From 45c6553567d1d069b2fa3db851c23cbbe2f5c6e5 Mon Sep 17 00:00:00 2001 From: Matt Rodgers Date: Mon, 25 Nov 2024 16:40:23 +0000 Subject: [PATCH] samples: http_server: consolidate certificate options Remove the CONFIG_NET_SAMPLE_CERTS_WITH_SC option and make the CA-signed certificate the only option - there is no real downside to this over using the unsigned certificate. Remove adding of CA certificate as a TLS credential on the server, since this credential is not used by the server. It may be useful to include in any client code used to communicate with the server, so the certificate itself is retained. After this, some TLS tag enumerations are unused so have been removed. Signed-off-by: Matt Rodgers
---
.../net/sockets/http_server/CMakeLists.txt | 7 ++--- samples/net/sockets/http_server/Kconfig | 7 ----- .../net/sockets/http_server/src/certificate.h | 24 ++---------------- .../http_server/src/{ => certs}/ca.der | Bin .../src/{server.der => certs/server_cert.der} | Bin .../src/{ => certs}/server_privkey.der | Bin .../http_server/src/https-server-cert.der | Bin 767 -> 0 bytes .../http_server/src/https-server-key.der | Bin 1218 -> 0 bytes samples/net/sockets/http_server/src/main.c | 10 -------- 9 files changed, 4 insertions(+), 44 deletions(-) rename samples/net/sockets/http_server/src/{ => certs}/ca.der (100%) rename samples/net/sockets/http_server/src/{server.der => certs/server_cert.der} (100%) rename samples/net/sockets/http_server/src/{ => certs}/server_privkey.der (100%) delete mode 100644 samples/net/sockets/http_server/src/https-server-cert.der delete mode 100644 samples/net/sockets/http_server/src/https-server-key.der
diff --git a/samples/net/sockets/http_server/CMakeLists.txt b/samples/net/sockets/http_server/CMakeLists.txt
index b4853257c78..1f793c1fcef 100644
--- a/samples/net/sockets/http_server/CMakeLists.txt
+++ b/samples/net/sockets/http_server/CMakeLists.txt
@@ -54,15 +54,12 @@ foreach(web_resource endforeach() foreach(inc_file - ca.der - server.der + server_cert.der server_privkey.der - https-server-cert.der - https-server-key.der ) generate_inc_file_for_target( app - src/${inc_file} + src/certs/${inc_file} ${gen_dir}/${inc_file}.inc ) endforeach()
diff --git a/samples/net/sockets/http_server/Kconfig b/samples/net/sockets/http_server/Kconfig
index db09c5b261e..a95e0d7a37f 100644
--- a/samples/net/sockets/http_server/Kconfig
+++ b/samples/net/sockets/http_server/Kconfig
@@ -31,13 +31,6 @@ config NET_SAMPLE_PSK_HEADER_FILE Name of a header file containing a pre-shared key. -config NET_SAMPLE_CERTS_WITH_SC - bool "Signed certificates" - depends on NET_SOCKETS_SOCKOPT_TLS - help - Enable this flag, if you are interested to run this - application with signed certificates and keys. - config NET_SAMPLE_WEBSOCKET_SERVICE bool "Enable websocket service" default y if HTTP_SERVER_WEBSOCKET
diff --git a/samples/net/sockets/http_server/src/certificate.h b/samples/net/sockets/http_server/src/certificate.h
index 52a3fa9c8ea..eea583b8929 100644
--- a/samples/net/sockets/http_server/src/certificate.h
+++ b/samples/net/sockets/http_server/src/certificate.h
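Review bot: `ca.der` is dropped from the `foreach(inc_file ...)` list in CMakeLists.txt but the file itself stays under `src/certs/` (it is renamed later in this patch), and nothing next to the list records that the omission is deliberate. A one-line comment above the loop would keep someone from re-adding it to the image or deleting the file as dead: `# ca.der is intentionally not embedded: the server never loads it; it is kept for clients that verify the server certificate.` The reason is only in the commit message today, which is easy to lose once the sample is copied into another project.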
@@ -8,40 +8,20 @@ #define __CERTIFICATE_H__ enum tls_tag { - /** The Certificate Authority public key */ - HTTP_SERVER_CA_CERTIFICATE_TAG, /** Used for both the public and private server keys */ HTTP_SERVER_CERTIFICATE_TAG, - /** Used for both the public and private client keys */ - HTTP_SERVER_CLIENT_CERTIFICATE_TAG, + /* Used for pre-shared key */ PSK_TAG, }; -#if !defined(CONFIG_NET_SAMPLE_CERTS_WITH_SC) static const unsigned char server_certificate[] = { -#include "https-server-cert.der.inc" -}; - -/* This is the private key in pkcs#8 format. */ -static const unsigned char private_key[] = { -#include "https-server-key.der.inc" -}; - -#else - -static const unsigned char ca_certificate[] = { -#include "ca.der.inc" -}; - -static const unsigned char server_certificate[] = { -#include "server.der.inc" +#include "server_cert.der.inc" }; /* This is the private key in pkcs#8 format. */ static const unsigned char private_key[] = { #include "server_privkey.der.inc" }; -#endif #if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #include CONFIG_NET_SAMPLE_PSK_HEADER_FILE
diff --git a/samples/net/sockets/http_server/src/ca.der b/samples/net/sockets/http_server/src/certs/ca.der
similarity index 100%
rename from samples/net/sockets/http_server/src/ca.der
rename to samples/net/sockets/http_server/src/certs/ca.der
diff --git a/samples/net/sockets/http_server/src/server.der b/samples/net/sockets/http_server/src/certs/server_cert.der
similarity index 100%
rename from samples/net/sockets/http_server/src/server.der
rename to samples/net/sockets/http_server/src/certs/server_cert.der
diff --git a/samples/net/sockets/http_server/src/server_privkey.der b/samples/net/sockets/http_server/src/certs/server_privkey.der
similarity index 100%
rename from samples/net/sockets/http_server/src/server_privkey.der
rename to samples/net/sockets/http_server/src/certs/server_privkey.der
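Review bot: `private_key[]` in certificate.h is now built unconditionally from `server_privkey.der`, a key that is committed to the source tree, and the only comment on it says the format is PKCS#8. Since this is now the single certificate path for the sample, I would extend that comment to `/* Sample private key in PKCS#8 format; it is public in the source tree, so replace it and server_cert.der with your own before any real deployment. */`. Separately, removing `HTTP_SERVER_CA_CERTIFICATE_TAG` from the front of `enum tls_tag` renumbers `HTTP_SERVER_CERTIFICATE_TAG` and `PSK_TAG`. That looks harmless if the tags are only used symbolically, but the users of the enum are outside this hunk, so it is worth a quick check. The `#if defined(CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)` block at the end of the hunk continues outside it.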
diff --git a/samples/net/sockets/http_server/src/https-server-cert.der b/samples/net/sockets/http_server/src/https-server-cert.der deleted file mode 100644 index bfcb335e31c8c37fd5c964276c42a3554abc3f4e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 767 zcmXqLV)|{+#Q1mtGZP~d6DPwv0r`WU3|LlA&)ap-DdR6;hMk(GhDiIJZH z=nO8VCPqevV+_^27sZ{kS1zxd!{1vz@zQs9)6L?K?!L`s{JC+`NsopH^5?fNiT_~s zYX3vyA1jYOyCT`$q&%G?~a`7n%!BhJR8NxJ8LeAXMj8@Z}=^MXr+0N72oA?D7SXK(^cx;@x^i)my z(tRQdLffsY{O=sUs>_nL`zz1ck4Bc)1848L{c-s}-C57(WQW}Pc-Q0S^$(^seJXV> z`k(h(@=aU)(3QD6qd7+wwtn5CeIu6c$fmF-&;}Dq9gkyFl=eiRu;X}cf0k(j@>)) zviDuwwgnHgTeUi?cV#qa|IX8EcwRM~bF02W-`hPi@~2*nwpEi<6R~VsvBJr1b>w9C z=I@pJi?_zcR{Tp^^LD$O*V@A~EolM$ diff --git a/samples/net/sockets/http_server/src/https-server-key.der b/samples/net/sockets/http_server/src/https-server-key.der deleted file mode 100644 index 5a4d67372ea41873b1c69e5e9371f6f9d2c5a4bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1218 zcmV;z1U>sOf&{(-0RS)!1_>&LNQUrs4#*Aqyhl|0)hbn0LB1&4bc}v zYpJJsoDYq6k<#}^HM1Au-R*4w`LUA8NPyrU&$pys@HXnd;WPND#pcu*i-IND8FX-Y z?8a!x@6H;j@V5aqk^j?mZUVXnnkuZ%BEKsi!E!hvHR{@L-DjdJ88{gZMA30Lv~4DZ z*2ccUZ#?d=lspAiPOVdci_{}AX>uo%v^uOK=n$^;p9`jL({sug5z4-C09Gk9RLt5b zTP7))O<$p=xyviE4-fzZsSzwlv6-dHd}pP;6d)3}J9YgF3t-AMV@@HKpnBz{CM^S?O`maE}K1B+DL;kFThAp!#d009Dm0RaH7 z0UN?WjiWr2jsEeC*@o6{wYkmT#(VLVd8DRNY9H7lcyumSAs^->(9OQQ2?gklP=v-L`Gx}l}Epd9hrmzrWPB^HgY2; zPe4Raxg5}uhi0bmA2T-mx#s85P@au1X1#k-Aozb#I!LTKGTvnxtemE5>_qMcl?C!j z#SDE>AF8y#xd(^;D<~3x>O7vYf$#m);|U+hoAc_SeGMv2ZJY+*hf(xP2JocW!N5Gh>(fq?+ts}+mI(T~AV*HlNM#ec4c%-zD89*-5W zoj3kXL$XrmvJT)MNZtpI|8%|ly(cPqz-9@rTLkUAoS)`Hqn^ieJ#j$+4frJ&sg!>B1V-0 zfq+K~=0jzRp|HDkq&((1 z4^sTRXxZnW?SQnSc0LySo5cU}$nFBvF(&`13#hnd=8Im5cx&cpoOA&>{Ra-O67MCI z&{4EyJ}s*>fq2TSrW{4Sogwp8<_}h%jHv>FfdJOeMWN~48AK`JI_MJJDU z8=_kU!4}(t3vFMBFF}{=yak@NV(~@!ROfCqUOUOBjX|tSjTWBzA{$rPt$=l?X&Xg< zGCkVbG5nX724gmcghG9WqLN(tyh?m2u)