search

golioth / golioth-zephyr-sdk

Golioth SDK For Zephyr
https://www.golioth.io
Apache License 2.0
65 stars 20 forks source link

Move hardcoded certificates from Golioth subsystem into samples #398

Closed sam-golioth closed 1 year ago

sam-golioth commented 1 year ago

This PR removes the management of TLS certificates from the Golioth library. Clients are now responsible for setting TLS certificate credentials in the TLS Credential subsystem before starting the Golioth system, as well as persisting them on the device. In order to facilitate prototyping and experimentation, a new hardcoded_credentials module has been added to samples/common to provide the same functionality that used to be baked directly into the SDK. This gives application developers the flexibility to implement their own provisioning and storage mechanisms, while maintaining the same low-effort experience for users of the samples.

Note that this doesn't actually provide any facility for provisioning certificates, it only removes the parts of the SDK that prevented a customer from implementing provisioning themselves. In a future PR, I'll add a sample that shows one way a developer could provision certificates onto the device. This PR was getting larger than I initially expected, so I decided to break it into parts.

Note too that the new hardcoded_credentials module is also where I plan to put hardcoded PSK credentials for the samples after we remove that from the SDK. Bringing the hardcoded credentials code up into the samples should make it more obvious to users when they need to set credentials in Kconfig vs provisioned, as well as make the SDK itself cleaner.

github-actions[bot] commented 1 year ago

Visit the preview URL for this PR (updated for commit bee50d8):

https://golioth-zephyr-sdk-doxygen-dev--pr398-certificate-prov-egk9u7x2.web.app

(expires Wed, 28 Jun 2023 17:07:23 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: a389eefadf4b4b68a539327b3459dd66c142cf49

sam-golioth commented 1 year ago

We need something similar for PSK auth as well, so that user (or in our case samples/ implementation) will be responsible for setting credentials.

Yup. In the PR description I talk about using the same hardcoded_credentials module to handle PSKs. It will be done as part of https://github.com/golioth/firmware-issue-tracker/issues/145