2.2.3 updated GitHub root CA certificate

- since the new certificates use EllipticCurve, versions prior to 2.2.1
crash when checking cert
- note that the usage of EC makes the TLS process a lot slower

Changelog.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.2.3 updated GitHub root CA certificate
+- since the new certificates use EllipticCurve, versions prior to 2.2.1 crash when checking cert
+- note that the usage of EC makes the TLS process a lot slower
+
 ## 2.2.2 updated README and fixed wifi-config repo commit
 - removed now outdated info from README
 - the commit to wifi-config was not synced to github and got rolled back

README.md

@@ -2,6 +2,15 @@
 Initial install, WiFi settings and over the air firmware upgrades for any esp-open-rtos repository on GitHub  
 (c) 2018-2022 HomeAccessoryKid
 
+## ISSUE with GitHub introduction of Elliptic Curve based certificates
+#### starting 1 April 2022
+Since the new certificates use EllipticCurve, versions prior to v2.2.1 crash when checking certificate validity.
+This means the need to use the EMERGENCY MODE to repair your LCM deployment.
+v2.2.3 will already provide a working LCM.  
+But check back later because next I want to make a version that will
+make the update of LCM or bootloader itself not depend on certificate validation but only on signature.  
+The verification of the GitHub certificate remains a necessity to validate the user main.bin file.
+
 ## Version
 [Changelog](https://github.com/HomeACcessoryKid/life-cycle-manager/blob/master/Changelog.md)  
 With version 2.0.0 LCM has arrived to a new stage with its own adaptation of rboot - rboot4lcm - which counts powercycles.

deploy.md

@@ -1,4 +1,4 @@
-(c) 2018-2021 HomeAccessoryKid
+(c) 2018-2022 HomeAccessoryKid
 
 ### Instructions for end users:
 TBD
@@ -10,33 +10,33 @@ cd life-cycle-manager
 - initial steps to be expanded
 
 #### These are the steps if not introducing a new key pair
-- create/update the file versions1/latest-pre-release without new-line and setup 2.2.2 version folder
+- create/update the file versions1/latest-pre-release without new-line and setup 2.2.3 version folder
 ```
-mkdir versions1/2.2.2v
-echo -n 2.2.2 > versions1/2.2.2v/latest-pre-release
-cp versions1/certs.sector versions1/certs.sector.sig versions1/2.2.2v
-cp versions1/public*key*   versions1/2.2.2v
+mkdir versions1/2.2.3v
+echo -n 2.2.3 > versions1/2.2.3v/latest-pre-release
+cp versions1/certs.sector versions1/certs.sector.sig versions1/2.2.3v
+cp versions1/public*key*   versions1/2.2.3v
 ```
 - set local.mk to the ota-main program
 ```
-make -j6 rebuild OTAVERSION=2.2.2
-mv firmware/otamain.bin versions1/2.2.2v
+make -j6 rebuild OTAVERSION=2.2.3
+mv firmware/otamain.bin versions1/2.2.3v
 ```
 - set local.mk back to ota-boot program
 ```
-make -j6 rebuild OTAVERSION=2.2.2
-mv firmware/otaboot.bin versions1/2.2.2v
-make -j6 rebuild OTAVERSION=2.2.2 OTABETA=1
-cp firmware/otaboot.bin versions1/2.2.2v/otabootbeta.bin
+make -j6 rebuild OTAVERSION=2.2.3
+mv firmware/otaboot.bin versions1/2.2.3v
+make -j6 rebuild OTAVERSION=2.2.3 OTABETA=1
+cp firmware/otaboot.bin versions1/2.2.3v/otabootbeta.bin
 ```
 - remove the older version files
 #
 - update Changelog
 - if you can sign the binaries locally, do so, else follow later steps
 - test otaboot for basic behaviour
 - commit and sync submodules
-- commit and sync this as version 2.2.2  
-- set up a new github release 2.2.2 as a pre-release using the just commited master...  
+- commit and sync this as version 2.2.3  
+- set up a new github release 2.2.3 as a pre-release using the just commited master...  
 - upload the certs and binaries to the pre-release assets on github  
 #
 - erase the flash and upload the privatekey
@@ -46,18 +46,18 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-pr
 ```
 - upload the ota-boot BETA program to the device that contains the private key
 ```
-make flash OTAVERSION=2.2.2 OTABETA=1
+make flash OTAVERSION=2.2.3 OTABETA=1
 ```
 - power cycle to prevent the bug for software reset after flash  
 - setup wifi and select the ota-demo repo without pre-release checkbox  
 - create the 2 signature files next to the bin file and upload to github one by one  
 - verify the hashes on the computer  
 ```
-openssl sha384 versions1/2.2.2v/otamain.bin
-xxd versions1/2.2.2v/otamain.bin.sig
+openssl sha384 versions1/2.2.3v/otamain.bin
+xxd versions1/2.2.3v/otamain.bin.sig
 ```
 
-- upload the file versions1/2.2.2v/latest-pre-release to the 'latest release' assets on github
+- upload the file versions1/2.2.3v/latest-pre-release to the 'latest release' assets on github
 
 #### Testing
 
@@ -110,14 +110,14 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versionsN-1-
 ```
 - collect public-1.key.sig and store it in the new version folder and copy it to versions1
 ```
-cp  versions1/2.2.2v/public-1.key.sig versions1
+cp  versions1/2.2.3v/public-1.key.sig versions1
 ```
 - then flash the new private key
 ```
 esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-privatekey.der
 ```
 - collect cert.sector.sig and store it in the new version folder and copy it to versions1 
 ```
-cp  versions1/2.2.2v/certs.sector.sig versions1
+cp  versions1/2.2.3v/certs.sector.sig versions1
 ```
 - continue with a normal deployment to create the 2 signature files next to the bin files

main.c

@@ -1,4 +1,4 @@
-/* (c) 2018-2021 HomeAccessoryKid
+/* (c) 2018-2022 HomeAccessoryKid
  * LifeCycleManager dual app
  * use local.mk to turn it into the LCM otamain.bin app or the otaboot.bin app
  */

ota.c

@@ -1,4 +1,4 @@
-/*  (c) 2018-2021 HomeAccessoryKid */
+/*  (c) 2018-2022 HomeAccessoryKid */
 #include <stdlib.h>  //for UDPLGP
 #include <stdio.h>
 #include <string.h>

ota.h

@@ -1,4 +1,4 @@
-/*  (c) 2018-2021 HomeAccessoryKid */
+/*  (c) 2018-2022 HomeAccessoryKid */
 #ifndef __OTA_H__
 #define __OTA_H__
 

versions1/2.2.3v/latest-pre-release

@@ -0,0 +1 @@
+2.2.3

versions1/DigiCertGlobalRootCA.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----