Skip to content

Verify server certificates against the full Mozilla trust store #365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 16, 2024

Conversation

schiermi
Copy link
Contributor

@schiermi schiermi commented Jun 7, 2024

  • Include the TLS CA certificate trust store from Mozilla's CA Certificate Program, processed by curls CA extract. Based on this change all server certificates from portals which work "out of the box" in common browsers are also valid for track uploads.
  • Also verify the server from which ublox ALP data is retrieved.

A build containing those changes was tested for three weeks "on the bike". Testing included track uploads, OBS webinterface access & ALP data downloads.

This PR increases the compiled firmware size by ~60 kb.

It should be beneficial to include the instructions found in src/truststore/README.md to update the binary trust store src/truststore/x509_crt_bundle into the Github actions pipeline for new builds, but I'm missing knowledge for this task.

Copy link
Member

@amandel amandel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the contribution!

@amandel
Copy link
Member

amandel commented Jun 27, 2024

I can add the steps to the Github actions build. I hope to fine the time to do this as well as building the pro & classic code in one go. If I don't find the time till near next release we merge it as is :)

@schiermi
Copy link
Contributor Author

  • Mozilla trust store was updated beginning of July 24. I've updated the prepared trust store in the repo.
  • (untested) attempt to update trust store in GH actions during build

@amandel
Copy link
Member

amandel commented Sep 14, 2024

Great to have the certs update integrated in the build!

The CI build now fails giving:

Traceback (most recent call last):
The cryptography package is not installed.Please refer to the Get Started section of the ESP-IDF Programming Guide for setting up the required packages.
  File "/__w/OpenBikeSensorFirmware/OpenBikeSensorFirmware/src/truststore/gen_crt_bundle.py", line 36, in <module>
    from cryptography import x509
ModuleNotFoundError: No module named 'cryptography'
Error: Process completed with exit code 1.

@schiermi schiermi force-pushed the feature/full-trust-store branch 2 times, most recently from 0e08941 to beb1ef6 Compare September 15, 2024 20:33
@schiermi schiermi force-pushed the feature/full-trust-store branch from beb1ef6 to c4a0b65 Compare September 15, 2024 20:35
@schiermi schiermi force-pushed the feature/full-trust-store branch from e36727a to 4532430 Compare September 15, 2024 20:49
@schiermi
Copy link
Contributor Author

schiermi commented Sep 15, 2024

Slowly getting my feet wet with GH actions; looks better now:
image

https://github.com/schiermi/OpenBikeSensorFirmware/actions/runs/10874202448/job/30171220169

@amandel amandel merged commit a0d7669 into openbikesensor:main Sep 16, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants