From: Jitin George <jitin@espressif.com>
Date: Mon, 12 Feb 2018 18:08:51 +0000 (+0530)
Subject: CA Certificate verification
X-Git-Tag: v3.1-beta1~286^2~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8a1dcc076577a101a3cda266ea4b61d113a6b687;p=esp-idf

CA Certificate verification
---

diff --git a/components/esp-tls/esp-tls.c b/components/esp-tls/esp-tls.c
index d7599ed53b..e327921759 100644
--- a/components/esp-tls/esp-tls.c
+++ b/components/esp-tls/esp-tls.c
@@ -117,6 +117,27 @@ static int create_ssl_handle(struct esp_tls *tls, const char *hostname, size_t h
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+
+    if (cfg->cacert_pem_buf != NULL) {
+        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+
+        BIO *bio;
+        bio = BIO_new(BIO_s_mem());
+        BIO_write(bio, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);
+
+        X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL);
+
+        if (!ca) {
+            ESP_LOGE(TAG, "CA Error\n");                                                                                    
+        }
+        ESP_LOGD(TAG, "CA OK\n");
+            
+        X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), ca);
+
+        X509_free(ca);
+        BIO_free(bio);
+    }
+
     if (cfg->alpn_protos) {
 	SSL_CTX_set_alpn_protos(ssl_ctx, cfg->alpn_protos, strlen((char *)cfg->alpn_protos));
     }
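Review bot: The `if (!ca)` branch only logs and falls through, so a CA buffer that fails to parse still reaches `X509_STORE_add_cert(..., NULL)` and `X509_free(NULL)`, logs "CA OK" regardless, and create_ssl_handle carries on with SSL_VERIFY_PEER set on an empty trust store — the parse failure should be returned to the caller, and `BIO_new()` should get the same NULL check (both are shown below). `PEM_read_bio_X509` also reads only the first certificate in the buffer, so a PEM bundle containing several roots is silently reduced to one; either loop until it returns NULL or document the single-certificate limit on `cacert_pem_buf`. As far as the hunk shows, this enables chain verification but never binds the `hostname` parameter from the signature to the verification (e.g. `X509_VERIFY_PARAM_set1_host` or the wrapper's equivalent); if that is not done elsewhere in the function, any certificate issued by the CA is accepted for any server name — worth confirming. create_ssl_handle begins and ends outside the hunk, so the early returns below should use whatever error value and `ssl_ctx` cleanup its other failure paths already use.
```c
    if (cfg->cacert_pem_buf != NULL) {
        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);

        BIO *bio = BIO_new(BIO_s_mem());
        if (!bio) {
            ESP_LOGE(TAG, "BIO_new failed\n");
            return -1; /* reuse the function's existing failure value/cleanup */
        }
        BIO_write(bio, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);

        X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL);
        if (!ca) {
            ESP_LOGE(TAG, "CA Error\n");
            BIO_free(bio);
            return -1; /* fail closed: never continue with an empty trust store */
        }
        ESP_LOGD(TAG, "CA OK\n");
        /* … unchanged: X509_STORE_add_cert, X509_free, BIO_free … */
    }
```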
diff --git a/components/esp-tls/esp-tls.h b/components/esp-tls/esp-tls.h
index f921a5e6f6..0327acc700 100644
--- a/components/esp-tls/esp-tls.h
+++ b/components/esp-tls/esp-tls.h
@@ -19,6 +19,8 @@ struct esp_tls_cfg {
      * - the subsequent 'h2' is the protocol name
      */
     const unsigned char *alpn_protos;
+    const unsigned char *cacert_pem_buf;
+    const unsigned int cacert_pem_bytes;
 };
 
 struct esp_tls {
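Review bot: The two new fields `cacert_pem_buf` and `cacert_pem_bytes` have no documentation, while the neighbouring `alpn_protos` carries a multi-line comment describing its format; add `/** PEM-encoded CA certificate used to verify the peer; when NULL, esp-tls.c skips SSL_CTX_set_verify() and the context keeps its default mode. */` above `cacert_pem_buf` and `/** Length of cacert_pem_buf in bytes. */` above `cacert_pem_bytes`. Separately, `const unsigned int cacert_pem_bytes;` makes the whole struct non-assignable after initialization (`cfg.cacert_pem_bytes = n;` and `cfg = other;` stop compiling), which is an unusual constraint for a configuration struct that callers fill in; the `const` on the pointee of `cacert_pem_buf` is what protects the certificate bytes, so `unsigned int cacert_pem_bytes;` (or `size_t`) is the conventional form.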