Scrape all possible root certificate
In the uno r4 we're using mbedtls, which has a strange behaviour: some root certificates won't work. Therefore the simplest solution is to use all the possible ones found during the handshake.
alessio-perugini committed Aug 30, 2023
commit 7dc04044155381b386f722465e4bd3a61f4e823c
11 changes: 6 additions & 5 deletions certificates/certutils.go
Expand Up @@ -30,7 +30,7 @@ import (

// ScrapeRootCertificatesFromURL downloads from a webserver the root certificate
// required to connect to that server from the TLS handshake response.
func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
func ScrapeRootCertificatesFromURL(URL string) ([]*x509.Certificate, error) {
conn, err := tls.Dial("tcp", URL, &tls.Config{
InsecureSkipVerify: false,
})
Expand All @@ -49,11 +49,12 @@ func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
if len(chains) == 0 {
return nil, fmt.Errorf("no certificates found at %s", URL)
}
rootCertificate := chains[len(chains)-1]
if len(rootCertificate) == 0 {
return nil, fmt.Errorf("no certificates found at %s", URL)
rootCertificates := make([]*x509.Certificate, len(chains))
for i, chain := range chains {
// The last certificate of the chain is always the Root Certificate
rootCertificates[i] = chain[len(chain)-1]
}
return rootCertificate[len(rootCertificate)-1], nil
return rootCertificates, nil
}

// LoadCertificatesFromFile read certificates from the given file. PEM and CER formats
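Review bot: The new loop over `chains` can return the same root several times, because two chains that differ only in their intermediates end at the same certificate, and `flashCertificates` in cli/certificates/flash.go then appends every entry to the bundle written to the board. The loop also indexes `chain[len(chain)-1]` without the length guard the removed code had, so an empty chain would panic instead of being skipped. The sketch below collects each root once, comparing with `Equal`, and keeps the guard. The doc comment above the function still says "the root certificate"; it should say that one root per chain is returned and that every returned certificate becomes a trust anchor on the device, so the result depends on the trust store of the machine running the tool. The assignment to `chains` is outside the hunk, so "last element is the root" is assumed to rest on these being the verified chains of the connection.

```go
// … unchanged: dial, chains lookup and the len(chains) == 0 check …
rootCertificates := make([]*x509.Certificate, 0, len(chains))
for _, chain := range chains {
	if len(chain) == 0 {
		continue
	}
	// In a verified chain the last element is the trust anchor.
	root := chain[len(chain)-1]
	seen := false
	for _, c := range rootCertificates {
		if c.Equal(root) {
			seen = true
			break
		}
	}
	if !seen {
		rootCertificates = append(rootCertificates, root)
	}
}
return rootCertificates, nil
```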
6 changes: 4 additions & 2 deletions certificates/certutils_test.go
Expand Up @@ -8,7 +8,9 @@ import (
)

func TestScrapeRootCertificatesFromURL(t *testing.T) {
cert, err := certificates.ScrapeRootCertificatesFromURL("www.arduino.cc:443")
rootCerts, err := certificates.ScrapeRootCertificatesFromURL("www.arduino.cc:443")
require.NoError(t, err)
require.Equal(t, cert.Issuer, cert.Subject)
for _, cert := range rootCerts {
require.Equal(t, cert.Issuer, cert.Subject)
}
}
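Review bot: The `for` loop passes vacuously when `rootCerts` is empty, so the test no longer proves that any root was scraped. Adding `require.NotEmpty(t, rootCerts)` right after the `require.NoError(t, err)` line restores that guarantee. The `Issuer`/`Subject` comparison only shows that each entry is self-issued, which is the same strength as before the change.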
4 changes: 2 additions & 2 deletions cli/certificates/flash.go
Expand Up @@ -121,11 +121,11 @@ func flashCertificates(uploader *plugin.FwUploader, certificateURLs, certificate
for _, URL := range certificateURLs {
logrus.Infof("Converting and flashing certificate from %s", URL)
stdout.Write([]byte(fmt.Sprintf("Converting and flashing certificate from %s\n", URL)))
rootCert, err := certificates.ScrapeRootCertificatesFromURL(URL)
rootCerts, err := certificates.ScrapeRootCertificatesFromURL(URL)
if err != nil {
return nil, err
}
allCerts = append(allCerts, rootCert)
allCerts = append(allCerts, rootCerts...)
}

f, err := certsBundle.Create()
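Review bot: Nothing in this loop records which certificates end up in the bundle; the log line names only the URL, while each URL can now contribute several trust anchors to the device. Since this is the point where the board's trust store is decided, I would log each one inside a `for _, c := range rootCerts` loop, e.g. `logrus.Infof("Root certificate from %s: %s", URL, c.Subject)`. `flashCertificates` starts and ends outside the hunk, so later logging of the bundle contents, if any, is not visible here.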