djsundog/circuitpython
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

picow: Add support of self-signed certificates.

Browse Source 
## Testing self-signed certificates and `load_verify_locations`

Obtain the badssl "self-signed" certificate in the correct form:

```sh
openssl s_client -servername self-signed.badssl.com -connect untrusted-root.badssl.com:443 < /dev/null | openssl x509 > self-signed.pem
```

Copy it and the script to CIRCUITPY:
```python
import os
import wifi
import socketpool
import ssl
import adafruit_requests

TEXT_URL = "https://self-signed.badssl.com/"
if not wifi.radio.ipv4_address:
    wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))

pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} without certificate (should fail)")
try:
    response = requests.get(TEXT_URL)
except Exception as e:
    print(f"Failed: {e}")
else:
    print(f"{response.status_code=}, should have failed with exception")

print("Loading server certificate")
with open("/self-signed.pem", "rb") as certfile:
    context.load_verify_locations(cadata=certfile.read())
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
try:
    response = requests.get(TEXT_URL)
except Exception as e:
    print(f"Unexpected exception: {e}")
else:
    print(f"{response.status_code=}, should be 200 OK")
```
This commit is contained in:
Jeff Epler 2022-10-10 15:53:56 -05:00
parent c98174eea5
commit 0c8b261ec9
No known key found for this signature in database
GPG Key ID: D5BF15AB975AB4DE
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ports/raspberrypi/common-hal/ssl/SSLSocket.c
View File

@ -174,7 +174,14 @@ ssl_sslsocket_obj_t *common_hal_ssl_sslcontext_wrap_socket(ssl_sslcontext_obj_t
if (self->crt_bundle_attach != NULL) {
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
self->crt_bundle_attach(&o->conf);
// } else if(self->cacert_buf && self->cacert_bytes) { // TODO: user bundle
} else if (self->cacert_buf && self->cacert_bytes) {
ret = mbedtls_x509_crt_parse(&o->cacert, self->cacert_buf, self->cacert_bytes);
if (ret != 0) {
goto cleanup;
}
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
} else {
mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_NONE);
}