Use Mozilla CA certificate store

Author: schiermi

platformio.ini

@@ -46,6 +46,7 @@ monitor_speed = 115200
 ; with it. If uploads fail for you, comment out the following line:
 upload_speed = 921600
 board_build.partitions = src/sd-partition-table.csv
+board_build.embed_txtfiles = src/truststore/x509_crt_bundle
 lib_deps =
     adafruit/Adafruit BusIO @ ^1.13.1
     ; https://arduinojson.org/v6/api/

src/Firmware.cpp

@@ -27,7 +27,9 @@
 #include <SD.h>
 #include <Update.h>
 #include <esp_ota_ops.h>
-#include "utils/cacerts.h"
+
+// https://docs.platformio.org/en/latest/platforms/espressif32.html#embedding-binary-data
+extern const uint8_t x509_crt_bundle_start[] asm("_binary_src_truststore_x509_crt_bundle_start");
 
 static const String FLASH_APP_FILENAME("/sdflash/app.bin");
 static const String OPEN_BIKE_SENSOR_FLASH_APP_PROJECT_NAME("OpenBikeSensorFlash");
@@ -37,7 +39,7 @@ static const int SHA256_HASH_LEN = 32;
 // todo: error handling
 void Firmware::downloadToSd(String url, String filename, bool unsafe) {
   WiFiClientSecure client;
-  if (!unsafe) client.setCACert(trustedRootCACertificates);
+  if (!unsafe) client.setCACertBundle(x509_crt_bundle_start);
   else client.setInsecure();
   HTTPClient http;
   http.setUserAgent(mUserAgent);
@@ -63,8 +65,8 @@ bool Firmware::downloadToFlash(String url,
                                bool unsafe) {
   bool success = false;
   WiFiClientSecure client;
-  if (!unsafe) client.setCACert(trustedRootCACertificates);
-  if (unsafe) client.setInsecure();
+  if (!unsafe) client.setCACertBundle(x509_crt_bundle_start);
+  else client.setInsecure();
   HTTPClient http;
   http.setUserAgent(mUserAgent);
   http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);

src/truststore/README.md

@@ -0,0 +1,7 @@
+# Full TLS Truststore
+
+## Generate / Update
+
+1. curl --remote-name https://raw.githubusercontent.com/espressif/arduino-esp32/master/tools/gen_crt_bundle.py
+1. curl --remote-name https://curl.se/ca/cacert.pem
+1. python3 gen_crt_bundle.py --input cacert.pem

src/truststore/x509_crt_bundle

@@ -25,17 +25,19 @@
 
 #include "globals.h"
 #include "utils/multipart.h"
-#include "utils/cacerts.h"
 #include "utils/timeutils.h"
 #include "writer.h"
 
+// https://docs.platformio.org/en/latest/platforms/espressif32.html#embedding-binary-data
+extern const uint8_t x509_crt_bundle_start[] asm("_binary_src_truststore_x509_crt_bundle_start");
+
 static char const *const HTTP_LOCATION_HEADER = "location";
 
 Uploader::Uploader(String portalUrl, String userToken) :
     mPortalUrl(std::move(portalUrl)),
     mPortalUserToken(std::move(userToken)) {
   TimeUtils::setClockByNtpAndWait();
-  mWiFiClient.setCACert(trustedRootCACertificates);
+  mWiFiClient.setCACertBundle(x509_crt_bundle_start);
 }
 
 /* Upload file as track data to "The Portal" as multipart form data.