OVMS3-idf/examples/protocols/esp_local_ctrl/README.md

# ESP Local Control using HTTPS server

This example creates a `esp_local_ctrl` service over HTTPS transport, for securely controlling the device over local network. In this case the device name is resolved through `mDNS`, which in this example is `my_esp_ctrl_device.local`.

See the `esp_local_ctrl` component documentation for details.

Before using the example, run `make menuconfig` (or `idf.py menuconfig` if using CMake build system) to configure Wi-Fi or Ethernet. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../README.md) for more details.

## Client Side Implementation

A python test script `scripts/esp_local_ctrl.py` has been provided for as a client side application for controlling the device over the same Wi-Fi network. The script relies on a pre-generated `main/certs/rootCA.pem` to verify the server certificate. The server side private key and certificate can also be found under `main/certs`, namely `prvtkey.pem` and `cacert.pem`.

After configuring the Wi-Fi, flashing and booting the device, run:

```
python scripts/esp_local_ctrl.py
```
Sample output:

```
python2 scripts/esp_local_ctrl.py

==== Acquiring properties information ====

==== Acquired properties information ====

==== Available Properties ====
S.N. Name             Type       Flags            Value
[ 1] timestamp (us)   TIME(us)   Read-Only        168561481
[ 2] property1        INT32                       123456
[ 3] property2        BOOLEAN    Read-Only        True
[ 4] property3        STRING

Select properties to set (0 to re-read, 'q' to quit) : 0

==== Available Properties ====
S.N. Name             Type       Flags            Value
[ 1] timestamp (us)   TIME(us)   Read-Only        22380117
[ 2] property1        INT32                       123456
[ 3] property2        BOOLEAN    Read-Only        False
[ 4] property3        STRING

Select properties to set (0 to re-read, 'q' to quit) : 2,4
Enter value to set for property (property1) : -5555
Enter value to set for property (property3) : hello world!

==== Available Properties ====
S.N. Name             Type       Flags            Value
[ 1] timestamp (us)   TIME(us)   Read-Only        55110859
[ 2] property1        INT32                       -5555
[ 3] property2        BOOLEAN    Read-Only        False
[ 4] property3        STRING                      hello world!

Select properties to set (0 to re-read, 'q' to quit) : q
Quitting...
```

The script also allows to connect over BLE, and provide a custom service name. To display the list of supported parameters, run:

```
python scripts/esp_local_ctrl.py --help
```

## Certificates

You can generate a new server certificate using the OpenSSL command line tool.

For the purpose of this example, lets generate a rootCA, which we will use to sign the server certificates and which the client will use to verify the server certificate during SSL handshake. You will need to set a password for encrypting the generated `rootkey.pem`.

```
openssl req -new -x509 -subj "/CN=root" -days 3650 -sha256 -out rootCA.pem -keyout rootkey.pem
```

Now generate a certificate signing request for the server, along with its private key `prvtkey.pem`.

```
openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -days 3650 -out server.csr -subj "/CN=my_esp_ctrl_device.local"
```

Now use the previously generated rootCA to process the server's certificate signing request, and generate a signed certificate `cacert.pem`. The password set for encrypting `rootkey.pem` earlier, has to be entered during this step.

```
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootkey.pem -CAcreateserial -out cacert.pem -days 500 -sha256
```

Now that we have `rootCA.pem`, `cacert.pem` and `prvtkey.pem`, copy these into main/certs. Note that only the server related files (`cacert.pem` and `prvtkey.pem`) are embedded into the firmware.

Expiry time and metadata fields can be adjusted in the invocation.

Please see the `openssl` man pages (man `openssl-req`) for more details.

It is **strongly recommended** to not reuse the example certificate in your application;
it is included only for demonstration.
ESP Local Control Feature Added List of changes: * New component esp_local_ctrl added * Example added under examples/protocols/esp_local_ctrl * Documentation added under protocols/esp_local_ctrl * Demo client side app esp_local_ctrl.py added under examples/protocols/esp_local_ctrl/scripts * protocomm_ble : protocomm_ble_config_t given struct name for allowing forward declaration * esp_prov/transport_softap renamed to transport_http * transport_http module supports verification of server certificate * transport_http module performs name resolution before connection 2019-06-25 19:33:55 +00:00			`# ESP Local Control using HTTPS server`

			This example creates a `esp_local_ctrl` service over HTTPS transport, for securely controlling the device over local network. In this case the device name is resolved through `mDNS`, which in this example is `my_esp_ctrl_device.local`.

