samples: http_server: update cipher suites and certificates

Existing cipher suites and certificates used by HTTP server sample are
included in RFC9113 Appendix A: Prohibited TLS 1.2 Cipher Suites. The
RFC specifies that when using HTTP/2, these cipher suites may be treated
as an error of type INADEQUATE_SECURITY, and in practice it seems that
Chrome and Firefox do implement this.

The certificates have been updated to use ECDSA-P265 signatures, and
supported cipher suites updated to include ECDH key exchange and AES GCM
and CCM modes.

Some scripts are included to allow users to generate their own
certificates if desired.

Signed-off-by: Matt Rodgers <[email protected]>

Author: mrodgers-witekio

samples/net/sockets/http_server/CMakeLists.txt

@@ -20,6 +20,20 @@ if(CONFIG_NET_SOCKETS_SOCKOPT_TLS AND
   add_dependencies(app development_psk)
 endif()
 
+set(CERTS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/src/certs)
+
+add_custom_target(sample_ca_cert
+  WORKING_DIRECTORY ${CERTS_DIR}
+  COMMAND sh gen_ca_cert.sh
+  COMMENT "Generating sample CA certificate"
+)
+
+add_custom_target(sample_server_cert
+  WORKING_DIRECTORY ${CERTS_DIR}
+  COMMAND sh gen_server_cert.sh
+  COMMENT "Generating sample server certificate"
+)
+
 option(INCLUDE_HTML_CONTENT "Include the HTML content" ON)
 
 target_sources(app PRIVATE src/main.c)

samples/net/sockets/http_server/prj.conf

@@ -69,6 +69,14 @@ CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
 CONFIG_TLS_CREDENTIALS=y
 CONFIG_TLS_MAX_CREDENTIALS_NUMBER=5
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_ECP_C=y
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 
 # Networking tweaks
 # Required to handle large number of consecutive connections,

samples/net/sockets/http_server/src/certs/.gitignore

@@ -0,0 +1,3 @@
+*.pem
+!ca_cert.pem
+*.ext

samples/net/sockets/http_server/src/certs/ca_cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5DCCAYmgAwIBAgIUXHpFEmhwtzDyteoz+ZSOhyQ6xzUwCgYIKoZIzj0EAwIw
+RjEWMBQGA1UECgwNWmVwaHlycHJvamVjdDEsMCoGA1UEAwwjWmVwaHlycHJvamVj
+dCBTYW1wbGUgRGV2ZWxvcG1lbnQgQ0EwIBcNMjQxMTI3MTE1ODUwWhgPMjEyNDEx
+MDMxMTU4NTBaMEYxFjAUBgNVBAoMDVplcGh5cnByb2plY3QxLDAqBgNVBAMMI1pl
+cGh5cnByb2plY3QgU2FtcGxlIERldmVsb3BtZW50IENBMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEvCX35MoLVdt4STWeomwFjuLV8nAz+K1IIc5PrfD9nVhLZfOS
+Z35O9dTEMvn1dP2MqUqjL6wWA3oSnvItU81qD6NTMFEwHQYDVR0OBBYEFNFC9qd/
+SSYq7aDvLGsc4Fu7Fn5cMB8GA1UdIwQYMBaAFNFC9qd/SSYq7aDvLGsc4Fu7Fn5c
+MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhALWzu1PtNJYu9sWb
+A2iBixJuoK7y8EqCkGDp0e66mA+qAiEAyz7YdO7zhcHWgaUXqLwlVqe5cstVMsLv
+4TbLwQi+wfI=
+-----END CERTIFICATE-----

samples/net/sockets/http_server/src/certs/gen_ca_cert.sh

@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a root CA private key
+openssl ecparam \
+    -name prime256v1 \
+    -genkey \
+    -out ca_privkey.pem
+
+# Generate a root CA certificate using private key
+openssl req \
+    -new \
+    -x509 \
+    -days 36500 \
+    -key ca_privkey.pem \
+    -out ca_cert.pem \
+    -subj "/O=Zephyrproject/CN=Zephyrproject Sample Development CA"

samples/net/sockets/http_server/src/certs/gen_server_cert.sh

@@ -0,0 +1,48 @@
+# Copyright (c) 2024, Witekio
+# SPDX-License-Identifier: Apache-2.0
+
+# Generate a server private key
+openssl ecparam \
+    -name prime256v1 \
+    -genkey \
+    -out server_privkey.pem
+
+# Generate a certificate signing request using server key
+openssl req \
+    -new \
+    -sha256 \
+    -key server_privkey.pem \
+    -out server_csr.pem \
+    -subj "/O=Zephyrproject/CN=zephyr"
+
+# Create a file containing server CSR extensions
+echo "subjectKeyIdentifier=hash" > server_csr.ext
+echo "authorityKeyIdentifier=keyid,issuer" >> server_csr.ext
+echo "basicConstraints=critical,CA:FALSE" >> server_csr.ext
+echo "keyUsage=critical,digitalSignature" >> server_csr.ext
+echo "extendedKeyUsage=serverAuth" >> server_csr.ext
+echo "subjectAltName=DNS:zephyr.local,IP.1:192.0.2.1,IP.2:2001:db8::1" >> server_csr.ext
+
+# Create a server certificate by signing the server CSR using the CA cert/key
+openssl x509 \
+    -req \
+    -sha256 \
+    -CA ca_cert.pem \
+    -CAkey ca_privkey.pem \
+    -days 36500 \
+    -CAcreateserial \
+    -CAserial ca.srl \
+    -in server_csr.pem \
+    -out server_cert.pem \
+    -extfile server_csr.ext
+
+# Create DER encoded versions of server certificate and private key
+openssl ec \
+    -outform der \
+    -in server_privkey.pem \
+    -out server_privkey.der
+
+openssl x509 \
+    -outform der \
+    -in server_cert.pem \
+    -out server_cert.der