Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions components/wendy_server/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,3 @@ idf_component_register(
REQUIRES
wendy_com wendy_conf esp-tls freertos log mdns
)

target_include_directories(${COMPONENT_LIB} PRIVATE
"${IDF_PATH}/components/esp-tls/private_include")
20 changes: 0 additions & 20 deletions components/wendy_server/src/wendy_server.c
Original file line number Diff line number Diff line change
@@ -1,7 +1,3 @@
// Temp EKU workaround
#define MBEDTLS_ALLOW_PRIVATE_ACCESS // allow access to mbedtls private struct fields (needed by _strip_server_eku)
#define WENDY_SERVER_SKIP_EKU_CHECK 1

#include "wendy_server.h"
#include "wendy_conf.h"
#include "wendy_com_link.h"
Expand Down Expand Up @@ -142,18 +138,6 @@ static void _add_link_exec(struct wcom_operation *op)
free(aop);
}

#if WENDY_SERVER_SKIP_EKU_CHECK
#include "esp_tls_private.h"

static void _strip_server_eku(esp_tls_t *tls)
{
// Clear the EKU extension bit so mbedtls_x509_crt_check_extended_key_usage
// treats the cert as having no EKU restriction (absent = no restriction).
tls->servercert.ext_types &= ~MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE;
ESP_LOGW(TAG, "EKU check bypassed (temp workaround)");
}
#endif

static void _server_task(void *arg)
{
struct wendy_conf_span key = wendy_conf_get_private_key();
Expand Down Expand Up @@ -264,10 +248,6 @@ static void _server_task(void *arg)
continue;
}

#if WENDY_SERVER_SKIP_EKU_CHECK
_strip_server_eku(tls);
#endif

// Register the verify callback before the handshake so it fires for every
// certificate in the peer's chain (leaf at depth 0, intermediates at depth 1+).
mbedtls_ssl_set_verify(esp_tls_get_ssl_context(tls), _tls_verify_cb, NULL);
Expand Down
38 changes: 12 additions & 26 deletions tools/conf_util.py
Original file line number Diff line number Diff line change
Expand Up @@ -74,35 +74,21 @@ def _split_der_sequence(data: bytes) -> list[bytes]:


def _dump_cert(der: bytes, label: str) -> None:
with tempfile.NamedTemporaryFile(suffix=".der", delete=False) as fh:
fh.write(der)
tmp = fh.name
try:
from cryptography import x509
from cryptography.hazmat.primitives import hashes
except ImportError:
sys.exit("pip install cryptography — needed to decode DER certificates")

cert = x509.load_der_x509_certificate(der)
fp = cert.fingerprint(hashes.SHA256()).hex(":")
r = subprocess.run(
["openssl", "x509", "-text", "-noout", "-fingerprint", "-sha256",
"-inform", "DER", "-in", tmp],
capture_output=True, text=True,
)
finally:
os.unlink(tmp)

print(f"\n {label}:")
print(f" subject: {cert.subject.rfc4514_string()}")
print(f" issuer: {cert.issuer.rfc4514_string()}")
print(f" serial: {cert.serial_number:#x}")
print(f" not_before: {cert.not_valid_before_utc.isoformat()}")
print(f" not_after: {cert.not_valid_after_utc.isoformat()}")
pub = cert.public_key()
from cryptography.hazmat.primitives.asymmetric import ec, rsa
if isinstance(pub, ec.EllipticCurvePublicKey):
print(f" public_key: EC {pub.curve.name} ({pub.key_size} bit)")
elif isinstance(pub, rsa.RSAPublicKey):
print(f" public_key: RSA {pub.key_size} bit")
else:
print(f" public_key: {type(pub).__name__}")
try:
san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
print(f" san: {', '.join(str(n) for n in san.value)}")
except x509.ExtensionNotFound:
pass
print(f" sha256: {fp}")
for line in (r.stdout + r.stderr).splitlines():
print(f" {line}")


def _dump_key(der: bytes) -> None:
Expand Down
Loading