diff --git a/samples/net/sockets/http_server/CMakeLists.txt b/samples/net/sockets/http_server/CMakeLists.txt
index 1f793c1fcef..b860f8a07ce 100644
--- a/samples/net/sockets/http_server/CMakeLists.txt
+++ b/samples/net/sockets/http_server/CMakeLists.txt
@@ -20,6 +20,20 @@ if(CONFIG_NET_SOCKETS_SOCKOPT_TLS AND
   add_dependencies(app development_psk)
 endif()
 
+set(CERTS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/src/certs)
+
+add_custom_target(sample_ca_cert
+  WORKING_DIRECTORY ${CERTS_DIR}
+  COMMAND sh gen_ca_cert.sh
+  COMMENT "Generating sample CA certificate"
+)
+
+add_custom_target(sample_server_cert
+  WORKING_DIRECTORY ${CERTS_DIR}
+  COMMAND sh gen_server_cert.sh
+  COMMENT "Generating sample server certificate"
+)
+
 option(INCLUDE_HTML_CONTENT "Include the HTML content" ON)
 
 target_sources(app PRIVATE src/main.c)
diff --git a/samples/net/sockets/http_server/prj.conf b/samples/net/sockets/http_server/prj.conf
index aa04b93f223..73024d1aca1 100644
--- a/samples/net/sockets/http_server/prj.conf
+++ b/samples/net/sockets/http_server/prj.conf
@@ -69,6 +69,14 @@ CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
 CONFIG_TLS_CREDENTIALS=y
 CONFIG_TLS_MAX_CREDENTIALS_NUMBER=5
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_ECP_C=y
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 
 # Networking tweaks
 # Required to handle large number of consecutive connections,
diff --git a/samples/net/sockets/http_server/src/certs/.gitignore b/samples/net/sockets/http_server/src/certs/.gitignore
new file mode 100644
index 00000000000..96aff7026ab
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/.gitignore
@@ -0,0 +1,3 @@
+*.pem
+!ca_cert.pem
+*.ext
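Review bot: `sample_server_cert` runs a script that reads `ca_privkey.pem`, but nothing orders it after `sample_ca_cert`, and because the `.gitignore` added in this commit excludes every `*.pem` except `ca_cert.pem`, a fresh checkout has no CA key and the target fails unless the CA target was run by hand first. Add `add_dependencies(sample_server_cert sample_ca_cert)` after the second `add_custom_target`, or state the precondition in its COMMENT. Both `add_custom_target` calls should also pass `VERBATIM` so the COMMAND is quoted the same way on every generator. Neither target uses `ALL`, so they only run when invoked explicitly, which looks intended given that the scripts overwrite tracked files under `src/certs`.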
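Review bot: The eight new `CONFIG_MBEDTLS_*` lines carry no comment tying them to the ECDSA/P-256 credentials introduced under `src/certs`, so a reader cannot tell why RSA key exchange is switched off here. Add above `CONFIG_MBEDTLS_ECDH_C=y` a comment such as `# The sample TLS credentials are ECDSA on P-256 (see src/certs): enable ECDHE-ECDSA and drop RSA key exchange`. Whether any other key-exchange option remains enabled elsewhere in this file is not visible from the hunk.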
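Review bot: `ca.srl`, which gen_server_cert.sh creates through `-CAcreateserial -CAserial ca.srl`, matches none of the three patterns, so it shows up as an untracked file after the server target runs. Add a line `ca.srl`. The `*.der` outputs are deliberately left unignored, which is consistent with the binary changes in this commit.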
diff --git a/samples/net/sockets/http_server/src/certs/ca_cert.pem b/samples/net/sockets/http_server/src/certs/ca_cert.pem
new file mode 100644
index 00000000000..38ea9d14c99
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/ca_cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAYmgAwIBAgIUXHpFEmhwtzDyteoz+ZSOhyQ6xzUwCgYIKoZIzj0EAwIw
+RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
+dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwIBcNMjQxMTI3MTE1ODUwWhgPMjEyNDEx
+MDMxMTU4NTBaMEYxFjAUBgNVBAoMDVplcGh5cnByb2plY3QxLDAqBgNVBAMMI1pl
+cGh5cnByb2plY3QgU2FtcGxlIERldmVsb3BtZW50IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEvCX35MoLVdt4STWeomwFjuLV8nAz+K1IIc5PrfD9nVhLZfOS
+Z35O9dTEMvn1dP2MqUqjL6wWA3oSnvItU81qD6NTMFEwHQYDVR0OBBYEFNFC9qd/
+SSYq7aDvLGsc4Fu7Fn5cMB8GA1UdIwQYMBaAFNFC9qd/SSYq7aDvLGsc4Fu7Fn5c
+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALWzu1PtNJYu9sWb
+A2iBixJuoK7y8EqCkGDp0e66mA+qAiEAyz7YdO7zhcHWgaUXqLwlVqe5cstVMsLv
+4TbLwQi+wfI=
+-----END CERTIFICATE-----
diff --git a/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh b/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
new file mode 100644
index 00000000000..e2e38e38039
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/gen_ca_cert.sh
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a root CA private key
+openssl ecparam \
+  -name prime256v1 \
+  -genkey \
+  -out ca_privkey.pem
+
+# Generate a root CA certificate using private key
+openssl req \
+  -new \
+  -x509 \
+  -days 36500 \
+  -key ca_privkey.pem \
+  -out ca_cert.pem \
+  -subj "/O=Zephyrproject/CN=Zephyrproject Sample Development CA"
diff --git a/samples/net/sockets/http_server/src/certs/gen_server_cert.sh b/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
new file mode 100644
index 00000000000..a088e708db2
--- /dev/null
+++ b/samples/net/sockets/http_server/src/certs/gen_server_cert.sh
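Review bot: The script has no `set -e`, so if `openssl ecparam` fails the following `openssl req` still runs against a missing or stale `ca_privkey.pem` and the CMake target that invokes it reports success; the same applies to gen_server_cert.sh. Add `set -eu` after the SPDX line in both scripts. The `openssl req -x509` call here passes no `-sha256` while the server script does; making the two consistent avoids relying on the OpenSSL default digest. The CA key is written unencrypted into the source tree and is kept out of git only by the new `.gitignore`, so a comment such as `# ca_privkey.pem is intentionally not committed; regenerating the CA invalidates every previously issued server certificate` would make that contract explicit.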
@@ -0,0 +1,48 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a server private key
+openssl ecparam \
+  -name prime256v1 \
+  -genkey \
+  -out server_privkey.pem
+
+# Generate a certificate signing request using server key
+openssl req \
+  -new \
+  -sha256 \
+  -key server_privkey.pem \
+  -out server_csr.pem \
+  -subj "/O=Zephyrproject/CN=zephyr"
+
+# Create a file containing server CSR extensions
+echo "subjectKeyIdentifier=hash" > server_csr.ext
+echo "authorityKeyIdentifier=keyid,issuer" >> server_csr.ext
+echo "basicConstraints=critical,CA:FALSE" >> server_csr.ext
+echo "keyUsage=critical,digitalSignature" >> server_csr.ext
+echo "extendedKeyUsage=serverAuth" >> server_csr.ext
+echo "subjectAltName=DNS:zephyr.local,IP.1:192.0.2.1,IP.2:2001:db8::1" >> server_csr.ext
+
+# Create a server certificate by signing the server CSR using the CA cert/key
+openssl x509 \
+  -req \
+  -sha256 \
+  -CA ca_cert.pem \
+  -CAkey ca_privkey.pem \
+  -days 36500 \
+  -CAcreateserial \
+  -CAserial ca.srl \
+  -in server_csr.pem \
+  -out server_cert.pem \
+  -extfile server_csr.ext
+
+# Create DER encoded versions of server certificate and private key
+openssl ec \
+  -outform der \
+  -in server_privkey.pem \
+  -out server_privkey.der
+
+openssl x509 \
+  -outform der \
+  -in server_cert.pem \
+  -out server_cert.der
diff --git a/samples/net/sockets/http_server/src/certs/server_cert.der b/samples/net/sockets/http_server/src/certs/server_cert.der
index 2b664a4bdb2..35b47f4487d 100644
Binary files a/samples/net/sockets/http_server/src/certs/server_cert.der and b/samples/net/sockets/http_server/src/certs/server_cert.der differ
diff --git a/samples/net/sockets/http_server/src/certs/server_privkey.der b/samples/net/sockets/http_server/src/certs/server_privkey.der
index 2269293fe79..5e6ab5bd1f4 100644
Binary files a/samples/net/sockets/http_server/src/certs/server_privkey.der and b/samples/net/sockets/http_server/src/certs/server_privkey.der differ
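Review bot: The intermediates `server_csr.pem` and `server_csr.ext` are left behind in `src/certs` after the final `openssl x509 -outform der` step; add `rm -f server_csr.pem server_csr.ext` at the end of the script, or document that they are scratch files. The `subjectAltName` line fixes the only names a verifying client will accept (`zephyr.local`, `192.0.2.1`, `2001:db8::1`), so a comment saying that these must match the address the client connects to and be updated together with the sample's network configuration would help the next person who changes either. `server_privkey.der` and `server_cert.der` are tracked files that this commit modifies, so whatever the script emits is what ships with the sample; a comment stating they are development-only credentials would be worth adding above the DER conversion.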