Merge pull request #520 from johanstokking/feature/websocket/client_ds_data

david-cermak · web-flow · commit e069ae776210 · 2025-01-28T16:59:34.000+01:00
feat(websocket): Support DS peripheral for mutual TLS (IDFGH-12285)
diff --git a/components/esp_websocket_client/esp_websocket_client.c b/components/esp_websocket_client/esp_websocket_client.c
@@ -93,6 +93,9 @@ typedef struct {
     size_t                      client_cert_len;
     const char                  *client_key;
     size_t                      client_key_len;
+#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    void                        *client_ds_data;
+#endif
     bool                        use_global_ca_store;
     bool                        skip_cert_common_name_check;
     const char                  *cert_common_name;
@@ -531,6 +534,10 @@ static esp_err_t esp_websocket_client_create_transport(esp_websocket_client_hand
             } else {
                 esp_transport_ssl_set_client_key_data_der(ssl, client->config->client_key, client->config->client_key_len);
             }
+#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+        } else if (client->config->client_ds_data) {
+            esp_transport_ssl_set_ds_data(ssl, client->config->client_ds_data);
+#endif
         }
         if (client->config->crt_bundle_attach) {
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
@@ -696,6 +703,9 @@ esp_websocket_client_handle_t esp_websocket_client_init(const esp_websocket_clie
     client->config->client_cert_len = config->client_cert_len;
     client->config->client_key = config->client_key;
     client->config->client_key_len = config->client_key_len;
+#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    client->config->client_ds_data = config->client_ds_data;
+#endif
     client->config->skip_cert_common_name_check = config->skip_cert_common_name_check;
     client->config->cert_common_name = config->cert_common_name;
     client->config->crt_bundle_attach = config->crt_bundle_attach;
diff --git a/components/esp_websocket_client/include/esp_websocket_client.h b/components/esp_websocket_client/include/esp_websocket_client.h
@@ -108,10 +108,13 @@ typedef struct {
     int                         buffer_size;                /*!< Websocket buffer size */
     const char                  *cert_pem;                  /*!< Pointer to certificate data in PEM or DER format for server verify (with SSL), default is NULL, not required to verify the server. PEM-format must have a terminating NULL-character. DER-format requires the length to be passed in cert_len. */
     size_t                      cert_len;                   /*!< Length of the buffer pointed to by cert_pem. May be 0 for null-terminated pem */
-    const char                  *client_cert;               /*!< Pointer to certificate data in PEM or DER format for SSL mutual authentication, default is NULL, not required if mutual authentication is not needed. If it is not NULL, also `client_key` has to be provided. PEM-format must have a terminating NULL-character. DER-format requires the length to be passed in client_cert_len. */
+    const char                  *client_cert;               /*!< Pointer to certificate data in PEM or DER format for SSL mutual authentication, default is NULL, not required if mutual authentication is not needed. If it is not NULL, also `client_key` or `client_ds_data` (if supported) has to be provided. PEM-format must have a terminating NULL-character. DER-format requires the length to be passed in client_cert_len. */
     size_t                      client_cert_len;            /*!< Length of the buffer pointed to by client_cert. May be 0 for null-terminated pem */
-    const char                  *client_key;                /*!< Pointer to private key data in PEM or DER format for SSL mutual authentication, default is NULL, not required if mutual authentication is not needed. If it is not NULL, also `client_cert` has to be provided. PEM-format must have a terminating NULL-character. DER-format requires the length to be passed in client_key_len */
+    const char                  *client_key;                /*!< Pointer to private key data in PEM or DER format for SSL mutual authentication, default is NULL, not required if mutual authentication is not needed. If it is not NULL, also `client_cert` has to be provided and `client_ds_data` (if supported) gets ignored. PEM-format must have a terminating NULL-character. DER-format requires the length to be passed in client_key_len */
     size_t                      client_key_len;             /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
+#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    void                        *client_ds_data;            /*!< Pointer to the encrypted private key data for SSL mutual authentication using the DS peripheral, default is NULL, not required if mutual authentication is not needed. If it is not NULL, also `client_cert` has to be provided. It is ignored if `client_key` is provided */
+#endif
     esp_websocket_transport_t   transport;                  /*!< Websocket transport type, see `esp_websocket_transport_t */
     const char                  *subprotocol;               /*!< Websocket subprotocol */
     const char                  *user_agent;                /*!< Websocket user-agent */
diff --git a/docs/esp_websocket_client/en/index.rst b/docs/esp_websocket_client/en/index.rst
@@ -66,13 +66,43 @@ Configuration:
 .. note:: If you want to verify the server, then you need to provide a certificate in PEM format, and provide to ``cert_pem`` in :cpp:type:`websocket_client_config_t`. If no certficate is provided then the TLS connection will default to not requiring verification.
 
