SSLClient: add certificate loading from filesystem

Author: pennam

libraries/Ethernet/src/EthernetSSLClient.cpp

@@ -6,14 +6,17 @@ EthernetSSLClient::EthernetSSLClient()
 
   sslclient = new sslclient_context;
   _client = new EthernetClient;
-  ssl_init(sslclient, _client);
+
   _timeout = 1000;
   _CA_cert = NULL;
+  _CA_path = "/mbedtls";
   _cert = NULL;
   _private_key = NULL;
   _pskIdent = NULL;
   _psKey = NULL;
 
+  ssl_init(sslclient, _client, _CA_path);
+
   sslclient->handshake_timeout = 5000;
 }
 

libraries/SSLClient/src/SSLClient.cpp

@@ -31,15 +31,18 @@ SSLClient::SSLClient()
     _connected = false;
 
     sslclient = new sslclient_context;
-    ssl_init(sslclient, nullptr);
+
     _timeout = 1000;
     _use_insecure = false;
     _CA_cert = NULL;
+    _CA_path = NULL;
     _cert = NULL;
     _private_key = NULL;
     _pskIdent = NULL;
     _psKey = NULL;
 
+    ssl_init(sslclient, nullptr, _CA_path);
+
     sslclient->handshake_timeout = 5000;
 }
 
@@ -48,15 +51,38 @@ SSLClient::SSLClient(Client* client)
     _connected = false;
 
     sslclient = new sslclient_context;
-    ssl_init(sslclient, client);
+
+    _timeout = 1000;
+    _use_insecure = false;
+    _CA_cert = NULL;
+    _CA_path = "/mbedtls";
+    _cert = NULL;
+    _private_key = NULL;
+    _pskIdent = NULL;
+    _psKey = NULL;
+
+    ssl_init(sslclient, client, _CA_path);
+
+    sslclient->handshake_timeout = 5000;
+}
+
+SSLClient::SSLClient(Client* client, String ca_path)
+{
+    _connected = false;
+
+    sslclient = new sslclient_context;
+
     _timeout = 1000;
     _use_insecure = false;
     _CA_cert = NULL;
+    _CA_path = ca_path.c_str();
     _cert = NULL;
     _private_key = NULL;
     _pskIdent = NULL;
     _psKey = NULL;
 
+    ssl_init(sslclient, client, _CA_path);
+
     sslclient->handshake_timeout = 5000;
 }
 
@@ -80,7 +106,7 @@ int SSLClient::connect(IPAddress ip, uint16_t port)
 {
     if (_pskIdent && _psKey)
         return connect(ip, port, _pskIdent, _psKey);
-    return connect(ip, port, _CA_cert, _cert, _private_key);
+    return connect(ip, port, _CA_cert, _CA_path, _cert, _private_key);
 }
 
 int SSLClient::connect(IPAddress ip, uint16_t port, int32_t timeout){
@@ -92,23 +118,23 @@ int SSLClient::connect(const char *host, uint16_t port)
 {
     if (_pskIdent && _psKey)
         return connect(host, port, _pskIdent, _psKey);
-    return connect(host, port, _CA_cert, _cert, _private_key);
+    return connect(host, port, _CA_cert, _CA_path, _cert, _private_key);
 }
 
 int SSLClient::connect(const char *host, uint16_t port, int32_t timeout){
     _timeout = timeout;
     return connect(host, port);
 }
 
-int SSLClient::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+int SSLClient::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_CA_path, const char *_cert, const char *_private_key)
 {
-    return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
+    return connect(ip.toString().c_str(), port, _CA_cert, _CA_path, _cert, _private_key);
 }
 
