Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296
2025-09-24 01:20:23 +00:00 · 2019-09-29 18:04:34 +08:00
parent 8e1442f0e7
commit 947e3e94ed
48 changed files with 5030 additions and 147 deletions
--- a/components/mbedtls/test/CMakeLists.txt
+++ b/components/mbedtls/test/CMakeLists.txt
@@ -1,6 +1,8 @@
 idf_component_register(SRC_DIRS "."
                    INCLUDE_DIRS "."
-                    REQUIRES unity test_utils mbedtls libsodium)
+                    REQUIRES unity test_utils mbedtls libsodium
+                    EMBED_TXTFILES server_cert_chain.pem prvtkey.pem server_cert_bundle)
+

 idf_component_get_property(mbedtls mbedtls COMPONENT_LIB)
 target_compile_definitions(${mbedtls} INTERFACE "-DMBEDTLS_DEPRECATED_WARNING")
--- a/components/mbedtls/test/component.mk
+++ b/components/mbedtls/test/component.mk
@@ -3,3 +3,4 @@
 #

 COMPONENT_ADD_LDFLAGS = -Wl,--whole-archive -l$(COMPONENT_NAME) -Wl,--no-whole-archive
+COMPONENT_EMBED_FILES := server_cert_chain.pem prvtkey.pem server_cert_bundle
--- a/components/mbedtls/test/prvtkey.pem
+++ b/components/mbedtls/test/prvtkey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAra9Pvr1J4ltGfVdnOv4DVdYTL68UaIKu37r0TMRdBKn5gSKm
+nBnvDx4TyMfiaOyo6tADGZPbzYJ2r45Zmo8zoIiUwh9SWHkFghTl+jNp0+1QxRCH
+HyRak3ShIZvje+c0xDDgMIv41l62FCE86dNW0gUCC/KgRCInqzsKurbxZU2qjebI
+5TKDkOFJsmoaWPb3q2+wEztPpvjGlV33UVX3OK8bJtRKALFn3733E7g5F2qANjOu
+S+7jXDzqxw5HD+QZTTH2Kehh/hrV96WeXUVGnMWru2BtYWKD0Pdh7zGcXjP8oSf2
+FkVssh+0f9khI9Xz6KzdSIMVEeSrDXRKnyJnDQIDAQABAoIBAEtOCpZZvfIdvxdT
+URfb0Jhj5Be1onSZzLaGeavbK7V8+QgLfQ+LkwIL+WoBeGIj0i1VGTL6z79wBIOj
+hagk1K6S6WStbeecOU4oP3pW1lijuXRn8R4IhhkO5VoMG/q5yUATLPD/j1lq4Skj
+LCT5k9glgbiqbuB7qpVsWP+RmGJiLh3jBDrb1NrZLuDlXhXJO+AF69syxxiyvnFA
+s7aVHst2TPXgccA9Fh37GzxN4hratz6n0JAaMxpRdJaJF1sSQQznfrYfxnkwtE1y
+ZXS5XgeDjqv00mucZVVzNkhT9WeS0bXd0lblboK2z39cN2YDYrmfEr2HonbTozNj
+HPlBG2UCgYEA3zWj3kAFhpl6zrHvcIzaemDxi9pFam2wJLgzeSXuHBSZSazi//qm
+Dv7rgP38XsY6MeaqpLW687FZ6yiDg2OLLMc4ho7Rq6mOKjp3nTVHjO+LONfxgWul
+evhFIabW056jafecouUSvy/9nvrrA5QEJjaHxg0tREuaGiBBgMXTnd8CgYEAxzMr
+NkVHqIis5AzGUJOaF2uTqnXbnM+/+kEkJD6yNzFovsxkaebGQF9LA1s/qiDtZtlH
+QiXlDsWl/PrKmvxToBY3v3fJKeAMXValtAtX0h67RX6rJUqXBATT/AOcfdlWoaEt
+xTCRwi70xjVoSwnvE8CZAGDyHk3/cjRcOBe5QJMCgYAyy4ApGaSoRtEdrHxyvnsR
+knIlg1x8pc2J7ak5DpqrJTzk+UUHP8D+dKCfUC1YW//uTzHSHdEXl+qAi02yXrrT
+S9rfNC0exY0mqvuBeRh5SCIEo4/ABgE4hLsmt1L4AYfqm4C3yS2E+KTcwvksbUis
+cYhgV6tPeWzuORzu8xX/PQKBgG5puFv+jrel+l71jb7/8Xtlz5W+ehozNTAbh1Ln
