Add _ecVrfy and _ecSign

Add _ecVrfy and _ecSign to allow the user to customize the verification and signature functions (could be useful if the user wants to use BearSSLClient without ECC508) The functions can be customized through the constructor and are set to their current values as soon as the user calls setEccSlot Signed-off-by: Fabrice Fontaine <[email protected]>
arduino-libraries · Jun 23, 2020 · 436c232 · 436c232
1 parent 15763ab
commit 436c232
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 10 deletions.
diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp
@@ -46,6 +46,9 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs,
   _numTAs(myNumTAs),
   _noSNI(false)
 {
+  _ecVrfy = br_ecdsa_vrfy_asn1_get_default();
+  _ecSign = br_ecdsa_sign_asn1_get_default();
+
   _ecKey.curve = 0;
   _ecKey.x = NULL;
   _ecKey.xlen = 0;
@@ -192,6 +195,16 @@ void BearSSLClient::setInsecure(SNI insecure)
   }
 }
 
+void BearSSLClient::setEccVrfy(br_ecdsa_vrfy vrfy)
+{
+  _ecVrfy = vrfy;
+}
+
+void BearSSLClient::setEccSign(br_ecdsa_sign sign)
+{
+  _ecSign = sign;
+}
+
 void BearSSLClient::setEccSlot(int ecc508KeySlot, const byte cert[], int certLength)
 {
   // HACK: put the key slot info. in the br_ec_private_key structure
@@ -202,6 +215,9 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const byte cert[], int certLen
   _ecCert.data = (unsigned char*)cert;
   _ecCert.data_len = certLength;
   _ecCertDynamic = false;
+
+  _ecVrfy = eccX08_vrfy_asn1;
+  _ecSign = eccX08_sign_asn1;
 }
 
 void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[])
@@ -267,23 +283,23 @@ int BearSSLClient::connectSSL(const char* host)
   // inject entropy in engine
   unsigned char entropy[32];
 
-  if (ECCX08.begin() && ECCX08.locked() && ECCX08.random(entropy, sizeof(entropy))) {
-    // ECC508 random success, add custom ECDSA vfry and EC sign
-    br_ssl_engine_set_ecdsa(&_sc.eng, eccX08_vrfy_asn1);
-    br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng));
-
-    // enable client auth using the ECCX08
-    if (_ecCert.data_len && _ecKey.xlen) {
-      br_ssl_client_set_single_ec(&_sc, &_ecCert, 1, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), eccX08_sign_asn1);
-    }
-  } else {
+  if (!ECCX08.begin() || !ECCX08.locked() || !ECCX08.random(entropy, sizeof(entropy))) {
     // no ECCX08 or random failed, fallback to pseudo random
     for (size_t i = 0; i < sizeof(entropy); i++) {
       entropy[i] = random(0, 255);
     }
   }
   br_ssl_engine_inject_entropy(&_sc.eng, entropy, sizeof(entropy));
 
+  // add custom ECDSA vfry and EC sign
+  br_ssl_engine_set_ecdsa(&_sc.eng, _ecVrfy);
+  br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng));
+
+  // enable client auth
+  if (_ecCert.data_len && _ecKey.xlen) {
+    br_ssl_client_set_single_ec(&_sc, &_ecCert, 1, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign);
+  }
+
   // set the hostname used for SNI
   br_ssl_client_reset(&_sc, host, 0);
 

diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h
@@ -71,6 +71,9 @@ class BearSSLClient : public Client {
 
   void setInsecure(SNI insecure) __attribute__((deprecated("INSECURE. DO NOT USE IN PRODUCTION")));
 
+  void setEccVrfy(br_ecdsa_vrfy vrfy);
+  void setEccSign(br_ecdsa_sign sign);
+
   void setEccSlot(int ecc508KeySlot, const byte cert[], int certLength);
   void setEccSlot(int ecc508KeySlot, const char cert[]);
 
@@ -89,6 +92,9 @@ class BearSSLClient : public Client {
 
   bool _noSNI;
 
+  br_ecdsa_vrfy _ecVrfy;
+  br_ecdsa_sign _ecSign;
+
   br_ec_private_key _ecKey;
   br_x509_certificate _ecCert;
   bool _ecCertDynamic;