Using SHA256 certificate hasing

Hello.

After some great struggles, we've managed to enable WiFi and encrypted socket + TLS connection to google.com and various websites.

Since then, we've been looking into having a r1.pem that contains all trusted certificates. Since that entails around 143 certificates, that equates to 223kb so the file is too big. The team lead had a great idea: sha256 fingerprint checking, which would make the file ~4,5kb if we store just the fingerprints for the 143 certificates.

So I've been looking into enabling this instead of the normal certificate verification in mbedtls. Currently I'm dabbling with:

Note: devepment is done on Macbook (so MacOS), and we're using Nordic SDK v3.0.0.
#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
and:
mbedtls_ssl_conf_ca_cb(&conf, cert_verify_callback, NULL);
 
I've succeeded in hacking the SDK itself and overriding the certificate check from inside:
/opt/nordic/ncs/v3.0.0/modules/crypto/mbedtls/library/ssl_tls.c:10045:

ret = mbedtls_x509_crt_verify_restartable(
chain,
ca_chain, ca_crl,
ssl->conf->cert_profile,
hostname,
&ssl->session_negotiate->verify_result,
f_vrfy, p_vrfy, rs_ctx);
with a custom one written by us.
But I doubt I'm doing it correctly given the define and callback mentioned above. Any hints regarding this from anyone?
Parents Reply
  • Hi again Tudor Slight smile

    So this problem is something that is a bit beyond what we would typically provide support with. It is not really an optimization supported by Mbed TLS nor Zephyr nor otherwise in NCS. You would of course be free to hack another solution, but it would be outside of the code we provide/support.

    Zephyr has this TLS credentials module to handle certs, this takes full cert and as already pointed would need a lot of memory, but if we are talking about taking a shortcut to store only fingerprints (like eg. ESP is providing), this does sound like an idea.

    That being said, I am trying to ask around if anyone has any feedback on the methodology you explain here.

    Regards,

    Elfving

Children
No Data
Related