+30
-16
lines changed Original file line number Diff line number Diff line change
@@ -30,7 +30,7 @@ import (
30
30
31
31
// ScrapeRootCertificatesFromURL downloads from a webserver the root certificate
32
32
// required to connect to that server from the TLS handshake response.
33
-
func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
33
+
func ScrapeRootCertificatesFromURL(URL string) ([]*x509.Certificate, error) {
34
34
conn, err := tls.Dial("tcp", URL, &tls.Config{
35
35
InsecureSkipVerify: false,
36
36
})
@@ -45,15 +45,16 @@ func ScrapeRootCertificatesFromURL(URL string) (*x509.Certificate, error) {
45
45
return nil, err
46
46
}
47
47
48
-
peerCertificates := conn.ConnectionState().PeerCertificates
49
-
if len(peerCertificates) == 0 {
50
-
err = fmt.Errorf("no peer certificates found at %s", URL)
51
-
logrus.Error(err)
52
-
return nil, err
48
+
chains := conn.ConnectionState().VerifiedChains
49
+
if len(chains) == 0 {
50
+
return nil, fmt.Errorf("no certificates found at %s", URL)
53
51
}
54
-
55
-
rootCertificate := peerCertificates[len(peerCertificates)-1]
56
-
return rootCertificate, nil
52
+
rootCertificates := make([]*x509.Certificate, len(chains))
53
+
for i, chain := range chains {
54
+
// The last certificate of the chain is always the Root Certificate
55
+
rootCertificates[i] = chain[len(chain)-1]
56
+
}
57
+
return rootCertificates, nil
57
58
}
58
59
59
60
// LoadCertificatesFromFile read certificates from the given file. PEM and CER formats
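Review bot: Several entries of `VerifiedChains` can end at the same trust anchor, so the loop that fills `rootCertificates` may return the same root more than once, and `flashCertificates` now appends every returned element to the bundle it flashes. Deduplicating on the DER bytes (`chain[len(chain)-1].Raw`) keeps that bundle minimal. The doc comment above the function still says the certificate comes "from the TLS handshake response". As far as the visible `tls.Config` shows, no `RootCAs` is set, so the last element of each verified chain comes from the host's root pool and the result depends on the local trust store, which the comment should say. The lines of the function between the two hunks are not shown, so this covers only the visible tail.

```go
// … unchanged: tls.Dial, error handling, empty-chain check …
seen := make(map[string]struct{}, len(chains))
rootCertificates := make([]*x509.Certificate, 0, len(chains))
for _, chain := range chains {
	// The last element is the trust anchor this chain was verified against.
	root := chain[len(chain)-1]
	if _, dup := seen[string(root.Raw)]; dup {
		continue
	}
	seen[string(root.Raw)] = struct{}{}
	rootCertificates = append(rootCertificates, root)
}
return rootCertificates, nil
```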
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
1
+
package certificates_test
2
+
3
+
import (
4
+
"testing"
5
+
6
+
"github.com/arduino/arduino-fwuploader/certificates"
7
+
"github.com/stretchr/testify/require"
8
+
)
9
+
10
+
func TestScrapeRootCertificatesFromURL(t *testing.T) {
11
+
rootCerts, err := certificates.ScrapeRootCertificatesFromURL("www.arduino.cc:443")
12
+
require.NoError(t, err)
13
+
for _, cert := range rootCerts {
14
+
require.Equal(t, cert.Issuer, cert.Subject)
15
+
}
16
+
}
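Review bot: `TestScrapeRootCertificatesFromURL` dials the live host `www.arduino.cc:443`, so it fails without network access and its outcome depends on the root store of the machine running it. A skip for offline runs (or a build tag) would keep the unit suite hermetic. Inside the loop, the self-issued check compares parsed `pkix.Name` structs; comparing the raw encodings instead, `require.Equal(t, cert.RawSubject, cert.RawIssuer)`, asserts the property on the certificate bytes themselves. A `require.NotEmpty(t, rootCerts)` before the loop would state the expectation explicitly rather than relying on the function's empty-chain error.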
Original file line number Diff line number Diff line change
@@ -121,11 +121,11 @@ func flashCertificates(uploader *plugin.FwUploader, certificateURLs, certificate
121
121
for _, URL := range certificateURLs {
122
122
logrus.Infof("Converting and flashing certificate from %s", URL)
123
123
stdout.Write([]byte(fmt.Sprintf("Converting and flashing certificate from %s\n", URL)))
124
-
rootCert, err := certificates.ScrapeRootCertificatesFromURL(URL)
124
+
rootCerts, err := certificates.ScrapeRootCertificatesFromURL(URL)
125
125
if err != nil {
126
126
return nil, err
127
127
}
128
-
allCerts = append(allCerts, rootCert)
128
+
allCerts = append(allCerts, rootCerts...)
129
129
}
130
130
131
131
f, err := certsBundle.Create()
Original file line number Diff line number Diff line change
@@ -94,11 +94,8 @@ Error: reboot mode: upload commands sketch: setting DTR to OFF
94
94
95
95
#### I flashed the certificates, but I am unable to reach the host
96
96
97
-
The **whole certificate chain** is needed to make it work. Using
98
-
[`-u` flags](commands/arduino-fwuploader_certificates_flash.md#options) (ex: `-u www.arduino.cc:443`) won’t work because
99
-
it only downloads the root certificates. The solution is to use only the
100
-
[`-f` flag](commands/arduino-fwuploader_certificates_flash.md#options) and provide a pem certificate containing the
101
-
whole chain.
97
+
There was a bug in the arduino-fwuploader prior `2.4.1` which didn't pick the actual root certificate. Upgrading to the
98
+
latest version solves the problem.
102
99
103
100
#### My antivirus says that `espflash` is a threat
104
101