FirebaseExtended / firebase-arduino

Arduino samples for Firebase.
Apache License 2.0

add support for CACert validation #341

Open proppy opened 6 years ago

proppy commented 6 years ago

Rather than using a fingerprint, we could embed the Firebase CA cert and validate against it.

WifiClientSecure seems to have support for this; not sure if it's implemented yet in the esp8266 HttpClient.

proppy commented 5 years ago

We should also make sure we support multiple certs, so that we can add upcoming certs in advance if given a heads-up from the Firebase team.

Ideally we would have a "safe place" to fetch the next certs using the current certs so that developers don't have to flash their firmware and serialize it to EEPROM so that it can survive a reboot after the current cert expires.

tonymeng commented 5 years ago

Correct. The main situation I would like to address is:

When a certificate is updated (root, intermediate, or leaf), the device is able to swap over to support/trust the new certificate immediately without downtime.

I believe the approach of supporting at least 2 certificates will help us avoid this scenario by allowing the device to be pre-populated with the new certificate well in advance of the actual change in the server.

yhua537 commented 5 years ago

Only one cert might be enough, considering we will have the fingerprint of the leaf cert as the primary and the root cert as a backup solution. The root cert, which changes every few years, can help us stay connected when the fingerprint doesn't work. We can update the fingerprint and fetch it from Firebase on a successful connection. And with changes of the root cert, which happens every years, if we can fetch the new fingerprint (preferably in advance) to allow the ESP to stay connected and update the cert on first connection.

When they both get updated at the same time, and we don't know it in advance, then we will need to have another safe place, which will likely be out of scope for this library.

I actually think the management of the certificate/fingerprint should be managed by us, and we will need to inject WiFiClientSecure from outside the library to httpclient, as I notice the current function call to "http_.begin(host.c_str(), kFirebasePort, path.c_str(), kFirebaseFingerprint);" is deprecated as of 2.5.0.
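The approach discussed in this thread, as an added sketch that is not code from firebase-arduino or from any commenter: the application owns a `BearSSL::WiFiClientSecure`, loads two root CAs (current and announced successor) as trust anchors, and injects the client into `HTTPClient`. It assumes ESP8266 Arduino core 2.5.0 or later; the PEM strings, Wi-Fi credentials and URL are placeholders to be replaced.

```arduino
// Added example. Requires ESP8266 Arduino core >= 2.5.0 (BearSSL-based TLS).
#include <ESP8266WiFi.h>
#include <ESP8266HTTPClient.h>
#include <WiFiClientSecure.h>
#include <time.h>

// Placeholders, not values from the issue: paste the real PEM blocks here.
static const char kCurrentRootPem[] = "PLACEHOLDER: current root CA, PEM";
static const char kNextRootPem[]    = "PLACEHOLDER: announced next root CA, PEM";
static const char kUrl[] = "https://PLACEHOLDER.firebaseio.com/.json";

BearSSL::X509List trustAnchors;       // must outlive every client that uses it
BearSSL::WiFiClientSecure tlsClient;  // owned by the app, injected into HTTPClient

static bool loadTrustAnchors() {
  // Both roots are trusted at once, so a server-side swap needs no reflash.
  bool ok = trustAnchors.append(kCurrentRootPem);
  ok = trustAnchors.append(kNextRootPem) && ok;
  if (ok) tlsClient.setTrustAnchors(&trustAnchors);
  return ok;  // on failure nothing is configured and TLS connects are refused
}

void setup() {
  Serial.begin(115200);
  WiFi.begin("ssid-placeholder", "password-placeholder");
  while (WiFi.status() != WL_CONNECTED) delay(250);

  // Certificate validity dates are checked against wall-clock time,
  // so wait for NTP before the first handshake.
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  while (time(nullptr) < 8 * 3600 * 2) delay(250);

  if (!loadTrustAnchors()) {
    Serial.println("trust anchor failed to parse; not connecting");
    return;
  }

  HTTPClient http;
  if (http.begin(tlsClient, kUrl)) {  // replaces the deprecated begin(..., fingerprint)
    int code = http.GET();
    if (code < 0) {                   // negative: transport or TLS failure
      char err[96] = {0};
      tlsClient.getLastSSLError(err, sizeof(err));
      Serial.printf("GET failed (%d): %s\n", code, err);
    } else {
      Serial.printf("GET -> HTTP %d\n", code);
    }
    http.end();
  }
}

void loop() {}
```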