28 Feb 2024 |
@greengenie:matrix.org | yeah that fixed it! | 23:09:34 |
@greengenie:matrix.org | Thanks so much! | 23:11:08 |
@greengenie:matrix.org | Are there any examples of setting up a TLS connection using a X509 cert? | 23:38:24 |
@greengenie:matrix.org | Using embedded-tls | 23:38:44 |
29 Feb 2024 |
lulf | Adam Hott: On no-std you have to provide your own CertVerifier implementation (see https://docs.rs/embedded-tls/0.17.0/embedded_tls/trait.TlsVerifier.html) combined with passing the certificates you're going to use in the TlsConfig (https://docs.rs/embedded-tls/0.17.0/embedded_tls/struct.TlsConfig.html) using with_cert (also see https://docs.rs/embedded-tls/0.17.0/embedded_tls/blocking/enum.Certificate.html). | 04:17:55 |
@greengenie:matrix.org | thanks lulf! Here's what I've landed on so far, but I need a host URL for the new() function in the implementation. Is there a service that can verify via the internet? Also I'm running into an error with CertificateVerify not existing in the embedded-tls crate. I tried to import it via the handshake module, but it says it's private and for internals only.
struct MyCertVerifier;
impl MyCertVerifier {
    pub fn new() -> Self {
        MyCertVerifier {}
    }
}
impl<'a, CipherSuite> TlsVerifier<'a, CipherSuite> for MyCertVerifier
where
    CipherSuite: embedded_tls::TlsCipherSuite + 'a, // This bounds CipherSuite to the trait and the lifetime
{
    fn new(host: Option<&'a str>) -> Self {
        MyCertVerifier {}
    }
    fn verify_signature(
        &mut self,
        verify: CertificateVerify<'_>
    ) -> Result<(), TlsError> {
        // Returning Ok(()) here accepts any CertificateVerify message unchecked
        Ok(())
    }
    fn verify_certificate(
        &self,
        transcript: &CipherSuite::Hash,
        ca: &Option<Certificate<'_>>,
        cert: Certificate<'_>
    ) -> Result<(), TlsError> {
        // Need certificate verification logic here; as written, every certificate is accepted
        Ok(())
    }
}
| 08:24:13 |
lulf | In reply to @greengenie:matrix.org
thanks lulf! Here's what I've landed on so far, but I need a host URL for the new() function in the implementation. Is there a service that can verify via the internet? Also I'm running into an error with CertificateVerify not existing in the embedded-tls crate. I tried to import it via the handshake module, but it says it's private and for internals only.
struct MyCertVerifier;
impl MyCertVerifier {
    pub fn new() -> Self {
        MyCertVerifier {}
    }
}
impl<'a, CipherSuite> TlsVerifier<'a, CipherSuite> for MyCertVerifier
where
    CipherSuite: embedded_tls::TlsCipherSuite + 'a, // This bounds CipherSuite to the trait and the lifetime
{
    fn new(host: Option<&'a str>) -> Self {
        MyCertVerifier {}
    }
    fn verify_signature(
        &mut self,
        verify: CertificateVerify<'_>
    ) -> Result<(), TlsError> {
        Ok(())
    }
    fn verify_certificate(
        &self,
        transcript: &CipherSuite::Hash,
        ca: &Option<Certificate<'_>>,
        cert: Certificate<'_>
    ) -> Result<(), TlsError> {
        // Need certificate verification logic here
        Ok(())
    }
}
Ah, the handshake mod should be public, that's a bug. Not sure what you mean by 'verify via the internet'. You basically need to implement the verification yourself (or if you're just playing, you can use the embedded_tls::NoVerify 'verifier'). | 08:29:25 |
@greengenie:matrix.org | Do you need me to open an issue on the bug? | 08:36:51 |
lulf | Sure, either issue or PR if you want. | 08:37:41 |
@greengenie:matrix.org | Ok! so I'm just playing around, HiveMQ requires a TLS connection to connect to their MQTT broker service. | 08:38:25 |
lulf | Right... you can use the NoVerify then if you don't care about verifying :) | 08:38:52 |
@greengenie:matrix.org | Ok thanks I'll look into it and I'm working on that PR | 08:40:39 |
lulf | adding a pub use handshake::CertificateVerify in the config.rs should do it I think | 08:41:23 |
@greengenie:matrix.org | thanks, this is my first PR ever | 08:42:44 |
@greengenie:matrix.org | I really don't know what I'm doing | 08:42:53 |
@greengenie:matrix.org | you mean:
pub use crate::handshake::certificate_verify::CertificateVerify; | 08:43:55 |
@greengenie:matrix.org | ? | 08:44:04 |
@greengenie:matrix.org | ok so I forked the repo, cloned it to my local computer, created a "bug-fix" branch. Now what should I do? | 08:47:34 |
lulf | push it to your fork, use the github UI to create a pull request against the embedded-tls main branch | 08:48:05 |
@greengenie:matrix.org | ok thanks! | 08:48:14 |
@greengenie:matrix.org | Is this an appropriate comment for the PR? When trying to implement CertificateVerify, the compiler notified me that it is not public. This should be a public Trait lulf. | 08:59:42 |
@greengenie:matrix.org | ok I did it, cool! | 09:00:21 |
@greengenie:matrix.org | thanks for approving, now I can use it! | 09:01:33 |
@greengenie:matrix.org | I'm getting some errors that I don't understand:
the trait RngCore is not implemented for Rng
the trait CryptoRng is not implemented for Rng
this is how I'm generating my hardware rng:
// Generate RNG for TLS encryption
let rng_peripherals = Peripherals::take();
let mut rng_system = rng_peripherals.SYSTEM.split();
let rng_clocks = ClockControl::boot_defaults(rng_system.clock_control).freeze();
let mut rng_rtc = Rtc::new(rng_peripherals.LPWR);
let rng_timer_group0 = TimerGroup::new(rng_peripherals.TIMG0, &rng_clocks);
let mut wdt0 = rng_timer_group0.wdt;
let rng_timer_group1 = TimerGroup::new(rng_peripherals.TIMG1, &rng_clocks);
let mut wdt1 = rng_timer_group1.wdt;
// Disable the watchdog timers so they don't reset the chip
rng_rtc.swd.disable();
rng_rtc.rwdt.disable();
wdt0.disable();
wdt1.disable();
// Hardware RNG peripheral, passed to embedded-tls as the entropy source
let mut rng = Rng::new(rng_peripherals.RNG);
and this is my implementation of the rng:
let tls_context = TlsContext::new(&tls_config, &mut rng);
| 09:23:05 |
@greengenie:matrix.org | the full code is here: https://github.com/CodingInGreen/esp32c3-robot-wifi-mqtt-tls/blob/master/bin/robotwifi.rs | 09:24:07 |