client: add support for secondary root ca certificate

joelguittet · joelguittet · commit c7395861be17 · 2025-05-29T23:27:40.000+02:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -40,5 +40,6 @@ target_sources(app PRIVATE "src/main.c")
 # Definitions
 target_compile_definitions(app PRIVATE PROJECT_NAME="mender-stm32l4a6-zephyr-example")
 
-# Generate Root CA include file
-generate_inc_file_for_target(app "src/AmazonRootCA1.cer" "${ZEPHYR_BINARY_DIR}/include/generated/AmazonRootCA1.cer.inc")
+# Generate Root CA include files
+generate_inc_file_for_target(app "src/AmazonRootCA1.der" "${ZEPHYR_BINARY_DIR}/include/generated/AmazonRootCA1.der.inc")
+generate_inc_file_for_target(app "src/GoogleTrustServicesR4.der" "${ZEPHYR_BINARY_DIR}/include/generated/GoogleTrustServicesR4.der.inc")
diff --git a/components/mender-mcu-client b/components/mender-mcu-client
@@ -1 +1 @@
-Subproject commit 4d4007ef9ea32d7d6f834958310d4f64adcc41f4
+Subproject commit 6a25dd31fd7dcfc8d8b1662bca9b6eb1f28829ab
diff --git a/prj.conf b/prj.conf
@@ -24,6 +24,8 @@ CONFIG_MENDER_CLIENT_ADD_ON_CONFIGURE=y
 #CONFIG_MENDER_CLIENT_TROUBLESHOOT_SHELL=y
 #CONFIG_MENDER_CLIENT_TROUBLESHOOT_FILE_TRANSFER=y
 CONFIG_MENDER_STORAGE_NVS_SECTOR_COUNT=4
+CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_PRIMARY=1
+CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY=2
 
 # Required to get Device Troubleshoot add-on working
 #CONFIG_HEAP_MEM_POOL_SIZE=1500
diff --git a/src/AmazonRootCA1.der b/src/AmazonRootCA1.der
diff --git a/src/GoogleTrustServicesR4.der b/src/GoogleTrustServicesR4.der
diff --git a/src/main.c b/src/main.c
@@ -40,20 +40,40 @@ LOG_MODULE_REGISTER(mender_stm32l4a6_zephyr_example, LOG_LEVEL_INF);
 #include <zephyr/llext/buf_loader.h>
 #endif /* CONFIG_LLEXT */
 
+#ifdef CONFIG_NET_SOCKETS_SOCKOPT_TLS
+#include <zephyr/net/tls_credentials.h>
+#endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
+
 /*
  * Amazon Root CA 1 certificate, retrieved from https://www.amazontrust.com/repository in DER format.
  * It is converted to include file in application CMakeLists.txt.
  */
-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
-#include <zephyr/net/tls_credentials.h>
-#if defined(CONFIG_TLS_CREDENTIAL_FILENAMES)
-static const unsigned char ca_certificate[] = "AmazonRootCA1.cer";
+#ifdef CONFIG_NET_SOCKETS_SOCKOPT_TLS
+#ifdef CONFIG_TLS_CREDENTIAL_FILENAMES
+static const unsigned char ca_certificate_primary[] = "AmazonRootCA1.der";
+#else
+static const unsigned char ca_certificate_primary[] = {
+#include "AmazonRootCA1.der.inc"
+};
+#endif /* CONFIG_TLS_CREDENTIAL_FILENAMES */
+#endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
+
+/*
+ * Google Trust Services Root R4 certificate, retrieved from https://pki.goog/repository in DER format.
+ * It is converted to include file in application CMakeLists.txt.
+ * This secondary Root CA certificate is to be used if the device is connected to a free hosted Mender account (for which artifacts are saved on a Cloudflare server instead of the Amazon S3 storage)
+ */
+#ifdef CONFIG_NET_SOCKETS_SOCKOPT_TLS
+#if (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY)
+#ifdef CONFIG_TLS_CREDENTIAL_FILENAMES
+static const unsigned char ca_certificate_secondary[] = "GoogleTrustServicesR4.der";
 #else
-static const unsigned char ca_certificate[] = {
-#include "AmazonRootCA1.cer.inc"
+static const unsigned char ca_certificate_secondary[] = {
+#include "GoogleTrustServicesR4.der.inc"
 };
-#endif
-#endif
+#endif /* CONFIG_TLS_CREDENTIAL_FILENAMES */
+#endif /* (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY) */
+#endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
 
 #include "mender-client.h"
 #include "mender-configure.h"
@@ -504,10 +524,17 @@ main(void) {
     /* Wait until the network interface is operational */
     k_event_wait_all(&mender_client_events, MENDER_CLIENT_EVENT_NETWORK_UP, false, K_FOREVER);
 
-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
-    /* Initialize certificate */
-    tls_credential_add(CONFIG_MENDER_NET_CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, ca_certificate, sizeof(ca_certificate));
-#endif
+#ifdef CONFIG_NET_SOCKETS_SOCKOPT_TLS
+    /* Initialize certificate(s) */
+    assert(0
+           == tls_credential_add(
+               CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_PRIMARY, TLS_CREDENTIAL_CA_CERTIFICATE, ca_certificate_primary, sizeof(ca_certificate_primary)));
+#if (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY)
+    assert(0
+           == tls_credential_add(
+               CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY, TLS_CREDENTIAL_CA_CERTIFICATE, ca_certificate_secondary, sizeof(ca_certificate_secondary)));
+#endif /* (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY) */
+#endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
 
     /* Read base MAC address of the device */
     char                 mac_address[18];
