Description
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- If there is a stack dump, I have decoded it.
- I have filled out all fields below.
Platform
- Hardware: All
- Core Version: 24-Oct-2020
- Development Env: Arduino IDE
- Operating System: All
Problem Description
Currently, when using WiFiClientSecure (BearSSL), certificate stores can be loaded from LittleFS or SD.
But there is no documented way or code to load a client certificate and private key in a similar manner.
(The X509List and PrivateKey do not take files/streams as arguments)
Old issues and examples show that older versions used to have this feature:
- https://hackaday.io/project/12482-garage-door-opener/log/45617-connecting-the-esp8266-with-tls
- Can ESP-12E support MQTT with Client Certificates #3544
Specifically it seems like the old functions loadCertificate() and loadPrivateKey() (which are deprecated) could load files.
My current solution is to copy the certificate and key to a global variable, which wastes several KB's RAM:
#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <LittleFS.h>
#include <WiFiClientSecure.h>
#define MAX_PEM_SIZE 4096
char clientKeyStr[MAX_PEM_SIZE];
char clientCertStr[MAX_PEM_SIZE];
void setup() {
LittleFS.begin();
Serial.begin(115200);
//... initialize wifi and time...
File cert = LittleFS.open("/client-crt.pem", "r"); //can be .der file as well
File key = LittleFS.open("/client-key.pem", "r");
//... verify files are opened correctly and not exceed MAX_PEM_SIZE ...
cert.readBytes(clientCertStr, cert.size()); //copy certificate from file to char array
key.readBytes(clientKeyStr, key.size()); //same for private key
X509List clientCert(clientCertStr);
PrivateKey clientKey(clientKeyStr);
//...connect to server...
}This sketch works well but wastes 4096*2 = 8192 bytes of RAM which is 10% of total RAM.
My assumption is, when using CertStoreBearSSL.h, the certificates are not copied to the RAM for most of the time, but loaded in a different way.
Same thing goes when loading a certificate which is saved in PROGMEM (sketch ROM).
Therefore, it should be possible to use a client certificates and a private key which are stored as .pem or .der in the file system, without copying the whole file content to the RAM, for the whole lifetime of the program.
I tried understanding the code in CertStoreBearSSL.cpp but it's too complicated for me.
Thanks in advance and Best regards!