From dea4e6677a462f048b925773a3a7da3ca8e21357 Mon Sep 17 00:00:00 2001
From: david gauchard
Date: Thu, 15 Jul 2021 02:33:48 +0200
Subject: [PATCH 01/10] certificated updater
---
 .../BearSSL_Validation/BearSSL_Validation.ino | 66 +++---------
 .../examples/BearSSL_Validation/certs.h | 58 ++++++++++
 .../examples/BearSSL_Validation/makecert | 1 +
 tools/cert.py | 101 ++++++++++++++++++
 4 files changed, 173 insertions(+), 53 deletions(-)
 create mode 100644 libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
 create mode 100755 libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert
 create mode 100644 tools/cert.py
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
index 9b02afd986..759c4e1c7a 100644
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -8,6 +8,7 @@
 #include
 #include
 #include
+#include "certs.h"
 #ifndef STASSID
 #define STASSID "your-ssid"
@@ -17,8 +18,6 @@
 const char *ssid = STASSID;
 const char *pass = STAPSK;
-const char * host = "api.github.com";
-const uint16_t port = 443;
 const char * path = "/";
 // Set time via NTP, as required for x.509 validation
@@ -92,7 +91,7 @@ If there are no CAs or insecure options specified, BearSSL will not connect.
 Expect the following call to fail as none have been configured.
 )EOF");
 BearSSL::WiFiClientSecure client;
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 }
 void fetchInsecure() {
@@ -103,7 +102,7 @@ which is subject to man-in-the-middle (MITM) attacks.
 )EOF");
 BearSSL::WiFiClientSecure client;
 client.setInsecure();
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 }
 void fetchFingerprint() {
@@ -116,9 +115,8 @@ fingerprints will change if anything changes in the certificate chain
 the root authorities, etc.).
 )EOF");
 BearSSL::WiFiClientSecure client;
- static const char fp[] PROGMEM = "59:74:61:88:13:CA:12:34:15:4D:11:0A:C1:7F:E6:67:07:69:42:F5";
- client.setFingerprint(fp);
- fetchURL(&client, host, port, path);
+ client.setFingerprint(fingerprint___github_com);
+ fetchURL(&client, github_host, github_port, path);
 }
 void fetchSelfSigned() {
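Review bot: `client.setFingerprint(fingerprint___github_com)` now pins a value taken from the generated certs.h, whose entry for the leaf is annotated `not valid after: 2022-03-30 23:59:59`, so this branch and fetchKnownKey's `pubkey___github_com` in the next hunk will start failing at the server's next certificate rotation with no hint in the sketch itself. The explanatory text above would benefit from one line such as `Fingerprints and public keys are read from certs.h; re-run makecert to refresh them when the server certificate changes.` The certs.h comments carry the validity window, but the serial output is what a user sees when the example stops working.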
@@ -142,51 +140,13 @@ needs to be paired with the private key of the site, which is obviously
 private and not shared. A MITM without the private key would not be able to establish communications.
 )EOF");
- // Extracted by: openssl x509 -pubkey -noout -in servercert.pem
- static const char pubkey[] PROGMEM = R"KEY(
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+3Up8qBkIn/7S9AfWlH
-Od8SdXmnWx+JCIHvnWzjFcLeLvQb2rMqqCDL5XDlvkyC5SZ8ZyLITemej5aJYuBv
-zcKPzyZ0QfYZiskU9nzL2qBQj8alzJJ/Cc32AWuuWrPrzVxBmOEW9gRCGFCD3m0z
-53y6GjcmBS2wcX7RagqbD7g2frEGko4G7kmW96H6dyh2j9Rou8TwAK6CnbiXPAM/
-5Q6dyfdYlHOCgP75F7hhdKB5gpprm9A/OnQsmZjUPzy4u0EKCxE8MfhBerZrZdod
-88ZdDG3CvTgm050bc+lGlbsT+s09lp0dgxSZIeI8+syV2Owt4YF/PdjeeymtzQdI
-wQIDAQAB
------END PUBLIC KEY-----
-)KEY";
 BearSSL::WiFiClientSecure client;
- BearSSL::PublicKey key(pubkey);
+ BearSSL::PublicKey key(pubkey___github_com);
 client.setKnownKey(&key);
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 }
 void fetchCertAuthority() {
- static const char digicert[] PROGMEM = R"EOF(
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
-RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
-+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
-PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
-xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
-Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
-hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
-EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
-FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
-eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
-hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
-Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
-vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
-+OkuE6N36B9K
------END CERTIFICATE-----
-)EOF";
-
 Serial.printf(R"EOF(
 A specific certification authority can be passed in and used to validate
 a chain of certificates from a given server. These will be validated
@@ -197,14 +157,14 @@ BearSSL does verify the notValidBefore/After fields.
 )EOF");
 BearSSL::WiFiClientSecure client;
- BearSSL::X509List cert(digicert);
+ BearSSL::X509List cert(pubkey_DigiCert_High_Assurance_EV_Root_CA);
 client.setTrustAnchors(&cert);
 Serial.printf("Try validating without setting the time (should fail)\n");
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 Serial.printf("Try again after setting NTP time (should pass)\n");
 setClock();
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 }
 void fetchFaster() {
@@ -217,18 +177,18 @@ may make sense
 BearSSL::WiFiClientSecure client;
 client.setInsecure();
 uint32_t now = millis();
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 uint32_t delta = millis() - now;
 client.setInsecure();
 client.setCiphersLessSecure();
 now = millis();
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 uint32_t delta2 = millis() - now;
 std::vector myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
 client.setInsecure();
 client.setCiphers(myCustomList);
 now = millis();
- fetchURL(&client, host, port, path);
+ fetchURL(&client, github_host, github_port, path);
 uint32_t delta3 = millis() - now;
 Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
 }
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
new file mode 100644
index 0000000000..f6630b6daa
--- /dev/null
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h
@@ -0,0 +1,58 @@ + +// this file is autogenerated - any modification will be overwritten +// unused symbols will not be linked in the final binary +// generated on 2021-07-15 02:30:37 +// by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] + +#pragma once + +//////////////////////////////////////////////////////////// +// certificate chain for api.github.com:443 + +const char* github_host = "api.github.com"; +const uint16_t github_port = 443; + +// CN: *.github.com => name: __github_com +const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; +// not valid before: 2021-03-25 00:00:00 +// not valid after: 2022-03-30 23:59:59 +const char pubkey___github_com [] PROGMEM = R"PUBKEY( +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElL9/+0TidTIALPfU/tiS6pI8zAIk +rU4pohUldVc0bb6O3FARl3cnqIDK9SoF65z3xiR6XsnFS8F0Oy/chXR/kQ== +-----END PUBLIC KEY----- +)PUBKEY"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt +// CN: DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 => name: DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 +const char fingerprint_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = "30:c1:79:c0:79:09:e2:c4:cf:d5:25:32:21:4e:c8:86:e2:02:70:6a"; +// not valid before: 2020-12-17 00:00:00 +// not valid after: 2030-12-16 23:59:59 +const char pubkey_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"PUBKEY( +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZ71v8Tzrnb7QtudsE6vXn+n23RXl +j5DrHH6UU5HIrh4+1HLpkEh95c5DxCMdCqXrFmvHqbJLO0MJGeH1P05H/Q== +-----END PUBLIC KEY----- +)PUBKEY"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt +// CN: DigiCert High Assurance EV Root CA => name: DigiCert_High_Assurance_EV_Root_CA +const char fingerprint_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = "5f:b7:ee:06:33:e2:59:db:ad:0c:4c:9a:e6:d3:8f:1a:61:c7:dc:25"; +// not 
valid before: 2006-11-10 00:00:00 +// not valid after: 2031-11-10 00:00:00 +const char pubkey_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"PUBKEY( +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l +gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC +90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ +ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5 +XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS +8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL +ywIDAQAB +-----END PUBLIC KEY----- +)PUBKEY"; + + +// end of certificate chain for api.github.com:443 +//////////////////////////////////////////////////////////// + diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert b/libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert new file mode 100755 index 0000000000..7b3cc22c8f --- /dev/null +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert @@ -0,0 +1 @@ +python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h diff --git a/tools/cert.py b/tools/cert.py new file mode 100644 index 0000000000..bb3f600021 --- /dev/null +++ b/tools/cert.py 
@@ -0,0 +1,101 @@
+
+import urllib.request
+import re
+import ssl
+import sys
+import socket
+import argparse
+import datetime
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.serialization import pkcs7
+from cryptography.hazmat.primitives.serialization import Encoding
+from cryptography.hazmat.primitives.serialization import PublicFormat
+
+def printDer(der):
+ try:
+ xcert = x509.load_der_x509_certificate(der)
+ except:
+ xcert = pkcs7.load_der_pkcs7_certificates(der)
+ if len(xcert) > 1:
+ print('// Warning: TODO: pkcs7 has {} entries'.format(len(xcert)))
+ xcert = xcert[0]
+ cn = ''
+ for dn in xcert.subject.rfc4514_string().split(','):
+ keyval = dn.split('=')
+ if keyval[0] == 'CN':
+ cn += keyval[1]
+ name = re.sub('[^a-zA-Z0-9_]', '_', cn)
+ print('// CN: {} => name: {}'.format(cn, name))
+ fingerprint = xcert.fingerprint(hashes.SHA1()).hex(':')
+ print('const char fingerprint_{} [] PROGMEM = "{}";'.format(name, fingerprint))
+ print('// not valid before:', xcert.not_valid_before)
+ print('// not valid after: ', xcert.not_valid_after)
+ pem = xcert.public_key().public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
+ print('const char pubkey_{} [] PROGMEM = R"PUBKEY('.format(name))
+ print(pem + ')PUBKEY";')
+
+ cas = []
+ for ext in xcert.extensions:
+ if ext.oid == x509.ObjectIdentifier("1.3.6.1.5.5.7.1.1"):
+ for desc in ext.value:
+ if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS:
+ cas.append(desc.access_location.value)
+ for ca in cas:
+ with urllib.request.urlopen(ca) as crt:
+ print()
+ print('// ' + ca)
+ printDer(crt.read())
+ print()
+
+def get_certificate(hostname, port, name):
+ context = ssl.create_default_context()
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+ with socket.create_connection((hostname, port)) as sock:
+ with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+ print('////////////////////////////////////////////////////////////')
+ print('// certificate chain for {}:{}'.format(hostname, port))
+ print()
+ if name:
+ print('const char* {}_host = "{}";'.format(name, hostname));
+ print('const uint16_t {}_port = {};'.format(name, port));
+ print()
+ printDer(ssock.getpeercert(binary_form=True))
+ print('// end of certificate chain for {}:{}'.format(hostname, port))
+ print('////////////////////////////////////////////////////////////')
+ print()
+ return 0
+
+def main():
+ parser = argparse.ArgumentParser(description='Report the different segment sizes of a compiled ELF file')
+ parser.add_argument('-s', '--server', action='store', required=True, help='TLS server dns name')
+ parser.add_argument('-p', '--port', action='store', required=False, help='TLS server port')
+ parser.add_argument('-n', '--name', action='store', required=False, help='variable name')
+ port = 443
+ print()
+ print('// this file is autogenerated - any modification will be overwritten')
+ print('// unused symbols will not be linked in the final binary')
+ print('// generated on {}'.format(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")))
+ print('// by {}'.format(sys.argv))
+ print()
+ print('#pragma once')
+ print()
+ args = parser.parse_args()
+ server = args.server
+ port = 443
+ try:
+ split = server.split(':')
+ server = split[0]
+ port = int(split[1])
+ except:
+ pass
+ try:
+ port = int(args.port)
+ except:
+ pass
+ return get_certificate(server, port, args.name)
+
+if __name__ == '__main__':
+ sys.exit(main())
From 873da9c84927709058dea1f605e92c4d41e2d746 Mon Sep 17 00:00:00 2001
From: david gauchard
Date: Thu, 15 Jul 2021 16:28:47 +0200
Subject: [PATCH 02/10] make it executable
---
 tools/cert.py | 1 +
 1 file changed, 1 insertion(+)
 mode change 100644 => 100755 tools/cert.py
diff --git a/tools/cert.py b/tools/cert.py
old mode 100644
new mode 100755
index bb3f600021..d376190e73
--- a/tools/cert.py
+++ b/tools/cert.py
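Review bot: get_certificate fetches the certificate that the sketches will later pin or use as a trust anchor with `context.check_hostname = False` and `context.verify_mode = ssl.CERT_NONE`, and printDer then downloads the issuer certificates from the AIA URLs over plain http without checking that each downloaded certificate is actually the issuer of the one below it, so the generated certs.h reflects whatever was on the network path when makecert ran. Keep the verifying default for the TLS fetch (drop those two lines; `ssl.create_default_context()` already validates against the system store, and a server whose chain does not validate there is exactly the case that deserves a visible error rather than a silently generated header) and, after parsing an AIA download, compare its `subject` with the child certificate's `issuer` and warn or skip on a mismatch. Separately, the argparse description `'Report the different segment sizes of a compiled ELF file'` belongs to another tool and should describe this one, and the two bare `except: pass` blocks in main turn a mistyped `host:port` or `-p` value into a silent fallback to 443. The preamble is also printed before `parser.parse_args()`, so `--help` output and argument errors are preceded by it.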
@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 import urllib.request
 import re
From bf8c888262dae65cb7e3911525ad42bfb0fef420 Mon Sep 17 00:00:00 2001
From: david gauchard
Date: Fri, 16 Jul 2021 01:24:04 +0200
Subject: [PATCH 03/10] load certificates for authorities, not only pubkeys
---
 tools/cert.py | 44 +++++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/tools/cert.py b/tools/cert.py
index d376190e73..3f75313740 100755
--- a/tools/cert.py
+++ b/tools/cert.py
@@ -14,14 +14,21 @@ from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.hazmat.primitives.serialization import PublicFormat
-def printDer(der):
+def printData(data, showPub = True):
 try:
- xcert = x509.load_der_x509_certificate(der)
+ xcert = x509.load_der_x509_certificate(data)
 except:
- xcert = pkcs7.load_der_pkcs7_certificates(der)
- if len(xcert) > 1:
- print('// Warning: TODO: pkcs7 has {} entries'.format(len(xcert)))
- xcert = xcert[0]
+ try:
+ xcert = x509.load_pem_x509_certificate(data)
+ except:
+ try:
+ xcert = pkcs7.load_der_pkcs7_certificates(data)
+ except:
+ xcert = pkcs7.load_pem_pkcs7_certificates(data)
+ if len(xcert) > 1:
+ print('// Warning: TODO: pkcs7 has {} entries'.format(len(xcert)))
+ xcert = xcert[0]
+
 cn = ''
 for dn in xcert.subject.rfc4514_string().split(','):
 keyval = dn.split('=')
@@ -29,14 +36,25 @@ def printDer(der):
 cn += keyval[1]
 name = re.sub('[^a-zA-Z0-9_]', '_', cn)
 print('// CN: {} => name: {}'.format(cn, name))
- fingerprint = xcert.fingerprint(hashes.SHA1()).hex(':')
- print('const char fingerprint_{} [] PROGMEM = "{}";'.format(name, fingerprint))
+
 print('// not valid before:', xcert.not_valid_before)
 print('// not valid after: ', xcert.not_valid_after)
- pem = xcert.public_key().public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
- print('const char pubkey_{} [] PROGMEM = R"PUBKEY('.format(name))
- print(pem + ')PUBKEY";')
+
+ if showPub:
+
+ fingerprint = xcert.fingerprint(hashes.SHA1()).hex(':')
+ print('const char fingerprint_{} [] PROGMEM = "{}";'.format(name, fingerprint))
+
+ pem = xcert.public_key().public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo).decode('utf-8')
+ print('const char pubkey_{} [] PROGMEM = R"PUBKEY('.format(name))
+ print(pem + ')PUBKEY";')
+ else:
+
+ cert = xcert.public_bytes(Encoding.PEM).decode('utf-8')
+ print('const char cert_{} [] PROGMEM = R"CERT('.format(name))
+ print(cert + ')CERT";')
+
 cas = []
 for ext in xcert.extensions:
 if ext.oid == x509.ObjectIdentifier("1.3.6.1.5.5.7.1.1"):
@@ -47,7 +65,7 @@ def printDer(der):
 with urllib.request.urlopen(ca) as crt:
 print()
 print('// ' + ca)
- printDer(crt.read())
+ printData(crt.read(), False)
 print()
 def get_certificate(hostname, port, name):
@@ -63,7 +81,7 @@ def get_certificate(hostname, port, name):
 print('const char* {}_host = "{}";'.format(name, hostname));
 print('const uint16_t {}_port = {};'.format(name, port));
 print()
- printDer(ssock.getpeercert(binary_form=True))
+ printData(ssock.getpeercert(binary_form=True))
 print('// end of certificate chain for {}:{}'.format(hostname, port))
 print('////////////////////////////////////////////////////////////')
 print()
From b8f1b2f8ec6b7b811a35553243a05097fc2e2c87 Mon Sep 17 00:00:00 2001
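Review bot: The four nested bare `except:` clauses in the new printData (hunk `@@ -14,14 +14,21 @@`, which starts on the previous line) catch everything, including KeyboardInterrupt, and when all four loaders reject the input the error from the last one propagates with three chained tracebacks that say nothing about which format was expected. The cryptography loaders raise ValueError on data they cannot parse, so a loop over the four loaders catching only that, followed by one explicit error, is clearer and fails usefully. The pkcs7 loaders return a list while the x509 loaders return a single certificate, so the `len(xcert) > 1` check is better keyed on the result type than on which nesting level was reached; the collapsed indentation makes it hard to tell which branch it currently belongs to. printData's body continues below this hunk.
```python
def printData(data, showPub = True):
    loaders = (x509.load_der_x509_certificate,
               x509.load_pem_x509_certificate,
               pkcs7.load_der_pkcs7_certificates,
               pkcs7.load_pem_pkcs7_certificates)
    xcert = None
    for load in loaders:
        try:
            xcert = load(data)
            break
        except ValueError:
            continue
    if xcert is None:
        raise ValueError('data is neither a DER/PEM certificate nor a PKCS#7 bundle')
    if isinstance(xcert, list):
        if len(xcert) > 1:
            print('// Warning: TODO: pkcs7 has {} entries'.format(len(xcert)))
        xcert = xcert[0]
    # ... unchanged: CN extraction and output ...
```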
From: david gauchard Date: Fri, 16 Jul 2021 01:45:40 +0200 Subject: [PATCH 04/10] certify bearssl-sessions example --- .../BearSSL_Sessions/BearSSL_Sessions.ino | 38 ++------ .../examples/BearSSL_Sessions/certs.h | 90 +++++++++++++++++++ .../examples/BearSSL_Sessions/makecert | 1 + .../BearSSL_Validation/BearSSL_Validation.ino | 2 +- .../examples/BearSSL_Validation/certs.h | 74 ++++++++++----- .../examples/HTTPSRequest/HTTPSRequest.ino | 46 ++-------- .../ESP8266WiFi/examples/HTTPSRequest/certs.h | 90 +++++++++++++++++++ .../examples/HTTPSRequest/makecert | 1 + 8 files changed, 248 insertions(+), 94 deletions(-) create mode 100644 libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h create mode 100755 libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert create mode 100644 libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h create mode 100755 libraries/ESP8266WiFi/examples/HTTPSRequest/makecert diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/BearSSL_Sessions.ino b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/BearSSL_Sessions.ino index da36647d31..fa03c7fa38 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/BearSSL_Sessions.ino +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/BearSSL_Sessions.ino @@ -5,6 +5,7 @@ #include #include +#include "certs.h" #ifndef STASSID #define STASSID "your-ssid" @@ -14,8 +15,6 @@ const char *ssid = STASSID; const char *pass = STAPSK; -const char * host = "api.github.com"; -const uint16_t port = 443; const char * path = "/"; void setup() { 
@@ -97,39 +96,14 @@ void fetchURL(BearSSL::WiFiClientSecure *client, const char *host, const uint16_ void loop() { - static const char digicert[] PROGMEM = R"EOF( ------BEGIN CERTIFICATE----- -MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL -MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 -LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug -RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm -+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW -PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM -xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB -Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 -hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg -EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF -MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA -FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec -nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z -eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF -hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 -Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe -vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep -+OkuE6N36B9K ------END CERTIFICATE----- -)EOF"; uint32_t start, finish; BearSSL::WiFiClientSecure client; - BearSSL::X509List cert(digicert); + BearSSL::X509List cert(cert_DigiCert_High_Assurance_EV_Root_CA); Serial.printf("Connecting without sessions..."); start = millis(); client.setTrustAnchors(&cert); - fetchURL(&client, host, port, path); + fetchURL(&client, github_host, github_port, path); finish = millis(); Serial.printf("Total time: %dms\n", finish - start); 
@@ -138,21 +112,21 @@ vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep Serial.printf("Connecting with an uninitialized session..."); start = millis(); client.setTrustAnchors(&cert); - fetchURL(&client, host, port, path); + fetchURL(&client, github_host, github_port, path); finish = millis(); Serial.printf("Total time: %dms\n", finish - start); Serial.printf("Connecting with the just initialized session..."); start = millis(); client.setTrustAnchors(&cert); - fetchURL(&client, host, port, path); + fetchURL(&client, github_host, github_port, path); finish = millis(); Serial.printf("Total time: %dms\n", finish - start); Serial.printf("Connecting again with the initialized session..."); start = millis(); client.setTrustAnchors(&cert); - fetchURL(&client, host, port, path); + fetchURL(&client, github_host, github_port, path); finish = millis(); Serial.printf("Total time: %dms\n", finish - start); diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h new file mode 100644 index 0000000000..0f5fa339dc --- /dev/null +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h 
@@ -0,0 +1,90 @@ + +// this file is autogenerated - any modification will be overwritten +// unused symbols will not be linked in the final binary +// generated on 2021-07-16 01:36:22 +// by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] + +#pragma once + +//////////////////////////////////////////////////////////// +// certificate chain for api.github.com:443 + +const char* github_host = "api.github.com"; +const uint16_t github_port = 443; + +// CN: *.github.com => name: __github_com +// not valid before: 2021-03-25 00:00:00 +// not valid after: 2022-03-30 23:59:59 +const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; +const char pubkey___github_com [] PROGMEM = R"PUBKEY( +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElL9/+0TidTIALPfU/tiS6pI8zAIk +rU4pohUldVc0bb6O3FARl3cnqIDK9SoF65z3xiR6XsnFS8F0Oy/chXR/kQ== +-----END PUBLIC KEY----- +)PUBKEY"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt +// CN: DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 => name: DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 +// not valid before: 2020-12-17 00:00:00 +// not valid after: 2030-12-16 23:59:59 +const char cert_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIQBmcDW7sU/WOvwNaoU07+FjANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTIwMTIxNzAwMDAwMFoXDTMwMTIxNjIzNTk1OVowZzEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMT8wPQYDVQQDEzZE +aWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBUTFMgSHlicmlkIEVDQyBTSEEyNTYgMjAy +MCBDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnvW/xPOudvtC252wTq9ef +6fbdFeWPkOscfpRTkciuHj7UcumQSH3lzkPEIx0KpesWa8epsks7QwkZ4fU/Tkf9 +o4IBhzCCAYMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUUGGmoNI1xBEq 
+II0fD6xC8M0pz0swHwYDVR0jBBgwFoAUsT7DaQP4v0cB1JgmGggC72NkK8MwDgYD +VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB/Bggr +BgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv +bTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD +ZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNydDBLBgNVHR8ERDBCMECgPqA8hjpo +dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZS +b290Q0EuY3JsMDAGA1UdIAQpMCcwCAYGZ4EMAQICMAgGBmeBDAECAzAHBgVngQwB +ATAIBgZngQwBAgEwDQYJKoZIhvcNAQELBQADggEBAHMQH8hhiBfNbxwEwxbbTAnu +jPyUh/oi0JrfZI3u9JuiLqca720D6foS/AB5+4EIxpm7CMG4MdN/l7oAiDipaCPv +mOmpYUpnT7A63Cr0q4g84rI1ZmdqA40lVUUf6qC6E34tC73qDQF8TJSrfscWFdCl +RXR9J4QGrkZ2VNMSDzlDRzWCaA95MfO8x01l+ZdopdE8FvM78gGd4zxeWb8v991+ +mBxTDepqKuy/jF5Rm6Bhfxr33ADRs60s1t16dtZ3pOYLALBTPD5KhZ6a+/dk5dnh +6c4PaeZQYBUAh+GuxfaBlU4qQ8EtjBMCQHreMIwXHYHW5FRYGjgR4NMuaIw2jD0= +-----END CERTIFICATE----- +)CERT"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt +// CN: DigiCert High Assurance EV Root CA => name: DigiCert_High_Assurance_EV_Root_CA +// not valid before: 2006-11-10 00:00:00 +// not valid after: 2031-11-10 00:00:00 +const char cert_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug +RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm ++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW +PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM +xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB +Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg +EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA +FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec +nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z +eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF +hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 +Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep ++OkuE6N36B9K +-----END CERTIFICATE----- +)CERT"; + + +// end of certificate chain for api.github.com:443 +//////////////////////////////////////////////////////////// + diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert new file mode 100755 index 0000000000..7b3cc22c8f --- /dev/null +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert @@ -0,0 +1 @@ +python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino index 759c4e1c7a..ff8f735548 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino @@ -157,7 +157,7 @@ BearSSL does verify the notValidBefore/After fields. )EOF"); BearSSL::WiFiClientSecure client; - BearSSL::X509List cert(pubkey_DigiCert_High_Assurance_EV_Root_CA); + BearSSL::X509List cert(cert_DigiCert_High_Assurance_EV_Root_CA); client.setTrustAnchors(&cert); Serial.printf("Try validating without setting the time (should fail)\n"); fetchURL(&client, github_host, github_port, path); 
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h index f6630b6daa..44d7ac7260 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-15 02:30:37 +// generated on 2021-07-16 00:48:39 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once @@ -13,9 +13,9 @@ const char* github_host = "api.github.com"; const uint16_t github_port = 443; // CN: *.github.com => name: __github_com -const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; // not valid before: 2021-03-25 00:00:00 // not valid after: 2022-03-30 23:59:59 +const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; const char pubkey___github_com [] PROGMEM = R"PUBKEY( -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElL9/+0TidTIALPfU/tiS6pI8zAIk 
@@ -25,32 +25,64 @@ rU4pohUldVc0bb6O3FARl3cnqIDK9SoF65z3xiR6XsnFS8F0Oy/chXR/kQ== // http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt // CN: DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 => name: DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 -const char fingerprint_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = "30:c1:79:c0:79:09:e2:c4:cf:d5:25:32:21:4e:c8:86:e2:02:70:6a"; // not valid before: 2020-12-17 00:00:00 // not valid after: 2030-12-16 23:59:59 -const char pubkey_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"PUBKEY( ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZ71v8Tzrnb7QtudsE6vXn+n23RXl -j5DrHH6UU5HIrh4+1HLpkEh95c5DxCMdCqXrFmvHqbJLO0MJGeH1P05H/Q== ------END PUBLIC KEY----- -)PUBKEY"; +const char cert_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIQBmcDW7sU/WOvwNaoU07+FjANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTIwMTIxNzAwMDAwMFoXDTMwMTIxNjIzNTk1OVowZzEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMT8wPQYDVQQDEzZE +aWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBUTFMgSHlicmlkIEVDQyBTSEEyNTYgMjAy +MCBDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnvW/xPOudvtC252wTq9ef +6fbdFeWPkOscfpRTkciuHj7UcumQSH3lzkPEIx0KpesWa8epsks7QwkZ4fU/Tkf9 +o4IBhzCCAYMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUUGGmoNI1xBEq +II0fD6xC8M0pz0swHwYDVR0jBBgwFoAUsT7DaQP4v0cB1JgmGggC72NkK8MwDgYD +VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB/Bggr +BgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv +bTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD +ZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNydDBLBgNVHR8ERDBCMECgPqA8hjpo +dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZS +b290Q0EuY3JsMDAGA1UdIAQpMCcwCAYGZ4EMAQICMAgGBmeBDAECAzAHBgVngQwB 
+ATAIBgZngQwBAgEwDQYJKoZIhvcNAQELBQADggEBAHMQH8hhiBfNbxwEwxbbTAnu +jPyUh/oi0JrfZI3u9JuiLqca720D6foS/AB5+4EIxpm7CMG4MdN/l7oAiDipaCPv +mOmpYUpnT7A63Cr0q4g84rI1ZmdqA40lVUUf6qC6E34tC73qDQF8TJSrfscWFdCl +RXR9J4QGrkZ2VNMSDzlDRzWCaA95MfO8x01l+ZdopdE8FvM78gGd4zxeWb8v991+ +mBxTDepqKuy/jF5Rm6Bhfxr33ADRs60s1t16dtZ3pOYLALBTPD5KhZ6a+/dk5dnh +6c4PaeZQYBUAh+GuxfaBlU4qQ8EtjBMCQHreMIwXHYHW5FRYGjgR4NMuaIw2jD0= +-----END CERTIFICATE----- +)CERT"; // http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt // CN: DigiCert High Assurance EV Root CA => name: DigiCert_High_Assurance_EV_Root_CA -const char fingerprint_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = "5f:b7:ee:06:33:e2:59:db:ad:0c:4c:9a:e6:d3:8f:1a:61:c7:dc:25"; // not valid before: 2006-11-10 00:00:00 // not valid after: 2031-11-10 00:00:00 -const char pubkey_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"PUBKEY( ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l -gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC -90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ -ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5 -XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS -8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL -ywIDAQAB ------END PUBLIC KEY----- -)PUBKEY"; +const char cert_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug +RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm ++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW 
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM +xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB +Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 +hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg +EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA +FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec +nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z +eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF +hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 +Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep ++OkuE6N36B9K +-----END CERTIFICATE----- +)CERT"; // end of certificate chain for api.github.com:443 diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino b/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino index 3767d1dbb1..9ccf3b6b37 100644 --- a/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/HTTPSRequest.ino @@ -13,6 +13,7 @@ #include #include +#include "certs.h" #ifndef STASSID #define STASSID "your-ssid" 
@@ -22,42 +23,7 @@ const char* ssid = STASSID; const char* password = STAPSK; -const char* host = "api.github.com"; -const int httpsPort = 443; - -// DigiCert High Assurance EV Root CA -const char trustRoot[] PROGMEM = R"EOF( ------BEGIN CERTIFICATE----- -MIIE6zCCBHGgAwIBAgIQAtX25VXj+RoJlA3D2bWkgzAKBggqhkjOPQQDAzBWMQsw -CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp -Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjEwMzA0MDAw -MDAwWhcNMjIwMzA5MjM1OTU5WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs -aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHVi -LCBJbmMuMRUwEwYDVQQDDAwqLmdpdGh1Yi5jb20wWTATBgcqhkjOPQIBBggqhkjO -PQMBBwNCAAQf8SePhtD7JeGm0YuTQ4HihyeENuvsNFdYPPIxIx6Lj9iOu2ECkgy4 -52UR+mhIF24OvPizDveyCFOqmG/MI7kwo4IDDTCCAwkwHwYDVR0jBBgwFoAUCrwI -KReMpTlteg7OM8cus+37w3owHQYDVR0OBBYEFP5TUYtiCp+N3FISu3CqxMlJhdG1 -MCMGA1UdEQQcMBqCDCouZ2l0aHViLmNvbYIKZ2l0aHViLmNvbTAOBgNVHQ8BAf8E -BAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIGXBgNVHR8EgY8w -gYwwRKBCoECGPmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5 -YnJpZEVDQ1NIQTM4NDIwMjBDQTEuY3JsMESgQqBAhj5odHRwOi8vY3JsNC5kaWdp -Y2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLmNybDA+ -BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRp -Z2ljZXJ0LmNvbS9DUFMwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0 -cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0 -cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0Ex -LmNydDAMBgNVHRMBAf8EAjAAMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUAKXm+ -8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF3/bWc4AAABAMARjBEAiBm -IdofaKj+XfeISM/2tjap1nQY1afFSBAcdw/YtgjmSQIgMqWoDyfO66suyk2VFcld -1C+WHUNGvXsCRPof5HG5QQgAdgAiRUUHWVUkVpY/oS/x922G4CMmY63AS39dxoNc -buIPAgAAAXf9tZ0CAAAEAwBHMEUCIQCJzwZRfAvv0izotFx2KE0sgV8O+NfuHUpa -1866RqKEtwIgc65P+xToSqPbp/J1gSFBJgySI/a1YoB+3p8xXTYaDsAwCgYIKoZI -zj0EAwMDaAAwZQIxAL8fIlMNWdeKHalpm9z+ksCuYT4tSN1ubXeNvDywr56me+yT -+fr42MnEcBdUtLOVOAIwPNC9fAJjyHHTL2vaRW1JRnrovLKDQVbZpZNIZnlY3WFu -kmxiBWDOpyfJrG9vQ25K 
------END CERTIFICATE----- -)EOF"; -X509List cert(trustRoot); +X509List cert(cert_DigiCert_High_Assurance_EV_Root_CA); void setup() { Serial.begin(115200); @@ -94,12 +60,12 @@ void setup() { // Use WiFiClientSecure class to create TLS connection WiFiClientSecure client; Serial.print("Connecting to "); - Serial.println(host); + Serial.println(github_host); - Serial.printf("Using certificate: %s\n", trustRoot); + Serial.printf("Using certificate: %s\n", cert_DigiCert_High_Assurance_EV_Root_CA); client.setTrustAnchors(&cert); - if (!client.connect(host, httpsPort)) { + if (!client.connect(github_host, github_port)) { Serial.println("Connection failed"); return; } @@ -109,7 +75,7 @@ void setup() { Serial.println(url); client.print(String("GET ") + url + " HTTP/1.1\r\n" + - "Host: " + host + "\r\n" + + "Host: " + github_host + "\r\n" + "User-Agent: BuildFailureDetectorESP8266\r\n" + "Connection: close\r\n\r\n"); diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h new file mode 100644 index 0000000000..51bada6f29 --- /dev/null +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h 
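Review bot: The new trust anchor `X509List cert(cert_DigiCert_High_Assurance_EV_Root_CA);` carries no comment saying what it anchors on or how it is maintained, and its symbol name is derived by tools/cert.py from the CA's CN, so a later regeneration that resolves a different last link in the chain silently changes which certificate the sketch trusts, or breaks the build if the name changes. I would add above it: `// Trust anchor: DigiCert High Assurance EV Root CA (self-signed, not valid after 2031-11-10 per certs.h); regenerate with ./certUpdate and re-check this symbol name after every update.` It is also worth recording there that the removed `trustRoot` was in fact the *.github.com leaf (its CN and 2022 expiry are visible in the removed base64), which is why the old pin broke on rotation, whereas a root anchor only needs the device clock set before connecting (the clock setup is not shown in this hunk). The file-scope declarations continue outside the hunk.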
@@ -0,0 +1,90 @@ + +// this file is autogenerated - any modification will be overwritten +// unused symbols will not be linked in the final binary +// generated on 2021-07-16 01:18:56 +// by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] + +#pragma once + +//////////////////////////////////////////////////////////// +// certificate chain for api.github.com:443 + +const char* github_host = "api.github.com"; +const uint16_t github_port = 443; + +// CN: *.github.com => name: __github_com +// not valid before: 2021-03-25 00:00:00 +// not valid after: 2022-03-30 23:59:59 +const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; +const char pubkey___github_com [] PROGMEM = R"PUBKEY( +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElL9/+0TidTIALPfU/tiS6pI8zAIk +rU4pohUldVc0bb6O3FARl3cnqIDK9SoF65z3xiR6XsnFS8F0Oy/chXR/kQ== +-----END PUBLIC KEY----- +)PUBKEY"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt +// CN: DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 => name: DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 +// not valid before: 2020-12-17 00:00:00 +// not valid after: 2030-12-16 23:59:59 +const char cert_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIQBmcDW7sU/WOvwNaoU07+FjANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTIwMTIxNzAwMDAwMFoXDTMwMTIxNjIzNTk1OVowZzEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMT8wPQYDVQQDEzZE +aWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBUTFMgSHlicmlkIEVDQyBTSEEyNTYgMjAy +MCBDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnvW/xPOudvtC252wTq9ef +6fbdFeWPkOscfpRTkciuHj7UcumQSH3lzkPEIx0KpesWa8epsks7QwkZ4fU/Tkf9 +o4IBhzCCAYMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUUGGmoNI1xBEq 
+II0fD6xC8M0pz0swHwYDVR0jBBgwFoAUsT7DaQP4v0cB1JgmGggC72NkK8MwDgYD +VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB/Bggr +BgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv +bTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD +ZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNydDBLBgNVHR8ERDBCMECgPqA8hjpo +dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZS +b290Q0EuY3JsMDAGA1UdIAQpMCcwCAYGZ4EMAQICMAgGBmeBDAECAzAHBgVngQwB +ATAIBgZngQwBAgEwDQYJKoZIhvcNAQELBQADggEBAHMQH8hhiBfNbxwEwxbbTAnu +jPyUh/oi0JrfZI3u9JuiLqca720D6foS/AB5+4EIxpm7CMG4MdN/l7oAiDipaCPv +mOmpYUpnT7A63Cr0q4g84rI1ZmdqA40lVUUf6qC6E34tC73qDQF8TJSrfscWFdCl +RXR9J4QGrkZ2VNMSDzlDRzWCaA95MfO8x01l+ZdopdE8FvM78gGd4zxeWb8v991+ +mBxTDepqKuy/jF5Rm6Bhfxr33ADRs60s1t16dtZ3pOYLALBTPD5KhZ6a+/dk5dnh +6c4PaeZQYBUAh+GuxfaBlU4qQ8EtjBMCQHreMIwXHYHW5FRYGjgR4NMuaIw2jD0= +-----END CERTIFICATE----- +)CERT"; + +// http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt +// CN: DigiCert High Assurance EV Root CA => name: DigiCert_High_Assurance_EV_Root_CA +// not valid before: 2006-11-10 00:00:00 +// not valid after: 2031-11-10 00:00:00 +const char cert_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"CERT( +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug +RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm ++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW +PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM +xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB +Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg +EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA +FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec +nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z +eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF +hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 +Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep ++OkuE6N36B9K +-----END CERTIFICATE----- +)CERT"; + + +// end of certificate chain for api.github.com:443 +//////////////////////////////////////////////////////////// + diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/makecert b/libraries/ESP8266WiFi/examples/HTTPSRequest/makecert new file mode 100755 index 0000000000..7b3cc22c8f --- /dev/null +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/makecert @@ -0,0 +1 @@ +python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h From b6cb634c0fdfd0e7a7a0ff0a16608929a7830709 Mon Sep 17 00:00:00 2001 
From: david gauchard Date: Fri, 16 Jul 2021 02:12:17 +0200 Subject: [PATCH 05/10] update scripts, update release document to run the script --- .../examples/BearSSL_CertStore/certUpdate | 2 ++ .../BearSSL_Sessions/{makecert => certUpdate} | 1 + .../examples/BearSSL_Sessions/certs.h | 2 +- .../{makecert => certUpdate} | 1 + .../examples/BearSSL_Validation/certs.h | 2 +- .../HTTPSRequest/{makecert => certUpdate} | 1 + .../ESP8266WiFi/examples/HTTPSRequest/certs.h | 2 +- package/README.md | 5 ++++- tools/cert.py | 19 ++++++++++--------- tools/certsUpdate | 6 ++++++ 10 files changed, 28 insertions(+), 13 deletions(-) create mode 100755 libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate rename libraries/ESP8266WiFi/examples/BearSSL_Sessions/{makecert => certUpdate} (75%) rename libraries/ESP8266WiFi/examples/BearSSL_Validation/{makecert => certUpdate} (75%) rename libraries/ESP8266WiFi/examples/HTTPSRequest/{makecert => certUpdate} (75%) create mode 100755 tools/certsUpdate diff --git a/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate new file mode 100755 index 0000000000..b6b48a95f1 --- /dev/null +++ b/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate @@ -0,0 +1,2 @@ +cd ${0%/*} 2>/dev/null +./certs-from-mozilla.py diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certUpdate similarity index 75% rename from libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert rename to libraries/ESP8266WiFi/examples/BearSSL_Sessions/certUpdate index 7b3cc22c8f..ba08b87c32 100755 --- a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/makecert +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certUpdate @@ -1 +1,2 @@ +cd ${0%/*} 2>/dev/null python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h 
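Review bot: `python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h` truncates certs.h before cert.py runs, so a network or TLS failure, or a usage error, leaves an empty or partial header that is then compiled or committed as-is; the same applies to the identical scripts in BearSSL_Validation and HTTPSRequest. Write to a temporary file and move it into place only on success: `python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h.tmp && mv certs.h.tmp certs.h`. The added `cd ${0%/*} 2>/dev/null` also ignores a failed cd, after which cert.py runs with relative paths from the caller's directory and writes certs.h there; `cd "${0%/*}" || exit 1` is safer, and since the script has no shebang line it should state in a comment which shell it expects.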
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h index 0f5fa339dc..ae420d4867 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 01:36:22 +// generated on 2021-07-16 02:10:32 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate similarity index 75% rename from libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert rename to libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate index 7b3cc22c8f..ba08b87c32 100755 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/makecert +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate @@ -1 +1,2 @@ +cd ${0%/*} 2>/dev/null python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h index 44d7ac7260..652caf36fb 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 00:48:39 +// generated on 2021-07-16 02:10:31 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once 
diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/makecert b/libraries/ESP8266WiFi/examples/HTTPSRequest/certUpdate similarity index 75% rename from libraries/ESP8266WiFi/examples/HTTPSRequest/makecert rename to libraries/ESP8266WiFi/examples/HTTPSRequest/certUpdate index 7b3cc22c8f..ba08b87c32 100755 --- a/libraries/ESP8266WiFi/examples/HTTPSRequest/makecert +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/certUpdate @@ -1 +1,2 @@ +cd ${0%/*} 2>/dev/null python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h index 51bada6f29..ae420d4867 100644 --- a/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 01:18:56 +// generated on 2021-07-16 02:10:32 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once diff --git a/package/README.md b/package/README.md index a56a11f5d9..9f0772c55f 100644 --- a/package/README.md +++ b/package/README.md @@ -112,7 +112,10 @@ The following points assume work in a direct clone of the repository, and not in * [platform.txt](https://github.com/esp8266/Arduino/blob/master/platform.txt) and [package.json](https://github.com/esp8266/Arduino/blob/master/package.json): update `version` to the release E.g. `3.0.0`, * [cores/esp8266/TZ.h](https://github.com/esp8266/Arduino/blob/master/cores/esp8266/TZ.h): import the latest database with the following shell command:\ - `$ cd tools; sh TZupdate.sh`. + `$ cd tools; sh TZupdate.sh` + + * certificates and public keys + `$ cd tools; sh certsUpdate` 5. Wait until the release notes have been checked by other maintainers diff --git a/tools/cert.py b/tools/cert.py index 3f75313740..fb6accd002 100755 
--- a/tools/cert.py +++ b/tools/cert.py @@ -88,19 +88,11 @@ def get_certificate(hostname, port, name): return 0 def main(): - parser = argparse.ArgumentParser(description='Report the different segment sizes of a compiled ELF file') + parser = argparse.ArgumentParser(description='download certificate chain and public keys under a C++/Arduino compilable form') parser.add_argument('-s', '--server', action='store', required=True, help='TLS server dns name') parser.add_argument('-p', '--port', action='store', required=False, help='TLS server port') parser.add_argument('-n', '--name', action='store', required=False, help='variable name') port = 443 - print() - print('// this file is autogenerated - any modification will be overwritten') - print('// unused symbols will not be linked in the final binary') - print('// generated on {}'.format(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))) - print('// by {}'.format(sys.argv)) - print() - print('#pragma once') - print() args = parser.parse_args() server = args.server port = 443 @@ -114,6 +106,15 @@ def main(): port = int(args.port) except: pass + + print() + print('// this file is autogenerated - any modification will be overwritten') + print('// unused symbols will not be linked in the final binary') + print('// generated on {}'.format(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))) + print('// by {}'.format(sys.argv)) + print() + print('#pragma once') + print() return get_certificate(server, port, args.name) if __name__ == '__main__': diff --git a/tools/certsUpdate b/tools/certsUpdate new file mode 100755 index 0000000000..98f42bb62c --- /dev/null +++ b/tools/certsUpdate @@ -0,0 +1,6 @@ + +# find `certUpdate` scripts in libraries, and execute them + +cd ${0%/*} 2>/dev/null +find ../libraries -name certUpdate -exec bash -c "echo 'updating {}...'; {};" \; +echo done From 9dca1da6b095a9353d57c8e49f9c72a265362141 Mon Sep 17 00:00:00 2001 
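Review bot: The port handling shown in context, `port = int(args.port)` inside a bare `except: pass`, silently falls back to 443 when `-p` is not an integer, so a typo pins the certificate chain of a different endpoint than the one requested without any error; declaring the option in the first hunk as `parser.add_argument('-p', '--port', type=int, default=443, help='TLS server port')` and dropping the try/except lets argparse reject bad input (the bare `except:` also swallows KeyboardInterrupt). Moving the header `print()` calls after `parse_args()` is right, but the header the script emits declares `const char* github_host` (visible in the generated certs.h), a mutable pointer with external linkage; `static const char* const` or `constexpr` would be the safer shape for a header, and that emission lives in get_certificate outside this hunk. Nothing in these hunks shows the downloaded chain being verified: per the generated comments each link is fetched from an `http://` AIA URL, so unless get_certificate checks that each certificate signs the previous one and stops at a self-signed root, a tampered download at generation time becomes a compiled-in trust anchor.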
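Review bot: `find ../libraries -name certUpdate -exec bash -c "echo 'updating {}...'; {};" \;` splices each found path into a shell command string, so a path containing whitespace or shell metacharacters is re-parsed as shell rather than executed as a file; pass the path as an argument instead: `find ../libraries -type f -name certUpdate -exec sh -c 'echo "updating $1..."; "$1"' _ {} \;`. The script also has no shebang (its first line is blank) and no `set -e`, so a failing certUpdate is not reported and `echo done` prints regardless; and `cd ${0%/*} 2>/dev/null` should be `cd "${0%/*}" || exit 1` so a failed cd does not run `find` against the wrong tree.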
From: david gauchard Date: Fri, 16 Jul 2021 02:13:11 +0200 Subject: [PATCH 06/10] remove useless script --- libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate | 2 -- libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h | 2 +- libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h | 2 +- libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h | 2 +- 4 files changed, 3 insertions(+), 5 deletions(-) delete mode 100755 libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate diff --git a/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate deleted file mode 100755 index b6b48a95f1..0000000000 --- a/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certUpdate +++ /dev/null @@ -1,2 +0,0 @@ -cd ${0%/*} 2>/dev/null -./certs-from-mozilla.py diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h index ae420d4867..c35a6d0db4 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Sessions/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 02:10:32 +// generated on 2021-07-16 02:12:55 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h index 652caf36fb..5e8afe355f 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h 
@@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 02:10:31 +// generated on 2021-07-16 02:12:54 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once diff --git a/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h index ae420d4867..5e8afe355f 100644 --- a/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h +++ b/libraries/ESP8266WiFi/examples/HTTPSRequest/certs.h @@ -1,7 +1,7 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 02:10:32 +// generated on 2021-07-16 02:12:54 // by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] #pragma once From daf4535dc3102835e6e6dfac483193fa8899fbb2 Mon Sep 17 00:00:00 2001 From: david gauchard Date: Fri, 16 Jul 2021 02:20:08 +0200 Subject: [PATCH 07/10] public domain in main script --- tools/cert.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/cert.py b/tools/cert.py index fb6accd002..7498d5ee62 100755 --- a/tools/cert.py +++ b/tools/cert.py @@ -1,5 +1,9 @@ #!/usr/bin/env python3 +# Script to download/update certificates and public keys +# and generate compilable source files for c++/Arduino. +# released to public domain + import urllib.request import re import ssl From e2cc02943b3360b2f6ba12e67a9caf0506db1433 Mon Sep 17 00:00:00 2001 From: david gauchard Date: Fri, 16 Jul 2021 21:30:05 +0200 Subject: [PATCH 08/10] fix missing EC curve initialization --- libraries/ESP8266WiFi/src/BearSSLHelpers.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp b/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp index 331ee5fd7f..08549cc99a 100644 --- a/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp +++ b/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp 
@@ -457,6 +457,7 @@ namespace brssl { } memcpy(pk->key.ec.q, ek->q, ek->qlen); pk->key.ec.qlen = ek->qlen; + pk->key.ec.curve = ek->curve; return pk; default: From 4d17d7b64ede6ab26b2fa8eeb877dd4bfbbc74de Mon Sep 17 00:00:00 2001 From: david gauchard Date: Sun, 18 Jul 2021 00:05:35 +0200 Subject: [PATCH 09/10] temporary workaround for EC keys issue: using gitlab instead of github in the example --- .../BearSSL_Validation/BearSSL_Validation.ino | 24 +-- .../examples/BearSSL_Validation/certUpdate | 2 +- .../examples/BearSSL_Validation/certs.h | 157 ++++++++++-------- 3 files changed, 104 insertions(+), 79 deletions(-) diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino index ff8f735548..b91570da11 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino @@ -91,7 +91,7 @@ If there are no CAs or insecure options specified, BearSSL will not connect. Expect the following call to fail as none have been configured. )EOF"); BearSSL::WiFiClientSecure client; - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); } void fetchInsecure() { @@ -102,7 +102,7 @@ which is subject to man-in-the-middle (MITM) attacks. )EOF"); BearSSL::WiFiClientSecure client; client.setInsecure(); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); } void fetchFingerprint() { @@ -115,8 +115,8 @@ fingerprints will change if anything changes in the certificate chain the root authorities, etc.). )EOF"); BearSSL::WiFiClientSecure client; - client.setFingerprint(fingerprint___github_com); - fetchURL(&client, github_host, github_port, path); + client.setFingerprint(fingerprint_gitlab_com); + fetchURL(&client, gitlab_host, gitlab_port, path); } void fetchSelfSigned() { 
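Review bot: The added `pk->key.ec.curve = ek->curve;` deserves a one-line comment, because the copied EC key looked structurally complete before and the omission was silent: `// curve id is part of the EC key; without it the copy cannot be used for signature verification`. The next patch in the series switches the example to an RSA host as a "temporary workaround for EC keys issue", which suggests this line alone did not make EC known-key pinning work, so a regression check against an EC-keyed endpoint would be worth adding before that workaround is reverted. The enclosing copy function and the allocation that sizes `pk->key.ec.q` for `ek->qlen` start outside the hunk, so I cannot confirm the memcpy above is bounded.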
@@ -141,9 +141,9 @@ private and not shared. A MITM without the private key would not be able to establish communications. )EOF"); BearSSL::WiFiClientSecure client; - BearSSL::PublicKey key(pubkey___github_com); + BearSSL::PublicKey key(pubkey_gitlab_com); client.setKnownKey(&key); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); } void fetchCertAuthority() { @@ -157,14 +157,14 @@ BearSSL does verify the notValidBefore/After fields. )EOF"); BearSSL::WiFiClientSecure client; - BearSSL::X509List cert(cert_DigiCert_High_Assurance_EV_Root_CA); + BearSSL::X509List cert(cert_USERTrust_RSA_Certification_Authority); client.setTrustAnchors(&cert); Serial.printf("Try validating without setting the time (should fail)\n"); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); Serial.printf("Try again after setting NTP time (should pass)\n"); setClock(); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); } void fetchFaster() { 
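Review bot: Switching the known-key example to `pubkey_gitlab_com` changes the key type under test without saying so: the generated certs.h holds an RSA SubjectPublicKeyInfo for gitlab.com, whereas the previous github pubkey was EC P-256 judging by its SPKI prefix, and the EC path is exactly what the "EC keys issue" in the commit title concerns. A comment above `BearSSL::PublicKey key(pubkey_gitlab_com);` such as `// NOTE: gitlab.com currently serves an RSA key; EC known-key pinning is not exercised here until the EC issue is resolved (see commit message)` would stop a later maintainer from reverting to github without re-testing EC. The pin is also bound to the leaf key, which certs.h says expires 2022-05-11, so this example fails after that date until ./certUpdate is re-run.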
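Review bot: The anchor `BearSSL::X509List cert(cert_USERTrust_RSA_Certification_Authority);` is, per the generated certs.h, not the self-signed USERTrust root but the cross-signed copy issued by "AAA Certificate Services" (the issuer DN in its base64 and the 2019-03-12 / 2028-12-31 validity match that cross-certificate), downloaded from an `http://crt.usertrust.com/...` AIA URL, so the chain walk in tools/cert.py evidently stops at the last link it could fetch rather than at a self-signed certificate. Validation may well still succeed since the cross-signed copy carries the same subject and key, but anyone copying this pattern should know the trust decision rests on a certificate obtained over plaintext HTTP at generation time. I would add `// Trust anchor: USERTrust RSA CA as fetched via AIA by tools/cert.py (cross-signed copy, not the self-signed root); compare against a trusted copy before shipping` and have cert.py either continue until issuer equals subject or verify each link's signature. The 2028-12-31 "not valid after" recorded in certs.h is the cross-certificate's, not necessarily the real root's lifetime.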
@@ -177,18 +177,18 @@ may make sense BearSSL::WiFiClientSecure client; client.setInsecure(); uint32_t now = millis(); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); uint32_t delta = millis() - now; client.setInsecure(); client.setCiphersLessSecure(); now = millis(); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); uint32_t delta2 = millis() - now; std::vector myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA }; client.setInsecure(); client.setCiphers(myCustomList); now = millis(); - fetchURL(&client, github_host, github_port, path); + fetchURL(&client, gitlab_host, gitlab_port, path); uint32_t delta3 = millis() - now; Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3); } diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate index ba08b87c32..2162b78e97 100755 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certUpdate @@ -1,2 +1,2 @@ cd ${0%/*} 2>/dev/null -python3 ../../../../tools/cert.py -s api.github.com -n github > certs.h +python3 ../../../../tools/cert.py -s www.gitlab.com -n gitlab > certs.h diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h index 5e8afe355f..994aec713d 100644 --- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h +++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/certs.h 
@@ -1,90 +1,115 @@ // this file is autogenerated - any modification will be overwritten // unused symbols will not be linked in the final binary -// generated on 2021-07-16 02:12:54 -// by ['../../../../tools/cert.py', '-s', 'api.github.com', '-n', 'github'] +// generated on 2021-07-18 00:02:22 +// by ['../../../../tools/cert.py', '-s', 'www.gitlab.com', '-n', 'gitlab'] #pragma once //////////////////////////////////////////////////////////// -// certificate chain for api.github.com:443 +// certificate chain for www.gitlab.com:443 -const char* github_host = "api.github.com"; -const uint16_t github_port = 443; +const char* gitlab_host = "www.gitlab.com"; +const uint16_t gitlab_port = 443; -// CN: *.github.com => name: __github_com -// not valid before: 2021-03-25 00:00:00 -// not valid after: 2022-03-30 23:59:59 -const char fingerprint___github_com [] PROGMEM = "96:84:07:df:0b:1c:f6:58:14:df:d7:33:35:57:51:9b:15:4d:8c:e7"; -const char pubkey___github_com [] PROGMEM = R"PUBKEY( +// CN: gitlab.com => name: gitlab_com +// not valid before: 2021-04-12 00:00:00 +// not valid after: 2022-05-11 23:59:59 +const char fingerprint_gitlab_com [] PROGMEM = "71:55:5e:29:68:99:43:98:c8:85:35:bd:4c:10:4c:f5:cf:17:09:e6"; +const char pubkey_gitlab_com [] PROGMEM = R"PUBKEY( -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElL9/+0TidTIALPfU/tiS6pI8zAIk -rU4pohUldVc0bb6O3FARl3cnqIDK9SoF65z3xiR6XsnFS8F0Oy/chXR/kQ== +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1eeFy86Xbz3ygyCVprHp +sPP3zyg0yldkIfqwjsXPH0b+KwQ85s3pzI/5+MVrR2/BGY4ed6mTZ6hvNwQJ2B0E +sJrsTb2nuUsXQ0UVO4hvnZ7Dnx8r/bT1cndqa+Mn+bms8/TS4etP72+TLaORBRCz +O4L1Hi8r61+zZLnP3DqqHeHAgl5wKHNYpx7yFFl2I71LuLH/pk2ICDBjaHwCIbRW +u484no9s1c4VROxqMrQQ/wDMl80MiO9YeNQ5rBHfnabh4rFe9eb2Sd0H/DWBj3SO +YBD0kiLI6b5CWYfA76pBSlZg7G3ledvQ+n9FEcS3EOCPKBBZqMDCzEahvHqwJ/r6 +pwIDAQAB -----END PUBLIC KEY----- )PUBKEY"; -// http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt -// CN: DigiCert High Assurance TLS Hybrid 
ECC SHA256 2020 CA1 => name: DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 -// not valid before: 2020-12-17 00:00:00 -// not valid after: 2030-12-16 23:59:59 -const char cert_DigiCert_High_Assurance_TLS_Hybrid_ECC_SHA256_2020_CA1 [] PROGMEM = R"CERT( +// http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt +// CN: Sectigo RSA Domain Validation Secure Server CA => name: Sectigo_RSA_Domain_Validation_Secure_Server_CA +// not valid before: 2018-11-02 00:00:00 +// not valid after: 2030-12-31 23:59:59 +const char cert_Sectigo_RSA_Domain_Validation_Secure_Server_CA [] PROGMEM = R"CERT( -----BEGIN CERTIFICATE----- -MIIEGzCCAwOgAwIBAgIQBmcDW7sU/WOvwNaoU07+FjANBgkqhkiG9w0BAQsFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTIwMTIxNzAwMDAwMFoXDTMwMTIxNjIzNTk1OVowZzEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMT8wPQYDVQQDEzZE -aWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBUTFMgSHlicmlkIEVDQyBTSEEyNTYgMjAy -MCBDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnvW/xPOudvtC252wTq9ef -6fbdFeWPkOscfpRTkciuHj7UcumQSH3lzkPEIx0KpesWa8epsks7QwkZ4fU/Tkf9 -o4IBhzCCAYMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUUGGmoNI1xBEq -II0fD6xC8M0pz0swHwYDVR0jBBgwFoAUsT7DaQP4v0cB1JgmGggC72NkK8MwDgYD -VR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB/Bggr -BgEFBQcBAQRzMHEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv -bTBJBggrBgEFBQcwAoY9aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD -ZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNydDBLBgNVHR8ERDBCMECgPqA8hjpo -dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZS -b290Q0EuY3JsMDAGA1UdIAQpMCcwCAYGZ4EMAQICMAgGBmeBDAECAzAHBgVngQwB -ATAIBgZngQwBAgEwDQYJKoZIhvcNAQELBQADggEBAHMQH8hhiBfNbxwEwxbbTAnu -jPyUh/oi0JrfZI3u9JuiLqca720D6foS/AB5+4EIxpm7CMG4MdN/l7oAiDipaCPv -mOmpYUpnT7A63Cr0q4g84rI1ZmdqA40lVUUf6qC6E34tC73qDQF8TJSrfscWFdCl -RXR9J4QGrkZ2VNMSDzlDRzWCaA95MfO8x01l+ZdopdE8FvM78gGd4zxeWb8v991+ 
-mBxTDepqKuy/jF5Rm6Bhfxr33ADRs60s1t16dtZ3pOYLALBTPD5KhZ6a+/dk5dnh -6c4PaeZQYBUAh+GuxfaBlU4qQ8EtjBMCQHreMIwXHYHW5FRYGjgR4NMuaIw2jD0= +MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB +iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl +cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV +BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx +MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV +BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE +ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g +VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N +TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj +eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E +oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk +Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY +uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j +BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb ++ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw +CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0 +LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr +BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv +bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov +L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H +ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH +7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi +H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx +RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv +xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38 +sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL 
+l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq +6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY +LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5 +yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K +00u/I5sUKUErmgQfky3xxzlIPK1aEn8= -----END CERTIFICATE----- )CERT"; -// http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt -// CN: DigiCert High Assurance EV Root CA => name: DigiCert_High_Assurance_EV_Root_CA -// not valid before: 2006-11-10 00:00:00 -// not valid after: 2031-11-10 00:00:00 -const char cert_DigiCert_High_Assurance_EV_Root_CA [] PROGMEM = R"CERT( +// http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt +// CN: USERTrust RSA Certification Authority => name: USERTrust_RSA_Certification_Authority +// not valid before: 2019-03-12 00:00:00 +// not valid after: 2028-12-31 23:59:59 +const char cert_USERTrust_RSA_Certification_Authority [] PROGMEM = R"CERT( -----BEGIN CERTIFICATE----- -MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j -ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL -MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 -LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug -RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm -+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW -PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM -xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB -Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 -hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg -EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF -MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA -FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec 
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z -eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF -hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 -Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe -vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep -+OkuE6N36B9K +MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO +ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI +s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG +vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ +Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb +IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0 +tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E +xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV +icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5 +D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ +WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ +5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG +KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg +EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID +ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG +BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t +L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA +A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+ 
+rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+ +/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA +CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F +zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA +vGp4z7h/jnZymQyd/teRCBaho1+V -----END CERTIFICATE----- )CERT"; -// end of certificate chain for api.github.com:443 +// end of certificate chain for www.gitlab.com:443 //////////////////////////////////////////////////////////// From 764edc768c1f381cbe5edf67769bb7563fd7d47d Mon Sep 17 00:00:00 2001 From: david gauchard Date: Sun, 18 Jul 2021 00:13:17 +0200 Subject: [PATCH 10/10] add a `.sh` extension for coherency with TZUpdate and other scripts --- package/README.md | 4 ++-- tools/{certsUpdate => certsUpdate.sh} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename tools/{certsUpdate => certsUpdate.sh} (100%) diff --git a/package/README.md b/package/README.md index 9f0772c55f..4925454b96 100644 --- a/package/README.md +++ b/package/README.md @@ -114,8 +114,8 @@ The following points assume work in a direct clone of the repository, and not in * [cores/esp8266/TZ.h](https://github.com/esp8266/Arduino/blob/master/cores/esp8266/TZ.h): import the latest database with the following shell command:\ `$ cd tools; sh TZupdate.sh` - * certificates and public keys - `$ cd tools; sh certsUpdate` + * Update SSL/TLS certificates and public keys in examples:\ + `$ cd tools; sh certsUpdate.sh` 5. Wait until the release notes have been checked by other maintainers diff --git a/tools/certsUpdate b/tools/certsUpdate.sh similarity index 100% rename from tools/certsUpdate rename to tools/certsUpdate.sh