-int SSLClient::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+int SSLClient::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_CA_path, const char *_cert, const char *_private_key)
 {
     log_d("Connecting to %s:%d", host, port);
-    int ret = start_ssl_client(sslclient, host, port, _timeout, _CA_cert, _cert, _private_key, NULL, NULL, _use_insecure);
+    int ret = start_ssl_client(sslclient, host, port, _timeout, _CA_cert, _CA_path, _cert, _private_key, NULL, NULL, _use_insecure);
     _lastError = ret;
     if (ret < 0) {
         log_e("start_ssl_client: %d", ret);
@@ -126,7 +152,7 @@ int SSLClient::connect(IPAddress ip, uint16_t port, const char *pskIdent, const
 
 int SSLClient::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
     log_v("start_ssl_client with PSK");
-    int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, _pskIdent, _psKey, _use_insecure);
+    int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, NULL, _pskIdent, _psKey, _use_insecure);
     _lastError = ret;
     if (ret < 0) {
         log_e("start_ssl_client: %d", ret);
@@ -241,6 +267,12 @@ void SSLClient::setCACert (const char *rootCA)
     _CA_cert = rootCA;
 }
 
+void SSLClient::setCAPath (const char *rootCAPath)
+{
+    log_d("Set root CA Path");
+    _CA_path = rootCAPath;
+}
+
 void SSLClient::setCertificate (const char *client_ca)
 {
     log_d("Set client CA");

libraries/SSLClient/src/SSLClient.h

@@ -32,6 +32,7 @@ class SSLClient : public Client
     int _timeout = 0;
     bool _use_insecure;
     const char *_CA_cert;
+    const char *_CA_path;
     const char *_cert;
     const char *_private_key;
     const char *_pskIdent; // identity for PSK cipher suites
@@ -44,14 +45,15 @@ class SSLClient : public Client
 public:
     SSLClient();
     SSLClient(Client* client);
+    SSLClient(Client* client, String ca_path);
     ~SSLClient();
 
     int connect(IPAddress ip, uint16_t port);
     int connect(IPAddress ip, uint16_t port, int32_t timeout);
     int connect(const char *host, uint16_t port);
     int connect(const char *host, uint16_t port, int32_t timeout);
-    int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
-    int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+    int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *rootCAPath, const char *cli_cert, const char *cli_key);
+    int connect(const char *host, uint16_t port, const char *rootCABuff, const char *rootCAPath, const char *cli_cert, const char *cli_key);
     int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey);
     int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey);
 
@@ -69,6 +71,7 @@ class SSLClient : public Client
 
     void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
     void setCACert(const char *rootCA);
+    void setCAPath(const char *rootCAPath);
     void setCertificate(const char *client_ca);
     void setPrivateKey (const char *private_key);
     bool loadCACert(Stream& stream, size_t size);

libraries/SSLClient/src/ssl_client.cpp

@@ -12,6 +12,7 @@
 #include <algorithm>
 #include <string>
 #include "ssl_client.h"
+#include "ssl_fs_io.h"
 
 
 #if !defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && !defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@@ -59,7 +60,7 @@ static int client_net_recv( void *ctx, unsigned char *buf, size_t len ) {
     //if (!client->connected()) {
     //    log_e("Not connected!");
     //    return -2;
-   // }
+    //}
 
     int result = client->read(buf, len);
     log_d("SSL client RX res=%d len=%d", result, len);
@@ -139,7 +140,7 @@ static int client_net_send( void *ctx, const unsigned char *buf, size_t len ) {
 }
 
 
-void ssl_init(sslclient_context *ssl_client, Client *client)
+void ssl_init(sslclient_context *ssl_client, Client *client, const char * ca_path)
 {
     // reset embedded pointers to zero
     memset(ssl_client, 0, sizeof(sslclient_context));
@@ -152,10 +153,12 @@ void ssl_init(sslclient_context *ssl_client, Client *client)
 
     mbedtls_ssl_conf_dbg(&ssl_client->ssl_conf, mbedtls_debug_print, NULL);
     mbedtls_debug_set_threshold(DEBUG_LEVEL);
+
+    mbedtls_fs_init(ca_path);
 }
 
