-
Notifications
You must be signed in to change notification settings - Fork 7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
esp_tls & esp_http_client : configure a certificate verify callback with user data parameter (IDFGH-10827) #12034
Comments
ESP-TLS provides few wrapper APIs to collect internal error codes from the TLS stack. They could help in this scenario, please see reference below: esp-idf/components/esp-tls/esp_tls.h Lines 595 to 638 in db43088
Regarding the specific errors related certificate verification in case of ESP-TLS certificate bundle feature, I see that it may require an additional fix as below:
Please check if this can meet your requirement and then I will create an internal fix for this. |
Is your feature request related to a problem?
Hi !
Here is the context:
I recently wanted to enable mbedtls certificate expiry check, from the mbedtls component embedded in esp-idf, so I enabled it in using menuconfig.
However, there are cases were I want to filter out error flags from the mbedtls verify certificate result so that the certificate is actually accepted, even if expired, but also even if "it starts in the future", because the system time is not set yet.
flags = (MBEDTLS_X509_BADCERT_FUTURE | MBEDTLS_X509_BADCERT_EXPIRED
It can simply be done when using directly mbedtls API. But when using the abstraction module that is esp_tls, which is used by the esp_http_client module, one cannot easily 'catch' the verify result to parse the flags.
The only entry I found there is through:
esp_http_client_config_t
:esp_err_t (*crt_bundle_attach)(void *conf); /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification bundle for server verification, must be enabled in menuconfig */
esp_tls_cfg_t
:esp_err_t (*crt_bundle_attach)(void *conf); /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification bundle for server verification, must be enabled in menuconfig */
Using this parameter, I can give my http_client a function called on initialization to set my own 'cert bundle' (which is directly the expected CA chain to verify the server with) and a verify callback:
So fare so good, I can do half of what I would like to do.
But now, the issue is I cannot populate the
void* param
paramter of my callback, since I cannot give it through the_my_crt_bundle_attach(void* conf)
function. Indeed, this function has a specific footprint given by the parameters from the config structure from esp_tls and esp_http, and only thembedtls_ssl_config* conf
is passed.Describe the solution you'd like.
As I am programming in C++, I just wrote the code snippets above to be in C so that it keeps things very simple. But I wished to be able to pass user data through the API so that these attach and callback functions can work using specific objects and use the benefits of object oriented programming.
For example, let's say I have 2 clients, but I want to filter out different flags, have a different
_remote_cert_chain
which is not static but a local member from my objects, etc ... The only way I can do this for now is by duplicating the functions and variables and modify their behavior.So, how about this:
esp_err_t (*crt_bundle_attach)(void *conf, void* user_data)
int(*)(void *, mbedtls_x509_crt *, int, uint32_t *) f_vrfy, void * p_vrfy
just like the mbedtls API._my_crt_bundle_attach
when callingmbedtls_ssl_conf_verify
can be done if those parameters are given.Depending on the solution, the 2 funcs can become
Describe alternatives you've considered.
I considered using directly mbedlts API and write my http_client from scratch, but that would take me ages to implement it and adapt my existing code (like https://github.com/espressif/esp-idf/tree/5eddb9e016/examples/protocols/https_mbedtls).
Why re-invent the wheel while esp_tls & esp_http_client exist ?
Additional context.
I know this would imply some modifications to the commonly used esp_tls & esp_http_client config structures, to a point where this is not a small change. Moreover, the first solution proposed here also makes mandatory to update the ESP x509 Certificate Bundle module.
Maybe these
esp_err_t (*crt_bundle_attach)(void *conf)
parameters were only meant to be used with this bundle module, with theesp_crt_bundle_attach
function, and I derived the expected behavior, but I feel like I am not doing something no one would do and my suggestion is meaningful.I hope readers understood my point well and that this suggestion is indeed relevant.
I look forward to reading any comment on that matter !
M. Pacheu
The text was updated successfully, but these errors were encountered: