Support client key passwords for HTTPS connections (IDFGH-5698) #7418

Closed
joncmaloney opened this issue Aug 14, 2021 · 3 comments
Labels
Resolution: Done Issue is done internally Status: Done Issue is done internally Type: Feature Request Feature request for IDF

Comments

@joncmaloney
Contributor

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Please give as many details as you can. Include suggestions for useful APIs or interfaces if relevant.

Additional context

Add any other context or screenshots about the feature request here.

@joncmaloney joncmaloney added the Type: Feature Request Feature request for IDF label Aug 14, 2021
@espressif-bot espressif-bot added the Status: Opened Issue is new label Aug 14, 2021
@github-actions github-actions bot changed the title Support client key passwords for HTTPS connections Support client key passwords for HTTPS connections (IDFGH-5698) Aug 14, 2021
@joncmaloney
Contributor Author

I don't know how to add a key into an ESP32 bin image securely. We have a requirement that all secrets are encrypted at rest and in transit. If the key is not password protected, it is in plain text and anyone with access to the bin image is able to view the key. Therefore the key is not encrypted at rest. If a build server was to secure the image by encrypting it, it needs to be decrypted to be transported via the UART bootloader and hence is not encrypted in transit. This is unless we use a host generated key (not recommended). Further, if host generated keys are used, the keys need to be transmitted to the ESP32 in plain text on first program. This also doesn't meet our security requirements.

We are currently using password protected keys then manually removing the password from these keys using the mbedtls libraries.
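A build-server check for the exposure described in the comment above, as an added example that is not part of the original thread or of ESP-IDF: it scans a firmware image for embedded PEM private keys and reports which ones are not passphrase-protected. The function names and the sample image are assumptions constructed for illustration.

```python
import re

# Matches PEM private-key blocks: "RSA PRIVATE KEY", "EC PRIVATE KEY",
# "PRIVATE KEY" (PKCS#8) and "ENCRYPTED PRIVATE KEY" (encrypted PKCS#8).
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----(.*?)-----END \1-----",
    re.DOTALL,
)


def find_private_keys(image: bytes):
    """Return (offset, label, encrypted) for each PEM private key in image."""
    findings = []
    for m in PEM_KEY.finditer(image):
        label = m.group(1).decode("ascii")
        # Encrypted PKCS#8 says so in its label; traditional OpenSSL PEM
        # marks it with a "Proc-Type: 4,ENCRYPTED" header inside the block.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or b"Proc-Type: 4,ENCRYPTED" in m.group(2))
        findings.append((m.start(), label, encrypted))
    return findings


def plaintext_keys(image: bytes):
    """Only the findings that anyone holding the image could read directly."""
    return [f for f in find_private_keys(image) if not f[2]]


def _pem(label: bytes, body: bytes) -> bytes:
    # Helper that builds the constructed sample blocks below.
    return (b"-----BEGIN " + label + b"-----\n" + body
            + b"\n-----END " + label + b"-----\n")


# Constructed sample image: filler bytes plus three fake PEM blocks.
# The base64 bodies are placeholders, not real key material.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + _pem(b"PRIVATE KEY", b"Q09OU1RSVUNURUQ=") + b"\x00"
    + _pem(b"RSA PRIVATE KEY",
           b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=")
    + b"\x00"
    + _pem(b"ENCRYPTED PRIVATE KEY", b"Q09OU1RSVUNURUQ=") + b"\xff" * 8
)

if __name__ == "__main__":
    for offset, label, encrypted in find_private_keys(SAMPLE_IMAGE):
        state = "encrypted" if encrypted else "PLAINTEXT"
        print(f"0x{offset:04x}  {label:22}  {state}")
    # Non-zero exit fails the build when a readable key is embedded.
    raise SystemExit(1 if plaintext_keys(SAMPLE_IMAGE) else 0)
```

The scan sees PEM text only; a DER-encoded key in the image would not be found.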

@negativekelvin
Contributor

How do you protect the passphrase?

@joncmaloney
Contributor Author

joncmaloney commented Aug 15, 2021

It's not cryptographically secure. It can only be obfuscated.

@espressif-bot espressif-bot added Status: In Progress Work is in progress Resolution: NA Issue resolution is unavailable Status: Done Issue is done internally Resolution: Done Issue is done internally and removed Status: Opened Issue is new Status: In Progress Work is in progress Resolution: NA Issue resolution is unavailable labels Aug 26, 2021
espressif-bot pushed a commit that referenced this issue Oct 12, 2021
Closes #7420
Closes #7418

Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com>