Skip to content

Commit

Permalink
SSL examples: updates (#8643)
Browse files Browse the repository at this point in the history 
Simplify SSL+ethernet example, reuse/include WiFi example
  • Loading branch information
@d-a-v
d-a-v committed Jul 27, 2022
1 parent e2a36ed commit 646bdfc
Show file tree
Hide file tree
Showing 7 changed files with 107 additions and 297 deletions.
31 changes: 19 additions & 12 deletions libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@
#include <time.h>
#include "certs.h"

#define FINGERPRINT fingerprint_www_example_org
#define PUBKEY pubkey_www_example_org
#define CERT cert_DigiCert_TLS_RSA_SHA256_2020_CA1

#ifndef STASSID
#define STASSID "your-ssid"
#define STAPSK "your-password"
Expand Down Expand Up @@ -87,7 +91,7 @@ If there are no CAs or insecure options specified, BearSSL will not connect.
Expect the following call to fail as none have been configured.
)EOF");
BearSSL::WiFiClientSecure client;
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
}

void fetchInsecure() {
Expand All @@ -98,7 +102,7 @@ which is subject to man-in-the-middle (MITM) attacks.
)EOF");
BearSSL::WiFiClientSecure client;
client.setInsecure();
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
}

void fetchFingerprint() {
Expand All @@ -111,8 +115,8 @@ fingerprints will change if anything changes in the certificate chain
the root authorities, etc.).
)EOF");
BearSSL::WiFiClientSecure client;
client.setFingerprint(fingerprint_sni_cloudflaressl_com);
fetchURL(&client, gitlab_host, gitlab_port, path);
client.setFingerprint(FINGERPRINT);
fetchURL(&client, SSL_host, SSL_port, path);
}

void fetchSelfSigned() {
Expand All @@ -137,9 +141,9 @@ private and not shared. A MITM without the private key would not be
able to establish communications.
)EOF");
BearSSL::WiFiClientSecure client;
BearSSL::PublicKey key(pubkey_sni_cloudflaressl_com);
BearSSL::PublicKey key(PUBKEY);
client.setKnownKey(&key);
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
}

void fetchCertAuthority() {
Expand All @@ -153,14 +157,14 @@ BearSSL does verify the notValidBefore/After fields.
)EOF");

BearSSL::WiFiClientSecure client;
BearSSL::X509List cert(cert_Cloudflare_Inc_ECC_CA_3);
BearSSL::X509List cert(CERT);
client.setTrustAnchors(&cert);
Serial.printf("Try validating without setting the time (should fail)\n");
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);

Serial.printf("Try again after setting NTP time (should pass)\n");
setClock();
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
}

void fetchFaster() {
Expand All @@ -171,20 +175,23 @@ you won't want to do this. If you need to maximize battery life, these
may make sense
)EOF");
BearSSL::WiFiClientSecure client;
Serial.printf("Insecure, all ciphers:\n");
client.setInsecure();
uint32_t now = millis();
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
uint32_t delta = millis() - now;
Serial.printf("Insecure, less secure ciphers:\n");
client.setInsecure();
client.setCiphersLessSecure();
now = millis();
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
uint32_t delta2 = millis() - now;
Serial.printf("Insecure, few ciphers:\n");
std::vector<uint16_t> myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
client.setInsecure();
client.setCiphers(myCustomList);
now = millis();
fetchURL(&client, gitlab_host, gitlab_port, path);
fetchURL(&client, SSL_host, SSL_port, path);
uint32_t delta3 = millis() - now;
Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
}
Expand Down
2 changes: 1 addition & 1 deletion libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
cd ${0%/*} 2>/dev/null
python3 ../../../../tools/cert.py -s www.gitlab.com -n gitlab > certs.h
python3 ../../../../tools/cert.py -s www.example.com -n SSL > certs.h
118 changes: 79 additions & 39 deletions libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
View file
Original file line number Diff line number Diff line change
@@ -1,58 +1,98 @@

