From 2549951498485f27844f0f1372d56a35f87bf8c9 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Wed, 20 Feb 2019 12:48:45 +0530
Subject: [PATCH] esp_http_client: add support for using certs from global ca store

Closes https://github.com/espressif/esp-idf/issues/3062
(cherry picked from commit 27e00cf7aa4611201ca6582ef20236291dc7ee58)
---
 components/esp_http_client/esp_http_client.c | 4 +++-
 components/esp_http_client/include/esp_http_client.h | 1 +
 components/esp_https_ota/src/esp_https_ota.c | 6 +++---
 components/tcp_transport/include/esp_transport_ssl.h | 7 +++++++
 components/tcp_transport/transport_ssl.c | 8 ++++++++
 5 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c
index 4a82a50e3..d71415b84 100644
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -490,7 +490,9 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
 return NULL;
 }
- if (config->cert_pem) {
+ if (config->use_global_ca_store == true) {
+ esp_transport_ssl_enable_global_ca_store(ssl);
+ } else if (config->cert_pem) {
 esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
 }
 #endif
diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h
index 4e940a6d1..ce368de52 100644
--- a/components/esp_http_client/include/esp_http_client.h
+++ b/components/esp_http_client/include/esp_http_client.h
@@ -115,6 +115,7 @@ typedef struct {
 int buffer_size; /*!< HTTP buffer size (both send and receive) */
 void *user_data; /*!< HTTP user_data context */
 bool is_async; /*!< Set asynchronous mode, only supported with HTTPS for now */
+ bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */
 } esp_http_client_config_t;
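Review bot: When both `use_global_ca_store` and `cert_pem` are set, the new branch silently discards the per-connection certificate, and nothing in the hunk or in the field's documentation tells the caller which one wins; logging a warning in that case, or stating the precedence in the `use_global_ca_store` comment, would make the behaviour visible. The `== true` comparison is redundant on a `bool`; `if (config->use_global_ca_store) {` is the conventional form. Whether a transport whose global store was never populated refuses to connect is decided in esp_tls, outside this hunk, so the client still has no check of its own that some trust anchor is present. esp_http_client_init continues outside the hunk.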
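Review bot: The new field comment says when the store is used but not what the caller must have done first: the flag only refers to whatever `esp_tls_set_global_ca_store` loaded earlier and does not load anything itself. Suggested comment: `/*!< Verify the server against the global CA store (populated beforehand with esp_tls_set_global_ca_store); when set, cert_pem is not used for this client. */`. The precedence clause reflects the `else if` added to esp_http_client.c in this same commit.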
diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c
index 9929a1856..d3f4ad3c8 100644
--- a/components/esp_https_ota/src/esp_https_ota.c
+++ b/components/esp_https_ota/src/esp_https_ota.c
@@ -35,9 +35,9 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config)
 return ESP_ERR_INVALID_ARG;
 }
- if (!config->cert_pem) {
- ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
- return ESP_FAIL;
+ if (!config->cert_pem && !config->use_global_ca_store) {
+ ESP_LOGE(TAG, "Server certificate not found, either through configuration or global CA store");
+ return ESP_ERR_INVALID_ARG;
 }
 esp_http_client_handle_t client = esp_http_client_init(config);
diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h
index 34045ae77..c42fd0935 100644
--- a/components/tcp_transport/include/esp_transport_ssl.h
+++ b/components/tcp_transport/include/esp_transport_ssl.h
@@ -40,6 +40,13 @@ esp_transport_handle_t esp_transport_ssl_init();
 */
 void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data, int len);
+/**
+ * @brief Enable global CA store for SSL connection
+ *
+ * @param t ssl transport
+ */
+void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t);
+
 /**
 * @brief Set SSL client certificate data for mutual authentication (as PEM format).
 * Note that, this function stores the pointer to data, rather than making a copy.
diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c
index 436f8a943..12a9d3d85 100644
--- a/components/tcp_transport/transport_ssl.c
+++ b/components/tcp_transport/transport_ssl.c
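Review bot: The rejected-config path now returns `ESP_ERR_INVALID_ARG` where it returned `ESP_FAIL` before, a caller-visible change that the commit message does not mention; callers comparing against `ESP_FAIL` no longer match. Either keep `return ESP_FAIL;` or document the new code in esp_https_ota's @return. The check also accepts `use_global_ca_store` at face value, so an OTA started before the global store was populated is only caught if the transport layer rejects an empty store, which is not visible here. esp_https_ota continues outside the hunk.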
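Review bot: The @brief on `esp_transport_ssl_enable_global_ca_store` omits the precondition and the ordering a caller needs: the store must already have been populated with `esp_tls_set_global_ca_store`, and the flag has to be set before the transport connects. Suggested wording: `@brief Verify the peer with the global CA store (populated beforehand via esp_tls_set_global_ca_store) instead of per-transport cert data; call before connecting.` Whether this overrides data given to esp_transport_ssl_set_cert_data is decided in esp_tls and is not visible here, so state it only once confirmed.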
@@ -152,6 +152,14 @@ static int ssl_destroy(esp_transport_handle_t t)
 return 0;
 }
+void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.use_global_ca_store = true;
+ }
+}
+
 void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data, int len)
 {
 transport_ssl_t *ssl = esp_transport_get_context_data(t);
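Review bot: `esp_transport_get_context_data(t)` is called before the `t && ssl` guard on the next line, so the NULL check on `t` protects nothing unless the getter already tolerates a NULL handle, which is not visible here; fetching the context only after `if (t == NULL) { return; }` makes the guard self-evidently correct. The existing esp_transport_ssl_set_cert_data below uses the same order, so this follows the file's pattern rather than introducing it. The function also gives the caller no indication that the flag was not applied, which matters more for a trust-store setting than for most setters; a short comment, `/* No-op on a NULL handle or missing context, like the other setters. */`, records that this is deliberate.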