esp8266 · mcspr · Jul 27, 2022 · Jul 19, 2022 · Jul 19, 2022 · Jul 20, 2022
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -10,6 +10,10 @@
 #include <time.h>
 #include "certs.h"
 
+#define FINGERPRINT fingerprint_www_example_org
+#define PUBKEY pubkey_www_example_org
+#define CERT cert_DigiCert_TLS_RSA_SHA256_2020_CA1
+
 #ifndef STASSID
 #define STASSID "your-ssid"
 #define STAPSK "your-password"
@@ -87,7 +91,7 @@ If there are no CAs or insecure options specified, BearSSL will not connect.
 Expect the following call to fail as none have been configured.
 )EOF");
   BearSSL::WiFiClientSecure client;
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
 }
 
 void fetchInsecure() {
@@ -98,7 +102,7 @@ which is subject to man-in-the-middle (MITM) attacks.
 )EOF");
   BearSSL::WiFiClientSecure client;
   client.setInsecure();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
 }
 
 void fetchFingerprint() {
@@ -111,8 +115,8 @@ fingerprints will change if anything changes in the certificate chain
 the root authorities, etc.).
 )EOF");
   BearSSL::WiFiClientSecure client;
-  client.setFingerprint(fingerprint_sni_cloudflaressl_com);
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  client.setFingerprint(FINGERPRINT);
+  fetchURL(&client, SSL_host, SSL_port, path);
 }
 
 void fetchSelfSigned() {
@@ -137,9 +141,9 @@ private and not shared.  A MITM without the private key would not be
 able to establish communications.
 )EOF");
   BearSSL::WiFiClientSecure client;
-  BearSSL::PublicKey key(pubkey_sni_cloudflaressl_com);
+  BearSSL::PublicKey key(PUBKEY);
   client.setKnownKey(&key);
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
 }
 
 void fetchCertAuthority() {
@@ -153,14 +157,14 @@ BearSSL does verify the notValidBefore/After fields.
 )EOF");
 
   BearSSL::WiFiClientSecure client;
-  BearSSL::X509List cert(cert_Cloudflare_Inc_ECC_CA_3);
+  BearSSL::X509List cert(CERT);
   client.setTrustAnchors(&cert);
   Serial.printf("Try validating without setting the time (should fail)\n");
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
 
   Serial.printf("Try again after setting NTP time (should pass)\n");
   setClock();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
 }
 
 void fetchFaster() {
@@ -171,20 +175,23 @@ you won't want to do this.  If you need to maximize battery life, these
 may make sense
 )EOF");
   BearSSL::WiFiClientSecure client;
+  Serial.printf("Insecure, all ciphers:\n");
   client.setInsecure();
   uint32_t now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
   uint32_t delta = millis() - now;
+  Serial.printf("Insecure, less secure ciphers:\n");
   client.setInsecure();
   client.setCiphersLessSecure();
   now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
   uint32_t delta2 = millis() - now;
+  Serial.printf("Insecure, few ciphers:\n");
   std::vector<uint16_t> myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
   client.setInsecure();
   client.setCiphers(myCustomList);
   now = millis();
-  fetchURL(&client, gitlab_host, gitlab_port, path);
+  fetchURL(&client, SSL_host, SSL_port, path);
   uint32_t delta3 = millis() - now;
   Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
 }

diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
@@ -1,2 +1,2 @@
 cd ${0%/*} 2>/dev/null
-python3 ../../../../tools/cert.py -s www.gitlab.com -n gitlab > certs.h
+python3 ../../../../tools/cert.py -s www.example.com -n SSL > certs.h
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
@@ -1,58 +1,98 @@
 
 // this file is autogenerated - any modification will be overwritten
 // unused symbols will not be linked in the final binary
-// generated on 2022-07-18 22:01:02
-// by ['../../../../tools/cert.py', '-s', 'www.gitlab.com', '-n', 'gitlab']
+// generated on 2022-07-20 14:09:01
+// by ['../../../../tools/cert.py', '-s', 'www.example.com', '-n', 'SSL']
 
 #pragma once
 
 ////////////////////////////////////////////////////////////
-// certificate chain for www.gitlab.com:443
+// certificate chain for www.example.com:443
 