 
-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure)
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *rootCAPath, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure)
 {
     char buf[512];
     int ret, flags;
@@ -243,6 +246,24 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
             log_e("mbedtls_ssl_conf_psk returned %d", ret);
             return handle_error(ret);
         }
+    } else if (rootCAPath != NULL){
+        log_v("Setting up filesystem default ca chain with path %s", rootCAPath);
+        mbedtls_x509_crt_init(&ssl_client->ca_cert);
+        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+        ret = mbedtls_x509_crt_parse_path(&ssl_client->ca_cert, rootCAPath);
+        if(ret != 0) {
+            if(ret < 0) {
+                log_e("error parsing ca certs from filesystem");
+                return handle_error(ret);
+            } else {
+                log_w("partly parsed %d certs from filesystem", ret);
+            }
+        }
+        mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
+        if (ret < 0) {
+            mbedtls_x509_crt_free(&ssl_client->ca_cert);
+            return handle_error(ret);
+        }
     } else {
         return -1;
     }
@@ -316,12 +337,14 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
         mbedtls_x509_crt_verify_info(buf, sizeof(buf), "  ! ", flags);
         log_e("Failed to verify peer certificate! verification info: %s", buf);
         stop_ssl_socket(ssl_client, rootCABuff, cli_cert, cli_key);  //It's not safe continue.
+
         return handle_error(ret);
     } else {
         log_v("Certificate verified.");
     }
 
-    if (rootCABuff != NULL) {
+    if ((rootCABuff != NULL) || ((rootCAPath != NULL))) {
+        log_e("free buffer");
         mbedtls_x509_crt_free(&ssl_client->ca_cert);
     }
 

libraries/SSLClient/src/ssl_client.h

@@ -35,12 +35,14 @@ typedef struct sslclient_context {
     mbedtls_x509_crt client_cert;
     mbedtls_pk_context client_key;
 
+    char* ca_path;
+
     unsigned long handshake_timeout;
 } sslclient_context;
 
 
-void ssl_init(sslclient_context *ssl_client, Client *client);
-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure);
+void ssl_init(sslclient_context *ssl_client, Client *client, const char *ca_path);
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *rootCAPath, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure);
 void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 int data_to_read(sslclient_context *ssl_client);
 int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);

libraries/SSLClient/src/ssl_fs_io.cpp

@@ -0,0 +1,50 @@
+/*
+  ssl_fs_io.cpp
+  Copyright (c) 2023 Arduino SA.  All right reserved.
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include "Arduino.h"
+#include "QSPIFlashBlockDevice.h"
+#include "FATFileSystem.h"
+#include "ssl_fs_io.h"
+#include "ssl_debug.h"
+
+static BlockDevice * get_mbedtls_bd()
+{
+  static QSPIFlashBlockDevice root(PIN_QSPI_CLK, PIN_QSPI_SS, PIN_QSPI_D0, PIN_QSPI_D1, PIN_QSPI_D2, PIN_QSPI_D3);
+  return &root;
+}
+
+static FATFileSystem * get_mbedtls_fs()
+{
+  static FATFileSystem mbedtls_fs("mbedtls");
+  return &mbedtls_fs;
+}
+
+void mbedtls_fs_init(const char * path)
+{
+  if(!path) {
+    return;
+  }
+  
+  BlockDevice * bd = get_mbedtls_bd();
+  FATFileSystem *fs = get_mbedtls_fs();
+
+  if(!fs->mount(bd)) {
+    //log_e("Failed to mount mbedtls fs");
+  }
+}

libraries/SSLClient/src/ssl_fs_io.h

@@ -0,0 +1,31 @@
+/*
+  ssl_fs_io.h
+  Copyright (c) 2023 Arduino SA.  All right reserved.
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#ifndef SSL_FS_IO_H_INC
+#define SSL_FS_IO_H_INC
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+void mbedtls_fs_init(const char * path);
+#ifdef __cplusplus
+}
+#endif
+
+#endif // #ifndef SSL_FS_IO_H_INC

libraries/WiFi/src/WiFiSSLClient.cpp

@@ -6,14 +6,17 @@ WiFiSSLClient::WiFiSSLClient()
 
   sslclient = new sslclient_context;
   _client = new WiFiClient;
-  ssl_init(sslclient, _client);
+
   _timeout = 1000;
   _CA_cert = NULL;
+  _CA_path = "/mbedtls";
   _cert = NULL;
   _private_key = NULL;
   _pskIdent = NULL;
   _psKey = NULL;
 
+  ssl_init(sslclient, _client, _CA_path);
+
   sslclient->handshake_timeout = 5000;
 }