From 971ae6d1be24275a85bf383ccdbb68c88afb1a2c Mon Sep 17 00:00:00 2001
From: Martin Dummer
Date: Wed, 12 Apr 2023 08:30:15 +0200
Subject: [PATCH 1/4] Feature: MQTT add TLS authentication

User asked for TLS client certificate based login from DTU to MQTT server. This PR implements storage and use of x509 client certificate and private key.

Signed-off-by: Martin Dummer
---
 include/Configuration.h | 3 +++
 include/WebApi_mqtt.h | 2 +-
 include/defaults.h | 3 +++
 src/Configuration.cpp | 6 ++++++
 src/MqttSettings.cpp | 7 ++++++-
 src/WebApi_mqtt.cpp | 17 +++++++++++++++--
 webapp/src/locales/de.json | 5 +++++
 webapp/src/locales/en.json | 5 +++++
 webapp/src/locales/fr.json | 5 +++++
 webapp/src/types/MqttConfig.ts | 3 +++
 webapp/src/types/MqttStatus.ts | 2 ++
 webapp/src/views/MqttAdminView.vue | 15 +++++++++++++++
 webapp/src/views/MqttInfoView.vue | 10 ++++++++++
 13 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/include/Configuration.h b/include/Configuration.h
index 2bdc950..0620503 100644
--- a/include/Configuration.h
+++ b/include/Configuration.h
@@ -90,6 +90,9 @@ struct CONFIG_T {
     bool Mqtt_Hass_IndividualPanels;
     bool Mqtt_Tls;
     char Mqtt_RootCaCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
+    bool Mqtt_TlsCertLogin;
+    char Mqtt_ClientCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
+    char Mqtt_ClientKey[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
     char Mqtt_Hostname[MQTT_MAX_HOSTNAME_STRLEN + 1];
diff --git a/include/WebApi_mqtt.h b/include/WebApi_mqtt.h
index 99a494f..5eecc5b 100644
--- a/include/WebApi_mqtt.h
+++ b/include/WebApi_mqtt.h
@@ -3,7 +3,7 @@
 #include
-#define MQTT_JSON_DOC_SIZE 3072
+#define MQTT_JSON_DOC_SIZE 10240
 class WebApiMqttClass {
 public:
diff --git a/include/defaults.h b/include/defaults.h
index a2ba316..8c37166 100644
--- a/include/defaults.h
+++ b/include/defaults.h
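Review bot: `MQTT_JSON_DOC_SIZE` is raised by hand from 3072 to 10240 so the admin document can carry three PEM blobs of up to `MQTT_MAX_ROOT_CA_CERT_STRLEN` bytes each, but nothing ties the two constants together, so the next change to either one desynchronises them silently — ArduinoJson skips members that no longer fit instead of failing loudly. Consider expressing the size in terms of the limit, e.g. `#define MQTT_JSON_DOC_SIZE (3 * (MQTT_MAX_ROOT_CA_CERT_STRLEN + 1) + 2048)` if Configuration.h is visible from this header, or at least a comment above the define naming the three fields that dictated 10240. Whether a 10 KB heap allocation per request is acceptable on the target depends on the free heap at that point, which this patch does not show.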
@@ -66,6 +66,9 @@
 "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" \
 "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" \
 "-----END CERTIFICATE-----\n"
+#define MQTT_TLSCERTLOGIN false
+#define MQTT_TLSCLIENTCERT ""
+#define MQTT_TLSCLIENTKEY ""
 #define MQTT_LWT_TOPIC "dtu/status"
 #define MQTT_LWT_ONLINE "online"
 #define MQTT_LWT_OFFLINE "offline"
diff --git a/src/Configuration.cpp b/src/Configuration.cpp
index 12b184a..593d6df 100644
--- a/src/Configuration.cpp
+++ b/src/Configuration.cpp
@@ -65,6 +65,9 @@ bool ConfigurationClass::write()
     JsonObject mqtt_tls = mqtt.createNestedObject("tls");
     mqtt_tls["enabled"] = config.Mqtt_Tls;
     mqtt_tls["root_ca_cert"] = config.Mqtt_RootCaCert;
+    mqtt_tls["certlogin"] = config.Mqtt_TlsCertLogin;
+    mqtt_tls["client_cert"] = config.Mqtt_ClientCert;
+    mqtt_tls["client_key"] = config.Mqtt_ClientKey;
     JsonObject mqtt_hass = mqtt.createNestedObject("hass");
     mqtt_hass["enabled"] = config.Mqtt_Hass_Enabled;
@@ -202,6 +205,9 @@ bool ConfigurationClass::read()
     JsonObject mqtt_tls = mqtt["tls"];
     config.Mqtt_Tls = mqtt_tls["enabled"] | MQTT_TLS;
     strlcpy(config.Mqtt_RootCaCert, mqtt_tls["root_ca_cert"] | MQTT_ROOT_CA_CERT, sizeof(config.Mqtt_RootCaCert));
+    config.Mqtt_TlsCertLogin = mqtt_tls["certlogin"] | MQTT_TLSCERTLOGIN;
+    strlcpy(config.Mqtt_ClientCert, mqtt_tls["client_cert"] | MQTT_TLSCLIENTCERT, sizeof(config.Mqtt_ClientCert));
+    strlcpy(config.Mqtt_ClientKey, mqtt_tls["client_key"] | MQTT_TLSCLIENTKEY, sizeof(config.Mqtt_ClientKey));
     JsonObject mqtt_hass = mqtt["hass"];
     config.Mqtt_Hass_Enabled = mqtt_hass["enabled"] | MQTT_HASS_ENABLED;
diff --git a/src/MqttSettings.cpp b/src/MqttSettings.cpp
index 9548fba..da0363d 100644
--- a/src/MqttSettings.cpp
+++ b/src/MqttSettings.cpp
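Review bot: The persisted config document gains two more fields of up to `MQTT_MAX_ROOT_CA_CERT_STRLEN` bytes in `write()`, yet the JSON document capacity used by `ConfigurationClass::write()`/`read()` is not changed anywhere in this patch; if that capacity is a fixed constant like the one in WebApi_mqtt.h, the members appended last may be silently dropped and `read()` would then fall back to the `MQTT_TLSCLIENTKEY` default, so a saved key appears to vanish after a reboot. Please confirm the capacity was raised, or check the result of serializeJson/deserializeJson and report failure. It is also worth a comment at `mqtt_tls["client_key"]` that the private key is stored in plain text next to the MQTT password, so any backup or export of this file carries the device's TLS identity. Both functions start and end outside the hunks.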
@@ -104,7 +104,12 @@ void MqttSettingsClass::performConnect()
     if (config.Mqtt_Tls) {
         static_cast(mqttClient)->setCACert(config.Mqtt_RootCaCert);
         static_cast(mqttClient)->setServer(config.Mqtt_Hostname, config.Mqtt_Port);
-        static_cast(mqttClient)->setCredentials(config.Mqtt_Username, config.Mqtt_Password);
+        if (config.Mqtt_TlsCertLogin) {
+            static_cast(mqttClient)->setCertificate(config.Mqtt_ClientCert);
+            static_cast(mqttClient)->setPrivateKey(config.Mqtt_ClientKey);
+        } else {
+            static_cast(mqttClient)->setCredentials(config.Mqtt_Username, config.Mqtt_Password);
+        }
         static_cast(mqttClient)->setWill(willTopic.c_str(), 2, config.Mqtt_Retain, config.Mqtt_LwtValue_Offline);
         static_cast(mqttClient)->setClientId(clientId.c_str());
         static_cast(mqttClient)->onConnect(std::bind(&MqttSettingsClass::onMqttConnect, this, _1));
diff --git a/src/WebApi_mqtt.cpp b/src/WebApi_mqtt.cpp
index 05fe2d1..ff40dad 100644
--- a/src/WebApi_mqtt.cpp
+++ b/src/WebApi_mqtt.cpp
@@ -45,6 +45,8 @@ void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request)
     root["mqtt_retain"] = config.Mqtt_Retain;
     root["mqtt_tls"] = config.Mqtt_Tls;
     root["mqtt_root_ca_cert_info"] = getRootCaCertInfo(config.Mqtt_RootCaCert);
+    root["mqtt_tls_cert_login"] = config.Mqtt_TlsCertLogin;
+    root["mqtt_client_cert_info"] = getRootCaCertInfo(config.Mqtt_ClientCert);
     root["mqtt_lwt_topic"] = String(config.Mqtt_Topic) + config.Mqtt_LwtTopic;
     root["mqtt_publish_interval"] = config.Mqtt_PublishInterval;
     root["mqtt_hass_enabled"] = config.Mqtt_Hass_Enabled;
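Review bot: The new branch calls `setCertificate(config.Mqtt_ClientCert)` and `setPrivateKey(config.Mqtt_ClientKey)` unconditionally once `Mqtt_TlsCertLogin` is set, including when both are still the empty `MQTT_TLSCLIENTCERT`/`MQTT_TLSCLIENTKEY` defaults, and drops the username/password in that case; what the client library does with an empty PEM is not visible here and would surface only as an opaque handshake failure. Guard the branch on the material being present, e.g. `if (config.Mqtt_TlsCertLogin && strlen(config.Mqtt_ClientCert) > 0 && strlen(config.Mqtt_ClientKey) > 0) {`, and log a clear message when cert login is enabled but no key is configured. Some brokers may still expect a username alongside the client certificate, so keeping `setCredentials` when `Mqtt_Username` is non-empty is worth considering. `performConnect` continues outside the hunk.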
@@ -76,6 +78,9 @@ void WebApiMqttClass::onMqttAdminGet(AsyncWebServerRequest* request)
     root["mqtt_retain"] = config.Mqtt_Retain;
     root["mqtt_tls"] = config.Mqtt_Tls;
     root["mqtt_root_ca_cert"] = config.Mqtt_RootCaCert;
+    root["mqtt_tls_cert_login"] = config.Mqtt_TlsCertLogin;
+    root["mqtt_client_cert"] = config.Mqtt_ClientCert;
+    root["mqtt_client_key"] = config.Mqtt_ClientKey;
     root["mqtt_lwt_topic"] = config.Mqtt_LwtTopic;
     root["mqtt_lwt_online"] = config.Mqtt_LwtValue_Online;
     root["mqtt_lwt_offline"] = config.Mqtt_LwtValue_Offline;
@@ -137,6 +142,9 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
         && root.containsKey("mqtt_topic")
         && root.containsKey("mqtt_retain")
         && root.containsKey("mqtt_tls")
+        && root.containsKey("mqtt_tls_cert_login")
+        && root.containsKey("mqtt_client_cert")
+        && root.containsKey("mqtt_client_key")
         && root.containsKey("mqtt_lwt_topic")
         && root.containsKey("mqtt_lwt_online")
         && root.containsKey("mqtt_lwt_offline")
@@ -212,8 +220,10 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
         return;
     }
-    if (root["mqtt_root_ca_cert"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN) {
-        retMsg["message"] = "Certificate must not longer then " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";
+    if (root["mqtt_root_ca_cert"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
+        || root["mqtt_client_cert"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
+        || root["mqtt_client_key"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN) {
+        retMsg["message"] = "Certificates must not be longer than " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttCertificateLength;
         retMsg["param"]["max"] = MQTT_MAX_ROOT_CA_CERT_STRLEN;
         response->setLength();
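Review bot: `root["mqtt_client_key"] = config.Mqtt_ClientKey;` in `onMqttAdminGet` echoes the stored private key back to the browser every time the admin page is opened, so the key leaves the device on each form load and ends up in browser caches and devtools logs, which undermines the point of certificate-based login. A write-only pattern is safer: return only whether a key is present, e.g. `root["mqtt_client_key_set"] = strlen(config.Mqtt_ClientKey) > 0;`, and have `onMqttAdminPost` keep the stored key when the submitted `mqtt_client_key` is empty. If the existing code already returns `Mqtt_Password` the same way, the same concern applies there. `onMqttAdminGet` starts and ends outside the hunk.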
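Review bot: The combined length check ending in `root["mqtt_client_key"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN` reuses the 2560-character CA-certificate limit for the private key, but a PEM-encoded RSA private key is typically larger than a certificate (a 4096-bit key is roughly 3.2 KB), so such keys are rejected with a message that only talks about certificates. Either size the key buffer separately or split the check so the error names the offending field, e.g. `retMsg["message"] = "Client key must not be longer than " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";` in its own `if`, so the UI can point at the right textarea. `onMqttAdminPost` continues outside the hunk.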
@@ -291,6 +301,9 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     config.Mqtt_Retain = root["mqtt_retain"].as();
     config.Mqtt_Tls = root["mqtt_tls"].as();
     strlcpy(config.Mqtt_RootCaCert, root["mqtt_root_ca_cert"].as().c_str(), sizeof(config.Mqtt_RootCaCert));
+    config.Mqtt_TlsCertLogin = root["mqtt_tls_cert_login"].as();
+    strlcpy(config.Mqtt_ClientCert, root["mqtt_client_cert"].as().c_str(), sizeof(config.Mqtt_ClientCert));
+    strlcpy(config.Mqtt_ClientKey, root["mqtt_client_key"].as().c_str(), sizeof(config.Mqtt_ClientKey));
     config.Mqtt_Port = root["mqtt_port"].as();
     strlcpy(config.Mqtt_Hostname, root["mqtt_hostname"].as().c_str(), sizeof(config.Mqtt_Hostname));
     strlcpy(config.Mqtt_Username, root["mqtt_username"].as().c_str(), sizeof(config.Mqtt_Username));
diff --git a/webapp/src/locales/de.json b/webapp/src/locales/de.json
index 0cc300e..699f774 100644
--- a/webapp/src/locales/de.json
+++ b/webapp/src/locales/de.json
@@ -259,6 +259,8 @@
         "Retain": "Retain",
         "Tls": "TLS",
         "RootCertifcateInfo": "Root CA-Zertifikat-Informationen",
+        "TlsCertLogin": "Anmeldung mit TLS Zertifikat",
+        "ClientCertifcateInfo": "Client Zertifikat-Informationen",
         "HassSummary": "Home Assistant MQTT-Auto-Discovery Konfigurationszusammenfassung",
         "Expire": "Ablaufen",
         "IndividualPanels": "Einzelne Paneele",
@@ -387,6 +389,9 @@
         "EnableRetain": "Retain Flag aktivieren",
         "EnableTls": "TLS aktivieren",
         "RootCa": "CA-Root-Zertifikat (Standard Letsencrypt):",
+        "TlsCertLoginEnable": "TLS Zertifikat Login",
+        "ClientCert": "TLS Client-Zertifikat:",
+        "ClientKey": "TLS Client-Key:",
         "LwtParameters": "LWT-Parameter",
         "LwtTopic": "LWT-Topic:",
         "LwtTopicHint": "LWT-Topic, wird der Basis Topic angehängt",
diff --git a/webapp/src/locales/en.json b/webapp/src/locales/en.json
index 8cbd609..527bcaf 100644
--- a/webapp/src/locales/en.json
+++ b/webapp/src/locales/en.json
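Review bot: The client certificate and key are copied into `config.Mqtt_ClientCert`/`config.Mqtt_ClientKey` and persisted without ever being parsed, so a truncated paste, a key in an unsupported format, or a key that does not match the certificate is only discovered when `performConnect` fails, with no feedback in the admin UI. Since mbedTLS is already linked for `getRootCaCertInfo`, the POST handler could validate before saving: `mbedtls_x509_crt_parse` on `mqtt_client_cert` and `mbedtls_pk_parse_key` on `mqtt_client_key` when `mqtt_tls_cert_login` is true, returning a dedicated `WebApiError` on failure; it should also refuse to enable cert login while either field is empty. `onMqttAdminPost` starts and ends outside the hunk.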
@@ -259,6 +259,8 @@
         "Retain": "Retain",
         "Tls": "TLS",
         "RootCertifcateInfo": "Root CA Certifcate Info",
+        "TlsCertLogin": "Login with TLS Certificate",
+        "ClientCertifcateInfo": "Client Certifcate Info",
         "HassSummary": "Home Assistant MQTT Auto Discovery Configuration Summary",
         "Expire": "Expire",
         "IndividualPanels": "Individual Panels",
@@ -387,6 +389,9 @@
         "EnableRetain": "Enable Retain Flag",
         "EnableTls": "Enable TLS",
         "RootCa": "CA-Root-Certificate (default Letsencrypt):",
+        "TlsCertLoginEnable": "Enable TLS Certificate Login",
+        "ClientCert": "TLS Client-Certificate:",
+        "ClientKey": "TLS Client-Key:",
         "LwtParameters": "LWT Parameters",
         "LwtTopic": "LWT Topic:",
         "LwtTopicHint": "LWT topic, will be append base topic",
diff --git a/webapp/src/locales/fr.json b/webapp/src/locales/fr.json
index bbf79d8..d45ecaa 100644
--- a/webapp/src/locales/fr.json
+++ b/webapp/src/locales/fr.json
@@ -259,6 +259,8 @@
         "Retain": "Conserver",
         "Tls": "TLS",
         "RootCertifcateInfo": "Informations sur le certificat de l'autorité de certification racine",
+        "TlsCertLogin": "Connexion avec un certificat TLS",
+        "ClientCertifcateInfo": "Informations sur le certificat du client",
         "HassSummary": "Résumé de la configuration de la découverte automatique du MQTT de Home Assistant",
         "Expire": "Expiration",
         "IndividualPanels": "Panneaux individuels",
@@ -387,6 +389,9 @@
         "EnableRetain": "Activation du maintien",
         "EnableTls": "Activer le TLS",
         "RootCa": "Certificat CA-Root (par défaut Letsencrypt)",
+        "TlsCertLoginEnable": "Activer la connexion par certificat TLS",
+        "ClientCert": "Certificat client TLS:",
+        "ClientKey": "Clé client TLS:",
         "LwtParameters": "Paramètres LWT",
         "LwtTopic": "Sujet LWT",
         "LwtTopicHint": "Sujet LWT, sera ajouté comme sujet de base",
diff --git a/webapp/src/types/MqttConfig.ts b/webapp/src/types/MqttConfig.ts
index 8077ae7..dc6280e 100644
--- a/webapp/src/types/MqttConfig.ts
+++ b/webapp/src/types/MqttConfig.ts
@@ -9,6 +9,9 @@ export interface MqttConfig { mqtt_retain: boolean; mqtt_tls: boolean; mqtt_root_ca_cert: string; + mqtt_tls_cert_login: boolean; + mqtt_client_cert: string; + mqtt_client_key: string; mqtt_lwt_topic: string; mqtt_lwt_online: string; mqtt_lwt_offline: string; diff --git a/webapp/src/types/MqttStatus.ts b/webapp/src/types/MqttStatus.ts index fe046ed..839d485 100644 --- a/webapp/src/types/MqttStatus.ts +++ b/webapp/src/types/MqttStatus.ts @@ -8,6 +8,8 @@ export interface MqttStatus { mqtt_retain: boolean; mqtt_tls: boolean; mqtt_root_ca_cert_info: string; + mqtt_tls_cert_login: boolean; + mqtt_client_cert_info: string; mqtt_connected: boolean; mqtt_hass_enabled: boolean; mqtt_hass_expire: boolean; diff --git a/webapp/src/views/MqttAdminView.vue b/webapp/src/views/MqttAdminView.vue index 1c6cde9..6cd5ef2 100644 --- a/webapp/src/views/MqttAdminView.vue +++ b/webapp/src/views/MqttAdminView.vue @@ -60,6 +60,21 @@ :label="$t('mqttadmin.RootCa')" v-model="mqttConfigList.mqtt_root_ca_cert" type="textarea" maxlength="2560" rows="10"/> + + + + + + {{ $t('mqttinfo.RootCertifcateInfo') }} {{ mqttDataList.mqtt_root_ca_cert_info }} + + {{ $t('mqttinfo.TlsCertLogin') }} + + + + + + {{ $t('mqttinfo.ClientCertifcateInfo') }} + {{ mqttDataList.mqtt_client_cert_info }} + From 0db4b5f226ce04ea36e9a44df2827ee05654c5ea Mon Sep 17 00:00:00 2001 From: Martin Dummer Date: Wed, 12 Apr 2023 08:37:49 +0200 Subject: [PATCH 2/4] Fix: src/WebApi_mqtt.cpp: typos in error messages Signed-off-by: Martin Dummer --- src/WebApi_mqtt.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/WebApi_mqtt.cpp b/src/WebApi_mqtt.cpp index ff40dad..36e279e 100644 --- a/src/WebApi_mqtt.cpp +++ b/src/WebApi_mqtt.cpp 
@@ -172,7 +172,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     }
     if (root["mqtt_username"].as().length() > MQTT_MAX_USERNAME_STRLEN) {
-        retMsg["message"] = "Username must not longer then " STR(MQTT_MAX_USERNAME_STRLEN) " characters!";
+        retMsg["message"] = "Username must not be longer than " STR(MQTT_MAX_USERNAME_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttUsernameLength;
         retMsg["param"]["max"] = MQTT_MAX_USERNAME_STRLEN;
         response->setLength();
@@ -180,7 +180,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
         return;
     }
     if (root["mqtt_password"].as().length() > MQTT_MAX_PASSWORD_STRLEN) {
-        retMsg["message"] = "Password must not longer then " STR(MQTT_MAX_PASSWORD_STRLEN) " characters!";
+        retMsg["message"] = "Password must not be longer than " STR(MQTT_MAX_PASSWORD_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttPasswordLength;
         retMsg["param"]["max"] = MQTT_MAX_PASSWORD_STRLEN;
         response->setLength();
@@ -188,7 +188,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
         return;
     }
     if (root["mqtt_topic"].as().length() > MQTT_MAX_TOPIC_STRLEN) {
-        retMsg["message"] = "Topic must not longer then " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
+        retMsg["message"] = "Topic must not be longer than " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttTopicLength;
         retMsg["param"]["max"] = MQTT_MAX_TOPIC_STRLEN;
         response->setLength();
@@ -205,7 +205,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     }
     if (!root["mqtt_topic"].as().endsWith("/")) {
-        retMsg["message"] = "Topic must end with slash (/)!";
+        retMsg["message"] = "Topic must end with a slash (/)!";
         retMsg["code"] = WebApiError::MqttTopicTrailingSlash;
         response->setLength();
         request->send(response);
@@ -232,7 +232,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     }
     if (root["mqtt_lwt_topic"].as().length() > MQTT_MAX_TOPIC_STRLEN) {
-        retMsg["message"] = "LWT topic must not longer then " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
+        retMsg["message"] = "LWT topic must not be longer than " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttLwtTopicLength;
         retMsg["param"]["max"] = MQTT_MAX_TOPIC_STRLEN;
         response->setLength();
@@ -249,7 +249,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     }
     if (root["mqtt_lwt_online"].as().length() > MQTT_MAX_LWTVALUE_STRLEN) {
-        retMsg["message"] = "LWT online value must not longer then " STR(MQTT_MAX_LWTVALUE_STRLEN) " characters!";
+        retMsg["message"] = "LWT online value must not be longer than " STR(MQTT_MAX_LWTVALUE_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttLwtOnlineLength;
         retMsg["param"]["max"] = MQTT_MAX_LWTVALUE_STRLEN;
         response->setLength();
@@ -258,7 +258,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     }
     if (root["mqtt_lwt_offline"].as().length() > MQTT_MAX_LWTVALUE_STRLEN) {
-        retMsg["message"] = "LWT offline value must not longer then " STR(MQTT_MAX_LWTVALUE_STRLEN) " characters!";
+        retMsg["message"] = "LWT offline value must not be longer than " STR(MQTT_MAX_LWTVALUE_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttLwtOfflineLength;
         retMsg["param"]["max"] = MQTT_MAX_LWTVALUE_STRLEN;
         response->setLength();
@@ -278,7 +278,7 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     if (root["mqtt_hass_enabled"].as()) {
         if (root["mqtt_hass_topic"].as().length() > MQTT_MAX_TOPIC_STRLEN) {
-            retMsg["message"] = "Hass topic must not longer then " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
+            retMsg["message"] = "Hass topic must not be longer than " STR(MQTT_MAX_TOPIC_STRLEN) " characters!";
             retMsg["code"] = WebApiError::MqttHassTopicLength;
             retMsg["param"]["max"] = MQTT_MAX_TOPIC_STRLEN;
             response->setLength();

From d920726a7646810a446b6940020a6df11051f92a Mon Sep 17 00:00:00 2001
From: Martin Dummer
Date: Wed, 12 Apr 2023 08:47:24 +0200
Subject: [PATCH 3/4] src/WebApi_mqtt.cpp: rename function getRootCaCertInfo

rename function WebApiMqttClass::getRootCaCertInfo to more generic name WebApiMqttClass::getTlsCertInfo

Signed-off-by: Martin Dummer
---
 include/WebApi_mqtt.h | 2 +-
 src/WebApi_mqtt.cpp | 26 +++++++++++++------------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/include/WebApi_mqtt.h b/include/WebApi_mqtt.h
index 5eecc5b..91f7367 100644
--- a/include/WebApi_mqtt.h
+++ b/include/WebApi_mqtt.h
@@ -14,7 +14,7 @@ private:
     void onMqttStatus(AsyncWebServerRequest* request);
     void onMqttAdminGet(AsyncWebServerRequest* request);
     void onMqttAdminPost(AsyncWebServerRequest* request);
-    String getRootCaCertInfo(const char* cert);
+    String getTlsCertInfo(const char* cert);
     AsyncWebServer* _server;
 };
\ No newline at end of file
diff --git a/src/WebApi_mqtt.cpp b/src/WebApi_mqtt.cpp
index 36e279e..2a8f2f0 100644
--- a/src/WebApi_mqtt.cpp
+++ b/src/WebApi_mqtt.cpp
@@ -44,9 +44,9 @@ void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request)
     root["mqtt_connected"] = MqttSettings.getConnected();
     root["mqtt_retain"] = config.Mqtt_Retain;
     root["mqtt_tls"] = config.Mqtt_Tls;
-    root["mqtt_root_ca_cert_info"] = getRootCaCertInfo(config.Mqtt_RootCaCert);
+    root["mqtt_root_ca_cert_info"] = getTlsCertInfo(config.Mqtt_RootCaCert);
     root["mqtt_tls_cert_login"] = config.Mqtt_TlsCertLogin;
-    root["mqtt_client_cert_info"] = getRootCaCertInfo(config.Mqtt_ClientCert);
+    root["mqtt_client_cert_info"] = getTlsCertInfo(config.Mqtt_ClientCert);
     root["mqtt_lwt_topic"] = String(config.Mqtt_Topic) + config.Mqtt_LwtTopic;
     root["mqtt_publish_interval"] = config.Mqtt_PublishInterval;
     root["mqtt_hass_enabled"] = config.Mqtt_Hass_Enabled;
@@ -331,23 +331,23 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
     MqttHandleHass.forceUpdate();
 }
-String WebApiMqttClass::getRootCaCertInfo(const char* cert)
+String WebApiMqttClass::getTlsCertInfo(const char* cert)
 {
-    char rootCaCertInfo[1024] = "";
+    char tlsCertInfo[1024] = "";
-    mbedtls_x509_crt global_cacert;
+    mbedtls_x509_crt tlsCert;
-    strlcpy(rootCaCertInfo, "Can't parse root ca", sizeof(rootCaCertInfo));
+    strlcpy(tlsCertInfo, "Can't parse TLS certificate", sizeof(tlsCertInfo));
-    mbedtls_x509_crt_init(&global_cacert);
-    int ret = mbedtls_x509_crt_parse(&global_cacert, const_cast((unsigned char*)cert), 1 + strlen(cert));
+    mbedtls_x509_crt_init(&tlsCert);
+    int ret = mbedtls_x509_crt_parse(&tlsCert, const_cast((unsigned char*)cert), 1 + strlen(cert));
     if (ret < 0) {
-        snprintf(rootCaCertInfo, sizeof(rootCaCertInfo), "Can't parse root ca: mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
-        mbedtls_x509_crt_free(&global_cacert);
+        snprintf(tlsCertInfo, sizeof(tlsCertInfo), "Can't parse TLS certificate: mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
+        mbedtls_x509_crt_free(&tlsCert);
         return "";
     }
-    mbedtls_x509_crt_info(rootCaCertInfo, sizeof(rootCaCertInfo) - 1, "", &global_cacert);
-    mbedtls_x509_crt_free(&global_cacert);
+    mbedtls_x509_crt_info(tlsCertInfo, sizeof(tlsCertInfo) - 1, "", &tlsCert);
+    mbedtls_x509_crt_free(&tlsCert);
-    return rootCaCertInfo;
+    return tlsCertInfo;
 }

From bea0a738c143c91a5ea4b8d3ce743749367c27f0 Mon Sep 17 00:00:00 2001
From: Martin Dummer
Date: Wed, 12 Apr 2023 11:58:27 +0200
Subject: [PATCH 4/4] include/Configuration.h: rename MQTT_MAX_ROOT_CA_CERT_STRLEN

rename const MQTT_MAX_ROOT_CA_CERT_STRLEN to more generic name MQTT_MAX_CERT_STRLEN

Signed-off-by: Martin Dummer
---
 include/Configuration.h | 8 ++++----
 src/WebApi_mqtt.cpp | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/Configuration.h b/include/Configuration.h
index 0620503..8f0a645 100644
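Review bot: In the `ret < 0` path of `getTlsCertInfo` the diagnostic that `snprintf` writes into `tlsCertInfo` is discarded by `return "";`, so the status page cannot tell an unconfigured client certificate (the empty `Mqtt_ClientCert` default now also reaches this function) apart from one that failed to parse. Return `tlsCertInfo` there instead, and short-circuit the empty case before touching mbedTLS, e.g. `if (cert == nullptr || cert[0] == '\0') return "";` ahead of `mbedtls_x509_crt_init`. The return value of `mbedtls_x509_crt_info` is also ignored; it is negative when the 1024-byte buffer is too small, which is plausible for certificates with long subject or SAN lists, so checking it would avoid returning a possibly partial string.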
--- a/include/Configuration.h
+++ b/include/Configuration.h
@@ -19,7 +19,7 @@
 #define MQTT_MAX_PASSWORD_STRLEN 64
 #define MQTT_MAX_TOPIC_STRLEN 32
 #define MQTT_MAX_LWTVALUE_STRLEN 20
-#define MQTT_MAX_ROOT_CA_CERT_STRLEN 2560
+#define MQTT_MAX_CERT_STRLEN 2560
 #define INV_MAX_NAME_STRLEN 31
 #define INV_MAX_COUNT 10
@@ -89,10 +89,10 @@ struct CONFIG_T {
     char Mqtt_Hass_Topic[MQTT_MAX_TOPIC_STRLEN + 1];
     bool Mqtt_Hass_IndividualPanels;
     bool Mqtt_Tls;
-    char Mqtt_RootCaCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
+    char Mqtt_RootCaCert[MQTT_MAX_CERT_STRLEN + 1];
     bool Mqtt_TlsCertLogin;
-    char Mqtt_ClientCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
-    char Mqtt_ClientKey[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
+    char Mqtt_ClientCert[MQTT_MAX_CERT_STRLEN + 1];
+    char Mqtt_ClientKey[MQTT_MAX_CERT_STRLEN + 1];
     char Mqtt_Hostname[MQTT_MAX_HOSTNAME_STRLEN + 1];
diff --git a/src/WebApi_mqtt.cpp b/src/WebApi_mqtt.cpp
index 2a8f2f0..62e54e7 100644
--- a/src/WebApi_mqtt.cpp
+++ b/src/WebApi_mqtt.cpp
@@ -220,12 +220,12 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
         return;
     }
-    if (root["mqtt_root_ca_cert"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
-        || root["mqtt_client_cert"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
-        || root["mqtt_client_key"].as().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN) {
-        retMsg["message"] = "Certificates must not be longer than " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";
+    if (root["mqtt_root_ca_cert"].as().length() > MQTT_MAX_CERT_STRLEN
+        || root["mqtt_client_cert"].as().length() > MQTT_MAX_CERT_STRLEN
+        || root["mqtt_client_key"].as().length() > MQTT_MAX_CERT_STRLEN) {
+        retMsg["message"] = "Certificates must not be longer than " STR(MQTT_MAX_CERT_STRLEN) " characters!";
         retMsg["code"] = WebApiError::MqttCertificateLength;
-        retMsg["param"]["max"] = MQTT_MAX_ROOT_CA_CERT_STRLEN;
+        retMsg["param"]["max"] = MQTT_MAX_CERT_STRLEN;
         response->setLength();
         request->send(response);
         return;