From: Riccardo Binetti
Date: Fri, 28 Sep 2018 16:45:11 +0000 (+0200)
Subject: esp-tls: add support for mutual SSL authentication
X-Git-Tag: v3.2-beta1~4^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dec70a760120d3c6d1d63ac0257dce6a8561879c;p=esp-idf

esp-tls: add support for mutual SSL authentication

Signed-off-by: David Cermak
---

diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c
index 2cd7a44717..d8411c6190 100644
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@@ -204,6 +204,9 @@ static void mbedtls_cleanup(esp_tls_t *tls)
 mbedtls_x509_crt_free(tls->cacert_ptr);
 }
 tls->cacert_ptr = NULL;
+ mbedtls_x509_crt_free(&tls->cacert);
+ mbedtls_x509_crt_free(&tls->clientcert);
+ mbedtls_pk_free(&tls->clientkey);
 mbedtls_entropy_free(&tls->entropy);
 mbedtls_ssl_config_free(&tls->conf);
 mbedtls_ctr_drbg_free(&tls->ctr_drbg);
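Review bot: `mbedtls_x509_crt_free(&tls->cacert)` is now called unconditionally right after the conditional `mbedtls_x509_crt_free(tls->cacert_ptr)` above it, so if `cacert_ptr` can point at `&tls->cacert` (the header hunk calls it "Pointer to the cacert being used") the same context is freed twice; mbedTLS zeroizes an `mbedtls_x509_crt` as it frees it, which makes the second call a no-op today, but that is a library property this code silently depends on. The same applies to `clientcert` and `clientkey`, which the create_ssl_handle hunk initialises only when a client certificate is configured, so on every other path these two `_free` calls operate on whatever the allocator left in the struct and are safe only if `esp_tls_t` is zero-filled at allocation, which I cannot see from here. I would either initialise all three contexts unconditionally where `tls` is set up, or at minimum pin the assumption on these lines: `/* cacert/clientcert/clientkey may never have been initialised, or cacert may already be freed via cacert_ptr; relies on esp_tls_t being calloc'd and on mbedTLS free() being a no-op on a zeroed context */`. mbedtls_cleanup starts outside this hunk, so an earlier guard may exist that I cannot see.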
@@ -274,7 +277,34 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
 } else {
 mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
 }
-
+
+ if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) {
+ mbedtls_x509_crt_init(&tls->clientcert);
+ mbedtls_pk_init(&tls->clientkey);
+
+ ret = mbedtls_x509_crt_parse(&tls->clientcert, cfg->clientcert_pem_buf, cfg->clientcert_pem_bytes);
+ if (ret < 0) {
+ ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
+ goto exit;
+ }
+
+ ret = mbedtls_pk_parse_key(&tls->clientkey, cfg->clientkey_pem_buf, cfg->clientkey_pem_bytes,
+ cfg->clientkey_password, cfg->clientkey_password_len);
+ if (ret < 0) {
+ ESP_LOGE(TAG, "mbedtls_pk_parse_keyfile returned -0x%x\n\n", -ret);
+ goto exit;
+ }
+
+ ret = mbedtls_ssl_conf_own_cert(&tls->conf, &tls->clientcert, &tls->clientkey);
+ if (ret < 0) {
+ ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned -0x%x\n\n", -ret);
+ goto exit;
+ }
+ } else if (cfg->clientcert_pem_buf != NULL || cfg->clientkey_pem_buf != NULL) {
+ ESP_LOGE(TAG, "You have to provide both clientcert_pem_buf and clientkey_pem_buf for mutual authentication\n\n");
+ goto exit;
+ }
+
 mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
 #ifdef CONFIG_MBEDTLS_DEBUG
@@ -502,4 +532,4 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t
 /* Connect to host */
 return esp_tls_conn_new_async(&url[u.field_data[UF_HOST].off], u.field_data[UF_HOST].len, get_port(url, &u), cfg, tls);
-}
\ No newline at end of file
+}
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index eaa0353122..d6982b740a 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
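Review bot: `mbedtls_x509_crt_init(&tls->clientcert)` and `mbedtls_pk_init(&tls->clientkey)` run only inside the `if` that configures a client certificate, yet the cleanup hunk of this same commit frees both contexts unconditionally, so every path that reaches `exit` without a client cert (including any `goto exit` taken before this block) frees contexts that were never initialised; that is only safe if `esp_tls_t` is zero-filled at allocation, which this hunk cannot show. I would move the two `_init` calls up to where the other mbedTLS contexts of `tls` are initialised at the top of create_ssl_handle (outside this hunk), so the init/free pairing no longer depends on the allocator. Separately, `mbedtls_x509_crt_parse` returns a positive count when some certificates in the buffer failed to parse while others succeeded, so `if (ret < 0)` lets a client chain with a dropped intermediate through and the failure only surfaces as an opaque server-side handshake error; `if (ret != 0)` (or at least a warning on `ret > 0`) would report it where the misconfiguration is. The log on the key-parse failure names `mbedtls_pk_parse_keyfile` although the call is `mbedtls_pk_parse_key`; `ESP_LOGE(TAG, "mbedtls_pk_parse_key returned -0x%x\n\n", -ret);` avoids sending whoever triages the error to the wrong function. create_ssl_handle starts and ends outside this hunk, so I cannot see what `exit:` returns when `ret` is left untouched by the "provide both" branch.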
@@ -60,7 +60,22 @@ typedef struct esp_tls_cfg {
 unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate pointed to by cacert_pem_buf */
+
+ const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
+ unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by clientcert_pem_buf */
+
+ const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
+
+ unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by clientkey_pem_buf */
+
+ const unsigned char *clientkey_password;/*!< Client key decryption password string */
+
+ unsigned int clientkey_password_len; /*!< String length of the password pointed to by clientkey_password */
+
 bool non_block; /*!< Configure non-blocking mode. If set to true the underneath socket will be configured in non blocking mode after tls session is established */
@@ -89,7 +104,12 @@ typedef struct esp_tls {
 mbedtls_net_context server_fd; /*!< mbedTLS wrapper type for sockets */
- mbedtls_x509_crt cacert; /*!< Container for an X.509 certificate */
+ mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */
+
+ mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */
+
+ mbedtls_pk_context clientkey; /*!< Container for the private key of the client certificate */
 mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */
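Review bot: The new `clientcert_pem_bytes` / `clientkey_pem_bytes` comments say only "Size of …", yet the .c hunk hands these buffers to `mbedtls_x509_crt_parse` / `mbedtls_pk_parse_key`, which recognise PEM only when the buffer is NUL-terminated and the length counts the terminator, so a caller who passes `strlen()` gets an opaque parse error instead of a hint. I would state it on the field, `/*!< Size of the client key pointed to by clientkey_pem_buf, including the terminating NUL for PEM input */`, and the same for the certificate. `clientkey_password_len` is described as "String length", which should be made explicit as the number of password bytes without a terminator, since mbedTLS consumes the password as raw bytes of that length. Because the key and passphrase are parsed into `tls->clientkey` during connect, it would also help to say whether the caller may — and for secrets should — wipe or free these buffers once the connection is up; I cannot confirm from this hunk that nothing in esp-tls keeps referencing `cfg` afterwards, so that sentence needs checking against the connect path before it goes in.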
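Review bot: `clientkey` and `clientcert` are documented only as containers, but nothing says they are initialised solely when a client certificate is configured and are otherwise freed as-is by `mbedtls_cleanup` (both visible in the .c hunks of this commit), which is exactly the invariant a later refactor breaks silently. Since `esp_tls_t` is a public type, I would note it on the member: `/*!< Container for the private key of the client certificate; initialised only when both clientcert_pem_buf and clientkey_pem_buf are set, released in mbedtls_cleanup */`. The private key now lives in this struct for the whole connection, so any debug code that dumps or copies an `esp_tls_t` copies key material — a one-line warning in the same comment would be cheap.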