samples: net: sockets: big_http_download: Update root certificate

The download server that the origin server redirects to seems now to
use different certificate (signed by a different root CA). Therefore
add the additional root CA to the certificate list and refactor the
sample code a bit to allow to easily extend/replace certificates in the
future.

Bump the mbed TLS heap size a bit to accommodate the extra registered
certificate.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>

samples/net/sockets/big_http_download/overlay-tls.conf

@@ -5,7 +5,7 @@ CONFIG_NET_PKT_TX_COUNT=10
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_HEAP_SIZE=60000
+CONFIG_MBEDTLS_HEAP_SIZE=65000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 

samples/net/sockets/big_http_download/src/DigiCertGlobalRootG2.crt.pem

@@ -0,0 +1,22 @@
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n"
+"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
+"MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
+"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
+"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
+"9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
+"2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
+"1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
+"q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
+"tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
+"vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
+"BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
+"5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
+"1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
+"NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
+"Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
+"8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
+"pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
+"MrY=\n"
+"-----END CERTIFICATE-----\n"

samples/net/sockets/big_http_download/src/big_http_download.c

@@ -274,9 +274,12 @@ bool download(struct addrinfo *ai, bool is_tls, bool *redirect)
 
 #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
 	if (is_tls) {
-		sec_tag_t sec_tag_opt[] = {
+		sec_tag_t sec_tag_opt[ARRAY_SIZE(ca_certificates)];
-			CA_CERTIFICATE_TAG,
+
+		for (int i = 0; i < ARRAY_SIZE(ca_certificates); i++) {
+			sec_tag_opt[i] = CA_CERTIFICATE_TAG + i;
 		};
+
 		CHECK(setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST,
 				 sec_tag_opt, sizeof(sec_tag_opt)));
 
@@ -369,8 +372,12 @@ int main(void)
 	bool redirect = false;
 
 #if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
-	tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
+	for (int i = 0; i < ARRAY_SIZE(ca_certificates); i++) {
-			   ca_certificate, sizeof(ca_certificate));
+		tls_credential_add(CA_CERTIFICATE_TAG + i,
+				   TLS_CREDENTIAL_CA_CERTIFICATE,
+				   ca_certificates[i],
+				   strlen(ca_certificates[i]) + 1);
+	}
 #endif
 
 	setbuf(stdout, NULL);

samples/net/sockets/big_http_download/src/ca_certificate.h

@@ -13,10 +13,14 @@
  * certificate in PEM format, you can enable support for it in Kconfig.
  */
 
-/* ISRG Root X1 for https://launchpad.net/ubuntu */
+/* ISRG Root X1 for https://launchpad.net/ubuntu
-static const unsigned char ca_certificate[] =
+ * DigiCert Global Root G2 for possible redirects
+ */
+static const unsigned char *ca_certificates[] = {
 #include "isrgrootx1.pem"
-;
+,
+#include "DigiCertGlobalRootG2.crt.pem"
+};
 
 
 #endif /* __CA_CERTIFICATE_H__ */