Question on certificate in BasicHttpsClient example

[RickSeiden]

Hello,

I'm looking at the example in the BasicHttpsClient example, and I understand what it is doing and how it is doing it. What is not clear to me is how to make this work for an arbitrary site.

For example, if I wanted to connect to https://io.adafruit.com/, what certificate would I use? Do I need to somehow get a certificate for every site I plan on going to, and if so, how do I do that?

Or do I need to generate my own certificate to use to secure the transaction?

Thank you

[earlephilhower]

You need to get their certificate and find the trust root (last cert in line).

openssl s_client -showcerts -servername io.adafruit.com  -connect io.adafruit.com:443

You can then take the last one,

-----BEGIN CERTIFICATE-----
MIIEizCCA3OgAwIBAgIQBUb+GCP34ZQdo5/OFMRhczANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xNzExMDYxMjIzNDVaFw0yNzExMDYxMjIzNDVaMF4xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xHTAbBgNVBAMTFEdlb1RydXN0IFJTQSBDQSAyMDE4MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAv4rRY03hGOqHXegWPI9/tr6HFzekDPgxP59FVEAh
150Hm8oDI0q9m+2FAmM/n4W57Cjv8oYi2/hNVEHFtEJ/zzMXAQ6CkFLTxzSkwaEB
2jKgQK0fWeQz/KDDlqxobNPomXOMJhB3y7c/OTLo0lko7geG4gk7hfiqafapa59Y
rXLIW4dmrgjgdPstU0Nigz2PhUwRl9we/FAwuIMIMl5cXMThdSBK66XWdS3cLX18
4ND+fHWhTkAChJrZDVouoKzzNYoq6tZaWmyOLKv23v14RyZ5eqoi6qnmcRID0/i6
U9J5nL1krPYbY7tNjzgC+PBXXcWqJVoMXcUw/iBTGWzpwwIDAQABo4IBQDCCATww
HQYDVR0OBBYEFJBY/7CcdahRVHex7fKjQxY4nmzFMB8GA1UdIwQYMBaAFAPeUDVW
0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQo
MCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBCBgNVHR8E
OzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i
YWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEBCwUAA4IBAQAw
8YdVPYQI/C5earp80s3VLOO+AtpdiXft9OlWwJLwKlUtRfccKj8QW/Pp4b7h6QAl
ufejwQMb455OjpIbCZVS+awY/R8pAYsXCnM09GcSVe4ivMswyoCZP/vPEn/LPRhH
hdgUPk8MlD979RGoUWz7qGAwqJChi28uRds3thx+vRZZIbEyZ62No0tJPzsSGSz8
nQ//jP8BIwrzBAUH5WcBAbmvgWfrKcuv+PyGPqRcc4T55TlzrBnzAzZ3oClo9fTv
O9PuiHMKrC6V6mgi0s2sa/gbXlPCD9Z24XUMxJElwIVTDuKB0Q4YMMlnpN/QChJ4
B0AFsQ+DU0NCO+f78Xf7
-----END CERTIFICATE-----

which is the root DigiCert CA. and use that.

(you can decode the CERT using

/tmp $ openssl x509 -noout -text -in prm
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:46:fe:18:23:f7:e1:94:1d:a3:9f:ce:14:c4:61:73
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
        Validity
            Not Before: Nov  6 12:23:45 2017 GMT
            Not After : Nov  6 12:23:45 2027 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
....

You need to do the same thing for every site your Pico will be connecting to, or look at the BearSSL_CertStore example which handles this more like your web browser (by storing ~100 trusted root CAs on the Pico's filesystem).

[RickSeiden]

Follow up question. Is there a way to do that on the Pico at run time? BearSSL_CertStore sounds like it will work, but will take up some memory that it really doesn't need to. If I can get the Pico to get the cert, then make the query, that would be perfect.

[earlephilhower]

That would defeat the purpose of the whole certificate infrastructure. You need to choose beforehand what certs to trust, not pull them in at runtime. The CertStore is on the filesystem, not in memory, FWIW, so memory usage is not really an issue.

You could, if you don't care about verifying th other party, just do setInsecure() on the connection and then the certs will be completely ignored. Encryption will still happen, but you won't be able to say that you're actually talking w/who you think you are.

[RickSeiden]

OH! I thought that setInsecure() stopped the encryption. In my particular use case I'm not too worried about matching the certificate, just the encryption.

Thank you!