esp-tls: add support for mutual SSL authentication
authorRiccardo Binetti <rbino@gmx.com>
Fri, 28 Sep 2018 16:45:11 +0000 (18:45 +0200)
committerDavid Cermak <cermak@espressif.com>
Tue, 30 Oct 2018 07:04:09 +0000 (08:04 +0100)
Signed-off-by: David Cermak <cermak@espressif.com>
components/esp-tls/esp_tls.c
components/esp-tls/esp_tls.h

index 2cd7a447179ac4d84ca57a42a667f524141167e2..d8411c61902ae9a7d6463d7086dcc5fb71417cb1 100644 (file)
@@ -204,6 +204,9 @@ static void mbedtls_cleanup(esp_tls_t *tls)
         mbedtls_x509_crt_free(tls->cacert_ptr);
     }
     tls->cacert_ptr = NULL;
+    mbedtls_x509_crt_free(&tls->cacert);
+    mbedtls_x509_crt_free(&tls->clientcert);
+    mbedtls_pk_free(&tls->clientkey);
     mbedtls_entropy_free(&tls->entropy);
     mbedtls_ssl_config_free(&tls->conf);
     mbedtls_ctr_drbg_free(&tls->ctr_drbg);
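Review bot: The three free calls added at the top of this hunk run on every cleanup, while `mbedtls_x509_crt_init(&tls->clientcert)` and `mbedtls_pk_init(&tls->clientkey)` are only called in the create_ssl_handle hunk when both client buffers are configured; this is safe only if the `esp_tls_t` object is zero-initialized at allocation (mbedtls' free routines treat an all-zero context as empty), and that allocation is outside the hunk, so it should be confirmed. The conditional `mbedtls_x509_crt_free(tls->cacert_ptr)` just above may already have released `tls->cacert` when the pointer aimed at it, so the unconditional `mbedtls_x509_crt_free(&tls->cacert)` relies on the free zeroizing the struct to avoid a double free; that deserves a comment such as `/* repeat-safe: mbedtls_x509_crt_free zeroizes the context it frees */`. The same zero-initialization assumption applies to the new `clientcert`/`clientkey` members declared in the esp_tls.h hunk of this commit. mbedtls_cleanup starts outside the hunk.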
@@ -274,7 +277,34 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
     } else {
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
     }
-    
+
+    if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) {
+        mbedtls_x509_crt_init(&tls->clientcert);
+        mbedtls_pk_init(&tls->clientkey);
+
+        ret = mbedtls_x509_crt_parse(&tls->clientcert, cfg->clientcert_pem_buf, cfg->clientcert_pem_bytes);
+        if (ret < 0) {
+            ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
+            goto exit;
+        }
+
+        ret = mbedtls_pk_parse_key(&tls->clientkey, cfg->clientkey_pem_buf, cfg->clientkey_pem_bytes,
+                  cfg->clientkey_password, cfg->clientkey_password_len);
+        if (ret < 0) {
+            ESP_LOGE(TAG, "mbedtls_pk_parse_keyfile returned -0x%x\n\n", -ret);
+            goto exit;
+        }
+
+        ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey);
+        if (ret < 0) {
+            ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned -0x%x\n\n", -ret);
+            goto exit;
+        }
+    } else if (cfg->clientcert_pem_buf != NULL || cfg->clientkey_pem_buf != NULL) {
+        ESP_LOGE(TAG, "You have to provide both clientcert_pem_buf and clientkey_pem_buf for mutual authentication\n\n");
+        goto exit;
+    }
+
     mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
 
 #ifdef CONFIG_MBEDTLS_DEBUG
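Review bot: `mbedtls_x509_crt_parse` reports partial failure with a positive count of certificates it could not parse, so the `if (ret < 0)` after the client-certificate parse lets a chain with unparsable entries through without any log; `if (ret != 0)` would reject it, or at least the positive case should be logged. The `else if` misconfiguration branch jumps to `exit` without assigning `ret`, so if the label returns `ret` the caller sees the status of the previous call rather than an error; the label is outside the hunk, so this is inferred, and setting an explicit error code before the `goto` removes the dependency. The error log after `mbedtls_pk_parse_key` names the wrong function; it should read `ESP_LOGE(TAG, "mbedtls_pk_parse_key returned -0x%x\n\n", -ret);`. create_ssl_handle starts and ends outside the hunk.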
@@ -502,4 +532,4 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t
     /* Connect to host */
     return esp_tls_conn_new_async(&url[u.field_data[UF_HOST].off], u.field_data[UF_HOST].len,
                            get_port(url, &u), cfg, tls);
-}
\ No newline at end of file
+}
index eaa03531224590174209400f5671cfafd8ef1ae1..d6982b740a266bfbcb33d6776f9f74b19add833f 100644 (file)
@@ -60,7 +60,22 @@ typedef struct esp_tls_cfg {
  
     unsigned int cacert_pem_bytes;          /*!< Size of Certificate Authority certificate
                                                  pointed to by cacert_pem_buf */
+
+    const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
  
+    unsigned int clientcert_pem_bytes;      /*!< Size of client certificate pointed to by
+                                                 clientcert_pem_buf */
+
+    const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
+
+    unsigned int clientkey_pem_bytes;       /*!< Size of client key pointed to by
+                                                 clientkey_pem_buf */
+
+    const unsigned char *clientkey_password;/*!< Client key decryption password string */
+
+    unsigned int clientkey_password_len;    /*!< String length of the password pointed to by
+                                                 clientkey_password */
+
     bool non_block;                         /*!< Configure non-blocking mode. If set to true the 
                                                  underneath socket will be configured in non 
                                                  blocking mode after tls session is established */
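Review bot: The comments on the new `clientcert_pem_bytes` and `clientkey_pem_bytes` fields should state the length convention mbedtls' PEM parsers expect: the buffer must be NUL-terminated and the size must include that terminator, as with the existing `cacert_pem_bytes`; suggest appending `(PEM input must be NUL-terminated and the size must include the terminator)` to each. The block should also say that `clientcert_pem_buf` and `clientkey_pem_buf` must be supplied together, since the implementation in this commit rejects a configuration with only one of them, and that `clientkey_password` may be `NULL` with `clientkey_password_len` set to 0 for an unencrypted key. Noting that the password and key buffers are caller-owned and, as far as the visible code shows, are not cleared by esp-tls would help callers decide how long to keep that plaintext in memory.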
@@ -89,7 +104,12 @@ typedef struct esp_tls {
  
     mbedtls_net_context server_fd;                                              /*!< mbedTLS wrapper type for sockets */
  
-    mbedtls_x509_crt cacert;                                                    /*!< Container for an X.509 certificate */
+    mbedtls_x509_crt cacert;                                                    /*!< Container for the X.509 CA certificate */
+
+    mbedtls_x509_crt clientcert;                                                /*!< Container for the X.509 client certificate */
+
+    mbedtls_pk_context clientkey;                                               /*!< Container for the private key of the client
+                                                                                     certificate */
  
     mbedtls_x509_crt *cacert_ptr;                                               /*!< Pointer to the cacert being used. */