CA Certificate verification

2018-02-12 23:38:51 +05:30 · 2018-02-12 23:38:51 +05:30 · 8a1dcc0765
commit 8a1dcc0765
parent 8211a16207
2 changed files with 23 additions and 0 deletions
--- a/components/esp-tls/esp-tls.c
+++ b/components/esp-tls/esp-tls.c
@ -117,6 +117,27 @@ static int create_ssl_handle(struct esp_tls *tls, const char *hostname, size_t h
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
    SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
+    if (cfg->cacert_pem_buf != NULL) {
+        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+
+        BIO *bio;
+        bio = BIO_new(BIO_s_mem());
+        BIO_write(bio, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);
+
+        X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL);
+
+        if (!ca) {
+            ESP_LOGE(TAG, "CA Error\n");                                                                                    
+        }
+        ESP_LOGD(TAG, "CA OK\n");
+            
+        X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), ca);
+
+        X509_free(ca);
+        BIO_free(bio);
+    }
+
    if (cfg->alpn_protos) {
 	SSL_CTX_set_alpn_protos(ssl_ctx, cfg->alpn_protos, strlen((char *)cfg->alpn_protos));
    }
--- a/components/esp-tls/esp-tls.h
+++ b/components/esp-tls/esp-tls.h
@ -19,6 +19,8 @@ struct esp_tls_cfg {
     * - the subsequent 'h2' is the protocol name
     */
    const unsigned char *alpn_protos;
+    const unsigned char *cacert_pem_buf;
+    const unsigned int cacert_pem_bytes;
 };

 struct esp_tls {