maakbaas / esp8266-iot-framework

Framework for IoT projects implementing HTTPS requests, a React web interface, WiFi manager, live dashboard, configuration manager, file manager and OTA updates.
GNU General Public License v3.0

How to add a custom certificate? #106

Closed Mudr0003 closed 3 years ago

Mudr0003 commented 3 years ago

Can you provide the steps required to include a custom certificate for use with mqtt?

The documentation from the following site indicates appending to the certificates, but with the modified process for the framework it is not clear how to do it, because the framework automates the process. I would like to understand where and at what point in time to append the custom certificate. The following documentation mentions MQTT as needing this, and I am trying to do this for Amazon Web Services. I can see some options, such as modifying the Python script which generates the certificates, but I could not find enough documentation explaining how to do that. Because the framework handles all of the networking internally, it is not obvious where to add in a custom hook.

I am attempting to use the following within my setup code, just before starting the framework (which connects WiFi): WiFiClientSecure wifiSecClient; wifiSecClient.setTrustAnchors(&cert); wifiSecClient.setClientRSACert(&client_crt, &key);

https://arduino-esp8266.readthedocs.io/en/latest/esp8266wifi/bearssl-client-secure-class.html

X.509 Certificate(s) X509 certificates are used to identify peers in TLS connections. Normally only the server identifies itself, but the client can also supply an X509 certificate if desired (this is often done in MQTT applications). The certificate contains many fields, but the most interesting in our applications are the name, the public key, and potentially a chain of signing that leads back to a trusted authority (like a global internet CA or a company-wide private certificate authority).

Any call that takes an X509 certificate can also take a list of X509 certificates, so there is no special X509 class, simply BearSSL::X509List (which may only contain a single certificate).

Generating a certificate to be used to validate using the constructor

BearSSL::X509List(const char *pemX509); ...or... BearSSL::X509List(const uint8_t *derCert, size_t derLen); If you need to add additional certificates (unlikely in normal operation), the ::append() operation can be used.

Thank you.
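An added example (not from the original post or from the framework) of the BearSSL client-certificate setup the quoted documentation describes, written to run next to the framework rather than through it; the PEM blobs, SSID, broker endpoint and NTP servers are placeholders:

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <time.h>

// Placeholder PEM material (assumed): the CA that signed the broker's certificate,
// the device certificate and its private key. Never commit real keys to a repository.
static const char ca_pem[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CA_CERT
-----END CERTIFICATE-----
)EOF";
static const char client_crt_pem[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CLIENT_CERT
-----END CERTIFICATE-----
)EOF";
static const char client_key_pem[] PROGMEM = R"EOF(
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER_CLIENT_KEY
-----END RSA PRIVATE KEY-----
)EOF";

// These objects must outlive the client that references them, so keep them at file scope.
BearSSL::X509List caCert(ca_pem);            // trust anchor: only this CA is accepted
BearSSL::X509List clientCert(client_crt_pem); // device identity presented to the broker
BearSSL::PrivateKey clientKey(client_key_pem);
BearSSL::WiFiClientSecure tlsClient;

const char *brokerHost = "PLACEHOLDER-ats.iot.eu-west-1.amazonaws.com"; // placeholder endpoint
const uint16_t brokerPort = 8883;

// BearSSL rejects every certificate as "not yet valid" while the clock is still at 1970,
// so certificate validation needs NTP time first. Servers are assumptions.
static bool syncClock(uint32_t timeoutMs) {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  uint32_t start = millis();
  while (time(nullptr) < 8 * 3600 * 2) {          // same sanity threshold the core examples use
    if (millis() - start > timeoutMs) return false;
    delay(100);
  }
  return true;
}

void setup() {
  Serial.begin(115200);
  WiFi.begin("PLACEHOLDER_SSID", "PLACEHOLDER_PASS"); // or let the framework's WiFi manager connect
  while (WiFi.status() != WL_CONNECTED) delay(250);
  if (!syncClock(15000)) { Serial.println("NTP sync failed; not connecting"); return; }
  tlsClient.setTrustAnchors(&caCert);                   // verify broker chain against the CA
  tlsClient.setClientRSACert(&clientCert, &clientKey);  // mutual TLS: present the device cert
  if (!tlsClient.connect(brokerHost, brokerPort)) {
    char err[80]; tlsClient.getLastSSLError(err, sizeof(err));
    Serial.printf("TLS connect failed: %s\n", err);    // e.g. wrong CA, expired cert, bad clock
    return;
  }
  Serial.println("TLS session up; hand tlsClient to an MQTT library such as PubSubClient");
}
void loop() {}
```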

maakbaas commented 3 years ago

Thanks for this issue, it seems to be a duplicate of #105

As stated there:

Right now, no MQTT related functionality is implemented. However, this framework does not prevent you from using any code, default functions or libraries, so whatever you aim to do should be possible with your own code on top of or next to the framework.

You are always welcome to propose new added functionality to add MQTT for instance.

Personally I don't yet have experience with MQTT so I struggle to understand the exact issue. Also, if there are ways to implement this MQTT certificate without my Framework, it should still be possible to do it with the framework side by side?

Unless you can show a specific example where this framework causes an issue I will close this thread for now.