Certificates

class Certificate

Implemented by SSL adapter to handle certificate operations.

Public Types

enum class DN

Distinguished Name type.

Values:

enumerator ISSUER
enumerator SUBJECT
enum class RDN

Relative Distinguished Name type identifying a name component.

Values:

enumerator XX
enumerator MAX

Public Functions

virtual bool getFingerprint(Fingerprint::Type type, Fingerprint &fingerprint) const = 0

Obtain certificate fingerprint.

Parameters:
  • type – Which type of fingerprint to return

  • fingerprint – On success, returned fingerprint

Return values:

bool – true on success, false if fingerprint not available

virtual String getName(DN dn, RDN rdn) const = 0

Retrieve an X.509 distinguished name component.

Parameters:
  • dn – The desired Distinguished Name

  • rdn – The component to return

Return values:

String – The requested Distinguished Name component

size_t printTo(Print &p) const

Debugging print support.

class ValidatorList : public Vector<Validator>

Performs certificate validation.

Validators are created in the application’s session initialisation callback. When the certificate has been received, it is checked against each registered validator in turn until successful. All validators are destroyed during this process.

If the list contains no validators, the certificate is not checked at all and the connection is accepted.

Public Functions

inline bool add(Validator *validator)

Add a validator to the list.

Parameters:

validator – Must be allocated on the heap

template<class T>
inline bool pin(const T &fingerprint)

Pin a fingerprint.

Creates and adds a fingerprint validator to the list

inline bool add(ValidatorCallback callback, void *data = nullptr)

Register a custom validator callback.

Parameters:
  • callback

  • data – User-provided data (optional)

bool validate(const Certificate *certificate)

Validate certificate via registered validators.

We only need one match for a successful result, but we free all the validators. This method must be called no more than ONCE.

Note

Called by SSL framework.

Parameters:

certificate – When called with nullptr will free all validators, then fail

Return values:

bool – true on success, false on failure

Public Members

Fingerprint::Types fingerprintTypes

Contains a list of registered fingerprint types.

Allows implementations to avoid calculating fingerprint values which are not required, as this is computationally expensive.

class Validator

Base validator class.

Validation is performed by invoking each validator in turn until a successful result is obtained.

Custom validators may either override this class, or use a callback.

Subclassed by Ssl::CallbackValidator, Ssl::FingerprintValidator< FP >

union Fingerprint
#include <Fingerprints.h>

Various types of fingerprint.

Applications should use the appropriate type to define a fingerprint, for example:

    static const Fingerprint::Cert::Sha1 fingerprint PROGMEM = { ... };

Public Types

enum class Type

SSL Certificate fingerprint type.

Values:

enumerator CertSha1

SHA1 Fingerprint of entire certificate.

enumerator CertSha256

SHA256 Fingerprint of entire certificate.

enumerator PkiSha256

SHA256 Fingerprint of Public Key Information.

Public Members

Cert cert
Pki pki
union Cert
#include <Fingerprints.h>

Fingerprints for the entire Certificate.

Public Members

Sha1 sha1
Sha256 sha256
struct Sha1
#include <Fingerprints.h>

Fingerprint based on the SHA1 value of the certificate.

The SHA1 hash of the entire certificate. This changes on every certificate renewal, so it must be updated each time the remote server updates its certificate.

Advantages: Takes less time to verify than SHA256

Disadvantages: Likely to change periodically

Public Members

Crypto::Sha1::Hash hash

Public Static Attributes

static constexpr Type type = Type::CertSha1
struct Sha256
#include <Fingerprints.h>

Fingerprint based on the SHA256 value of the certificate.

Typically displayed in browser certificate information

Public Members

Crypto::Sha256::Hash hash

Public Static Attributes

static constexpr Type type = Type::CertSha256
union Pki
#include <Fingerprints.h>

Fingerprints for the Public Key only.

Public Members

Sha256 sha256
struct Sha256
#include <Fingerprints.h>

Fingerprint based on the SHA256 value of the Public Key Subject in the certificate.

For HTTP public key pinning (RFC7469), the SHA-256 hash of the Subject Public Key Info (which usually only changes when the public key changes) is used.

Advantages: Doesn’t change frequently

Disadvantages: Takes more time (in ms) to verify.

Public Members

Crypto::Sha256::Hash hash

Public Static Attributes

static constexpr Type type = Type::PkiSha256
class Types
#include <Fingerprints.h>

Maintains a set of fingerprint types.

Public Functions

inline void add(Type type)
inline void remove(Type type)
inline bool contains(Type type) const

Private Members

uint32_t mask = 0
class KeyCertPair

Class to manage an SSL key certificate with optional password.

Unnamed Group

bool assign(const uint8_t *newKey, unsigned newKeyLength, const uint8_t *newCertificate, unsigned newCertificateLength, const char *newKeyPassword = nullptr)

Create certificate using provided values.

Note

We take a new copy of the certificate

Parameters:
  • newKey

  • newKeyLength

  • newCertificate

  • newCertificateLength

  • newKeyPassword

Return values:

bool – false on memory allocation failure

Public Functions

inline bool assign(const KeyCertPair &keyCert)

Assign another certificate to this structure.

Note

We take a new copy of the certificate

Parameters:

keyCert

Return values:

bool – false on memory allocation failure

using Ssl::ValidatorCallback = Delegate<bool(const Certificate *certificate, void *data)>

Validator callback function.

Note

Callback must ALWAYS release any allocated memory before returning. If called with certificate = NULL then just release memory and return false.

Param ssl:

Contains certificate to validate (may be NULL)

Param data:

Data for the callback to use

Retval bool:

true if validation succeeded
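The validation flow described above for ValidatorList (one match suffices, every validator is then destroyed, an empty list accepts the connection unchecked), the fingerprintTypes mask and the ValidatorCallback contract (release memory on every call, fail on a NULL certificate), as an added stand-alone model in C++. This is not Sming's own code: the class and member names mirror this page, but every body, the Certificate stand-in, the exampleCallback helper and the sample hashes are assumptions written for illustration only.

```cpp
// Added example, not Sming's code: a stand-alone model of the behaviour the reference
// describes for ValidatorList, Validator, Fingerprint::Types and ValidatorCallback.
// Names mirror the page; every body is an assumption and all hashes are constructed.
#include <array>
#include <cstdint>
#include <memory>
#include <vector>

enum class Type { CertSha1, CertSha256, PkiSha256 };
using Sha256Hash = std::array<uint8_t, 32>;

// Bitmask set of fingerprint types validators need (assumed layout of Fingerprint::Types),
// so an adapter can skip computing hashes nobody registered.
class Types {
public:
    void add(Type t) { mask |= bit(t); }
    void remove(Type t) { mask &= ~bit(t); }
    bool contains(Type t) const { return (mask & bit(t)) != 0; }
private:
    static uint32_t bit(Type t) { return 1u << static_cast<unsigned>(t); }
    uint32_t mask = 0;
};

// Stand-in for a received certificate; only the SPKI SHA-256 is "available" here.
struct Certificate {
    Sha256Hash pkiSha256{};
    bool getFingerprint(Type t, Sha256Hash& out) const {
        if (t != Type::PkiSha256) return false;
        out = pkiSha256;
        return true;
    }
};
struct Validator {
    virtual ~Validator() = default;
    virtual bool validate(const Certificate* cert) = 0;  // nullptr means: release only
};
// Pins one SPKI hash, the RFC 7469 style fingerprint the page describes as stable.
struct PinValidator : Validator {
    explicit PinValidator(const Sha256Hash& p) : pin(p) {}
    bool validate(const Certificate* cert) override {
        Sha256Hash actual;
        return cert && cert->getFingerprint(Type::PkiSha256, actual) && actual == pin;
    }
    Sha256Hash pin;
};
using ValidatorCallback = bool (*)(const Certificate*, void*);
struct CallbackValidator : Validator {
    CallbackValidator(ValidatorCallback c, void* d) : cb(c), data(d) {}
    bool validate(const Certificate* cert) override { return cb(cert, data); }
    ValidatorCallback cb; void* data;
};

class ValidatorList {
public:
    bool pin(const Sha256Hash& fp) {
        fingerprintTypes.add(Type::PkiSha256);  // record which hash the adapter must compute
        return add(new PinValidator(fp));
    }
    bool add(Validator* v) { list.emplace_back(v); return true; }
    bool add(ValidatorCallback cb, void* data = nullptr) { return add(new CallbackValidator(cb, data)); }
    // One match suffices; every validator is still invoked (with nullptr once a match exists,
    // so callbacks release memory) and then destroyed. Empty list: accepted unchecked.
    bool validate(const Certificate* cert) {
        bool success = false;
        for (auto& v : list) {
            if (cert && !success) success = v->validate(cert);
            else v->validate(nullptr);
        }
        bool unchecked = list.empty();
        list.clear();  // all validators destroyed; the list is single use
        return cert && (success || unchecked);
    }
    Types fingerprintTypes;
private:
    std::vector<std::unique_ptr<Validator>> list;
};

// A callback owning heap data must release it on every call, nullptr included.
struct CallbackState { int* scratch; bool accept; };
bool exampleCallback(const Certificate* cert, void* data) {
    auto* st = static_cast<CallbackState*>(data);
    bool result = cert && st->accept;
    delete st->scratch; st->scratch = nullptr;
    return result;
}
Sha256Hash sampleHash(uint8_t fill) { Sha256Hash h; h.fill(fill); return h; }

// Scenarios as functions so their outcomes can be checked.
bool pinnedMatchAccepted() {
    Certificate cert; cert.pkiSha256 = sampleHash(0xAB);
    ValidatorList v; v.pin(sampleHash(0xAB));
    return v.fingerprintTypes.contains(Type::PkiSha256) && v.validate(&cert);
}
bool pinnedMismatchRejected() {
    Certificate cert; cert.pkiSha256 = sampleHash(0xAB);
    ValidatorList v; v.pin(sampleHash(0xCD));
    return !v.validate(&cert);
}
bool emptyListAcceptsUnchecked() {  // the caveat: no validators means no check at all
    Certificate cert; ValidatorList v;
    return v.validate(&cert);
}
bool callbackReleasedOnNull() {
    CallbackState st{new int(0), true};
    ValidatorList v; v.add(exampleCallback, &st);
    return !v.validate(nullptr) && st.scratch == nullptr;
}
```

The point to take from emptyListAcceptsUnchecked is that a session initialisation callback which forgets to pin or add anything leaves the connection unauthenticated; a review of the callback should confirm that at least one validator is registered on every code path. Because validate() destroys the list, a second validate() call on the same list would see an empty list and accept, which is why the reference limits it to a single call.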