HTTPS + HTTPS OTA - client key password

[joncmaloney]

Hi,

The MQTT over SSL API provides two fields clientkey_password and clientkey_password_len that allow connections to MQTT to be supplied with password protected keys. Is there a way to create HTTPS connections and OTA over HTTPS with password protected keys?

I can't seem to find a field for this directly in the HTTPS client API. Is there a known workaround? Possibly removing password protection from the key file before creating the HTTPS connection. Or is there a way to directly override the esp_tls_cfg for the HTTPS connection?

Thanks in advance for your response.

[joncmaloney]

Hi All,

I've found a work around for anyone else that might have the same problem.

Assuming you are using mbedtls as the ssl library. The below function will remove password protection from a private key file.

**Note i've only tested this using keys in PEM file format that are using RSA.

Code: Select all

#include "mbedtls/pk.h"

int remove_password_protection( char *out_new_key, size_t *new_key_len, char *key, size_t *key_len, char *key_password, size_t key_password_len )
{

   if( key == NULL || key_password == NULL ) return -1; 
   
    mbedtls_pk_context ctx; 
    /* Initialize a mbedtls_pk_context (as NONE) */
    mbedtls_pk_init( &ctx );
    
    /* Parse a private key in PEM or DER format. */
    int ret = mbedtls_pk_parse_key( &ctx, key, *key_len, key_password, key_password_len );
    if( ret != 0 ) return -2;
    
    /* Write the key into PEM string */
    ret = mbedtls_pk_write_key_pem( &ctx, out_new_key, *new_key_len );
    if( ret != 0 ) return -3;

    /* update the key length */
    *new_key_len = strlen( out_new_key );

   return 0;
}