fix: use DigiCert G5 root certificate #21
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This SDK is currently misconfigured for connecting to ClearBlade's new DigiCert G5-based endpoints: firmware built using this SDK will fail to connect to ClearBlade IoT Core with error 62 (IOTC_TLS_FAILED_CERT_ERROR). # Issues with current implementation There are 2 big issues with the current implementation: ## `roots.pem` contains the wrong certificate The current `roots.pem` contains an _intermediate_ certificate (DigiCert G5 TLS ECC SHA384 2021 CA1), not the root certificate (DigiCert TLS ECC P384 Root G5). While `mbedtls` _is_ flexible enough to short-circuit validation once we've verified the intermediate certificate, this is fragile and violates using the root of a trust hierarchy as a trust anchor. If ClearBlade's servers ever decide to issue a new server certificate from a different intermediate (signed by the same G5 root), all these device connections would suddenly break. In addition, the intermediate certificate is only valid until Apr 14th, 2031 -- 15 years before the end-of-validity of the root certificate (Jan 14th, 2046). ## The builtin certificate buffer was never updated In the end, it doesn't even matter how `roots.pem` was changed: the actual buffer of bytes in `src/libiotc/tls/certs/iotc_RootCA_list.c` was never updated! So the built program would still end up using the old G1 root certificates. # Fix introduced in this commit This commit updates the `$(IOTC_BUILTIN_ROOTCA_CERTS)` Makefile target to fetch `roots.pem` from the correct URL for the DigiCert TLS ECC P384 Root G5 certificate (https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt.pem). It then suffices to: * delete `roots.pem` * run `make update_builtin_cert_buffer` to fetch the correct root certificate and update the builtin certificate buffer in `iotc_RootCA_list.c`.
|
On more of a meta-note: #20 was merged in Sept 2024. As far as I can tell, this means that this repository has been broken for the past year for anyone trying to connect to the G5 URLs (e.g., I'm concerned that a) this was seemingly not tested before merging and b) this wasn't caught until now. If there were any users that relied on IoT Core to perform over-the-air updates in order update these root certificates, they would have been bricked when we reached the G1 distrust date. What happened here? Is this repository still being maintained? Are other users using a different library to connect to ClearBlade IoT Core? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This SDK is currently misconfigured for connecting to ClearBlade's new DigiCert G5-based endpoints: firmware built using this SDK will fail to connect to ClearBlade IoT Core with error 62 (IOTC_TLS_FAILED_CERT_ERROR).
Issues with current implementation
There are 2 big issues with the current implementation:
roots.pemcontains the wrong certificateThe current
roots.pemcontains an intermediate certificate (DigiCert G5 TLS ECC SHA384 2021 CA1), not the root certificate (DigiCert TLS ECC P384 Root G5).While
mbedtlsis flexible enough to short-circuit validation once we've verified the intermediate certificate, this is fragile and violates using the root of a trust hierarchy as a trust anchor.If ClearBlade's servers ever decide to issue a new server certificate from a different intermediate (signed by the same G5 root), all these device connections would suddenly break. In addition, the intermediate certificate is only valid until Apr 14th, 2031 -- 15 years before the end-of-validity of the root certificate (Jan 14th, 2046).
The builtin certificate buffer was never updated
In the end, it doesn't even matter how
roots.pemwas changed: the actual buffer of bytes insrc/libiotc/tls/certs/iotc_RootCA_list.cwas never updated! So the built program would still end up using the old G1 root certificates.Fix introduced in this commit
This commit updates the
$(IOTC_BUILTIN_ROOTCA_CERTS)Makefile target to fetchroots.pemfrom the correct URL for the DigiCert TLS ECC P384 Root G5 certificate (https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt.pem).It then suffices to:
roots.pemmake update_builtin_cert_bufferto fetch the correct root certificate and update the builtin certificate buffer in
iotc_RootCA_list.c.