From 41a6ce49887fa620d2128829ec004283af4ce74b Mon Sep 17 00:00:00 2001
From: david gauchard
Date: Tue, 19 Jul 2022 23:14:58 +0200
Subject: [PATCH 1/3] simplify SSL+ethernet example, reuse/include WiFi example

---
 .../EthSSLValidation/EthSSLValidation.ino | 189 +-----------------
 .../examples/EthSSLValidation/certUpdate | 2 -
 .../examples/EthSSLValidation/certs.h | 58 ------
 3 files changed, 4 insertions(+), 245 deletions(-)
 delete mode 100755 libraries/lwIP_Ethernet/examples/EthSSLValidation/certUpdate
 delete mode 100644 libraries/lwIP_Ethernet/examples/EthSSLValidation/certs.h

diff --git a/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino b/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino
index 04ed3e1c8a..2f8c36876c 100644
--- a/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino
+++ b/libraries/lwIP_Ethernet/examples/EthSSLValidation/EthSSLValidation.ino
@@ -11,185 +11,9 @@ Wiznet5500lwIP eth(/*SS*/ 16); // <== adapt to your hardware -#include -#include -#include -#include "certs.h" - -const char *path = "/"; - -// Set time via NTP, as required for x.509 validation -void setClock() { - configTime(3 * 3600, 0, "pool.ntp.org", "time.nist.gov"); - - Serial.print("Waiting for NTP time sync: "); - time_t now = time(nullptr); - while (now < 8 * 3600 * 2) { - delay(500); - Serial.print("."); - now = time(nullptr); - } - Serial.println(""); - struct tm timeinfo; - gmtime_r(&now, &timeinfo); - Serial.print("Current time: "); - Serial.print(asctime(&timeinfo)); -} - -// Try and connect using a WiFiClientBearSSL to specified host:port and dump HTTP response -void fetchURL(BearSSL::WiFiClientSecure *client, const char *host, const uint16_t port, const char *path) { - if (!path) { - path = "/"; - } - - ESP.resetFreeContStack(); - uint32_t freeStackStart = ESP.getFreeContStack(); - Serial.printf("Trying: %s:443...", host); - client->connect(host, port); - if (!client->connected()) { - Serial.printf("*** Can't connect. 
***\n-------\n"); - return; - } - Serial.printf("Connected!\n-------\n"); - client->write("GET "); - client->write(path); - client->write(" HTTP/1.0\r\nHost: "); - client->write(host); - client->write("\r\nUser-Agent: ESP8266\r\n"); - client->write("\r\n"); - uint32_t to = millis() + 5000; - if (client->connected()) { - do { - char tmp[32]; - memset(tmp, 0, 32); - int rlen = client->read((uint8_t *)tmp, sizeof(tmp) - 1); - yield(); - if (rlen < 0) { - break; - } - // Only print out first line up to \r, then abort connection - char *nl = strchr(tmp, '\r'); - if (nl) { - *nl = 0; - Serial.print(tmp); - break; - } - Serial.print(tmp); - } while (millis() < to); - } - client->stop(); - uint32_t freeStackEnd = ESP.getFreeContStack(); - Serial.printf("\nCONT stack used: %d\n", freeStackStart - freeStackEnd); - Serial.printf("BSSL stack used: %d\n-------\n\n", stack_thunk_get_max_usage()); -} - -void fetchNoConfig() { - Serial.printf(R"EOF( -If there are no CAs or insecure options specified, BearSSL will not connect. -Expect the following call to fail as none have been configured. -)EOF"); - BearSSL::WiFiClientSecure client; - fetchURL(&client, gitlab_host, gitlab_port, path); -} - -void fetchInsecure() { - Serial.printf(R"EOF( -This is absolutely *insecure*, but you can tell BearSSL not to check the -certificate of the server. In this mode it will accept ANY certificate, -which is subject to man-in-the-middle (MITM) attacks. -)EOF"); - BearSSL::WiFiClientSecure client; - client.setInsecure(); - fetchURL(&client, gitlab_host, gitlab_port, path); -} - -void fetchFingerprint() { - Serial.printf(R"EOF( -The SHA-1 fingerprint of an X.509 certificate can be used to validate it -instead of the while certificate. This is not nearly as secure as real -X.509 validation, but is better than nothing. Also be aware that these -fingerprints will change if anything changes in the certificate chain -(i.e. 
re-generating the certificate for a new end date, any updates to -the root authorities, etc.). -)EOF"); - BearSSL::WiFiClientSecure client; - client.setFingerprint(fingerprint_sni_cloudflaressl_com); - fetchURL(&client, gitlab_host, gitlab_port, path); -} - -void fetchSelfSigned() { - Serial.printf(R"EOF( -It is also possible to accept *any* self-signed certificate. This is -absolutely insecure as anyone can make a self-signed certificate. -)EOF"); - BearSSL::WiFiClientSecure client; - Serial.printf("First, try and connect to a badssl.com self-signed website (will fail):\n"); - fetchURL(&client, "self-signed.badssl.com", 443, "/"); - Serial.printf("Now we'll enable self-signed certs (will pass)\n"); - client.allowSelfSignedCerts(); - fetchURL(&client, "self-signed.badssl.com", 443, "/"); -} - -void fetchKnownKey() { - Serial.printf(R"EOF( -The server certificate can be completely ignored and its public key -hardcoded in your application. This should be secure as the public key -needs to be paired with the private key of the site, which is obviously -private and not shared. A MITM without the private key would not be -able to establish communications. -)EOF"); - BearSSL::WiFiClientSecure client; - BearSSL::PublicKey key(pubkey_sni_cloudflaressl_com); - client.setKnownKey(&key); - fetchURL(&client, gitlab_host, gitlab_port, path); -} - -void fetchCertAuthority() { - Serial.printf(R"EOF( -A specific certification authority can be passed in and used to validate -a chain of certificates from a given server. These will be validated -using BearSSL's rules, which do NOT include certificate revocation lists. -A specific server's certificate, or your own self-signed root certificate -can also be used. ESP8266 time needs to be valid for checks to pass as -BearSSL does verify the notValidBefore/After fields. 
-)EOF");
-
- BearSSL::WiFiClientSecure client;
- BearSSL::X509List cert(cert_Cloudflare_Inc_ECC_CA_3);
- client.setTrustAnchors(&cert);
- Serial.printf("Try validating without setting the time (should fail)\n");
- fetchURL(&client, gitlab_host, gitlab_port, path);
-
- Serial.printf("Try again after setting NTP time (should pass)\n");
- setClock();
- fetchURL(&client, gitlab_host, gitlab_port, path);
-}
-
-void fetchFaster() {
- Serial.printf(R"EOF(
-The ciphers used to set up the SSL connection can be configured to
-only support faster but less secure ciphers. If you care about security
-you won't want to do this. If you need to maximize battery life, these
-may make sense
-)EOF");
- BearSSL::WiFiClientSecure client;
- client.setInsecure();
- uint32_t now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
- uint32_t delta = millis() - now;
- client.setInsecure();
- client.setCiphersLessSecure();
- now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
- uint32_t delta2 = millis() - now;
- std::vector myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
- client.setInsecure();
- client.setCiphers(myCustomList);
- now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
- uint32_t delta3 = millis() - now;
- Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
-}
+#define setup forgetMe
+#include <../../libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino>
+#undef setup
 void setup() {
 Serial.begin(115200);
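Review bot: The `#define setup forgetMe` / `#include <...BearSSL_Validation.ino>` / `#undef setup` trio carries no comment, so a reader of the Ethernet example has no hint why `setup` is macro-renamed; suggest above the `#define`: `// Reuse the WiFi example's fetch*() helpers; its setup() is renamed to forgetMe so this sketch can define its own Ethernet setup() below.`. The include uses the angle-bracket form with a `../../` path, which is resolved against the compiler's include search path rather than relative to this sketch, so it silently depends on the directory holding `libraries/` being on that path — a comment naming the build setup this assumes would save the next person a confusing "file not found". The renamed `forgetMe()` is still compiled and linked, presumably dragging in whatever the WiFi example's original setup() references; if that is unwanted it is worth stating as intentional or excluding it. The `setup()` body that follows `#undef setup` continues outside this hunk.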
@@ -198,7 +22,7 @@ void setup() {
 Serial.println("\nEthernet\n");
- // 1. Currently when no default is set, esp8266-Arduino uses the first
+ // 1. Currently when no default route is set, esp8266-Arduino uses the first
 // DHCP client interface receiving a valid address and gateway to
 // become the new lwIP default interface.
 // 2. Otherwise - when using static addresses - lwIP for every packets by
@@ -231,8 +55,3 @@ void setup() {
 fetchCertAuthority();
 fetchFaster();
 }
-
-
-void loop() {
- // Nothing to do here
-}
diff --git a/libraries/lwIP_Ethernet/examples/EthSSLValidation/certUpdate b/libraries/lwIP_Ethernet/examples/EthSSLValidation/certUpdate
deleted file mode 100755
index 2162b78e97..0000000000
--- a/libraries/lwIP_Ethernet/examples/EthSSLValidation/certUpdate
+++ /dev/null
@@ -1,2 +0,0 @@
-cd ${0%/*} 2>/dev/null
-python3 ../../../../tools/cert.py -s www.gitlab.com -n gitlab > certs.h
diff --git a/libraries/lwIP_Ethernet/examples/EthSSLValidation/certs.h b/libraries/lwIP_Ethernet/examples/EthSSLValidation/certs.h
deleted file mode 100644
index 373dc5fe15..0000000000
--- a/libraries/lwIP_Ethernet/examples/EthSSLValidation/certs.h
+++ /dev/null
@@ -1,58 +0,0 @@ - -// this file is autogenerated - any modification will be overwritten -// unused symbols will not be linked in the final binary -// generated on 2022-07-18 20:51:33 -// by ['../../../../tools/cert.py', '-s', 'www.gitlab.com', '-n', 'gitlab'] - -#pragma once - -//////////////////////////////////////////////////////////// -// certificate chain for www.gitlab.com:443 - -const char* gitlab_host = "www.gitlab.com"; -const uint16_t gitlab_port = 443; - -// CN: sni.cloudflaressl.com => name: sni_cloudflaressl_com -// not valid before: 2021-09-11 00:00:00 -// not valid after: 2022-09-10 23:59:59 -const char fingerprint_sni_cloudflaressl_com[] PROGMEM - = "04:86:fa:e7:69:4e:7b:75:f4:fd:88:41:6e:42:7a:f1:b0:de:66:3c"; -const char pubkey_sni_cloudflaressl_com[] PROGMEM = R"PUBKEY( ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELIhZBDGe53N84LRh6Ng9qPCZ4VQ6 -2yUXTqkR7C+0e3sd+8GGLp67mLuFOvtjcrv+tP5o8zCz+UpDHmj7n1n17A== ------END PUBLIC KEY----- -)PUBKEY"; - -// http://cacerts.digicert.com/CloudflareIncECCCA-3.crt -// CN: Cloudflare Inc ECC CA-3 => name: Cloudflare_Inc_ECC_CA_3 -// not valid before: 2020-01-27 12:48:08 -// not valid after: 2024-12-31 23:59:59 -const char cert_Cloudflare_Inc_ECC_CA_3[] PROGMEM = R"CERT( ------BEGIN CERTIFICATE----- -MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa -MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl -clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw -MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV -BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD -QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe -nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb -16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME -GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l -BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI 
-KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j -b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t -bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF -BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw -CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB -AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un -+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe -lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H -goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1 -CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw -6DEdfgkfCv4+3ao8XnTSrLE= ------END CERTIFICATE----- -)CERT"; - -// end of certificate chain for www.gitlab.com:443 -//////////////////////////////////////////////////////////// From 057b2f394f12e5dc8c492a78a9f284d69ddca0c7 Mon Sep 17 00:00:00 2001 From: david gauchard Date: Tue, 19 Jul 2022 23:17:21 +0200 Subject: [PATCH 2/3] ssl validation: use ssllabs --- .../BearSSL_Validation/BearSSL_Validation.ino | 31 +++-- .../examples/BearSSL_Validation/certUpdate | 2 +- .../examples/BearSSL_Validation/certs.h | 118 ++++++++++++------ 3 files changed, 99 insertions(+), 52 deletions(-) diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino index b888da6c94..81cbbc2974 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino @@ -10,6 +10,10 @@ #include #include "certs.h" +#define FINGERPRINT fingerprint_ssllabs_com +#define PUBKEY pubkey_ssllabs_com +#define CERT cert_DigiCert_TLS_RSA_SHA256_2020_CA1 + #ifndef STASSID #define STASSID "your-ssid" #define STAPSK "your-password" 
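Review bot: The new `FINGERPRINT` and `PUBKEY` aliases point at leaf-certificate values that the generated certs.h marks as valid only until 2023-03-15 (`// not valid after: 2023-03-15 23:59:59`), so `fetchFingerprint()` and `fetchKnownKey()` will start failing as soon as the server rotates its certificate, whereas `CERT` names an intermediate CA valid to 2031 and will keep working; a comment next to the defines should say so, e.g. `// FINGERPRINT/PUBKEY pin the leaf certificate and go stale when the server rotates it; re-run certUpdate to regenerate certs.h`. The three macro names are short and unprefixed (`CERT`, `PUBKEY`, `FINGERPRINT`), which in a sketch that also includes the BearSSL headers invites a name clash; `SSL_FINGERPRINT`/`SSL_PUBKEY`/`SSL_CERT`, matching the `SSL_host`/`SSL_port` prefix that `cert.py -n SSL` already generates, would read consistently and be safer.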
@@ -87,7 +91,7 @@ If there are no CAs or insecure options specified, BearSSL will not connect.
 Expect the following call to fail as none have been configured.
 )EOF");
 BearSSL::WiFiClientSecure client;
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 }
 void fetchInsecure() {
@@ -98,7 +102,7 @@ which is subject to man-in-the-middle (MITM) attacks.
 )EOF");
 BearSSL::WiFiClientSecure client;
 client.setInsecure();
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 }
 void fetchFingerprint() {
@@ -111,8 +115,8 @@ fingerprints will change if anything changes in the certificate chain
 the root authorities, etc.).
 )EOF");
 BearSSL::WiFiClientSecure client;
- client.setFingerprint(fingerprint_sni_cloudflaressl_com);
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ client.setFingerprint(FINGERPRINT);
+ fetchURL(&client, SSL_host, SSL_port, path);
 }
 void fetchSelfSigned() {
@@ -137,9 +141,9 @@ private and not shared. A MITM without the private key would not be
 able to establish communications.
 )EOF");
 BearSSL::WiFiClientSecure client;
- BearSSL::PublicKey key(pubkey_sni_cloudflaressl_com);
+ BearSSL::PublicKey key(PUBKEY);
 client.setKnownKey(&key);
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 }
 void fetchCertAuthority() {
@@ -153,14 +157,14 @@ BearSSL does verify the notValidBefore/After fields.
 )EOF");
 BearSSL::WiFiClientSecure client;
- BearSSL::X509List cert(cert_Cloudflare_Inc_ECC_CA_3);
+ BearSSL::X509List cert(CERT);
 client.setTrustAnchors(&cert);
 Serial.printf("Try validating without setting the time (should fail)\n");
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 Serial.printf("Try again after setting NTP time (should pass)\n");
 setClock();
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 }
 void fetchFaster() {
@@ -171,20 +175,23 @@ you won't want to do this. If you need to maximize battery life, these
 may make sense
 )EOF");
 BearSSL::WiFiClientSecure client;
+ Serial.printf("Insecure, all ciphers:\n");
 client.setInsecure();
 uint32_t now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 uint32_t delta = millis() - now;
+ Serial.printf("Insecure, less secure ciphers:\n");
 client.setInsecure();
 client.setCiphersLessSecure();
 now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 uint32_t delta2 = millis() - now;
+ Serial.printf("Insecure, few ciphers:\n");
 std::vector myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
 client.setInsecure();
 client.setCiphers(myCustomList);
 now = millis();
- fetchURL(&client, gitlab_host, gitlab_port, path);
+ fetchURL(&client, SSL_host, SSL_port, path);
 uint32_t delta3 = millis() - now;
 Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
 }
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
index 2162b78e97..22986b79aa 100755
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
@@ -1,2 +1,2 @@
 cd ${0%/*} 2>/dev/null
-python3 ../../../../tools/cert.py -s www.gitlab.com -n gitlab > certs.h
+python3 ../../../../tools/cert.py -s www.ssllabs.com -n SSL > certs.h
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
index fe55e95211..de9628f596 100644
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
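Review bot: The three new `Serial.printf` headings label the runs "Insecure, all ciphers", "Insecure, less secure ciphers" and "Insecure, few ciphers", but the unchanged summary line at the end of the hunk still reports the same three runs as "Using more secure", "Using less secure ciphers" and "Using custom cipher list", so the per-run headings and the summary disagree about what the first and third measurements are (every run here calls `setInsecure()`, none is "more secure"). Aligning the summary with the new labels, e.g. `Serial.printf("All ciphers: %ums\nLess secure ciphers: %ums\nFew ciphers: %ums\n", delta, delta2, delta3);`, also replaces the `%d` that is used for the `uint32_t` deltas. `fetchFaster()` starts outside this hunk.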
@@ -1,58 +1,98 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2022-07-18 22:01:02 -// by ['../../../../tools/cert.py', '-s', 'www.gitlab.com', '-n', 'gitlab'] +// generated on 2022-07-19 22:44:00 +// by ['../../../../tools/cert.py', '-s', 'www.ssllabs.com', '-n', 'SSL'] #pragma once //////////////////////////////////////////////////////////// -// certificate chain for www.gitlab.com:443 +// certificate chain for www.ssllabs.com:443 -const char* gitlab_host = "www.gitlab.com"; -const uint16_t gitlab_port = 443; +const char* SSL_host = "www.ssllabs.com"; +const uint16_t SSL_port = 443; -// CN: sni.cloudflaressl.com => name: sni_cloudflaressl_com -// not valid before: 2021-09-11 00:00:00 -// not valid after: 2022-09-10 23:59:59 -const char fingerprint_sni_cloudflaressl_com [] PROGMEM = "04:86:fa:e7:69:4e:7b:75:f4:fd:88:41:6e:42:7a:f1:b0:de:66:3c"; -const char pubkey_sni_cloudflaressl_com [] PROGMEM = R"PUBKEY( +// CN: ssllabs.com => name: ssllabs_com +// not valid before: 2022-03-15 00:00:00 +// not valid after: 2023-03-15 23:59:59 +const char fingerprint_ssllabs_com [] PROGMEM = "ce:72:5c:29:81:ab:f6:0e:18:5c:b6:4f:95:48:62:b6:7e:c3:2e:84"; +const char pubkey_ssllabs_com [] PROGMEM = R"PUBKEY( -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELIhZBDGe53N84LRh6Ng9qPCZ4VQ6 -2yUXTqkR7C+0e3sd+8GGLp67mLuFOvtjcrv+tP5o8zCz+UpDHmj7n1n17A== +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7ssUIIQLMvsInsYv6gF +vaJaPR5SuK7erJV57HkaQA3LTkW1PwEaB/R8oyHFtRG+xzc32EajGjB+olXM9Mdo +ekFm37tNXGY728e5nwrj1xJkel3mabEEfVa70A1OFEXVi4Hz/lE3bD5GmOcg4546 +218JcXKA7PNuhP/O18C7k9XL03NyswGkFgoBSF/+i90P/PCEK72mvibgJcSTueht +mT0M+z5W1rnqyjatwsBwGX0vWchTXGtPm9PvE3gwatbweCeD8ng8/H1sTR+/wJdZ +96avXpeaOxLXWjNe09i6Wwlk3SFebqzmMPNREsEKnjxaNUhkLpVpWoiQi8soSTqD +6wIDAQAB -----END PUBLIC KEY----- )PUBKEY"; -// http://cacerts.digicert.com/CloudflareIncECCCA-3.crt -// CN: Cloudflare Inc ECC CA-3 => 
name: Cloudflare_Inc_ECC_CA_3 -// not valid before: 2020-01-27 12:48:08 -// not valid after: 2024-12-31 23:59:59 -const char cert_Cloudflare_Inc_ECC_CA_3 [] PROGMEM = R"CERT( +// http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt +// CN: DigiCert TLS RSA SHA256 2020 CA1 => name: DigiCert_TLS_RSA_SHA256_2020_CA1 +// not valid before: 2021-04-14 00:00:00 +// not valid after: 2031-04-13 23:59:59 +const char cert_DigiCert_TLS_RSA_SHA256_2020_CA1 [] PROGMEM = R"CERT( -----BEGIN CERTIFICATE----- -MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa -MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl -clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw -MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV -BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD -QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe -nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb -16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME -GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l -BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI -KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j -b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t -bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF -BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw -CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB -AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un -+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe -lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H -goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1 -CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw -6DEdfgkfCv4+3ao8XnTSrLE= +MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBS +U0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6a +qXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddn +g9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuW +raKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB +Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21r +eacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB +/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAU +A95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG +GGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2Nh +Y2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNV +HR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRH +bG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEB +MAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IB +AQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3z +ax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7h +qG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbC +EXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6 +ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E +A7sKPPcw7+uvTPyLNhBzPvOk -----END CERTIFICATE----- )CERT"; -// end of certificate chain for www.gitlab.com:443 +// http://cacerts.digicert.com/DigiCertGlobalRootCA.crt +// CN: DigiCert Global Root CA => name: DigiCert_Global_Root_CA +// not valid before: 2006-11-10 00:00:00 +// not valid after: 2031-11-10 00:00:00 +const char cert_DigiCert_Global_Root_CA [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh 
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j +b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB +CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97 +nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt +43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P +T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4 +gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR +TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw +DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr +hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg +06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF +PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls +YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- +)CERT"; + + +// end of certificate chain for www.ssllabs.com:443 //////////////////////////////////////////////////////////// From 41fcaf80c50d04db7d122a1649eb65c52034019e Mon Sep 17 00:00:00 2001 From: David Gauchard Date: Wed, 20 Jul 2022 14:11:20 +0200 Subject: [PATCH 3/3] ssllabs->example --- .../BearSSL_Validation/BearSSL_Validation.ino | 4 +-- .../examples/BearSSL_Validation/certUpdate | 2 +- .../examples/BearSSL_Validation/certs.h | 34 +++++++++---------- tests/ci/host_test.sh | 4 +++ 4 files changed, 24 insertions(+), 20 deletions(-) 
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
index 81cbbc2974..f1bc55e411 100644
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -10,8 +10,8 @@
 #include
 #include "certs.h"
-#define FINGERPRINT fingerprint_ssllabs_com
-#define PUBKEY pubkey_ssllabs_com
+#define FINGERPRINT fingerprint_www_example_org
+#define PUBKEY pubkey_www_example_org
 #define CERT cert_DigiCert_TLS_RSA_SHA256_2020_CA1
 #ifndef STASSID
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
index 22986b79aa..58468ae7a7 100755
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate
@@ -1,2 +1,2 @@
 cd ${0%/*} 2>/dev/null
-python3 ../../../../tools/cert.py -s www.ssllabs.com -n SSL > certs.h
+python3 ../../../../tools/cert.py -s www.example.com -n SSL > certs.h
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
index de9628f596..ead62edbd5 100644
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
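Review bot: After this change the pinned symbols are `fingerprint_www_example_org` / `pubkey_www_example_org` while `certUpdate` in the same commit queries `www.example.com` and certs.h sets `SSL_host = "www.example.com"`; the symbol names follow the certificate CN (`// CN: www.example.org => name: www_example_org` in the certs.h hunk), not the host queried, and nothing in the .ino tells a reader that the two names refer to the same certificate. A one-line comment above the defines, `// symbol names follow the certificate CN (www.example.org), which differs from SSL_host (www.example.com)`, would document that, and is also the natural place to note that these leaf-cert pins expire on 2023-03-14 per certs.h and need `certUpdate` re-run. `CERT` is deliberately left on the DigiCert intermediate, which matches the unchanged CA block in the certs.h hunk.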
@@ -1,30 +1,30 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2022-07-19 22:44:00 -// by ['../../../../tools/cert.py', '-s', 'www.ssllabs.com', '-n', 'SSL'] +// generated on 2022-07-20 14:09:01 +// by ['../../../../tools/cert.py', '-s', 'www.example.com', '-n', 'SSL'] #pragma once //////////////////////////////////////////////////////////// -// certificate chain for www.ssllabs.com:443 +// certificate chain for www.example.com:443 -const char* SSL_host = "www.ssllabs.com"; +const char* SSL_host = "www.example.com"; const uint16_t SSL_port = 443; -// CN: ssllabs.com => name: ssllabs_com -// not valid before: 2022-03-15 00:00:00 -// not valid after: 2023-03-15 23:59:59 -const char fingerprint_ssllabs_com [] PROGMEM = "ce:72:5c:29:81:ab:f6:0e:18:5c:b6:4f:95:48:62:b6:7e:c3:2e:84"; -const char pubkey_ssllabs_com [] PROGMEM = R"PUBKEY( +// CN: www.example.org => name: www_example_org +// not valid before: 2022-03-14 00:00:00 +// not valid after: 2023-03-14 23:59:59 +const char fingerprint_www_example_org [] PROGMEM = "df:81:df:a6:b6:1e:af:df:ff:fe:1a:25:02:40:db:5d:2e:6c:ee:25"; +const char pubkey_www_example_org [] PROGMEM = R"PUBKEY( -----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv7ssUIIQLMvsInsYv6gF -vaJaPR5SuK7erJV57HkaQA3LTkW1PwEaB/R8oyHFtRG+xzc32EajGjB+olXM9Mdo -ekFm37tNXGY728e5nwrj1xJkel3mabEEfVa70A1OFEXVi4Hz/lE3bD5GmOcg4546 -218JcXKA7PNuhP/O18C7k9XL03NyswGkFgoBSF/+i90P/PCEK72mvibgJcSTueht -mT0M+z5W1rnqyjatwsBwGX0vWchTXGtPm9PvE3gwatbweCeD8ng8/H1sTR+/wJdZ -96avXpeaOxLXWjNe09i6Wwlk3SFebqzmMPNREsEKnjxaNUhkLpVpWoiQi8soSTqD -6wIDAQAB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlV2WY5rlGn1fpwvuBhj0 +nVBcNxCxkHUG/pJG4HvaJen7YIZ1mLc7/P4snOJZiEfwWFTikHNbcUCcYiKG8JkF +ebZOYMc1U9PiEtVWGU4kuYuxiXpD8oMPin1B0SgrF7gKfO1//I2weJdAUjgZuXBC +PAlhz2EnHddzXUtwm9XuOLO/Y6LATVMsbp8/lXnfo/bX0UgJ7C0aVqOu07A0Vr6O 
+kPxwWmOvF3cRKhVCM7U4B51KK+IsWRLm8cVW1IaXjwhGzW7BR6EI3sxCQ4Wnc6HV +PSgmomLWWWkIGFPAwcWUB4NC12yhCO5iW/dxNMWNLMRVtnZAyq6FpZ8wFK6j4OMw +MwIDAQAB -----END PUBLIC KEY----- )PUBKEY"; @@ -93,6 +93,6 @@ CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= )CERT"; -// end of certificate chain for www.ssllabs.com:443 +// end of certificate chain for www.example.com:443 //////////////////////////////////////////////////////////// diff --git a/tests/ci/host_test.sh b/tests/ci/host_test.sh index 44d7517be0..c24cd8e331 100755 --- a/tests/ci/host_test.sh +++ b/tests/ci/host_test.sh @@ -4,6 +4,10 @@ set -ev +if [ -z "$TRAVIS_BUILD_DIR" ]; then + export TRAVIS_BUILD_DIR=$(cd ${PWD%/*}/..; pwd) +fi + cd $TRAVIS_BUILD_DIR/tests/host