Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296
2025-12-15 19:34:03 +00:00 · 2019-09-29 18:04:34 +08:00
parent 8e1442f0e7
commit 947e3e94ed
48 changed files with 5030 additions and 147 deletions
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/baltimore.der
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/baltimore.der
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/baltimore_crt_bundle
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/baltimore_crt_bundle
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/entrust.pem
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/entrust.pem
@@ -0,0 +1,26 @@
+Entrust Root Certification Authority
+====================================
+-----BEGIN CERTIFICATE-----
+MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV
+BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw
+b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG
+A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0
+MloXDTI2MTEyNzIwNTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu
+MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu
+Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v
+dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz
+A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww
+Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68
+j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN
+rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1
+MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH
+hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
+A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM
+Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa
+v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS
+W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0
+tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8
+-----END CERTIFICATE-----
+
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/entrust_crt_bundle
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/entrust_crt_bundle
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/invalid_crt.pem
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/invalid_crt.pem
@@ -0,0 +1,26 @@
+Entrust Root Certification Authority
+====================================
+-----BEGIN CERTIFICATE-----
+MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV
+BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw
+b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG
+A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0
+MloXDTI2MTEyNzIwNTM0MFFwgFFxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu
+MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu
+Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v
+dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz
+A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww
+Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68
+j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN
+rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1
+MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH
+hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBFFDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
+A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM
+Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxR22IkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa
+v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi447pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS
+W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0
+tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8
+-----END CERTIFICATE-----
+
--- a/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/test_gen_crt_bundle.py
+++ b/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/test_gen_crt_bundle.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+import unittest
+import sys
+import os
+
+try:
+    import gen_crt_bundle
+except ImportError:
+    sys.path.append("..")
+    import gen_crt_bundle
+
+
+idf_path            = os.environ['IDF_PATH']
+ca_crts_path        = idf_path + '/components/mbedtls/esp_crt_bundle/'
+test_crts_path      = idf_path + '/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/'
+
+ca_bundle_bin_file  = 'x509_crt_bundle'
+
+der_test_file       = 'baltimore.der'
+pem_test_file       = 'entrust.pem'
+verified_der_bundle = 'baltimore_crt_bundle'
+verified_pem_bundle = 'entrust_crt_bundle'
+invalid_test_file   = 'invalid_crt.pem'
+ca_crts_all_file    = 'cacrt_all.pem'
+
+
+class Py23TestCase(unittest.TestCase):
+
+    def __init__(self, *args, **kwargs):
+        super(Py23TestCase, self).__init__(*args, **kwargs)
+        try:
+            self.assertRaisesRegex
+        except AttributeError:
+            # assertRaisesRegexp is deprecated in Python3 but assertRaisesRegex doesn't exist in Python2
+            # This fix is used in order to avoid using the alias from the six library
+            self.assertRaisesRegex = self.assertRaisesRegexp
+
+
+class GenCrtBundleTests(Py23TestCase):
+
+    # Verify generation from der vs known certificate
+    def test_gen_from_der(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+        bundle.add_from_file(test_crts_path + der_test_file)
+
+        crt_bundle = bundle.create_bundle()
+
+        with open(test_crts_path + verified_der_bundle, 'rb') as f:
+            verified_bundle = f.read()
+
+        self.assertEqual(crt_bundle, verified_bundle)
+
+    # Verify generation from pem vs known certificate
+    def test_gen_from_pem(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+        bundle.add_from_file(test_crts_path + pem_test_file)
+
+        crt_bundle = bundle.create_bundle()
+
+        with open(test_crts_path + verified_pem_bundle, 'rb') as f:
+            verified_bundle = f.read()
+
+        self.assertEqual(crt_bundle, verified_bundle)
+
+    def test_invalid_crt_input(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+
+        with self.assertRaisesRegex(gen_crt_bundle.InputError, "Invalid certificate"):
+            bundle.add_from_file(test_crts_path  + invalid_test_file)
+
+        with self.assertRaisesRegex(gen_crt_bundle.InputError, "No certificate found"):
+            bundle.add_from_pem("")
+
+
+if __name__ == "__main__":
+    unittest.main()