 PEM certificate for this example could be extracted from an openssl `s_client` command connecting to websocket.org.
-In case a host operating system has `openssl` and `sed` packages installed, one could execute the following command to download and save the root or intermediate root certificate to a file (Note for Windows users: Both Linux like environment or Windows native packages may be used).
-```
-echo "" | openssl s_client -showcerts -connect websocket.org:443 | sed -n "1,/Root/d; /BEGIN/,/END/p" | openssl x509 -outform PEM >websocket_org.pem
-```
+In case a host operating system has `openssl` and `sed` packages installed, one could execute the following command to download and save the root or intermediate root certificate to a file (Note for Windows users: Both Linux like environment or Windows native packages may be used). ::
+
+    echo "" | openssl s_client -showcerts -connect websocket.org:443 \
+        | sed -n "1,/Root/d; /BEGIN/,/END/p" \
+        | openssl x509 -outform PEM \
+        > websocket_org.pem
 
 This command will extract the second certificate in the chain and save it as a pem-file.
 
+Mutual TLS with DS Peripheral
+"""""""""""""""""""""""""""""
+
+To leverage the Digital Signature (DS) peripheral on supported targets, use `esp_secure_cert_mgr <https://github.com/espressif/esp_secure_cert_mgr/>`_ to flash an encrypted client certificate. In your project, add the dependency: ::
+
+    idf.py add-dependency esp_secure_cert_mgr
+
+Set ``client_cert`` and ``client_ds_data`` in the config struct:
+
+.. code:: c
+
+    char *client_cert = NULL;
+    uint32_t client_cert_len = 0;
+    esp_err_t err = esp_secure_cert_get_device_cert(&client_cert, &client_cert_len);
+    assert(err == ESP_OK);
+
+    esp_ds_data_ctx_t *ds_data = esp_secure_cert_get_ds_ctx();
+    assert(ds_data != NULL);
+
+    esp_websocket_client_config_t config = {
+        .uri = "wss://echo.websocket.org",
+        .cert_pem = (const char *)websocket_org_pem_start,
+        .client_cert = client_cert,
+        .client_ds_data = ds_data,
+    };
+
+.. note:: ``client_cert`` provided by `esp_secure_cert_mgr` is a null-terminated PEM; so ``client_cert_len`` (DER format) should not be set.
+
 Subprotocol
 ^^^^^^^^^^^
 
@@ -91,14 +121,14 @@ For more options on :cpp:type:`esp_websocket_client_config_t`, please refer to A
 
 Events
 ------
-* `WEBSOCKET_EVENT_BEGIN': The client thread is running.
+* `WEBSOCKET_EVENT_BEGIN`: The client thread is running.
 * `WEBSOCKET_EVENT_BEFORE_CONNECT`: The client is about to connect.
 * `WEBSOCKET_EVENT_CONNECTED`: The client has successfully established a connection to the server. The client is now ready to send and receive data. Contains no event data.
 * `WEBSOCKET_EVENT_DATA`: The client has successfully received and parsed a WebSocket frame. The event data contains a pointer to the payload data, the length of the payload data as well as the opcode of the received frame. A message may be fragmented into multiple events if the length exceeds the buffer size. This event will also be posted for non-payload frames, e.g. pong or connection close frames.
 * `WEBSOCKET_EVENT_ERROR`: The client has experienced an error. Examples include transport write or read failures.
 * `WEBSOCKET_EVENT_DISCONNECTED`: The client has aborted the connection due to the transport layer failing to read data, e.g. because the server is unavailable. Contains no event data.
 * `WEBSOCKET_EVENT_CLOSED`: The connection has been closed cleanly.
-* `WEBSOCKET_EVENT_FINISH': The client thread is about to exit.
+* `WEBSOCKET_EVENT_FINISH`: The client thread is about to exit.
 
 If the client handle is needed in the event handler it can be accessed through the pointer passed to the event handler:
 
