HTTPS certificate checking for Micropython

[renzenicolai]

Try to offer a bit more security by adding options for checking certificates used when setting up a connection with ussl from within Micropython.

Added functions:

ussl.verify_letsencrypt True) # Verify the certificate against Letsencrypt root
ussl.disable_warning(True)  # Disable the new warning
ussl.debug_level(4) # Set MBEDTLS debug level (0-4)

Also: the "cert" keyword argument that can be given to ussl.wrap_socket() can now be used to supply either an ASCII (base64) or DER encoded CA certificate to check against.

the "urequests" module has been updated to allow passing through the certificate.

For example: the code down below verifies the against the DigiCert global root CA certificate.

cacert = "-----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\nQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\nMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\nb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\nCSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\nnh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\nT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\ngdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\nBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\nTLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\nDQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\nhMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\nPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\nYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\nCAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n-----END CERTIFICATE-----\n"

r = urequests_test.get("https://sha256.badssl.com/", cacert=cacert)

[renzenicolai]

Note: I'm going to check that urequests.py file a bit better as our sha2017 variant differes a bit from "upstream" and I used the upstream version as a base for the version with the new certificate argument.

[lgtm-com]

This pull request introduces 5 alerts and fixes 5 when merging ec36f8f into 87b7b3e - view on LGTM.com

new alerts:

• 5 for Variable defined multiple times

fixed alerts:

• 5 for Variable defined multiple times

[kliment]

If you are doing certificate checking you should note that the LE X3 certificate we are currently shipping is going to expire a year from now. To prevent permanent breakage of OTA, we should ship both X3 and the ISRG root certificate, which is what they will use to sign the next certificate after X3 expires.

[renzenicolai]

Changed cert parameter to cacert as per request on Telegram

[lgtm-com]

This pull request introduces 5 alerts and fixes 5 when merging c73cb58 into 87b7b3e - view on LGTM.com

new alerts:

• 5 for Variable defined multiple times

fixed alerts:

• 5 for Variable defined multiple times