Merge pull request #15332 from aweatherguy/development

Enhance embedding of local root certificate
2025-07-23 18:56:38 +00:00 · 2022-05-05 18:01:43 +02:00 · 2022-05-05 18:01:43 +02:00 · 3da760c109
commit 3da760c109
parent 44a7e20a1b 08799e0760
3 changed files with 157 additions and 28 deletions
--- a/tasmota/local_ca_data_sample.h
+++ b/tasmota/local_ca_data_sample.h
@ -0,0 +1,51 @@
 /*
  local_ca_sample.h - sample file for embedding a local CA certificate
  Copyright (C) 2021  Theo Arends
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /*
 To generate a version of this file containing data for your root certificate, 
 run the following command from a Linux or Cygwin bash shell, assuming that a 
 copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
 is located. 
 ./brssl ta pki/ca.crt | sed -e '/br_x509/,+999 d' >local_ca_data.h
 Then copy local_ca_data.h into the same directory as user_config_override.
 Add this line to user_config_override.h:
 #define INCLUDE_LOCAL_CERT
 Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
 */
 //
 // this is what the result will look like, except there will be
 // a lot of data bytes defined in the first three arrays 
 //
 static const unsigned char PROGMEM TA0_DN[] = {
 	// variable number of bytes go here (typically 100-140 or so) for the DN
 };
 static const unsigned char PROGMEM TA0_RSA_N[] = {
 	// 256 bytes go here for the public key modulus
 };
 static const unsigned char PROGMEM TA0_RSA_E[] = {
 	// 3 bytes go here for the public key exponent
 };
--- a/tasmota/local_ca_descriptor_sample.h
+++ b/tasmota/local_ca_descriptor_sample.h
@ -0,0 +1,50 @@
 /*
  local-ca-sample.h - sample file for embedding a local CA certificate
  Copyright (C) 2021  Theo Arends
  This program is free software: you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 /*
 To generate a version of this file containing data for your root certificate, 
 run the following command from a Linux or Cygwin bash shell, assuming that a 
 copy of brssl (or brssl.exe) is in the directory where the EasyRSA shell script
 is located. 
 ./brssl ta pki/ca.crt | sed -e '1,/br_x509/ d' -e '/};/,+999 d' >local_ca_descriptor.h
 Then copy local_ca_descriptor.h into the same directory as user_config_override.
 Add this line to user_config_override.h:
 #define INCLUDE_LOCAL_CERT
 Be sure to generate both files: local_ca_data.h, and local_ca_descriptor.h
 */
 //
 // this is what the result will look like
 //
 	{
 		{ (unsigned char *)TA0_DN, sizeof TA0_DN },
 		BR_X509_TA_CA,
 		{
 			BR_KEYTYPE_RSA,
 			{ .rsa = {
 				(unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N,
 				(unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E,
 			} }
 		}
 	}
--- a/tasmota/tasmota_ca.ino
+++ b/tasmota/tasmota_ca.ino
@ -17,12 +17,30 @@
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
-// The below is currenlty not used, CA validation takes too much memory and compute time.
+//
-// Please use fingerprint validation instead
+// Certificates are stored in flash (PROGMEM) to avoid consuming valuable RAM.
-// However, the CA are available below for future use if it appears to be useful
+//
-
+// To save space in flash, the Let's Encrypt and Amazon AWS certificates may be 
 // individually omitted if TLS is enabled, but the certificates are not used. 
 // This is typically the case when a locally generated root certificate is used 
 // for TLS authentication.
 // 
 // To omit these certificates, define one or both of the 
 // OMIT_LETS_ENCRYPT_CERT and/or OMIT_AWS_CERT macros in user_config_override.h.
 //
 // To include a locally generated root certificate, define the
 // INCLUDE_LOCAL_CERT macro in user_config_override.h.
 // 
 // See the files tasmota/local_ca_data_sample.h and tasmota/local_ca_descriptor_sample.h
 // in the Tasmota source for instructions for generating them from a local root
 // certificate in .crt format.
 //
 // Note: Using full certificate verification increases the amount of time
 //       required to create a TLS connection, compared to fingerprint validation.
 //
 #if defined(USE_TLS)
 #if ! defined(OMIT_LETS_ENCRYPT_CERT)
 /*********************************************************************************************\
 * LetsEncrypt R3 certificate, RSA 2048 bits SHA 256, valid until 20250915
 *
@ -71,18 +89,10 @@ static const unsigned char LetsEncryptR3_RSA_E[] = {
 	0x01, 0x00, 0x01
 };
 static const br_x509_trust_anchor PROGMEM LetsEncryptR3_TA = {
 	{ (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
 	BR_X509_TA_CA,
 	{
 		BR_KEYTYPE_RSA,
 		{ .rsa = {
 			(unsigned char *)LetsEncryptR3_RSA_N, sizeof LetsEncryptR3_RSA_N,
 			(unsigned char *)LetsEncryptR3_RSA_E, sizeof LetsEncryptR3_RSA_E,
 		} }
 	}
 };
 #endif
 #if ! defined(OMIT_AWS_CERT)
 /*********************************************************************************************\
 * Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117
 *
@ -132,20 +142,16 @@ static const unsigned char PROGMEM AmazonRootCA1_RSA_E[] = {
 	0x01, 0x00, 0x01
 };
-const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = {
+#endif
 	{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
 	BR_X509_TA_CA,
 	{
 		BR_KEYTYPE_RSA,
 		{ .rsa = {
 			(unsigned char *)AmazonRootCA1_RSA_N, sizeof AmazonRootCA1_RSA_N,
 			(unsigned char *)AmazonRootCA1_RSA_E, sizeof AmazonRootCA1_RSA_E,
 		} }
 	}
 };
-// cumulative CA
+#if  defined(INCLUDE_LOCAL_CERT)
 #include <local_ca_data.h>
 #endif
 //
 //  ========== cumulative CA =================
 //
 const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 #if ! defined(OMIT_LETS_ENCRYPT_CERT)
 	{
 		{ (unsigned char *)LetsEncryptR3_DN, sizeof LetsEncryptR3_DN },
 		BR_X509_TA_CA,
@ -157,7 +163,13 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 			} }
 		}
 	}
-	,
+
 #if ! defined(OMIT_AWS_CERT) || defined(INCLUDE_LOCAL_CERT)
    ,
 #endif
 #endif
 #if ! defined(OMIT_AWS_CERT)
 	{
 		{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
 		BR_X509_TA_CA,
@ -169,11 +181,26 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 			} }
 		}
 	}
 #if defined(INCLUDE_LOCAL_CERT)
    ,
 #endif
 #endif
 #if defined(INCLUDE_LOCAL_CERT)
 #include <local_ca_descriptor.h>
 #endif
 };
 const size_t Tasmota_TA_size = nitems(Tasmota_TA);
 #if defined(USE_TELEGRAM)
 // we add a separate CA for telegram
 /*********************************************************************************************\
 * GoDaddy Daddy Secure Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20220523
 *
@ -231,5 +258,6 @@ const br_x509_trust_anchor GoDaddyCAG2_TA PROGMEM = {
 		} }
 	}
 };
 #endif
 #endif // defined(USE_TLS)