Clarification edits for trust anchor generation
parent 576e34487e
commit c045607b39
2 changed files with 7 additions and 7 deletions
|
@ -43,11 +43,11 @@ A full example of a trust anchor header can be found in [this file](./readme/cer
|
|||
For HTTPS, there a couple of tools you can use. Ordered from easiest to hardest:
|
||||
* [This website, written to simplify the creation of trust anchor headers](https://openslab-osu.github.io/bearssl-certificate-utility/). Simply plug and play.
|
||||
* [pycert_bearssl](./tools/pycert_bearssl/pycert_bearssl.py), a command line utility based on a [pycert](https://learn.adafruit.com/introducing-the-adafruit-wiced-feather-wifi/pycert-dot-py). You will need to install Python 3, and follow the instructions in the [pycert_bearssl.py file](./tools/pycert_bearssl/pycert_bearssl.py). You'll want to use the `pycert_bearssl.py download` command once the utility is set up.
|
||||
* The brssl command line utility, included in the [BearSSL source](https://bearssl.org/gitweb/?p=BearSSL;a=blob_plain;f=tools/brssl.h;hb=HEAD). You will need to compile this file yourself.
|
||||
* The `brssl` command line utility, included in the [BearSSL source](https://bearssl.org/gitweb/?p=BearSSL;a=blob_plain;f=tools/brssl.h;hb=HEAD). You will need to compile this file yourself.
|
||||
|
||||
### Other Connections
|
||||
|
||||
For other kinds of SSL connections, you will need to find the root certificate being used by your host. You can check out [this StackExchange post](https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file) for numerous methods of acquiring this certificate from a server. If these methods are not sufficient, you may need to request this certificate from your network administrator. Once you have the certificate, convert it to PEM format if needed (I use [this website](https://www.sslshopper.com/ssl-converter.html)), and use the `pycert_bearssl.py convert` command to convert the certificate into a trust anchor header.
|
||||
For other kinds of SSL connections, you will need to find the root certificate being used by your host. You can check out [this StackExchange post](https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file) for numerous methods of acquiring this certificate from a server. If these methods are not sufficient, you may need to request this certificate from your network administrator. Once you have the certificate, convert it to PEM format if needed (I use [this website](https://www.sslshopper.com/ssl-converter.html)), and use the `pycert_bearssl.py convet --no-search` command to convert the certificate into a trust anchor header.
|
||||
|
||||
## Using Trust Anchors
|
||||
|
||||
|
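Review bot: The new sentence in the "Other Connections" paragraph spells the subcommand `convet`; it should read `pycert_bearssl.py convert --no-search`, or the command fails as typed. Since the flag's help text says the supplied PEM files are treated as the root certificates, the paragraph should also state that the file passed here must be the root CA certificate rather than the server's own certificate, and that it should come from a source the reader trusts, because whatever is passed becomes a trust anchor.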
@ -55,7 +55,7 @@ Once you've generated a trust anchor array, add it to your Arduino sketch using
|
|||
```C++
|
||||
#include "yourtrustanchorfile.h"
|
||||
// ...
|
||||
SSLClient client(SomeClient, TAs, (size_t)TAs_NUM, SomePin);
|
||||
SSLClient<SomeClientType> client(SomeClient, TAs, (size_t)TAs_NUM, SomePin);
|
||||
// ...
|
||||
```
|
||||
Where `yourtrustanchorfile.h` contains a generated trust anchor array names `TAs`, with length `TAs_NUM`. BearSSL will now automatically use these trust anchors when `SSLClient::connect` is called.
|
|
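Review bot: `SomeClientType` in the changed declaration is never explained; the sentence after the code block still describes only `TAs` and `TAs_NUM`. Add a clause saying what to put there (presumably the type of `SomeClient`), and while touching this paragraph change "array names `TAs`" to "array named `TAs`". The reference to `SSLClient::connect` may also need updating now that the class is written with a template argument.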
@ -69,7 +69,7 @@ def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, dom
|
|||
Note that the certificates will be validated before they are downloaded!
|
||||
"""
|
||||
# if array is emptey, exit
|
||||
if len(domain) is 0:
|
||||
if len(domain) == 0:
|
||||
return
|
||||
# prepare the root certificate store
|
||||
cert_obj_store = cert_util.parse_root_certificate_store(use_store)
|
||||
|
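Review bot: On the early-return guard in `download`, `== 0` fixes the identity comparison, but the function still returns silently when no domain is given, so the command exits without telling the user why no header was produced. Consider `if not domain:` together with raising `click.UsageError` (or at least printing a message), and correct "emptey" in the comment above the guard.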
@ -100,8 +100,8 @@ def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, dom
|
|||
help='the location of the .pem file containing a list of trusted root certificates (default: use certifi.where())')
|
||||
@click.option('--keep-dupes', '-d', is_flag=True, default=False,
|
||||
help='write all certs including any duplicates (default: remove duplicates)')
|
||||
@click.option('--no-verify', '-n', is_flag=True, default=False,
|
||||
help='Do not attempt to match a root certificate to the provided PEM files')
|
||||
@click.option('--no-search', '-n', is_flag=True, default=False,
|
||||
help='Do not attempt to search for a root certificate to the provided PEM files, instead treat the PEM files as the root certificates')
|
||||
@click.argument('cert', type=click.File('r'), nargs=-1)
|
||||
def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_verify, cert):
|
||||
"""Convert PEM certificates into a C header that can be imported into a
|
||||
|
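Review bot: The option is renamed to `--no-search`, but the context line `def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_verify, cert):` still takes `no_verify`. Click passes the value under the name derived from the long option (`no_search`), so the signature and any use of `no_verify` in the body need renaming in the same commit, or the command will fail with an unexpected keyword argument. The help text is also hard to parse; something like "Do not search the store for a matching root certificate; treat the provided PEM files as the root certificates" would be clearer.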
@ -117,7 +117,7 @@ def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_verify,
|
|||
pycert convert foo.pem bar.pem
|
||||
"""
|
||||
# if array is emptey, exit
|
||||
if len(cert) is 0:
|
||||
if len(cert) == 0:
|
||||
return
|
||||
# prepare root certificate store
|
||||
cert_obj_store = cert_util.parse_root_certificate_store(use_store)
|
||||
|
|
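Review bot: The docstring example above the guard in `convert` still shows only `pycert convert foo.pem bar.pem`; since this commit introduces `--no-search` and the README now recommends it, add an example line with the flag and use the script name the README uses (`pycert_bearssl.py`). The hunk header also shows the signature still carrying `no_verify` after the option was renamed to `--no-search`. As in `download`, the empty-input guard returns without any message, and "emptey" in the comment should be corrected.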