From 31f4203c43dba1baffcdf76a05af7e90bd2d45fb Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Thu, 29 Aug 2024 00:09:47 +0200 Subject: [PATCH] Request device certificate --- esp32_device/main/constants.h | 5 +++++ esp32_device/main/main.c | 27 +++++++++++++++++++++--- esp32_device/main/secure_api.c | 38 ++++++++++++++++++++++++++++++---- esp32_device/main/secure_api.h | 5 +++++ esp32_device/main/storage.c | 7 ++++++- esp32_device/main/storage.h | 10 +++++++++ 6 files changed, 84 insertions(+), 8 deletions(-) diff --git a/esp32_device/main/constants.h b/esp32_device/main/constants.h index cfe45a7..9304bcf 100644 --- a/esp32_device/main/constants.h +++ b/esp32_device/main/constants.h @@ -35,6 +35,11 @@ */ #define ROOT_CA_MAX_BYTES 3000 +/** + * Device certificate max length + */ +#define DEV_CERT_MAX_BYTES 3000 + /** * Secure origin len */ diff --git a/esp32_device/main/main.c b/esp32_device/main/main.c index 000e294..9e7996e 100755 --- a/esp32_device/main/main.c +++ b/esp32_device/main/main.c @@ -124,7 +124,8 @@ void app_main(void) case DevEnrollUnknown: ESP_LOGI(TAG, "Device unknown, need to enroll!"); - // TODO : remove certificate if present + // Remove certificate if present + storage_set_dev_cert(""); // Enroll device ESP_LOGI(TAG, "Enroll device"); @@ -138,10 +139,30 @@ void app_main(void) } // Wait before next try - system_sleep(60); + if (!validated) + system_sleep(60); }; - // TODO : retrieve certificate if missing + // Retrieve device certificate if missing + ESP_LOGI(TAG, "Check device certificate"); + if (storage_get_dev_cert(NULL) == 0) + { + char *dev_cert = secure_api_get_dev_certificate(); + if (!dev_cert) + { + ESP_LOGE(TAG, "Failed to fetch device certificate!"); + reboot(); + } + storage_set_dev_cert(dev_cert); + free(dev_cert); + } + + // Print device certificate for debugging purposes + ESP_LOGI(TAG, "Get device certificate"); + char *dev_certificate = calloc(DEV_CERT_MAX_BYTES, 1); + assert(storage_get_dev_cert(dev_certificate) > 0); + ESP_LOGI(TAG, "Current device certificate:\n%s", dev_certificate); + free(dev_certificate); ESP_LOGI(TAG, "Starting main loop"); system_sleep(120); diff --git a/esp32_device/main/secure_api.c b/esp32_device/main/secure_api.c index 9a25dff..156fd26 100644 --- a/esp32_device/main/secure_api.c +++ b/esp32_device/main/secure_api.c @@ -42,11 +42,8 @@ static char *process_secure_request(const char *uri, const char *body) return res; } -enum DevEnrollmentStatus secure_api_get_device_enrollment_status() +static char *dev_escaped_name() { - ESP_LOGI(TAG, "Will check device enrollment status"); - - // Prepare URI unsigned char *name = (unsigned char *)dev_name(); assert(name); size_t escaped_name_len = http_client_escape_uri(NULL, name, strlen((char *)name)); @@ -55,6 +52,15 @@ enum DevEnrollmentStatus secure_api_get_device_enrollment_status() http_client_escape_uri(escaped_name, name, strlen((char *)name)); free(name); + return (char *)escaped_name; +} + +enum DevEnrollmentStatus secure_api_get_device_enrollment_status() +{ + ESP_LOGI(TAG, "Will check device enrollment status"); + + // Prepare URI + char *escaped_name = dev_escaped_name(); char *uri = calloc(1, 255); assert(uri); sprintf(uri, "/devices_api/mgmt/enrollment_status?id=%s", escaped_name); @@ -162,4 +168,28 @@ int secure_api_enroll_device() free(res); return 0; +} + +char *secure_api_get_dev_certificate() +{ + ESP_LOGI(TAG, "Will request device certificate"); + + // Prepare URI + char *escaped_name = dev_escaped_name(); + char *uri = calloc(1, 255); + assert(uri); + sprintf(uri, "/devices_api/mgmt/get_certificate?id=%s", escaped_name); + free(escaped_name); + + char *res = process_secure_request(uri, NULL); + + free(uri); + + if (res == NULL) + { + ESP_LOGE(TAG, "Failed to query device certificate!"); + return NULL; + } + + return res; } \ No newline at end of file diff --git a/esp32_device/main/secure_api.h b/esp32_device/main/secure_api.h index 849328d..9546095 100644 --- a/esp32_device/main/secure_api.h +++ b/esp32_device/main/secure_api.h @@ -35,6 +35,11 @@ extern "C" */ int secure_api_enroll_device(); + /** + * Get device certificate + */ + char *secure_api_get_dev_certificate(); + #ifdef __cplusplus } #endif diff --git a/esp32_device/main/storage.c b/esp32_device/main/storage.c index d7fc540..1a90058 100644 --- a/esp32_device/main/storage.c +++ b/esp32_device/main/storage.c @@ -11,6 +11,7 @@ #define PRIVATE_KEY "prikey" #define SEC_ORIG_KEY "secureOrig" #define SEC_ROOT_CA_KEY "rootCA" +#define DEV_CERT_KEY "certKey" static const char *TAG = "storage"; @@ -106,4 +107,8 @@ size_t storage_get_secure_origin(char *dest) { return storage_get_str(SEC_ORIG_K void storage_set_root_ca(const char *ca) { storage_set_str(SEC_ROOT_CA_KEY, ca); } -size_t storage_get_root_ca(char *dest) { return storage_get_str(SEC_ROOT_CA_KEY, ROOT_CA_MAX_BYTES, dest); } \ No newline at end of file +size_t storage_get_root_ca(char *dest) { return storage_get_str(SEC_ROOT_CA_KEY, ROOT_CA_MAX_BYTES, dest); } + +void storage_set_dev_cert(const char *cert) { storage_set_str(DEV_CERT_KEY, cert); } + +size_t storage_get_dev_cert(char *dest) { return storage_get_str(DEV_CERT_KEY, DEV_CERT_MAX_BYTES, dest); } \ No newline at end of file diff --git a/esp32_device/main/storage.h b/esp32_device/main/storage.h index a36e0e7..f2850ea 100644 --- a/esp32_device/main/storage.h +++ b/esp32_device/main/storage.h @@ -57,6 +57,16 @@ extern "C" */ size_t storage_get_root_ca(char *dest); + /** + * Write device certificate + */ + void storage_set_dev_cert(const char *cert); + + /** + * Get current device certificate + */ + size_t storage_get_dev_cert(char *dest); + #ifdef __cplusplus } #endif