-const char* gitlab_host = "www.gitlab.com";
-const uint16_t gitlab_port = 443;
+const char* SSL_host = "www.example.com";
+const uint16_t SSL_port = 443;
 
-// CN: sni.cloudflaressl.com => name: sni_cloudflaressl_com
-// not valid before: 2021-09-11 00:00:00
-// not valid after:  2022-09-10 23:59:59
-const char fingerprint_sni_cloudflaressl_com [] PROGMEM = "04:86:fa:e7:69:4e:7b:75:f4:fd:88:41:6e:42:7a:f1:b0:de:66:3c";
-const char pubkey_sni_cloudflaressl_com [] PROGMEM = R"PUBKEY(
+// CN: www.example.org => name: www_example_org
+// not valid before: 2022-03-14 00:00:00
+// not valid after:  2023-03-14 23:59:59
+const char fingerprint_www_example_org [] PROGMEM = "df:81:df:a6:b6:1e:af:df:ff:fe:1a:25:02:40:db:5d:2e:6c:ee:25";
+const char pubkey_www_example_org [] PROGMEM = R"PUBKEY(
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELIhZBDGe53N84LRh6Ng9qPCZ4VQ6
-2yUXTqkR7C+0e3sd+8GGLp67mLuFOvtjcrv+tP5o8zCz+UpDHmj7n1n17A==
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlV2WY5rlGn1fpwvuBhj0
+nVBcNxCxkHUG/pJG4HvaJen7YIZ1mLc7/P4snOJZiEfwWFTikHNbcUCcYiKG8JkF
+ebZOYMc1U9PiEtVWGU4kuYuxiXpD8oMPin1B0SgrF7gKfO1//I2weJdAUjgZuXBC
+PAlhz2EnHddzXUtwm9XuOLO/Y6LATVMsbp8/lXnfo/bX0UgJ7C0aVqOu07A0Vr6O
+kPxwWmOvF3cRKhVCM7U4B51KK+IsWRLm8cVW1IaXjwhGzW7BR6EI3sxCQ4Wnc6HV
+PSgmomLWWWkIGFPAwcWUB4NC12yhCO5iW/dxNMWNLMRVtnZAyq6FpZ8wFK6j4OMw
+MwIDAQAB
 -----END PUBLIC KEY-----
 )PUBKEY";
 
-// http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
-// CN: Cloudflare Inc ECC CA-3 => name: Cloudflare_Inc_ECC_CA_3
-// not valid before: 2020-01-27 12:48:08
-// not valid after:  2024-12-31 23:59:59
-const char cert_Cloudflare_Inc_ECC_CA_3 [] PROGMEM = R"CERT(
+// http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
+// CN: DigiCert TLS RSA SHA256 2020 CA1 => name: DigiCert_TLS_RSA_SHA256_2020_CA1
+// not valid before: 2021-04-14 00:00:00
+// not valid after:  2031-04-13 23:59:59
+const char cert_DigiCert_TLS_RSA_SHA256_2020_CA1 [] PROGMEM = R"CERT(
 -----BEGIN CERTIFICATE-----
-MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
-MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
-clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
-MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
-BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
-QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
-nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
-16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
-GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
-BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
-KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
-b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
-bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
-BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
-CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
-AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
-+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
-lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
-goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
-CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
-6DEdfgkfCv4+3ao8XnTSrLE=
+MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS
+U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a
+qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn
+g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW
+raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
+Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r
+eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU
+A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
+GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh
+Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV
+HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH
+bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB
+MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB
+AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z
+ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h
+qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC
+EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6
+ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
+A7sKPPcw7+uvTPyLNhBzPvOk
 -----END CERTIFICATE-----
 )CERT";
 
-// end of certificate chain for www.gitlab.com:443
+// http://cacerts.digicert.com/DigiCertGlobalRootCA.crt
+// CN: DigiCert Global Root CA => name: DigiCert_Global_Root_CA
+// not valid before: 2006-11-10 00:00:00
+// not valid after:  2031-11-10 00:00:00
+const char cert_DigiCert_Global_Root_CA [] PROGMEM = R"CERT(
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----
+)CERT";
+
+
+// end of certificate chain for www.example.com:443
 ////////////////////////////////////////////////////////////