Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296
2025-12-15 19:34:03 +00:00 · 2019-09-29 18:04:34 +08:00
parent 8e1442f0e7
commit 947e3e94ed
48 changed files with 5030 additions and 147 deletions
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -1,10 +1,54 @@
 idf_build_get_property(idf_target IDF_TARGET)

-idf_component_register(INCLUDE_DIRS "port/include" "mbedtls/include"
+idf_component_register(SRCS "esp_crt_bundle/esp_crt_bundle.c"
+    INCLUDE_DIRS "port/include" "mbedtls/include" "esp_crt_bundle/include"
    REQUIRES lwip
    PRIV_REQUIRES soc
    )

+if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
+    set(bundle_name "x509_crt_bundle")
+    set(DEFAULT_CRT_DIR ${COMPONENT_DIR}/esp_crt_bundle)
+
+    # Generate custom certificate bundle using the generate_cert_bundle utility
+    set(GENERATE_CERT_BUNDLEPY ${python} ${COMPONENT_DIR}/esp_crt_bundle/gen_crt_bundle.py)
+
+    if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL)
+        list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem)
+    elseif(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN)
+        list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem)
+        list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
+    endif()
+
+    if(CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE)
+        get_filename_component(custom_bundle_path
+        ${CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}")
+        list(APPEND crt_paths ${custom_bundle_path})
+
+    endif()
+    list(APPEND args --input ${crt_paths} -q)
+
+    get_filename_component(crt_bundle
+        ${bundle_name}
+        ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
+
+    # Generate bundle according to config
+    add_custom_command(OUTPUT ${crt_bundle}
+        COMMAND ${GENERATE_CERT_BUNDLEPY} ${args}
+        DEPENDS ${custom_bundle_path}
+        VERBATIM)
+
+    add_custom_target(custom_bundle DEPENDS ${cert_bundle})
+    add_dependencies(${COMPONENT_LIB} custom_bundle)
+
+
+    target_add_binary_data(${COMPONENT_LIB} ${crt_bundle} BINARY)
+    set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+        APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
+        "${crt_bundle}")
+endif()
+
+
 # Only build mbedtls libraries
 set(ENABLE_TESTING CACHE BOOL OFF)
 set(ENABLE_PROGRAMS CACHE BOOL OFF)
@@ -26,6 +70,8 @@ set(mbedtls_targets mbedtls mbedcrypto mbedx509)
 target_sources(mbedtls PRIVATE  "${COMPONENT_DIR}/port/mbedtls_debug.c"
                                "${COMPONENT_DIR}/port/net_sockets.c")

+
+
 target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c"
                                "${COMPONENT_DIR}/port/esp_mem.c"
                                "${COMPONENT_DIR}/port/esp_sha.c"
@@ -46,3 +92,4 @@ set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
 # Link mbedtls libraries to component library
 target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets})

+