Avoid certificate substitution during OTA

Wasabinary
Posts: 13
Joined: Fri Apr 23, 2021 10:09 am

Avoid certificate substitution during OTA

Postby Wasabinary » Fri Apr 23, 2021 10:28 am

Hi,

I'm currently working with several ESP32 and OTA updates.

Since my app uses SSL/TLS certificates, I currently uses the following lines of code to get my .pem certificates from my project/server_certs folder and use them in my HTTPS client config :

Code: Select all

const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
...
esp_http_client_config_t config = {
   ...,
  .cert_pem = (char *)server_cert_pem_start,
  ...
};
Since I want to implement OTA for several ESP32 devices and update them all at the time using HTTPS OTA, I want to make sure they keep their own SSL certificate, meaning that I want to find a way to save the certificates somewhere in the memory that will not be erased during OTA update.

Any advice about the way to do this?

Thanks for your help

Wasabinary
Posts: 13
Joined: Fri Apr 23, 2021 10:09 am

Re: Avoid certificate substitution during OTA

Postby Wasabinary » Thu Apr 29, 2021 8:34 am

I finally found a way to avoid certificate substitution during OTA, by creating a SPIFFS partition in the ESP32 memory and saving the certificate inside of it.

Let me know if you wonder the way to do so, I would be happy to share my solution in details !

aeropagz
Posts: 2
Joined: Tue Jan 18, 2022 3:30 pm

Re: Avoid certificate substitution during OTA

Postby aeropagz » Tue Jan 18, 2022 3:31 pm

Hey Wasabinary,

I try to solve the same problem.
Could you pls share your solution in some detail?

Thank you

Klaas

Wasabinary
Posts: 13
Joined: Fri Apr 23, 2021 10:09 am

Re: Avoid certificate substitution during OTA

Postby Wasabinary » Wed Jan 19, 2022 7:54 am

Hi aeropagz,

To avoid certificate substitution, you may need to create a file system partition in the ESP32 flash (like SPIFFS or FatFS). To do so, you need to use a custom partition table (see Partition Table menu in sdkconfig of your project) where you add a fiel system partition. Inside of it, you can place your certificate, init the partition in your code and retrieve your files when you need them.

As you probably already know, HTTPS OTA update requires at least the otadata, ota_0 and ota_1 partitions, which are the only ones that are updated during the process. That means that your filesystem partition will not be changed during the update, which allows you to keep your certificate unharmed.

Let me know if you need more help

Who is online

Users browsing this forum: Bing [Bot] and 136 guests