CA Certificate verification
authorJitin George <jitin@espressif.com>
Mon, 12 Feb 2018 18:08:51 +0000 (23:38 +0530)
committerJitin George <jitin@espressif.com>
Fri, 6 Apr 2018 11:46:27 +0000 (17:16 +0530)
components/esp-tls/esp-tls.c
components/esp-tls/esp-tls.h

index d7599ed53b3dedd7584110c56fa284bb84f070f7..e327921759308f584143c9c8f120315ea7d71338 100644 (file)
@@ -117,6 +117,27 @@ static int create_ssl_handle(struct esp_tls *tls, const char *hostname, size_t h
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
+    if (cfg->cacert_pem_buf != NULL) {
+        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+
+        BIO *bio;
+        bio = BIO_new(BIO_s_mem());
+        BIO_write(bio, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);
+
+        X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL);
+
+        if (!ca) {
+            ESP_LOGE(TAG, "CA Error\n");                                                                                    
+        }
+        ESP_LOGD(TAG, "CA OK\n");
+            
+        X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), ca);
+
+        X509_free(ca);
+        BIO_free(bio);
+    }
+
     if (cfg->alpn_protos) {
        SSL_CTX_set_alpn_protos(ssl_ctx, cfg->alpn_protos, strlen((char *)cfg->alpn_protos));
     }
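Review bot: A CA that fails to parse is still used: the `if (!ca)` check after `PEM_read_bio_X509` only logs, then execution falls through to the `CA OK` log and to `X509_STORE_add_cert(..., NULL)`, so a bad cacert_pem_buf is never reported to the caller and the handshake proceeds with an empty trust store. `BIO_new` is likewise unchecked and the return value of `X509_STORE_add_cert` is ignored, so a failed add silently produces the same outcome. The sketch below bails out on each failure; the early returns must first release ssl_ctx the way the function's existing failure paths do, which lie outside this hunk since create_ssl_handle begins and ends beyond it. Note also that `PEM_read_bio_X509` returns only the first certificate, so a PEM bundle with several CAs installs just the first, and `SSL_VERIFY_PEER` validates the chain but not that the leaf matches hostname, which this function receives — confirm that binding happens elsewhere or add it here if the underlying library supports it.
```c
    if (cfg->cacert_pem_buf != NULL) {
        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);

        BIO *bio = BIO_new(BIO_s_mem());
        if (bio == NULL) {
            ESP_LOGE(TAG, "BIO_new failed");
            return -1; /* TODO: release ssl_ctx via the function's existing failure path (outside this hunk) */
        }
        BIO_write(bio, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);

        X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL);
        if (ca == NULL) {
            ESP_LOGE(TAG, "Failed to parse CA certificate");
            BIO_free(bio);
            return -1; /* TODO: same cleanup as above */
        }
        ESP_LOGD(TAG, "CA OK");

        /* X509_STORE_add_cert copies a reference, so ca can be released right after */
        int added = X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), ca);
        X509_free(ca);
        BIO_free(bio);
        if (added != 1) {
            ESP_LOGE(TAG, "Failed to add CA certificate to store");
            return -1; /* TODO: same cleanup as above */
        }
    }
    /* … unchanged: alpn_protos handling … */
```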
index f921a5e6f69a13eddf922de93ae2ffac8323698b..0327acc700250e65b12ed242e3f575b532ad71b6 100644 (file)
@@ -19,6 +19,8 @@ struct esp_tls_cfg {
      * - the subsequent 'h2' is the protocol name
      */
     const unsigned char *alpn_protos;
+    const unsigned char *cacert_pem_buf;
+    const unsigned int cacert_pem_bytes;
 };
 
 struct esp_tls {
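Review bot: The two new fields carry no comment while the neighbouring alpn_protos has one describing its format; add something like `/* CA certificate in PEM form, or NULL to leave peer verification disabled; cacert_pem_bytes is its length in bytes */` above `cacert_pem_buf`. Declaring `cacert_pem_bytes` as `const unsigned int` makes every struct esp_tls_cfg non-assignable and the field settable only through an initializer, which is unusual for a configuration struct; `unsigned int cacert_pem_bytes;` is the expected form. Since the value is passed to `BIO_write` as a length, `size_t` would also avoid an implicit conversion, if existing callers allow the change.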