Copyright © https://mongoose-os.com

Mongoose OS Forum


HTTPS Client/Server authentication with certificates

I would like to perform a rest call to a server that needs CLIENT identification. Therefore I should be able to specify certificate, private key and ca file. The same way you can do this for MQTT-S client today to connect to AWS. And, also the built-in HTTPS server allows you to do that.
I did not find an API for that. Is there a way around?

Comments

  • rojer (Dublin, Ireland)

    you will need to pull your cert and key onto the device filesystem and then pass them as cert and key params to HTTP.query:

    HTTP.query({
      url: 'https://example.org/',
      cert: 'mycert.pem',      // client certificate
      key: 'mykey.pem',        // client key
      ca_cert: 'ca.pem',       // CA bundle to verify the server with
      success: function(body, full_http_msg) { print(body); },
      // error: function(err) { print(err); },  // optional
    });
    
    
  • How can this be done with the C library interface?

  • rojer (Dublin, Ireland)
    #include <string.h>
    #include "mgos.h"  // Mongoose OS: mgos_get_mgr(), mg_connect_http_opt(), struct mg_connect_opts

    // ev_handler is the caller's mg_event_handler_t callback; it receives
    // MG_EV_HTTP_REPLY with a struct http_message in ev_data.
    struct mg_connect_opts opts;
    memset(&opts, 0, sizeof(opts));
    opts.ssl_ca_cert = "ca.pem";     // CA bundle used to verify the server
    opts.ssl_cert = "client.pem";    // client certificate (and key, if in the same PEM)
    // opts.ssl_key = "client.key";  // set this if the private key is a separate file
    struct mg_connection *c = mg_connect_http_opt(
        mgos_get_mgr(),
        ev_handler, NULL, opts,
        "https://example.org",
        NULL, NULL);                 // extra headers, POST body (NULL = plain GET)


    see in more detail here.

  • Note: you can also embed certs and keys in C/C++ header files if you wish to - like this

    server_cert.h
    ************************************************************************************************
    #define SERVER_CERT \
    "-----BEGIN CERTIFICATE-----\n"\
    "MIIEPzCCAyegAwIBAgIJAP+jcBdYmPiyMA0GCSqGSIb3DQEBCwUAMIGxMQswCQYD\n"\
    "VQQGEwJVUzERMA8GA1UECBMIT2tsYWhvbWExEDAOBgNVBAcTB0NhdG9vc2ExFTAT\n"\
    "BgNVBAoTDFRoeXNzZW5LcnVwcDEdMBsGA1UECxMUU29mdHdhcmUgRW5naW5lZXJp\n"\
    "bmcxFzAVBgNVBAMTDmplZmYgYmVycnloaWxsMS4wLAYJKoZIhvcNAQkBFh9qZWZm\n"\
    "LmJlcnJ5aGlsbEB0aHlzc2Vua3J1cHAuY29tMB4XDTE4MTAwMzIyNDcxNFoXDTI4\n"\
    "MDkzMDIyNDcxNFowgacxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhPa2xhaG9tYTEQ\n"\
    "MA4GA1UEBxMHQ2F0b29zYTEVMBMGA1UEChMMVGh5c3NlbktydXBwMR0wGwYDVQQL\n"\
    "ExRTb2Z0d2FyZSBFbmdpbmVlcmluZzENMAsGA1UEAxMEd2ltczEuMCwGCSqGSIb3\n"\
    "DQEJARYfamVmZi5iZXJyeWhpbGxAdGh5c3NlbmtydXBwLmNvbTCCASIwDQYJKoZI\n"\
    "hvcNAQEBBQADggEPADCCAQoCggEBAKoo2NrLuNGRh3hXcW2fNEpnp5X9Lh/o1Cgh\n"\
    "+uYa+XeVgKDOchn/vJeqkg7GLW4u0Lt8y1mDxWyw+I9AGzG7s6imaEKq1CUUxG2Y\n"\
    "APM2yjvzvYWeGKgAIPVwjNxA408VQbiit+3k1xGCg3wb7U3rMKqhl3u07cC/y6KW\n"\
    "Qye3A647EyuyN5BDSnj6xvEWwbXJo0iNRIhdO7uUEGEbhgvnSquF3vqMruxjVBpJ\n"\
    "AXa3uDSA7ylgaVelbk8FlTSfATFx6Qsyk2IAx8iUOnAoc9S6v4o44nah81Nfz/vU\n"\
    "YXDB08fMHWwSYKVEZFYxqyNZs2fV4Gm0rQuiGn4eDEnMpPMgwhkCAwEAAaNiMGAw\n"\
    "HQYDVR0RBBYwFIcEwKgAIYIEd2ltc4IGKi93aW1zMCcGA1UdJQQgMB4GCCsGAQUF\n"\
    "BwMBBggrBgEFBQcDAgYIKwYBBQUHAwMwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAw\n"\
    "DQYJKoZIhvcNAQELBQADggEBAD4IPSOexhFSmp9PYO0DLzNuSsMiAmzA2OpnH9Rw\n"\
    "2sXMDzCjD7VzSzgShE4CnrggVwJXG9plee4wI4alUX7qb58tS9O8xNkJ0GtWBFgf\n"\
    "YE7TIUPnbVU7lDQakK/Y5XvhmlSg0t1v3D9sBLGUhCyw3PcYNScdeZ7tlhQD7OYi\n"\
    "OslH3tKigpYnfIqXP5ypGrTPb3xhCo2TYwam9h0RgFHTC5WCsG494/Ej9y41L4hp\n"\
    "VeZNSdRCQsqX8wr/++hi9EyaRAPCxxhTKLJqzVbpxxt/YOOtgKw3v2B1t1r5fobz\n"\
    "hQJ78J6HTVZiLlXVRBJM9pXFbwK4nN7GQn2zPY+0LiRpBTk=\n"\
    "-----END CERTIFICATE-----\n"
    

    Then to use -

    #include "server_cert.h"
    const char* webServer::server_cert = SERVER_CERT;  // static member defined from the macro

    bind_opts.ssl_cert = server_cert;  // hand the embedded PEM to the listener options


    I find this method useful in embedded systems with clunky or near non-existent file systems.
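As an added example (not code from this thread or from Mongoose OS), the Python script below automates the header-embedding technique described in the comment above: it reads PEM files, checks that each one contains a complete BEGIN/END block with matching labels, and emits the `#define` with a line continuation on every line except the last, which is the trailing-backslash mistake that is easy to make when the header is written by hand (a stray backslash on the final line splices the next source line into the macro). The macro names `SERVER_CERT`/`SERVER_KEY`, the header guard and the file names are placeholders chosen for this example, and the sample PEM is constructed dummy data, not a real certificate.

```python
# Added example (not part of the Mongoose OS forum thread or the project's code):
# convert PEM files into a C header of the shape shown in the comment above.
#
# Assumptions: macro names (SERVER_CERT, SERVER_KEY), the header guard and the
# file names are placeholders; the sample PEM content is constructed and is not
# a real certificate or key.
import re
import sys

# Match "-----BEGIN X-----" ... "-----END X-----" with identical labels X,
# e.g. CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY.
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, body) tuples for every well-formed PEM block in text.

    A block whose END label does not match its BEGIN label is not matched,
    so a truncated or mis-pasted file yields fewer blocks than expected.
    """
    return [(m.group(1), m.group(2)) for m in _BLOCK_RE.finditer(text)]


def pem_to_c_macro(name, text):
    """Emit '#define NAME' whose value is the PEM re-assembled as C string literals.

    Each source line becomes one literal ending in "\\n"; every line except the
    last is followed by a backslash continuation, so the macro ends cleanly.
    """
    if not pem_blocks(text):
        raise ValueError("%s: no complete PEM block found" % name)
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    out = ["#define %s \\" % name]
    for i, ln in enumerate(lines):
        # PEM is base64 plus dashed markers, so no escaping is needed; refuse
        # anything else rather than emit an invalid C literal.
        if '"' in ln or "\\" in ln:
            raise ValueError("%s: unexpected character in PEM line: %r" % (name, ln))
        cont = " \\" if i < len(lines) - 1 else ""
        out.append('    "%s\\n"%s' % (ln, cont))
    return "\n".join(out) + "\n"


def build_header(guard, entries):
    """entries: list of (MACRO_NAME, pem_text). Returns the complete header text."""
    parts = ["#ifndef %s" % guard, "#define %s" % guard, ""]
    parts.extend(pem_to_c_macro(n, t) for n, t in entries)
    parts.append("#endif /* %s */" % guard)
    return "\n".join(parts) + "\n"


# Constructed sample: the shape of a PEM certificate with dummy base64 content.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # usage: python pem_to_header.py client.pem client.key > server_cert.h
    entries = []
    for macro, path in zip(("SERVER_CERT", "SERVER_KEY"), sys.argv[1:3]):
        with open(path) as f:
            entries.append((macro, f.read()))
    if not entries:
        entries = [("SERVER_CERT", SAMPLE_CERT)]  # demo output when run without arguments
    sys.stdout.write(build_header("SERVER_CERT_H", entries))
```

Run it with the certificate and key files as arguments and redirect the output to the header; with no arguments it prints the header for the constructed sample so the shape can be inspected. Keeping the label check in the generator means a mis-pasted or truncated PEM fails at build time rather than at the first TLS handshake on the device.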
