- 
                Notifications
    You must be signed in to change notification settings 
- Fork 13.3k
Description
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- If there is a stack dump, I have decoded it.
- [] I have filled out all fields below.
Problem Description
CertStore is a cornerstone of properly using SSL in esp8266/Arduino, but it's heavily constrained, it depends on having a single archive produced by ar and generated in a very specific way (by a loose script in an example folder), and having a File to provide this archive to it. Meaning it's probably stored in the flash FS.
Theoretically making a overriden FS works, but it's a lot of complexity, and basically a reverse-engineering of the currently used algorithm.
That means in practice a lot of people adopt hacks like overriding the class by using the same header guard. Which is horrifying, but something we actually do in production. This link provides an alternative that is widly used. https://github.com/maakbaas/esp8266-iot-framework/blob/master/src/certStore.h
We can simply solve that need by making CertStore::installCertStore virtual, because it's the only function called by WiFiClientSecure. It's a fairly simple function but one that chooses the static callbacks to find and free a TA.
I don't think providing a built-in alternative way right now is the way to go right now. We could use this implementation https://github.com/internet-of-plants/embedded/blob/master/src/certificate_storage.cpp
But it doesn't seem to make sense to upstream and maintain another python script, to download the certificates and bundle them in the source code, and an implementation to provide certs from it, right now. Maybe it will solve a lot of people's problems, but for now I think not commiting to new behaviors is the way to go and just allowing the users to make their own.
So just making the installCertStore virtual seems enough.
Btw, is a PR to replace X509List raw pointer to a unique_ptr acceptable? Like I did in the link above.