// this file is autogenerated - any modification will be overwritten
// unused symbols will not be linked in the final binary
// generated on 2022-07-18 22:01:02
// by ['../../../../tools/cert.py', '-s', 'www.gitlab.com', '-n', 'gitlab']
// generated on 2022-07-20 14:09:01
// by ['../../../../tools/cert.py', '-s', 'www.example.com', '-n', 'SSL']

#pragma once

////////////////////////////////////////////////////////////
// certificate chain for www.gitlab.com:443
// certificate chain for www.example.com:443

const char* gitlab_host = "www.gitlab.com";
const uint16_t gitlab_port = 443;
const char* SSL_host = "www.example.com";
const uint16_t SSL_port = 443;

// CN: sni.cloudflaressl.com => name: sni_cloudflaressl_com
// not valid before: 2021-09-11 00:00:00
// not valid after: 2022-09-10 23:59:59
const char fingerprint_sni_cloudflaressl_com [] PROGMEM = "04:86:fa:e7:69:4e:7b:75:f4:fd:88:41:6e:42:7a:f1:b0:de:66:3c";
const char pubkey_sni_cloudflaressl_com [] PROGMEM = R"PUBKEY(
// CN: www.example.org => name: www_example_org
// not valid before: 2022-03-14 00:00:00
// not valid after: 2023-03-14 23:59:59
const char fingerprint_www_example_org [] PROGMEM = "df:81:df:a6:b6:1e:af:df:ff:fe:1a:25:02:40:db:5d:2e:6c:ee:25";
const char pubkey_www_example_org [] PROGMEM = R"PUBKEY(
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELIhZBDGe53N84LRh6Ng9qPCZ4VQ6
2yUXTqkR7C+0e3sd+8GGLp67mLuFOvtjcrv+tP5o8zCz+UpDHmj7n1n17A==
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlV2WY5rlGn1fpwvuBhj0
nVBcNxCxkHUG/pJG4HvaJen7YIZ1mLc7/P4snOJZiEfwWFTikHNbcUCcYiKG8JkF
ebZOYMc1U9PiEtVWGU4kuYuxiXpD8oMPin1B0SgrF7gKfO1//I2weJdAUjgZuXBC
PAlhz2EnHddzXUtwm9XuOLO/Y6LATVMsbp8/lXnfo/bX0UgJ7C0aVqOu07A0Vr6O
kPxwWmOvF3cRKhVCM7U4B51KK+IsWRLm8cVW1IaXjwhGzW7BR6EI3sxCQ4Wnc6HV
PSgmomLWWWkIGFPAwcWUB4NC12yhCO5iW/dxNMWNLMRVtnZAyq6FpZ8wFK6j4OMw
MwIDAQAB
-----END PUBLIC KEY-----
)PUBKEY";

// http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
// CN: Cloudflare Inc ECC CA-3 => name: Cloudflare_Inc_ECC_CA_3
// not valid before: 2020-01-27 12:48:08
// not valid after: 2024-12-31 23:59:59
const char cert_Cloudflare_Inc_ECC_CA_3 [] PROGMEM = R"CERT(
// http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
// CN: DigiCert TLS RSA SHA256 2020 CA1 => name: DigiCert_TLS_RSA_SHA256_2020_CA1
// not valid before: 2021-04-14 00:00:00
// not valid after: 2031-04-13 23:59:59
const char cert_DigiCert_TLS_RSA_SHA256_2020_CA1 [] PROGMEM = R"CERT(
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
6DEdfgkfCv4+3ao8XnTSrLE=
MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----
)CERT";

// end of certificate chain for www.gitlab.com:443
// http://cacerts.digicert.com/DigiCertGlobalRootCA.crt
// CN: DigiCert Global Root CA => name: DigiCert_Global_Root_CA
// not valid before: 2006-11-10 00:00:00
// not valid after: 2031-11-10 00:00:00
const char cert_DigiCert_Global_Root_CA [] PROGMEM = R"CERT(
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
)CERT";


// end of certificate chain for www.example.com:443
////////////////////////////////////////////////////////////

Loading

0 comments on commit 646bdfc

Please sign in to comment.