+xZS+OFb5p/bjSaRIraWQoHtGgRBvAwZxRsOnXlgZEtBRaHDln8TrOn+Rhoj+DB79
+4pG/IwJkMa0b6RT7MB0SS12eaFxyoJIaV9CQgnCTDdn6CaCjMqt5EPsnNJ4y06Lr
+020tAoGASPmKKVhXJxfhzyzsY9Kk9o31MKISUqVDNimqVDOt8vPZw8m/2WXUVH9T
+DnuEGaBmpG22Gs1NxbktsYAUzBeRBpoQ/fNK55eaZorJLs3DfFK604lLClJlQsDd
+yfp4LcRNQGodV4Utl6mPOtOFa8nrVGMQn3+M3TK6QTNpjLe87OE=
+-----END RSA PRIVATE KEY-----
--- a/components/mbedtls/test/server_cert_bundle
+++ b/components/mbedtls/test/server_cert_bundle
--- a/components/mbedtls/test/server_cert_chain.pem
+++ b/components/mbedtls/test/server_cert_chain.pem
@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIFODCCAyCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ04x
+ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxJDAiBgNVBAMM
+G0VzcHJlc3NpZiBJbnRlcm1lZGlhdGUgdGVzdDAeFw0xOTEwMTEwMjU0MDdaFw0z
+MDA5MjMwMjU0MDdaMEgxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTES
+MBAGA1UECgwJRXNwcmVzc2lmMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtr0++vUniW0Z9V2c6/gNV1hMvrxRogq7f
+uvRMxF0EqfmBIqacGe8PHhPIx+Jo7Kjq0AMZk9vNgnavjlmajzOgiJTCH1JYeQWC
+FOX6M2nT7VDFEIcfJFqTdKEhm+N75zTEMOAwi/jWXrYUITzp01bSBQIL8qBEIier
+Owq6tvFlTaqN5sjlMoOQ4UmyahpY9verb7ATO0+m+MaVXfdRVfc4rxsm1EoAsWff
+vfcTuDkXaoA2M65L7uNcPOrHDkcP5BlNMfYp6GH+GtX3pZ5dRUacxau7YG1hYoPQ
+92HvMZxeM/yhJ/YWRWyyH7R/2SEj1fPorN1IgxUR5KsNdEqfImcNAgMBAAGjggEY
+MIIBFDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0E
+JhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBR8LwbfGcYMVc++Ugdoc2XXYXUOBzB7BgNVHSMEdDBygBSZ45naA62T1+k4QIyt
+n2h1bWyGOKFWpFQwUjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMRIw
+EAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMME0VzcHJlc3NpZiBSb290IFRlc3SC
+AhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG
+9w0BAQsFAAOCAgEAQ/9JU171woAvQlZ8gmYIOkyIfYQfKmhvw+2DoP+5r1+LOHtO
+frg9BshucqXlQ65yRWL8KaAIFKE4e/qBXnD/ZX8R8lR0aMKCgYVW6A1n0wWko/fU
+RNXt+sXr+fMX7h0HOC3mzWf2fZkR5B0jUSBQSVkXNt+jkjWOFIGzfHDKldgX5rVX
+vNmHwS5zRjbOvPaXrmNpV7wkQ/bRJbnFmbT5V6fwDFzdLzJami86eiT+C68d07/W
+We5htv20nYFYdwQJMWYlnGLPPaSE+n5m4QqsrlfR7uOgnuX3RfKHMsiWa7TxLA4g
+D9VZq88SQLshec/CIcYlSgnEfa9LxL2mKv386e9YWD2Oho/B33L5tdflihR5m1sd
+9xIgka9aXmHu8GEVaBRqzqtIReoa7KfmEQWYjqXH8YdDLMlMKl968Y7c779/SDxC
+1ibkanS1+2dPBYpoZldcnbH8w2dguk7luTuPlJxJph6NHGI7bbxL9z6yc5kJi2dS
+R4TNXI3UKZ5s7ZUPTv2nYMJIbyEzSjkxinLsr7rFLGlAIpAlRq1C6jmh1ArGA3H2
+jK0xYZcMN8Sz9gYV/zk/VTDMmiyZrYmZSxuhQFZCWaLN79z0pi5SefLW+1K6CzNj
+hah0wJEtzq492IQS0q3gH82iGM35Ffy+rtAWIsxrL/2wn+cOrPGvRdmR6J0=
