-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RSDK-9049] cache TLS certificates for isolated network connection #330
base: main
Are you sure you want to change the base?
[RSDK-9049] cache TLS certificates for isolated network connection #330
Conversation
impl From<CertificateResponse> for TlsCertificate { | ||
fn from(resp: CertificateResponse) -> Self { | ||
Self { | ||
certificate: resp.tls_certificate.into_bytes(), | ||
private_key: resp.tls_private_key.into_bytes(), | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM as well, with an optional logging suggestion
micro-rdk/src/common/conn/viam.rs
Outdated
match certs { | ||
None => { | ||
log::error!("no TLS certificates found in storage or after contacting app"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this log is a warning? I think it should also state that it is disabling the requested HTTP2 server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done with first pass
micro-rdk/src/common/conn/viam.rs
Outdated
if let Some(app) = app_client.as_ref() { | ||
certs = app.get_certificates().await.ok(); | ||
if let Ok(cert_resp) = app.get_certificates().await { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we change the logic so that we only load certs from the nvs if the app client is absent? If storing the cert failed but the response passed then we should be able to continue regardless.
let _ = std::mem::replace(&mut self.http2_server, HTTP2Server::Empty); | ||
} | ||
Some(certs) => { | ||
if let HTTP2Server::HTTP2Connector(s) = &mut self.http2_server { | ||
s.set_server_certificates( | ||
certs.tls_certificate.into_bytes(), | ||
certs.tls_private_key.into_bytes(), | ||
certs.certificate.clone(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can't we just move the certs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to avoid changing the trait, but if we feel it's worth it I can
micro-rdk/src/common/conn/viam.rs
Outdated
match certs { | ||
None => { | ||
log::error!("no TLS certificates found in storage or after contacting app"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is that true all the time or only if the app was indeed contacted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it wasn't before, but after the change you requested above it will be I believe
@@ -75,6 +78,29 @@ impl WifiCredentials { | |||
} | |||
} | |||
|
|||
#[derive(Clone, Debug, Default)] | |||
pub struct TlsCertificate { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we fold this trait into the RobotStorage trait?
micro-rdk/src/esp32/nvs_storage.rs
Outdated
fn store_tls_certificate(&self, creds: TlsCertificate) -> Result<(), Self::Error> { | ||
self.set_blob( | ||
NVS_TLS_CERTIFICATE_KEY, | ||
Bytes::from(creds.certificate.clone()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we are going to clone we should take a ref instead
No description provided.