Use per device self signed cert #163

- Make cert unique for firefox
- Key length 2048bit
- Create key in dedicated task to get a properly sized stack
- Use a feature branch of the https lib to get the hostname listed in thr subjectAltName
- progress bar during key creation in display

Author: amandel

platformio.ini

@@ -54,7 +54,8 @@ lib_deps =
 	adafruit/Adafruit BMP280 Library@^2.1.0
 	pololu/VL53L0X@^1.3.0
     ; https://github.com/fhessel/esp32_https_server
-    esp32_https_server
+    https://github.com/fhessel/esp32_https_server.git#feature/subjectAltName
+    ; esp32_https_server@
 build_flags =
     -DCORE_DEBUG_LEVEL=3
     -DHTTPS_LOGLEVEL=3

src/OpenBikeSensorFirmware.cpp

@@ -254,7 +254,7 @@ void setup() {
   }
 
   if (SD.begin()) {
-    displayTest->showTextOnGrid(2, displayTest->currentLine(), "SD... ok");
+    displayTest->showTextOnGrid(2, displayTest->currentLine(), "SD... OK");
   }
   delay(333); // Added for user experience
 
@@ -302,7 +302,7 @@ void setup() {
     writer = new CSVFileWriter;
     writer->setFileName();
     writer->writeHeader(trackUniqueIdentifier);
-    displayTest->showTextOnGrid(2, displayTest->currentLine(), "CSV file... ok");
+    displayTest->showTextOnGrid(2, displayTest->currentLine(), "CSV file... OK");
   } else {
     displayTest->showTextOnGrid(2, displayTest->currentLine(), "CSV. skipped");
   }

src/configServer.cpp

@@ -32,7 +32,7 @@
 #include <HTTPURLEncodedBodyParser.hpp>
 #include <esp_ota_ops.h>
 #include <esp_partition.h>
-#include <utils/Https.h>
+#include <utils/https.h>
 #include "SPIFFS.h"
 #include "HTTPMultipartBodyParser.hpp"
 #include "Firmware.h"
@@ -368,10 +368,12 @@ static const char* const makeCurrentLocationPrivateIndex =
 static const char* const deleteIndex =
   "<h3>Flash</h3>"
   "<p>Flash stores ssl certificate and configuration.</p>"
-  "<label for='flash'>format flash</label>"
+  "<label for='flash'>Format flash</label>"
   "<input type='checkbox' id='flash' name='flash' "
   "onchange=\"document.getElementById('flashCert').checked = document.getElementById('flashConfig').checked = document.getElementById('flash').checked;\">"
-  "<label for='flashCert'>delete ssl certificate, a new one will be created at the next start</label>"
+  "<label for='flashCert'>Delete ssl certificate, a new one will be created at the next start. "
+  " You need to remove the old certificate from your browsers exception store too.</label>"
+  // Link https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate ?
   "<input type='checkbox' id='flashCert' name='flashCert'>"
   "<label for='flashConfig'>delete configuration, default settings will be used at the next start</label>"
   "<input type='checkbox' id='flashConfig' name='flashConfig'>"
@@ -495,15 +497,24 @@ void beginPages() {
   insecureServer->setDefaultHeader("Server", std::string("OBS/") + OBSVersion);
 }
 
+static int ticks;
+static void progressTick() {
+  displayTest->drawWaitBar(4, ticks++);
+}
 
 void createHttpServer() {
-  server = new HTTPSServer(Https::getCertificate(), 443, 2);
+  if (!Https::existsCertificate()) {
+    displayTest->showTextOnGrid(0, 3, "Creating ssl cert!");
+
+  }
+  server = new HTTPSServer(Https::getCertificate(progressTick), 443, 2);
+  displayTest->clearProgressBar(4);
+  displayTest->showTextOnGrid(0, 3, "");
   insecureServer = new HTTPServer(80, 1);
 
-  log_i("About to create pages.");
   beginPages();
 
-  log_i("About to start.");
+  log_i("Starting http(s) servers.");
   server->start();
   insecureServer->start();
 }

src/utils/Https.cpp renamed to src/utils/https.cpp

@@ -24,9 +24,12 @@
 #include "Https.h"
 #include <SPIFFS.h>
 #include <FS.h>
+#include "esp_task_wdt.h"
 
 using namespace httpsserver;
 
+static volatile bool isCertReady = 0;
+
 // "20190101000000"
 static std::string toCertDate(time_t theTime) {
   char date[32];
@@ -39,12 +42,75 @@ static std::string toCertDate(time_t theTime) {
   return std::string(date);
 }
 