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIFjjCCA3agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCQ04x
+ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMM
+E0VzcHJlc3NpZiBSb290IFRlc3QwHhcNMTkxMDEwMTE1MDMyWhcNMjkxMDA3MTE1
+MDMyWjBaMQswCQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxEjAQBgNVBAoM
+CUVzcHJlc3NpZjEkMCIGA1UEAwwbRXNwcmVzc2lmIEludGVybWVkaWF0ZSB0ZXN0
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp7FJAjmfYsTlrcZPRJ3g
+IiKW/Gm3q23X4xzdKUQopth3DPO9FDvnce9e7JwXa1WDF8CZqWkvKrJS0njEAUR
+JERLYSr28aVFUyodnfxp/+1B5aJFj7LHampLWXsnVCchHHZB0pYZ6KLrTUU73KKd
+WaJODtBrq5g9mNNZqVOOHljgr5r8AJefemsCs+LhGcqq8ZFWeZBwzF2YC0h+55hc
+7K5g0MnGnQHD3s5nuuSJ9Grz+NDvzESYjmZfTq56wXN6nQIi+4JYBpAx4y63n6NR
+0JPsSePDlnGC4KNmHOeF9nXMgvqEP1doLssKKWdPZub6VQHLTk5ILFr1JKaSPjgj
+4twKjCTzxN3dPmxY2KPq+tUtoXFxLxqrJk/HyBwiClxSlwhyAe9iZd3Lh0RFENEf
+jS6gdD7coLlkJzALLcUTp0VWFWpPT1MbgYMHnnOuKXjw6KWXz/iuxvOJO4ip3tRf
+ssuog/cMwmkxKC9oHfoIPBuafW42/os4aZwy/7fJgAFO/e1/n6T7T2qygNOKBvYq
+mS6SWm9OFhUJuUtPlUdvHiVDQx40S0a8Z2Rp4XcuBU0M8Toi3lkEwJX/l89Wsos+
+UOITA1B71HxkzHMZQNdXLfnV0tCtC6C3S8IktFm0Kfqa8ruXbjzkKg0I8Wfwyefv
+HTc7FRQpyYgXkVLt1ziA+4MCAwEAAaNmMGQwHQYDVR0OBBYEFJnjmdoDrZPX6ThA
+jK2faHVtbIY4MB8GA1UdIwQYMBaAFAqo9zQmHYRS1EF/1Fkb31gvGK9HMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
+AQBl+7vf7T6K7JhHQTFfOlUNoy4rdau6eAfoQE1wybUNIeuKLqhXfn7uLhYLE9Tq
+LAYcMN8M8F2MFt7nNifbAFRiXCRRes6tFyQkjqG4SijvGoMiCL3pVYEgrET2qIm8
+Rvupsh/u2UuGivy7XzJmMzU6HhTjF/Yfc6AiPkISzMqxLtbzCD+3TOxNe9nalsFv
+gmQsCYUqVZCwdThvHMWY7lC+KZ/f0X8gyVHZpx6K/K+MbMSTzZZa7VEjcJcEQZ8r
+Br0e9X3EkGsKbnq/kVouMZGrZtbOXYNjoVStNdobNaJ1d379xbt8UgkvvSUhJoK
+Y4pZoO3nZZUHslLDuLNG6m2tk1SHL7NPNhJoAGwqFtLyrUaUaGa+uIXev4xA0Cby
+vUn+PXLKo9NcnDI38l/NxVhqWvKAwkWww/GDdic7GGfzJVSr+K4q3dxy3JW1nh4n
+gaGSeKrP0lgO5NqJswGFSrY05lx06HKxHRJRtLf8g+llrGrhApRVqjM9t0By7CgK
+E/EgGWG6MyGi2YLenFdFzFRgqEsKVn11XV+rkaC1NSu7l7QfTSiHrynBsYcCTnzD
+z4QxJvlLon22Jp1qCwFVKXAE9wc/ncENqiA6vbjP9pq5yps+XbO2frdSQcNwHFIR
+aaL+u5SAcyr3qV0I7Wghq0Xoo00DV/pm9K78tIamtsmNhw==
+-----END CERTIFICATE-----
--- a/components/mbedtls/test/test_esp_crt_bundle.c
+++ b/components/mbedtls/test/test_esp_crt_bundle.c
@@ -0,0 +1,312 @@
+/* SSL server using plain mbedTLS sockets
+ *
+ * Adapted from the ssl_server example in mbedtls.
+ *
+ * Original Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Additions Copyright (C) Copyright 2019 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License.
