diff --git a/TrustAnchors.md b/TrustAnchors.md index 05cfa30..f9b7eb6 100644 --- a/TrustAnchors.md +++ b/TrustAnchors.md @@ -43,11 +43,11 @@ A full example of a trust anchor header can be found in [this file](./readme/cer For HTTPS, there a couple of tools you can use. Ordered from easiest to hardest: * [This website, written to simplify the creation of trust anchor headers](https://openslab-osu.github.io/bearssl-certificate-utility/). Simply plug and play. * [pycert_bearssl](./tools/pycert_bearssl/pycert_bearssl.py), a command line utility based on a [pycert](https://learn.adafruit.com/introducing-the-adafruit-wiced-feather-wifi/pycert-dot-py). You will need to install Python 3, and follow the instructions in the [pycert_bearssl.py file](./tools/pycert_bearssl/pycert_bearssl.py). You'll want to use the `pycert_bearssl.py download` command once the utility is set up. -* The brssl command line utility, included in the [BearSSL source](https://bearssl.org/gitweb/?p=BearSSL;a=blob_plain;f=tools/brssl.h;hb=HEAD). You will need to compile this file yourself. +* The `brssl` command line utility, included in the [BearSSL source](https://bearssl.org/gitweb/?p=BearSSL;a=blob_plain;f=tools/brssl.h;hb=HEAD). You will need to compile this file yourself. ### Other Connections -For other kinds of SSL connections, you will need to find the root certificate being used by your host. You can check out [this StackExchange post](https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file) for numerous methods of acquiring this certificate from a server. If these methods are not sufficient, you may need to request this certificate from your network administrator. Once you have the certificate, convert it to PEM format if needed (I use [this website](https://www.sslshopper.com/ssl-converter.html)), and use the `pycert_bearssl.py convert` command to convert the certificate into a trust anchor header. +For other kinds of SSL connections, you will need to find the root certificate being used by your host. You can check out [this StackExchange post](https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file) for numerous methods of acquiring this certificate from a server. If these methods are not sufficient, you may need to request this certificate from your network administrator. Once you have the certificate, convert it to PEM format if needed (I use [this website](https://www.sslshopper.com/ssl-converter.html)), and use the `pycert_bearssl.py convet --no-search` command to convert the certificate into a trust anchor header. ## Using Trust Anchors @@ -55,7 +55,7 @@ Once you've generated a trust anchor array, add it to your Arduino sketch using ```C++ #include "yourtrustanchorfile.h" // ... -SSLClient client(SomeClient, TAs, (size_t)TAs_NUM, SomePin); +SSLClient client(SomeClient, TAs, (size_t)TAs_NUM, SomePin); // ... ``` Where `yourtrustanchorfile.h` contains a generated trust anchor array names `TAs`, with length `TAs_NUM`. BearSSL will now automatically use these trust anchors when `SSLClient::connect` is called. \ No newline at end of file diff --git a/tools/pycert_bearssl/pycert_bearssl.py b/tools/pycert_bearssl/pycert_bearssl.py index 392838e..475c59c 100644 --- a/tools/pycert_bearssl/pycert_bearssl.py +++ b/tools/pycert_bearssl/pycert_bearssl.py @@ -69,7 +69,7 @@ def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, dom Note that the certificates will be validated before they are downloaded! """ # if array is emptey, exit - if len(domain) is 0: + if len(domain) == 0: return # prepare the root certificate store cert_obj_store = cert_util.parse_root_certificate_store(use_store) @@ -100,8 +100,8 @@ def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, dom help='the location of the .pem file containing a list of trusted root certificates (default: use certifi.where())') @click.option('--keep-dupes', '-d', is_flag=True, default=False, help='write all certs including any duplicates (default: remove duplicates)') -@click.option('--no-verify', '-n', is_flag=True, default=False, - help='Do not attempt to match a root certificate to the provided PEM files') +@click.option('--no-search', '-n', is_flag=True, default=False, + help='Do not attempt to search for a root certificate to the provided PEM files, instead treat the PEM files as the root certificates') @click.argument('cert', type=click.File('r'), nargs=-1) def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_verify, cert): """Convert PEM certificates into a C header that can be imported into a @@ -117,7 +117,7 @@ def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_verify, pycert convert foo.pem bar.pem """ # if array is emptey, exit - if len(cert) is 0: + if len(cert) == 0: return # prepare root certificate store cert_obj_store = cert_util.parse_root_certificate_store(use_store)