+static std::string createDn() {
+  char dn[128];
+  const uint64_t chipid_num = ESP.getEfuseMac();
+  // Placed the date in here - firefox does complain about duplicate cert
+  // otherwise (we can not increase the serial number from here).
+  snprintf(dn, sizeof(dn),
+           "CN=obs.local,O=openbikesensor.org,OU=%04x%08x,L=%s,C=DE",
+            (uint16_t)(chipid_num >> 32),
+            (uint32_t)(chipid_num),
+           toCertDate(time(nullptr)).c_str());
+  return std::string(dn);
+}
+
+static void createCert(void *param) {
+  std::string fromDate;
+  std::string toDate;
+  time_t now = time(nullptr);
+  if (now > (2020 - 1970) * 365 * 24 * 60 * 60) {
+    fromDate = toCertDate(now);
+    // Suggestion for hardware devices is to set the validity of the
+    // cert to a high value. But Apple limits this value to 825
+    // days in https://support.apple.com/HT210176
+    toDate = toCertDate(now + 824 * 24 * 60 * 60);
+  } else {
+    fromDate = "20210513090700";
+    toDate = "20301232235959";
+  }
 
+  log_i("DN will be %s", createDn().c_str());
+
+  SSLCert newCert;
+  int res = createSelfSignedCert(newCert,
+                                 KEYSIZE_2048,
+                                 createDn(),
+                                 fromDate,
+                                 toDate);
+  log_i("PK Length %d, Key Length %d", newCert.getPKLength(), newCert.getCertLength());
+
+  if (res != 0) {
+    // Certificate generation failed. Inform the user.
+    log_e("An error occured during certificate generation.");
+    log_e("Error code is 0x%04x", res);
+    log_e("You may have a look at SSLCert.h to find the reason for this error.");
+  } else {
+    SSLCert *cert = static_cast<SSLCert *>(param);
+    cert->setCert(newCert.getCertData(), newCert.getCertLength());
+    cert->setPK(newCert.getPKData(), newCert.getPKLength());
+    log_i("Created new cert.");
+  };
+
+  // Can this be done more elegant?
+  isCertReady = 1;
+  vTaskDelete(nullptr);
+}
+
+/* Just ensure there is a cert! */
+void Https::ensureCertificate() {
+  delete getCertificate();
+}
+
+bool Https::existsCertificate() {
+  return SPIFFS.exists("/key.der") && SPIFFS.exists("/cert.der");
+}
 
 /* Load or create cert.
  * Based on https://github.com/fhessel/esp32_https_server/blob/de1876cf6fe717cf236ad6603a97e88f22e38d62/examples/REST-API/REST-API.ino#L219
+ * https://github.com/fhessel/esp32_https_server/issues/48
  */
-SSLCert *Https::getCertificate() {
+SSLCert *Https::getCertificate(std::function<void()> progress) {
   // Try to open key and cert file to see if they exist
   File keyFile = SPIFFS.open("/key.der");
   File certFile = SPIFFS.open("/cert.der");
@@ -56,27 +122,22 @@ SSLCert *Https::getCertificate() {
     log_i("This may take up to a minute, so please stand by :)");
 
     SSLCert * newCert = new SSLCert();
-    // The part after the CN= is the domain that this certificate will match, in this
-    // case, it's esp32.local.
-    // However, as the certificate is self-signed, your browser won't trust the server
-    // anyway.
-
-    std::string fromDate;
-    std::string toDate;
-    time_t now = time(nullptr);
-    if (now > (2020 - 1970) * 365 * 24 * 60 * 60) {
-      fromDate = toCertDate(now);
-      toDate = toCertDate(now + 365 * 24 * 60 * 60);
-    } else {
-      fromDate = "20210513090700";
-      toDate = "20301232235959";
+
+    TaskHandle_t xHandle;
+    xTaskCreate(reinterpret_cast<TaskFunction_t>(createCert), "createCert",
+                16 * 1024, newCert, 1, &xHandle);
+
+    while (!isCertReady) {
+      if (progress) {
+        progress();
+      }
+      delay(100);
+      yield();
+      esp_task_wdt_reset();
     }
 
-    int res = createSelfSignedCert(*newCert,
-                                   KEYSIZE_1024,
-                                   "CN=obs.local,O=openbikesensor.org,C=DE",
-                                   fromDate,
-                                   toDate);
+    log_i("PK Length %d, Key Length %d", newCert->getPKLength(), newCert->getCertLength());
+    int res = 0;
     if (res == 0) {
       // We now have a certificate. We store it on the SPIFFS to restore it on next boot.
 

src/utils/Https.h renamed to src/utils/https.h

@@ -25,13 +25,19 @@
 #define OPENBIKESENSORFIRMWARE_HTTPS_H
 
 #include <SSLCert.hpp>
+#include <functional>
 
 using namespace httpsserver;
 
 class Https {
   public:
-    static SSLCert * getCertificate();
+    static SSLCert * getCertificate(std::function<void()> progress = nullptr);
     static bool removeCertificate();
+    static void ensureCertificate();
+    static bool existsCertificate();
+
+  private:
+    static SSLCert *getCertificateInternal();
 };