From 6a25dd31fd7dcfc8d8b1662bca9b6eb1f28829ab Mon Sep 17 00:00:00 2001
From: Joel Guittet
Date: Tue, 5 Nov 2024 23:05:29 +0100
Subject: [PATCH] platform: net: zephyr: add support for secondary root ca certificate
---
 platform/net/zephyr/src/mender-net.c | 6 ++++--
 zephyr/Kconfig | 11 +++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/platform/net/zephyr/src/mender-net.c b/platform/net/zephyr/src/mender-net.c
index 42ff27c..bdf988d 100644
--- a/platform/net/zephyr/src/mender-net.c
+++ b/platform/net/zephyr/src/mender-net.c
@@ -138,8 +138,10 @@ mender_net_connect(const char *host, const char *port, int *sock) {
 #ifdef CONFIG_NET_SOCKETS_SOCKOPT_TLS
     /* Set TLS_SEC_TAG_LIST option */
-    sec_tag_t sec_tag[] = {
-        CONFIG_MENDER_NET_CA_CERTIFICATE_TAG,
+    sec_tag_t sec_tag[] = { CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_PRIMARY,
+#if (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY)
+        CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY
+#endif /* (0 != CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY) */
     };
     if ((result = zsock_setsockopt(*sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag, sizeof(sec_tag))) < 0) {
         mender_log_error("Unable to set TLS_SEC_TAG_LIST option, result = %d, errno = %d", result, errno);
diff --git a/zephyr/Kconfig b/zephyr/Kconfig
index 2f497e1..2ac9843 100755
--- a/zephyr/Kconfig
+++ b/zephyr/Kconfig
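Review bot: Both tags land in the same TLS_SEC_TAG_LIST, so from the new `sec_tag[]` initializer onward a server chain that validates against either root is accepted for as long as CONFIG_MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY is non-zero, and nothing at this site records that this is meant as a rotation window rather than a permanent second trust anchor. A comment above the array would make the intent and the cleanup step explicit, e.g. `/* Primary and optional secondary root CA: both are trusted while the secondary tag is non-zero (CA rotation); reset it to 0 once the old root is retired. */`. The `#if (0 != …)` guard is evaluated on a Kconfig integer, so a build where the symbol is absent quietly yields a one-entry list, which is fine but worth a word in that comment. Zephyr's credential lookup appears to fail for a tag with nothing registered under it, so a non-zero secondary tag without a matching tls_credential_add() call would presumably make the connect fail rather than be ignored; that belongs in the Kconfig help. mender_net_connect starts before and ends after this hunk.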
@@ -286,12 +286,19 @@ if MENDER_MCU_CLIENT menu "Network options (ADVANCED)" - config MENDER_NET_CA_CERTIFICATE_TAG - int "CA certificate tag" + config MENDER_NET_CA_CERTIFICATE_TAG_PRIMARY + int "Primary CA certificate tag" default 1 help A security tag that ROOT CA server credential will be referenced with, see tls_credential_add. + config MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY + int "Secondary CA certificate tag" + default 0 + help + A secondary security tag that ROOT CA server credential will be referenced with, see tls_credential_add. + Setting this value to 0 permits to disable the secondary CA certificate tag. + config MENDER_NET_TLS_PEER_VERIFY int "TLS_PEER_VERIFY option" range 0 2
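Review bot: The help for MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY says how to disable it but not what enabling it means for trust: while it is non-zero, server certificates chaining to either root are accepted, and a non-zero tag with no credential registered under it will presumably make the TLS connect fail rather than be silently skipped. I would extend the help with `Both roots are trusted while this is non-zero; use it only during a root CA rotation and reset it to 0 once the old root is retired.` and `A credential must be registered for this tag with tls_credential_add before connecting.`. Separately, renaming MENDER_NET_CA_CERTIFICATE_TAG to MENDER_NET_CA_CERTIFICATE_TAG_PRIMARY drops the old symbol, so an existing prj.conf that sets it will either fail the Kconfig check or silently fall back to `default 1`, depending on how undefined-symbol assignments are treated in this build; keeping the old symbol as a deprecated alias that the primary defaults to would avoid that. The `permits to disable` wording would read better as `Setting this value to 0 disables the secondary CA certificate tag.`.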