WiFiClientSecure: add certificate fingerprint verification (#43)

2025-06-12 01:53:07 +03:00 · 2015-09-14 10:22:54 +03:00
parent c970dec6a7
commit f73d414f38
5 changed files with 65 additions and 2 deletions
--- a/libraries/ESP8266WiFi/src/WiFiClientSecure.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecure.cpp
@ -242,6 +242,50 @@ void WiFiClientSecure::stop() {
    return WiFiClient::stop();
 }

+static bool parseHexNibble(char pb, uint8_t* res) {
+    if (pb >= '0' && pb <= '9') {
+        *res = (uint8_t) (pb - '0'); return true;
+    }
+    else if (pb >= 'a' && pb <= 'f') {
+        *res = (uint8_t) (pb - 'a' + 10); return true;
+    }
+    else if (pb >= 'A' && pb <= 'F') {
+        *res = (uint8_t) (pb - 'A' + 10); return true;
+    }
+    return false;
+}
+
+bool WiFiClientSecure::verify(const char* fp, const char* url) {
+    uint8_t sha1[20];
+    int len = strlen(fp);
+    int pos = 0;
+    for (int i = 0; i < sizeof(sha1); ++i) {
+        while (pos < len && fp[pos] == ' ') {
+            ++pos;
+        }
+        DEBUGV("pos:%d ", pos);
+        if (pos > len - 2) {
+            DEBUGV("fingerprint too short\r\n");
+            return false;
+        }
+        uint8_t high, low;
+        if (!parseHexNibble(fp[pos], &high) || !parseHexNibble(fp[pos+1], &low)) {
+            DEBUGV("invalid hex sequence: %c%c\r\n", fp[pos], fp[pos+1]);
+            return false;
+        }
+        pos += 2;
+        sha1[i] = low | (high << 4);
+    }
+    if (ssl_match_fingerprint(*_ssl, sha1) != 0) {
+        DEBUGV("fingerprint doesn't match\r\n");
+        return false;
+    }
+
+    //TODO: check URL against certificate
+
+    return true;
+}
+
 extern "C" int ax_port_read(int fd, uint8_t* buffer, size_t count) {
    ClientContext* _client = reinterpret_cast<ClientContext*>(fd);
    if (_client->state() != ESTABLISHED && !_client->getSize()) {
--- a/libraries/ESP8266WiFi/src/WiFiClientSecure.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecure.h
@ -38,6 +38,8 @@ public:
  int connect(IPAddress ip, uint16_t port) override;
  int connect(const char* name, uint16_t port) override;

+  bool verify(const char* fingerprint, const char* url);
+
  size_t write(const uint8_t *buf, size_t size) override;
  int read(uint8_t *buf, size_t size) override;
  int available() override;
--- a/libraries/ESP8266WiFi/src/include/ssl.h
+++ b/libraries/ESP8266WiFi/src/include/ssl.h
@ -375,6 +375,15 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code);
 */
 EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl);

+/**
+ * @brief Check if certificate fingerprint (SHA1) matches the one given.
+ *
+ * @param ssl [in] An SSL object reference.
+ * @param fp [in] SHA1 fingerprint to match against
+ * @return SSL_OK if the certificate is verified.
+ */
+EXP_FUNC int STDCALL ssl_match_fingerprint(const SSL *ssl, const uint8_t* fp);
+
 /**
 * @brief Retrieve an X.509 distinguished name component.
 *