#!/bin/bash
# Fetch root CA certs for SmartSwitch TLS validation.
# Run this to renew certs.h when root CAs change.
# Usage: ./fetch_certs.sh (from workspace root)
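# Strict mode: -e aborts on a failed command, -u on an unset variable, and
# pipefail makes a pipeline fail when any stage fails. With plain `set -e`
# a failed `openssl` at the head of a pipeline is hidden by the exit status
# of the last stage, so an empty certificate could flow into certs.h.
set -euo pipefail

# Generated header, relative to the workspace root (the expected cwd).
OUT="smartswitch.espxx/include/certs.h"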
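#######################################
# Print the last PEM certificate of the chain a TLS server presents.
#
# NOTE(review): servers commonly omit the self-signed root from the chain
# they send, so the "last" certificate may be an intermediate rather than a
# root CA. Compare subject/issuer and the fingerprint against the CA's
# published values before trusting the result as a firmware trust anchor.
#
# Arguments: $1 - host name, $2 - port (default 443)
# Outputs:   the PEM block on stdout, diagnostics on stderr
# Returns:   0 on success; 1 when the connection fails, the chain does not
#            verify against the local OpenSSL trust store, or no certificate
#            was found in the output
#######################################
get_root_ca() {
  local host=$1
  local port=${2:-443}
  local chain last

  # -servername sends SNI explicitly so a multi-tenant endpoint returns the
  # chain for this host. -verify_return_error makes s_client abort when the
  # chain does not validate; without it an unverified chain is printed with
  # exit status 0 and would be pinned into the firmware unnoticed.
  if ! chain=$(openssl s_client -connect "${host}:${port}" \
    -servername "$host" -verify_return_error -showcerts \
    </dev/null 2>/dev/null); then
    printf 'get_root_ca: TLS connection to %s:%s failed or did not verify\n' \
      "$host" "$port" >&2
    return 1
  fi

  # Keep only the final BEGIN..END block: each BEGIN line restarts the
  # buffer, each END line snapshots it, and the last snapshot wins.
  last=$(printf '%s\n' "$chain" \
    | awk '/-----BEGIN CERTIFICATE-----/{cert=""} {cert=cert $0 "\n"} /-----END CERTIFICATE-----/{last=cert} END{printf "%s", last}')

  if [[ -z "$last" ]]; then
    printf 'get_root_ca: no certificate in the response from %s:%s\n' \
      "$host" "$port" >&2
    return 1
  fi

  printf '%s\n' "$last"
}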
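#######################################
# Check one fetched certificate before it is embedded in the header.
# Arguments: $1 - host the certificate was fetched for, $2 - PEM text
# Outputs:   diagnostics on stderr
# Returns:   non-zero when the PEM is empty, unparseable or already expired
#######################################
check_cert() {
  local label=$1
  local pem=$2
  local subject issuer

  # -checkend 0 fails both for input that is not a certificate and for a
  # certificate whose notAfter is already in the past.
  if ! printf '%s\n' "$pem" \
    | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    printf 'error: %s: certificate is missing, unparseable or expired; %s left unchanged\n' \
      "$label" "$OUT" >&2
    return 1
  fi

  # A root CA is self-issued (subject == issuer). Servers usually leave the
  # root out of the chain they send, so flag the case where the last
  # certificate is really an intermediate.
  subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  if [[ "${subject#subject=}" != "${issuer#issuer=}" ]]; then
    printf 'warning: %s: last certificate in the chain is not self-issued; it is likely an intermediate, not a root CA\n' \
      "$label" >&2
  fi
}

echo "Fetching root CA for api.github.com ..."
GITHUB_CA=$(get_root_ca api.github.com)
check_cert api.github.com "$GITHUB_CA" || exit 1
echo "Fetching root CA for api.forecast.solar ..."
FORECAST_CA=$(get_root_ca api.forecast.solar)
check_cert api.forecast.solar "$FORECAST_CA" || exit 1

# Human-readable metadata for the comments in the generated header.
# [[:space:]] replaces the GNU-only \s so the CN is also extracted by BSD sed.
GITHUB_CN=$(printf '%s\n' "$GITHUB_CA" | openssl x509 -noout -subject \
  | sed -e 's/.*CN[[:space:]]*=[[:space:]]*//' -e 's/,.*//')
GITHUB_EXP=$(printf '%s\n' "$GITHUB_CA" | openssl x509 -noout -enddate \
  | sed 's/notAfter=//')
FORECAST_CN=$(printf '%s\n' "$FORECAST_CA" | openssl x509 -noout -subject \
  | sed -e 's/.*CN[[:space:]]*=[[:space:]]*//' -e 's/,.*//')
FORECAST_EXP=$(printf '%s\n' "$FORECAST_CA" | openssl x509 -noout -enddate \
  | sed 's/notAfter=//')

# Write to a temporary file next to the target and rename it into place, so
# a failure part-way through never leaves a truncated or empty certs.h.
TMP_OUT=$(mktemp "${OUT}.XXXXXX") || {
  printf 'error: cannot create a temporary file next to %s (run from the workspace root)\n' \
    "$OUT" >&2
  exit 1
}
trap 'rm -f -- "$TMP_OUT"' EXIT

{
  cat << 'HEADER'
#pragma once
// Auto-generated by fetch_certs.sh — do not edit manually.
// Re-run fetch_certs.sh to renew when root CAs expire.
#ifdef ESP32
static const char ROOT_CA_BUNDLE[] PROGMEM =
HEADER
  printf ' // %s — expires %s\n' "$GITHUB_CN" "$GITHUB_EXP"
  # Wrap every PEM line in a C string literal ending in \n.
  printf '%s\n' "$GITHUB_CA" | sed 's/\(.*\)/ "\1\\n"/'
  printf ' // %s — expires %s\n' "$FORECAST_CN" "$FORECAST_EXP"
  printf '%s\n' "$FORECAST_CA" | sed 's/\(.*\)/ "\1\\n"/'
  cat << 'FOOTER'
;
#endif // ESP32
FOOTER
} > "$TMP_OUT"

# mktemp creates the file 0600; the header is not secret, so restore a
# normal source-file mode before publishing it.
chmod 644 -- "$TMP_OUT"
mv -- "$TMP_OUT" "$OUT"
trap - EXIT

# The certificates written above become the firmware's trust anchors:
# review the CN and expiry below (and the diff of certs.h) before committing.
echo ""
echo "${OUT} updated."
echo " api.github.com: CN=${GITHUB_CN}, expires ${GITHUB_EXP}"
echo " api.forecast.solar: CN=${FORECAST_CN}, expires ${FORECAST_EXP}"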