Skip to content

Commit

Permalink
feat(websocket): Enhance ds-peripherial
Browse files Browse the repository at this point in the history
  • Loading branch information
suren-gabrielyan-espressif authored and surengab committed Jul 24, 2024
1 parent 3057765 commit d65d30e
Show file tree
Hide file tree
Showing 4 changed files with 127 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,10 @@ cmake_minimum_required(VERSION 3.5)

include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(websocket_example)

# Flash the custom partition named `esp_secure_cert`.
set(partition esp_secure_cert)
idf_build_get_property(project_dir PROJECT_DIR)
set(image_file ${project_dir}/esp_secure_cert_data/${partition}.bin)
partition_table_get_partition_info(offset "--partition-name ${partition}" "offset")
esptool_py_flash_target_image(flash "${partition}" "${offset}" "${image_file}")
36 changes: 36 additions & 0 deletions components/esp_websocket_client/examples/target/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,42 @@ Please see the openssl man pages (man openssl) for more details.
It is **strongly recommended** to not reuse the example certificate in your application;
it is included only for demonstration.

#### 3) Configure the DS peripheral

* i) Install the [esp_secure_cert configuration utility](https://github.com/espressif/esp_secure_cert_mgr/tree/main/tools#esp_secure_cert-configuration-tool) with following comma nd:
```
pip install esp-secure-cert-tool
```
* ii) The DS peripheral can be configured by executing the following command:

```
configure_esp_secure_cert.py -p /* Serial port */ --device-cert /* Device cert */ --private-key /* RSA priv key */ --target_chip /* target chip */ --configure_ds --skip_flash
```
This command shall generate a partition named `esp_secure_cert.bin` in the `esp_secure_cert_data` directory. This partition would be aumatically detected by the build system and flashed at appropriate offset when `idf.py flash` command is used. For this process, the command must be executed in the current folder only.

In the command USB COM port is nothing but the serial port to which the ESP chip is connected. see
[check serial port](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/establish-serial-connection.html#check-port-on-windows) for more details.
RSA private key is nothing but the client private key ( RSA ) generated in Step 2.

> Note: More details about the `esp-secure-cert-tool` utility can be found [here](https://github.com/espressif/esp_secure_cert_mgr/tree/main/tools).
#### 4) Connection cofiguration
* Open the project configuration menu (`idf.py menuconfig`)
* Configure Wi-Fi or Ethernet under "Example Connection Configuration" menu. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../../READM E.md) for more details.

### Build and Flash

Build the project and flash it to the board, then run monitor tool to view serial output:

```
idf.py -p PORT flash monitor
```

(To exit the serial monitor, type ``Ctrl-]``.)

See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.


### Build and Flash

Build the project and flash it to the board, then run monitor tool to view serial output:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
dependencies:
espressif/esp_secure_cert_mgr: "^2.4.1"
## Required IDF version
idf: ">=5.0"
espressif/esp_websocket_client:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,18 @@
#include "esp_event.h"
#include <cJSON.h>

#ifdef CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL
#include "mbedtls/ssl.h"
#include "mbedtls/pk.h"
#include "mbedtls/x509.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "esp_idf_version.h"
#include "esp_secure_cert_read.h"
#include "esp_crt_bundle.h"
#endif

#define NO_DATA_TIMEOUT_SEC 5

static const char *TAG = "websocket";
Expand Down Expand Up @@ -69,6 +81,34 @@ static void get_string(char *line, size_t size)

#endif /* CONFIG_WEBSOCKET_URI_FROM_STDIN */

#ifdef CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL
static esp_err_t test_ciphertext_validity(esp_ds_data_ctx_t *ds_data, unsigned char *dev_cert, size_t dev_cert_len)
{
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
unsigned char *sig = NULL;

if (ds_data == NULL || dev_cert == NULL) {
return ESP_ERR_INVALID_ARG;
}

int ret = mbedtls_x509_crt_parse(&crt, dev_cert, dev_cert_len);
if (ret < 0) {
ESP_LOGE(TAG, "Parsing of device certificate failed, returned %02X", ret);
}

esp_err_t esp_ret = esp_ds_init_data_ctx(ds_data);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to initialze the DS context");
return esp_ret;
}

const size_t sig_len = 256;
uint32_t hash[8] = {[0 ... 7] = 0xAABBCCDD};
return esp_ret;
}
#endif

static void websocket_event_handler(void *handler_args, esp_event_base_t base, int32_t event_id, void *event_data)
{
esp_websocket_event_data_t *data = (esp_websocket_event_data_t *)event_data;
Expand Down Expand Up @@ -163,6 +203,49 @@ static void websocket_app_start(void)
websocket_cfg.cert_pem = cacert_start;
#endif

#ifdef CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL
uint32_t len = 0;
char *addr = NULL;
esp_err_t esp_ret = ESP_FAIL;

esp_ds_data_ctx_t *ds_data = NULL;
ESP_LOGI(TAG, "Successfully obtained the ds context before");
ds_data = esp_secure_cert_get_ds_ctx();
ESP_LOGI(TAG, "Successfully obtained the ds context after");
if (ds_data != NULL) {
ESP_LOGI(TAG, "Successfully obtained the ds context");
ESP_LOG_BUFFER_HEX_LEVEL(TAG, ds_data->esp_ds_data->c, ESP_DS_C_LEN, ESP_LOG_DEBUG);
ESP_LOG_BUFFER_HEX_LEVEL(TAG, ds_data->esp_ds_data->iv, ESP_DS_IV_LEN, ESP_LOG_DEBUG);
ESP_LOGI(TAG, "The value of rsa length is %d", ds_data->rsa_length_bits);
ESP_LOGI(TAG, "The value of efuse key id is %d", ds_data->efuse_key_id);
} else {
ESP_LOGE(TAG, "Failed to obtain the ds context");
}

/* Read the dev_cert addr again */
esp_ret = esp_secure_cert_get_device_cert(&addr, &len);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to obtain the dev cert flash address");
}

esp_ret = test_ciphertext_validity(ds_data, (unsigned char *)addr, len);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to validate ciphertext");
} else {
ESP_LOGI(TAG, "Ciphertext validated succcessfully");
}
websocket_cfg.client_cert = addr;
websocket_cfg.client_ds_data = ds_data;
// websocket_cfg.crt_bundle_attach = esp_crt_bundle_attach;
websocket_cfg.cert_pem = addr;
// extern const char cacert_start[] asm("_binary_ca_cert_pem_start"); // CA certificate
// websocket_cfg.cert_pem = cacert_start;
// websocket_cfg.client_key = NULL;

// extern const char cacert_start[] asm("_binary_ca_certificate_public_domain_pem_start"); // CA cert of wss://echo.websocket.event, modify it if using another server
// websocket_cfg.cert_pem = cacert_start;
#endif

#if CONFIG_WS_OVER_TLS_SKIP_COMMON_NAME_CHECK
websocket_cfg.skip_cert_common_name_check = true;
#endif
Expand Down

0 comments on commit d65d30e

Please sign in to comment.