266 \ --chip esp8266 \
--port $(UPLOAD_PORT) \ --port $(UPLOAD_PORT) \
--baud $(UPLOAD_BAUD) \ --baud $(UPLOAD_BAUD) \

2
tests/device/test_BearSSL/make_spiffs.py
View File

@ -30,7 +30,7 @@ csvData = response.read()
csvReader = csv.reader(StringIO(csvData)) csvReader = csv.reader(StringIO(csvData))
for row in csvReader: for row in csvReader:
names.append(row[0]+":"+row[1]+":"+row[2]) names.append(row[0]+":"+row[1]+":"+row[2])
pems.append(row[28]) pems.append(row[30])
del names[0] # Remove headers del names[0] # Remove headers
del pems[0] # Remove headers del pems[0] # Remove headers

40
tests/device/test_BearSSL/test_BearSSL.ino
View File

@ -29,44 +29,6 @@ void setClock();
// the WiFiClientBearSSLs are present. // the WiFiClientBearSSLs are present.
BearSSL::CertStore certStore; BearSSL::CertStore certStore;
// NOTE: The CertStoreFile virtual class may migrate to a templated
// model in a future release. Expect some changes to the interface,
// no matter what, as the SD and SPIFFS filesystem get unified.
class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
public:
SPIFFSCertStoreFile(const char *name) {
_name = name;
};
virtual ~SPIFFSCertStoreFile() override {};
// The main API
virtual bool open(bool write = false) override {
_file = SPIFFS.open(_name, write ? "w" : "r");
return _file;
}
virtual bool seek(size_t absolute_pos) override {
return _file.seek(absolute_pos, SeekSet);
}
virtual ssize_t read(void *dest, size_t bytes) override {
return _file.readBytes((char*)dest, bytes);
}
virtual ssize_t write(void *dest, size_t bytes) override {
return _file.write((uint8_t*)dest, bytes);
}
virtual void close() override {
_file.close();
}
private:
File _file;
const char *_name;
};
SPIFFSCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
SPIFFSCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
void setup() void setup()
{ {
Serial.begin(115200); Serial.begin(115200);
@ -79,7 +41,7 @@ void setup()
} }
setClock(); setClock();
SPIFFS.begin(); SPIFFS.begin();
int numCerts = certStore.initCertStore(&certs_idx, &certs_ar); int numCerts = certStore.initCertStore(SPIFFS, "/certs.idx", "/certs.ar");
Serial.printf("Number of CA certs read: %d\n", numCerts); Serial.printf("Number of CA certs read: %d\n", numCerts);
if (numCerts == 0) { if (numCerts == 0) {
Serial.printf("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?\n"); Serial.printf("No certs found. Did you run certs-from-mozill.py and upload the SPIFFS directory before running?\n");