Add Github Digicert cert hash check

to avoid loading a deprecated certificate
2026-02-20 00:32:04 +01:00 · 2024-06-11 14:05:37 -05:00
parent c2e95cf9b0
commit 9e44313714
4 changed files with 36 additions and 3 deletions
--- a/main/User_config.h
+++ b/main/User_config.h
@@ -215,6 +215,8 @@ const char* certificate PROGMEM = R"EOF("
 #    define MQTT_CERT_VALIDATE_DEFAULT false
 #  endif

+#  define GITHUB_OTA_SERVER_CERT_HASH "d4d211b4553af9fac371f24c2268d59d2b0fec6b9aa0fdbbde068f078d7daf86" // SHA256 fingerprint of the certificate used by the OTA server
+
 #  ifndef AWS_IOT
 #    define AWS_IOT false
 #  endif
--- a/main/ZboardTheengs.ino
+++ b/main/ZboardTheengs.ino
@@ -31,7 +31,7 @@ void addTestMessage(JsonArray& data, String name, String value, String result) {
 }

 void testDevice() {
-  StaticJsonDocument<1200> doc;
+  StaticJsonDocument<1280> doc;
  JsonArray data = doc.to<JsonArray>();

  addTestMessage(data, "Mac Address", String(WiFi.macAddress()), "OK");
@@ -46,6 +46,7 @@ void testDevice() {
  addTestMessage(data, "ETH Link Speed", String(ETH.linkSpeed()) + "Mbs", ETH.linkSpeed() ? "OK" : "NOK");
  addTestMessage(data, "Build Date", String(__DATE__), "OK");
  addTestMessage(data, "Build Time", String(__TIME__), "OK");
+  Serial.println();
  serializeJson(doc, Serial);
  Serial.println();
 }
--- a/main/certs/default_ota_cert.h
+++ b/main/certs/default_ota_cert.h
@@ -1,5 +1,5 @@
 // The certificate must be in PEM ascii format.
-// The default certificate is for github.
+// The default certificate is for ota.openmqttgateway.com
 const char* OTAserver_cert PROGMEM = R"EOF("
 -----BEGIN CERTIFICATE-----
 MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
--- a/main/main.ino
+++ b/main/main.ino
@@ -1695,6 +1695,22 @@ void saveConfig() {
  configFile.close();
 }

+#  ifdef ESP32
+#    include "mbedtls/sha256.h"
+
+std::string generateHash(const std::string& input) {
+  unsigned char hash[32];
+  mbedtls_sha256((unsigned char*)input.c_str(), input.length(), hash, 0);
+
+  char hashString[65]; // Room for null terminator
+  for (int i = 0; i < 32; ++i) {
+    sprintf(&hashString[i * 2], "%02x", hash[i]);
+  }
+
+  return std::string(hashString);
+}
+#  endif
+
 bool loadConfigFromFlash() {
  Log.trace(F("mounting FS..." CR));
  bool result = false;
@@ -1751,8 +1767,22 @@ bool loadConfigFromFlash() {
          }
 #  endif
        }
-        if (json.containsKey("ota_server_cert"))
+        if (json.containsKey("ota_server_cert")) {
+#  ifdef ESP32
+          // Read hash from the file
+          std::string hash = generateHash(json["ota_server_cert"]);
+          // Compare the hash with the expected hash
+          if (hash == GITHUB_OTA_SERVER_CERT_HASH) {
+            // Do nothing
+            Log.warning(F("Old Github OTA server detected, skipping" CR));
+          } else {
+            Log.notice(F("OTA server cert hash: %s" CR), hash.c_str());
+            ota_server_cert = json["ota_server_cert"].as<const char*>();
+          }
+#  else
          ota_server_cert = json["ota_server_cert"].as<const char*>();
+#  endif
+        }
        result = true;
      } else {
        Log.warning(F("failed to load json config" CR));