No support for reading client certificate and private key from LittleFS (ESP8266WiFi - WiFiClientSecure/BearSSL) #7671
Comments
I think there's a little misunderstanding here. Once you create the So your code could become (hacking in editor, please excuse any typos!):
Note that the cert and key need to be long-lived, so they should be stored as a global so connections in your There's no add'l memory savings possible. The cert/key you're using need to be in RAM when a connection is made (and while it's live, because there can be renegotiation at any time per the SSL protocol) so the X509List and PrivateKey need to live forever. So, while I think making the Cert/Key constructors create from a
Fixes esp8266#7671

Allows for code to do things like read certs from LittleFS or even HTTP connections with code like:

```cpp
File cert = LittleFS.open("/client-crt.pem", "r");
clientCert = new X509List(cert, cert.size());
cert.close();
```

Thanks for the clarification! This solves the issue for me.
Fixes #7671

Allows for code to do things like read certs from LittleFS or even HTTP connections with code like:

```cpp
File cert = LittleFS.open("/client-crt.pem", "r");
clientCert = new X509List(cert, cert.size());
cert.close();
```

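The pattern discussed in the comments above, written out as a full sketch. This is an added example, not code from the issue, the commit or the ESP8266 core. It assumes a core version that includes the Stream-based `X509List` and `PrivateKey` constructors, an RSA client key, and a hypothetical key file name `/client-key.pem`.

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <LittleFS.h>

// Globals on purpose: the TLS client keeps using the parsed certificate and
// key for as long as a connection is open (renegotiation can happen any time).
BearSSL::X509List *clientCert = nullptr;
BearSSL::PrivateKey *clientKey = nullptr;
BearSSL::WiFiClientSecure client;

// Parse the client certificate and key straight from LittleFS, without an
// intermediate char buffer. Returns false on a missing, empty or bad file.
bool loadClientCredentials() {
  File cert = LittleFS.open("/client-crt.pem", "r");
  if (cert) {
    if (cert.size() > 0) clientCert = new BearSSL::X509List(cert, cert.size());
    cert.close();
  }

  File key = LittleFS.open("/client-key.pem", "r");  // assumed file name
  if (key) {
    if (key.size() > 0) clientKey = new BearSSL::PrivateKey(key, key.size());
    key.close();
  }

  // Reject files that were absent or did not parse into usable objects.
  if (!clientCert || clientCert->getCount() == 0) return false;
  if (!clientKey || !clientKey->isRSA()) return false;  // RSA only in this example

  client.setClientRSACert(clientCert, clientKey);
  return true;
}

void setup() {
  Serial.begin(115200);
  if (!LittleFS.begin()) {
    Serial.println("LittleFS mount failed");
    return;
  }
  uint32_t before = ESP.getFreeHeap();
  bool ok = loadClientCredentials();
  // Heap delta shows what the parsed objects cost while they stay resident.
  Serial.printf("credentials loaded: %d, heap used: %u bytes\n",
                ok, (unsigned)(before - ESP.getFreeHeap()));
  // WiFi setup and server verification (trust anchors or a cert store)
  // still have to be configured before client.connect().
}

void loop() {}
```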
Basic Infos
Platform
Problem Description
Currently, when using WiFiClientSecure (BearSSL), certificate stores can be loaded from LittleFS or SD.
But there is no documented way or code to load a client certificate and private key in a similar manner.
(The X509List and PrivateKey do not take files/streams as arguments)
Old issues and examples show that older versions used to have this feature:
Specifically it seems like the old functions `loadCertificate()` and `loadPrivateKey()` (which are deprecated) could load files.

My current solution is to copy the certificate and key to a global variable, which wastes several KB of RAM:
This sketch works well but wastes 4096*2 = 8192 bytes of RAM which is 10% of total RAM.
My assumption is, when using `CertStoreBearSSL.h`, the certificates are not copied to the RAM for most of the time, but loaded in a different way.

Same thing goes when loading a certificate which is saved in PROGMEM (sketch ROM).
Therefore, it should be possible to use a client certificate and a private key which are stored as .pem or .der in the file system, without copying the whole file content to the RAM, for the whole lifetime of the program.
I tried understanding the code in `CertStoreBearSSL.cpp` but it's too complicated for me.

Thanks in advance and Best regards!