Merge pull request #71 from arduino/new-cert-list

Add new certificate list and instructions on how to build it.
arduino · Jun 9, 2021 · 09eb519 · 09eb519
2 parents 9b4c435 + a33dc6d
commit 09eb519
Show file tree

Hide file tree

Showing 8 changed files with 2,754 additions and 835 deletions.
diff --git a/README.md b/README.md
@@ -19,6 +19,21 @@ If updating **Arduino UNO WiFi Rev. 2** NINA firmware via [SerialNINAPassthrough
 +  --baud 115200 --before no_reset
 ```
 
+## Build a new certificate list (based on the Google Android root CA list)
+```bash
+git clone https://android.googlesource.com/platform/system/ca-certificates
+cp nina-fw/tools/nina-fw-create-roots.sh ca-certificates/files
+cd ca-certificates/files
+./nina-fw-create-roots.sh
+cp roots.pem ../../nina-fw/data/roots.pem
+```
+
+## Check certificate list against URL list
+```bash
+cd tools
+./sslcheck.sh -c ../data/roots.pem -l url_lists/url_list_moz.com.txt -e
+```
+
 ## License
 
 Copyright (c) 2018-2019 Arduino SA. All rights reserved.

diff --git a/data/roots.pem b/data/roots.pem
diff --git a/main/CommandHandler.cpp b/main/CommandHandler.cpp
@@ -36,7 +36,7 @@
 
 #include "esp_log.h"
 
-const char FIRMWARE_VERSION[6] = "1.4.5";
+const char FIRMWARE_VERSION[6] = "1.4.6";
 
 /*IPAddress*/uint32_t resolvedHostname;
 

diff --git a/tools/nina-fw-create-roots.sh b/tools/nina-fw-create-roots.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+echo '' > roots.pem
+
+for filename in *.0
+do
+
+  is_amazon=$(openssl x509 -in $filename -text -nocert | grep "O = Amazon")
+  is_google=$(openssl x509 -in $filename -text -nocert | grep "O = Google Trust Services LLC")
+  is_comodo=$(openssl x509 -in $filename -text -nocert | grep "O = Comodo CA Limited")
+  is_comodo_uppercase=$(openssl x509 -in $filename -text -nocert | grep "O = COMODO CA Limited")
+  is_digicert=$(openssl x509 -in $filename -text -nocert | grep "O = DigiCert")
+  is_isrg=$(openssl x509 -in $filename -text -nocert | grep "O = Internet Security Research Group")
+  is_verisign=$(openssl x509 -in $filename -text -nocert | grep "O = \"VeriSign, Inc.\"")
+  is_baltimore=$(openssl x509 -in $filename -text -nocert | grep "O = Baltimore")
+  is_globalsign=$(openssl x509 -in $filename -text -nocert | grep "O = GlobalSign")
+  is_starfield=$(openssl x509 -in $filename -text -nocert | grep "O = \"Starfield Technologies, Inc.\"")
+  is_dst=$(openssl x509 -in $filename -text -nocert | grep "O = Digital Signature Trust Co.")
+  is_cybertrust=$(openssl x509 -in $filename -text -nocert | grep "O = \"Cybertrust, Inc\"")
+  is_usertrust=$(openssl x509 -in $filename -text -nocert | grep "O = The USERTRUST Network")
+
+  openssl_opts="-text -certopt no_header,no_pubkey,no_subject,no_issuer,no_signame,no_version,no_serial,no_validity,no_extensions,no_sigdump,no_aux,no_extensions"
+
+  if [ ! -z "$is_amazon" ]
+  then
+    echo $is_amazon
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_google" ]
+  then
+    echo $is_google
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_comodo_uppercase" ]
+  then
+    echo $is_comodo_uppercase
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_comodo" ]
+  then
+    echo $is_comodo
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_digicert" ]
+  then
+    echo $is_digicert
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_isrg" ]
+  then
+    echo $is_isrg
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_verisign" ]
+  then
+    echo $is_verisign
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_baltimore" ]
+  then
+    echo $is_baltimore
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_globalsign" ]
+  then
+    echo $is_globalsign
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_starfield" ]
+  then
+    echo $is_starfield
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_dst" ]
+  then
+    echo $is_dst
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_cybertrust" ]
+  then
+    echo $is_cybertrust
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+  if [ ! -z "$is_usertrust" ]
+  then
+    echo $is_usertrust
+    openssl x509 -in $filename $openssl_opts >> roots.pem
+  fi
+
+done
diff --git a/tools/sslcheck.sh b/tools/sslcheck.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+while getopts "c:l:e" opt;do
+	case $opt in
+	c ) export CER_FILE="$OPTARG";;
+	l ) export URL_LIST="$OPTARG";;
+	e ) export SHOW_ERR=1;;
+	* )
+		echo "Unknown parameter."
+		exit 1
+		;;
+	esac
+done
+
+if [ $# -eq 0 ] ; then
+	echo "Usage: $(basename $0) [-c /path/to/certificate/file.pem] [-l path/to/url/list.txt]"
+	echo
+	echo " -c specify certificate file to test"
+	echo " -l specify url list"
+	echo " -e show curl errors in log"
+	echo
+	echo "Example:"
+	echo " $(basename $0) -c roots.pem -l url_list.txt"
+	exit 0
+fi
+
+export SHOW_ERR=${SHOW_ERR:-0}
+
+echo
+echo SHOW_ERR=$SHOW_ERR
+echo
+
+for i in $(cat $URL_LIST)
+do
+echo -n "$i "
+# -s: silent
+# -S: show error
+# -m: max time
+# --cacert: path to certificate pem file
+# --capath: local certificate path
+# --output: stdout output
+if [ "$SHOW_ERR" -eq 1 ] ; then
+	m=$(curl "$i" -s -S -m 60 --cacert $CER_FILE --capath /dev/null --output /dev/null --stderr -)
+else
+	curl "$i" -s -m 60 --cacert $CER_FILE --capath /dev/null --output /dev/null
+fi
+#curl --cacert roots.pem --trace-ascii log.log -K url_list.txt 
+if [ $? -eq 0 ] ; then
+echo -e "\e[32m PASS \e[39m"
+else
+echo -n -e "\e[31m FAIL \e[39m"
+echo $m
+fi
+done