From 60004266a21740140378cce7ea6229e6e9d5f291 Mon Sep 17 00:00:00 2001 From: aweatherguy Date: Sat, 9 Apr 2022 10:37:23 -0700 Subject: [PATCH 1/2] Update tasmota_ca.ino --- tasmota/tasmota_ca.ino | 84 ++++++++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 28 deletions(-) diff --git a/tasmota/tasmota_ca.ino b/tasmota/tasmota_ca.ino index ce78760b6..007685863 100644 --- a/tasmota/tasmota_ca.ino +++ b/tasmota/tasmota_ca.ino @@ -17,12 +17,30 @@ along with this program. If not, see . */ -// The below is currenlty not used, CA validation takes too much memory and compute time. -// Please use fingerprint validation instead -// However, the CA are available below for future use if it appears to be useful - +// +// Certificates are stored in flash (PROGMEM) to avoid consuming valuable RAM. +// +// To save space in flash, the Let's Encrypt and Amazon AWS certificates may be +// individually omitted if TLS is enabled, but the certificates are not used. +// This is typically the case when a locally generated root certificate is used +// for TLS authentication. +// +// To omit these certificates, define one or both of the +// OMIT_LETS_ENCRYPT_CERT and/or OMIT_AWS_CERT macros in user_config_override.h. +// +// To include a locally generated root certificate, define the +// INCLUDE_LOCAL_CERT macro in user_config_override.h. +// +// See the files tasmota/local_ca_data_sample.h and tasmota/local_ca_descriptor_sample.h +// in the Tasmota source for instructions for generating them from a local root +// certificate in .crt format. +// +// Note: Using full certificate verification increases the amount of time +// required to create a TLS connection, compared to fingerprint validation. +// #if defined(USE_TLS) +#if ! defined(OMIT_LETS_ENCRYPT_CERT) /*********************************************************************************************\ * LetsEncrypt R3 certificate, RSA 2048 bits SHA 256, valid until 20250915 * @@ -71,18 +89,10 @@ static const unsigned char LetsEncryptR3_RSA_E[] = { 0x01, 0x00, 0x01 }; -static const br_x509_trust_anchor PROGMEM LetsEncryptR3_TA = { - { (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN }, - BR_X509_TA_CA, - { - BR_KEYTYPE_RSA, - { .rsa = { - (unsigned char *)LetsEncryptR3_RSA_N, sizeof LetsEncryptR3_RSA_N, - (unsigned char *)LetsEncryptR3_RSA_E, sizeof LetsEncryptR3_RSA_E, - } } - } -}; +#endif + +#if ! defined(OMIT_AWS_CERT) /*********************************************************************************************\ * Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117 * @@ -132,20 +142,16 @@ static const unsigned char PROGMEM AmazonRootCA1_RSA_E[] = { 0x01, 0x00, 0x01 }; -const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = { - { (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN }, - BR_X509_TA_CA, - { - BR_KEYTYPE_RSA, - { .rsa = { - (unsigned char *)AmazonRootCA1_RSA_N, sizeof AmazonRootCA1_RSA_N, - (unsigned char *)AmazonRootCA1_RSA_E, sizeof AmazonRootCA1_RSA_E, - } } - } -}; +#endif -// cumulative CA +#if defined(INCLUDE_LOCAL_CERT) +#include +#endif +// +// ========== cumulative CA ================= +// const br_x509_trust_anchor PROGMEM Tasmota_TA[] = { +#if ! defined(OMIT_LETS_ENCRYPT_CERT) { { (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN }, BR_X509_TA_CA, @@ -157,7 +163,13 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = { } } } } - , + +#if ! defined(OMIT_AWS_CERT) || defined(INCLUDE_LOCAL_CERT) + , +#endif +#endif + +#if ! defined(OMIT_AWS_CERT) { { (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN }, BR_X509_TA_CA, @@ -169,11 +181,26 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = { } } } } + +#if defined(INCLUDE_LOCAL_CERT) + , +#endif +#endif + + +#if defined(INCLUDE_LOCAL_CERT) +#include +#endif + }; const size_t Tasmota_TA_size = nitems(Tasmota_TA); + +#if defined(USE_TELEGRAM) + // we add a separate CA for telegram + /*********************************************************************************************\ * GoDaddy Daddy Secure Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20220523 * @@ -231,5 +258,6 @@ const br_x509_trust_anchor GoDaddyCAG2_TA PROGMEM = { } } } }; +#endif #endif // defined(USE_TLS) From 08799e0760a38e07905a73f27675d1872b4e298f Mon Sep 17 00:00:00 2001 From: aweatherguy Date: Sat, 9 Apr 2022 10:40:09 -0700 Subject: [PATCH 2/2] New sample files for local root cert. --- tasmota/local_ca_data_sample.h | 51 ++++++++++++++++++++++++++++ tasmota/local_ca_descriptor_sample.h | 50 +++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 tasmota/local_ca_data_sample.h create mode 100644 tasmota/local_ca_descriptor_sample.h diff --git a/tasmota/local_ca_data_sample.h b/tasmota/local_ca_data_sample.h new file mode 100644 index 000000000..160e362ad --- /dev/null +++ b/tasmota/local_ca_data_sample.h @@ -0,0 +1,51 @@ +/* + local_ca_sample.h - sample file for embedding a local CA certificate + + Copyright (C) 2021 Theo Arends + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* +To generate a version of this file containing data for your root certificate, +run the following command from a Linux or Cygwin bash shell, assuming that a +copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script +is located. + +./brssl ta pki/ca.crt | sed -e '/br_x509/,+999 d' >local_ca_data.h + +Then copy local_ca_data.h into the same directory as user_config_override. + +Add this line to user_config_override.h: + +#define INCLUDE_LOCAL_CERT + +Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h +*/ + +// +// this is what the result will look like, except there will be +// a lot of data bytes defined in the first three arrays +// +static const unsigned char PROGMEM TA0_DN[] = { + // variable number of bytes go here (typically 100-140 or so) for the DN +}; + +static const unsigned char PROGMEM TA0_RSA_N[] = { + // 256 bytes go here for the public key modulus +}; + +static const unsigned char PROGMEM TA0_RSA_E[] = { + // 3 bytes go here for the public key exponent +}; diff --git a/tasmota/local_ca_descriptor_sample.h b/tasmota/local_ca_descriptor_sample.h new file mode 100644 index 000000000..3d4481981 --- /dev/null +++ b/tasmota/local_ca_descriptor_sample.h @@ -0,0 +1,50 @@ +/* + local-ca-sample.h - sample file for embedding a local CA certificate + + Copyright (C) 2021 Theo Arends + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* +To generate a version of this file containing data for your root certificate, +run the following command from a Linux or Cygwin bash shell, assuming that a +copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script +is located. + +./brssl ta pki/ca.crt | sed -e '1,/br_x509/ d' -e '/};/,+999 d' >local_ca_descriptor.h + +Then copy local_ca_descriptor.h into the same directory as user_config_override. + +Add this line to user_config_override.h: + +#define INCLUDE_LOCAL_CERT + +Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h +*/ + +// +// this is what the result will look like +// + { + { (unsigned char *)TA0_DN, sizeof TA0_DN }, + BR_X509_TA_CA, + { + BR_KEYTYPE_RSA, + { .rsa = { + (unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N, + (unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E, + } } + } + }