			See the `esp_local_ctrl` component documentation for details.

			Before using the example, run `make menuconfig` (or `idf.py menuconfig` if using CMake build system) to configure Wi-Fi or Ethernet. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../README.md) for more details.

			`## Client Side Implementation`

			A python test script `scripts/esp_local_ctrl.py` has been provided for as a client side application for controlling the device over the same Wi-Fi network. The script relies on a pre-generated `main/certs/rootCA.pem` to verify the server certificate. The server side private key and certificate can also be found under `main/certs`, namely `prvtkey.pem` and `cacert.pem`.

			`After configuring the Wi-Fi, flashing and booting the device, run:`

			```
			`python scripts/esp_local_ctrl.py`
			```
			`Sample output:`

			```
			`python2 scripts/esp_local_ctrl.py`

			`==== Acquiring properties information ====`

			`==== Acquired properties information ====`

			`==== Available Properties ====`
			`S.N. Name Type Flags Value`
			`[ 1] timestamp (us) TIME(us) Read-Only 168561481`
			`[ 2] property1 INT32 123456`
			`[ 3] property2 BOOLEAN Read-Only True`
			`[ 4] property3 STRING`

			`Select properties to set (0 to re-read, 'q' to quit) : 0`

			`==== Available Properties ====`
			`S.N. Name Type Flags Value`
			`[ 1] timestamp (us) TIME(us) Read-Only 22380117`
			`[ 2] property1 INT32 123456`
			`[ 3] property2 BOOLEAN Read-Only False`
			`[ 4] property3 STRING`

			`Select properties to set (0 to re-read, 'q' to quit) : 2,4`
			`Enter value to set for property (property1) : -5555`
			`Enter value to set for property (property3) : hello world!`

			`==== Available Properties ====`
			`S.N. Name Type Flags Value`
			`[ 1] timestamp (us) TIME(us) Read-Only 55110859`
			`[ 2] property1 INT32 -5555`
			`[ 3] property2 BOOLEAN Read-Only False`
			`[ 4] property3 STRING hello world!`

			`Select properties to set (0 to re-read, 'q' to quit) : q`
			`Quitting...`
			```

			`The script also allows to connect over BLE, and provide a custom service name. To display the list of supported parameters, run:`

			```
			`python scripts/esp_local_ctrl.py --help`
			```

			`## Certificates`

			`You can generate a new server certificate using the OpenSSL command line tool.`

			For the purpose of this example, lets generate a rootCA, which we will use to sign the server certificates and which the client will use to verify the server certificate during SSL handshake. You will need to set a password for encrypting the generated `rootkey.pem`.

			```
			`openssl req -new -x509 -subj "/CN=root" -days 3650 -sha256 -out rootCA.pem -keyout rootkey.pem`
			```

			Now generate a certificate signing request for the server, along with its private key `prvtkey.pem`.

			```
			`openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -days 3650 -out server.csr -subj "/CN=my_esp_ctrl_device.local"`
			```

			Now use the previously generated rootCA to process the server's certificate signing request, and generate a signed certificate `cacert.pem`. The password set for encrypting `rootkey.pem` earlier, has to be entered during this step.

			```
			`openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootkey.pem -CAcreateserial -out cacert.pem -days 500 -sha256`
			```

			Now that we have `rootCA.pem`, `cacert.pem` and `prvtkey.pem`, copy these into main/certs. Note that only the server related files (`cacert.pem` and `prvtkey.pem`) are embedded into the firmware.

			`Expiry time and metadata fields can be adjusted in the invocation.`

			Please see the `openssl` man pages (man `openssl-req`) for more details.

			`It is strongly recommended to not reuse the example certificate in your application;`
			`it is included only for demonstration.`