Merge pull request #15332 from aweatherguy/development

Enhance embedding of local root certificate
2022-05-05 18:01:43 +02:00 · 2022-05-05 18:01:43 +02:00 · 3da760c109
parent 44a7e20a1b 08799e0760
commit 3da760c109
3 changed files with 157 additions and 28 deletions
--- a/tasmota/local_ca_data_sample.h
+++ b/tasmota/local_ca_data_sample.h
@ -0,0 +1,51 @@
+/*
+  local_ca_sample.h - sample file for embedding a local CA certificate
+
+  Copyright (C) 2021  Theo Arends
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation, either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+To generate a version of this file containing data for your root certificate, 
+run the following command from a Linux or Cygwin bash shell, assuming that a 
+copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
+is located. 
+
+./brssl ta pki/ca.crt | sed -e '/br_x509/,+999 d' >local_ca_data.h
+
+Then copy local_ca_data.h into the same directory as user_config_override.
+
+Add this line to user_config_override.h:
+
+#define INCLUDE_LOCAL_CERT
+
+Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
+*/
+
+//
+// this is what the result will look like, except there will be
+// a lot of data bytes defined in the first three arrays 
+//
+static const unsigned char PROGMEM TA0_DN[] = {
+	// variable number of bytes go here (typically 100-140 or so) for the DN
+};
+
+static const unsigned char PROGMEM TA0_RSA_N[] = {
+	// 256 bytes go here for the public key modulus
+};
+
+static const unsigned char PROGMEM TA0_RSA_E[] = {
+	// 3 bytes go here for the public key exponent
+};
--- a/tasmota/local_ca_descriptor_sample.h
+++ b/tasmota/local_ca_descriptor_sample.h
@ -0,0 +1,50 @@
+/*
+  local-ca-sample.h - sample file for embedding a local CA certificate
+
+  Copyright (C) 2021  Theo Arends
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation, either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+To generate a version of this file containing data for your root certificate, 
+run the following command from a Linux or Cygwin bash shell, assuming that a 
+copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
+is located. 
+
+./brssl ta pki/ca.crt | sed -e '1,/br_x509/ d' -e '/};/,+999 d' >local_ca_descriptor.h
+
+Then copy local_ca_descriptor.h into the same directory as user_config_override.
+
+Add this line to user_config_override.h:
+
+#define INCLUDE_LOCAL_CERT
+
+Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
+*/
+
+//
+// this is what the result will look like
+//
+	{
+		{ (unsigned char *)TA0_DN, sizeof TA0_DN },
+		BR_X509_TA_CA,
+		{
+			BR_KEYTYPE_RSA,
+			{ .rsa = {
+				(unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N,
+				(unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E,
+			} }
+		}
+	}
--- a/tasmota/tasmota_ca.ino
+++ b/tasmota/tasmota_ca.ino
@ -17,12 +17,30 @@
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-// The below is currenlty not used, CA validation takes too much memory and compute time.
-// Please use fingerprint validation instead
-// However, the CA are available below for future use if it appears to be useful
-
+//
+// Certificates are stored in flash (PROGMEM) to avoid consuming valuable RAM.
+//
+// To save space in flash, the Let's Encrypt and Amazon AWS certificates may be 
+// individually omitted if TLS is enabled, but the certificates are not used. 
+// This is typically the case when a locally generated root certificate is used 
+// for TLS authentication.
+// 
+// To omit these certificates, define one or both of the 
+// OMIT_LETS_ENCRYPT_CERT and/or OMIT_AWS_CERT macros in user_config_override.h.
+//
+// To include a locally generated root certificate, define the
+// INCLUDE_LOCAL_CERT macro in user_config_override.h.
+// 
+// See the files tasmota/local_ca_data_sample.h and tasmota/local_ca_descriptor_sample.h
+// in the Tasmota source for instructions for generating them from a local root
+// certificate in .crt format.
+//
+// Note: Using full certificate verification increases the amount of time
+//       required to create a TLS connection, compared to fingerprint validation.
+//
 #if defined(USE_TLS)

+#if ! defined(OMIT_LETS_ENCRYPT_CERT)
 /*********************************************************************************************\
 * LetsEncrypt R3 certificate, RSA 2048 bits SHA 256, valid until 20250915
 *
@ -71,18 +89,10 @@ static const unsigned char LetsEncryptR3_RSA_E[] = {
 	0x01, 0x00, 0x01
 };

-static const br_x509_trust_anchor PROGMEM LetsEncryptR3_TA = {
-	{ (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
-	BR_X509_TA_CA,
-	{
-		BR_KEYTYPE_RSA,
-		{ .rsa = {
-			(unsigned char *)LetsEncryptR3_RSA_N, sizeof LetsEncryptR3_RSA_N,
-			(unsigned char *)LetsEncryptR3_RSA_E, sizeof LetsEncryptR3_RSA_E,
-		} }
-	}
-};

+#endif
+
+#if ! defined(OMIT_AWS_CERT)
 /*********************************************************************************************\
 * Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117
 *
@ -132,20 +142,16 @@ static const unsigned char PROGMEM AmazonRootCA1_RSA_E[] = {
 	0x01, 0x00, 0x01
 };

-const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = {
-	{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
-	BR_X509_TA_CA,
-	{
-		BR_KEYTYPE_RSA,
-		{ .rsa = {
-			(unsigned char *)AmazonRootCA1_RSA_N, sizeof AmazonRootCA1_RSA_N,
-			(unsigned char *)AmazonRootCA1_RSA_E, sizeof AmazonRootCA1_RSA_E,
-		} }
-	}
-};
+#endif

-// cumulative CA
+#if  defined(INCLUDE_LOCAL_CERT)
+#include <local_ca_data.h>
+#endif
+//
+//  ========== cumulative CA =================
+//
 const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
+#if ! defined(OMIT_LETS_ENCRYPT_CERT)
 	{
 		{ (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
 		BR_X509_TA_CA,
@ -157,7 +163,13 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 			} }
 		}
 	}
-	,
+
+#if ! defined(OMIT_AWS_CERT) || defined(INCLUDE_LOCAL_CERT)
+    ,
+#endif
+#endif
+
+#if ! defined(OMIT_AWS_CERT)
 	{
 		{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
 		BR_X509_TA_CA,
@ -169,11 +181,26 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 			} }
 		}
 	}
+
+#if defined(INCLUDE_LOCAL_CERT)
+    ,
+#endif
+#endif
+
+
+#if defined(INCLUDE_LOCAL_CERT)
+#include <local_ca_descriptor.h>
+#endif
+
 };

 const size_t Tasmota_TA_size = nitems(Tasmota_TA);

+
+#if defined(USE_TELEGRAM)
+
 // we add a separate CA for telegram
+
 /*********************************************************************************************\
 * GoDaddy Daddy Secure Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20220523
 *
@ -231,5 +258,6 @@ const br_x509_trust_anchor GoDaddyCAG2_TA PROGMEM = {
 		} }
 	}
 };
+#endif

 #endif // defined(USE_TLS)