Bundle root certs and enable SSL cert validation

Author: sandeepmistry

src/GSMClient.cpp

@@ -29,6 +29,8 @@ enum {
   CLIENT_STATE_WAIT_CREATE_SOCKET_RESPONSE,
   CLIENT_STATE_ENABLE_SSL,
   CLIENT_STATE_WAIT_ENABLE_SSL_RESPONSE,
+  CLIENT_STATE_MANAGE_SSL_PROFILE,
+  CLIENT_STATE_WAIT_MANAGE_SSL_PROFILE_RESPONSE,
   CLIENT_STATE_CONNECT,
   CLIENT_STATE_WAIT_CONNECT_RESPONSE,
   CLIENT_STATE_CLOSE_SOCKET,
@@ -97,7 +99,7 @@ int GSMClient::ready()
     }
 
     case CLIENT_STATE_ENABLE_SSL: {
-      MODEM.sendf("AT+USOSEC=%d,1", _socket);
+      MODEM.sendf("AT+USOSEC=%d,1,0", _socket);
 
       _state = CLIENT_STATE_WAIT_ENABLE_SSL_RESPONSE;
       ready = 0;
@@ -108,12 +110,35 @@ int GSMClient::ready()
       if (ready > 1) {
         _state = CLIENT_STATE_CLOSE_SOCKET;
       } else {
-        _state = CLIENT_STATE_CONNECT;
+        _state = CLIENT_STATE_MANAGE_SSL_PROFILE;
+      }
+
+      ready = 0;
+      break;
+    }
+
+    case CLIENT_STATE_MANAGE_SSL_PROFILE: {
+      if (_host != NULL) {
+        MODEM.sendf("AT+USECPRF=0,0,1,4,\"%s\"", _host);
+      } else {
+        MODEM.send("AT+USECPRF=0,0,1");
       }
 
+      _state = CLIENT_STATE_WAIT_MANAGE_SSL_PROFILE_RESPONSE;
       ready = 0;
       break;
     }
+  
+    case CLIENT_STATE_WAIT_MANAGE_SSL_PROFILE_RESPONSE: {
+      if (ready > 1) {
+        _state = CLIENT_STATE_CLOSE_SOCKET;
+      } else {
+        _state = CLIENT_STATE_CONNECT;
+      }
+
+      ready = 0;
+      break;
+    } 
 
     case CLIENT_STATE_CONNECT: {
       if (_host != NULL) {

src/GSMClient.h

@@ -42,7 +42,7 @@ class GSMClient : public Client {
   /** Get last command status
       @return returns 0 if last command is still executing, 1 success, >1 error
   */
-  int ready();
+  virtual int ready();
 
   /** Connect to server by IP address
       @param (IPAddress)

src/GSMSSLClient.cpp

@@ -17,8 +17,19 @@
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 */
 
+#include "utility/GSMRootCerts.h"
+
+#include "Modem.h"
+
 #include "GSMSSLClient.h"
 
+enum {
+  SSL_CLIENT_STATE_LOAD_ROOT_CERT,
+  SSL_CLIENT_STATE_WAIT_LOAD_ROOT_CERT_RESPONSE
+};
+
+bool GSMSSLClient::_rootCertsLoaded = false;
+
 GSMSSLClient::GSMSSLClient(bool synch) :
   GSMClient(synch)
 {
@@ -28,12 +39,72 @@ GSMSSLClient::~GSMSSLClient()
 {
 }
 
+int GSMSSLClient::ready()
+{
+  if (_rootCertsLoaded) {
+    // root certs loaded already, continue to regular GSMClient
+    return GSMClient::ready();
+  }
+
+  int ready = MODEM.ready();
+
+  if (ready == 0) {
+    // a command is still running
+    return 0;
+  }
+
+  switch (_state) {
+    case SSL_CLIENT_STATE_LOAD_ROOT_CERT: {
+      // load the next root cert
+      MODEM.sendf("AT+USECMNG=0,0,\"%s\",%d", GSM_ROOT_CERTS[_certIndex].name, GSM_ROOT_CERTS[_certIndex].size);
+      if (MODEM.waitForPrompt() != 1) {
+        // failure
+        ready = -1;
+      } else {
+        // send the cert contents
+        MODEM.write(GSM_ROOT_CERTS[_certIndex].data, GSM_ROOT_CERTS[_certIndex].size);
+
+        _state = SSL_CLIENT_STATE_WAIT_LOAD_ROOT_CERT_RESPONSE;
+        ready = 0;
+      } 
+      break;
+    }
+
+    case SSL_CLIENT_STATE_WAIT_LOAD_ROOT_CERT_RESPONSE: {
+      if (ready > 1) {
+        // error
+      } else {
+        _certIndex++;
+
+        if (_certIndex == GSM_NUM_ROOT_CERTS) {
+          // all certs loaded
+          _rootCertsLoaded = true;
+        } else {
+          // load next
+          _state = SSL_CLIENT_STATE_LOAD_ROOT_CERT;
+        }
+
+        ready = 0;
+      }
+      break;
+    }
+  }
+
+  return ready;
+}
+
 int GSMSSLClient::connect(IPAddress ip, uint16_t port)
 {
+  _certIndex = 0;
+  _state = SSL_CLIENT_STATE_LOAD_ROOT_CERT;
+
   return connectSSL(ip, port);
 }
 
 int GSMSSLClient::connect(const char* host, uint16_t port)
 {
+  _certIndex = 0;
+  _state = SSL_CLIENT_STATE_LOAD_ROOT_CERT;
+
   return connectSSL(host, port);
 }

src/GSMSSLClient.h

@@ -28,8 +28,15 @@ class GSMSSLClient : public GSMClient {
   GSMSSLClient(bool synch = true);
   virtual ~GSMSSLClient();
 
+  virtual int ready();
+
   virtual int connect(IPAddress ip, uint16_t port);
   virtual int connect(const char* host, uint16_t port);
+
+private:
+  static bool _rootCertsLoaded;
+  int _certIndex;
+  int _state;
 };
 
 #endif

src/Modem.cpp

@@ -167,6 +167,11 @@ size_t ModemClass::write(uint8_t c)
   return _uart->write(c);
 }
 
+size_t ModemClass::write(const uint8_t* buf, size_t size)
+{
+  return _uart->write(buf, size);
+}
+
 void ModemClass::send(const char* command)
 {
   if (_lowPowerMode) {
@@ -216,6 +221,19 @@ int ModemClass::waitForResponse(unsigned long timeout, String* responseDataStora
   return -1;
 }
 
+int ModemClass::waitForPrompt(unsigned long timeout)
+{
+  for (unsigned long start = millis(); (millis() - start) < timeout;) {
+    ready();
+
+    if (_buffer.endsWith(">")) {
+      return 1;
+    }
+  }
+
+  return -1;
+}
+
 int ModemClass::ready()
 {
   poll();

src/Modem.h

@@ -49,12 +49,14 @@ class ModemClass {
   int noLowPowerMode();
 
   size_t write(uint8_t c);
+  size_t write(const uint8_t*, size_t);
 
   void send(const char* command);
   void send(const String& command) { send(command.c_str()); }
   void sendf(const char *fmt, ...);
 
   int waitForResponse(unsigned long timeout = 100, String* responseDataStorage = NULL);
+  int waitForPrompt(unsigned long timeout = 500);
   int ready();
   void poll();
   void setResponseDataStorage(String* responseDataStorage);