+ *
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "esp_err.h"
+#include "esp_log.h"
+
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "freertos/semphr.h"
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/error.h"
+#include "mbedtls/debug.h"
+
+#include "esp_crt_bundle.h"
+
+#include "unity.h"
+#include "test_utils.h"
+
+#define SERVER_ADDRESS "localhost"
+#define SERVER_PORT "4433"
+
+extern const uint8_t server_cert_chain_pem_start[] asm("_binary_server_cert_chain_pem_start");
+extern const uint8_t server_cert_chain_pem_end[]   asm("_binary_server_cert_chain_pem_end");
+
+extern const uint8_t server_pk_start[] asm("_binary_prvtkey_pem_start");
+extern const uint8_t server_pk_end[]   asm("_binary_prvtkey_pem_end");
+
+extern const uint8_t server_cert_bundle_start[] asm("_binary_server_cert_bundle_start");
+extern const uint8_t server_cert_bundle_end[] asm("_binary_server_cert_bundle_end");
+
+typedef struct {
+    mbedtls_ssl_context ssl;
+    mbedtls_net_context listen_fd;
+    mbedtls_net_context client_fd;
+
+    mbedtls_entropy_context entropy;
+    mbedtls_ctr_drbg_context ctr_drbg;
+
+    mbedtls_ssl_config conf;
+    mbedtls_x509_crt cert;
+    mbedtls_pk_context pkey;
+
+}mbedtls_endpoint_t;
+
+static const char *TAG = "cert_bundle_test";
+
+static volatile bool exit_flag;
+
+esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint);
+
+esp_err_t server_setup(mbedtls_endpoint_t * server)
+{
+    int ret;
+    mbedtls_ssl_config_init( &server->conf );
+    mbedtls_net_init( &server->listen_fd );
+    mbedtls_net_init( &server->client_fd );
+    mbedtls_ssl_init( &server->ssl );
+    mbedtls_x509_crt_init( &server->cert );
+    mbedtls_pk_init( &server->pkey );
+    mbedtls_entropy_init( &server->entropy );
+    mbedtls_ctr_drbg_init( &server->ctr_drbg );
+
+    ESP_LOGI(TAG, "Loading the server cert and key");
+    ret = mbedtls_x509_crt_parse( &server->cert, server_cert_chain_pem_start,
+                                  server_cert_chain_pem_end - server_cert_chain_pem_start);
+
+    if( ret != 0 ) {
+        ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    ret =  mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start ,
+                                 server_pk_end - server_pk_start, NULL, 0 );
+    if( ret != 0 ) {
+        ESP_LOGE(TAG, "mbedtls_pk_parse_key returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Bind on https://%s:%s/", SERVER_ADDRESS, SERVER_PORT );
+    if( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
+        ESP_LOGE(TAG, "mbedtls_net_bind returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Seeding the random number generator");
+    if( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
+                NULL, 0) ) != 0 ) {
+        ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Setting up the SSL data");
+    if( ( ret = mbedtls_ssl_config_defaults( &server->conf,
+                    MBEDTLS_SSL_IS_SERVER,
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
+    {
+        ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    mbedtls_ssl_conf_rng( &server->conf, mbedtls_ctr_drbg_random, &server->ctr_drbg );
+    mbedtls_ssl_conf_ca_chain( &server->conf, server->cert.next, NULL );
+
+    if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 )
+    {
+        ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned %d", ret );
+        return ESP_FAIL;
+    }
+
+    if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 )
+    {
+        ESP_LOGE(TAG, "mbedtls_ssl_setup returned %d", ret );
+        return ESP_FAIL;
+    }
+    return ESP_OK;
+}
+
+void server_task(void *pvParameters)
+{
+    int ret;
+    mbedtls_endpoint_t server;
+    xSemaphoreHandle *sema = (xSemaphoreHandle *) pvParameters;
+
+
+    if (server_setup(&server) != ESP_OK) {
+        ESP_LOGE(TAG, "SSL server setup failed");
+        goto exit;
+    }
+
+    ESP_LOGI(TAG, "Waiting for a remote connection" );
+    if( ( ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd,
+                                    NULL, 0, NULL ) ) != 0 ) {
+        ESP_LOGE(TAG, "mbedtls_net_accept returned %d", ret );
+        goto exit;
+    }
+
+    mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+
+    while(exit_flag == false) {
+        mbedtls_ssl_handshake( &server.ssl );
+    }
+    ESP_LOGE(TAG, "Server shutdown");
+    exit:
+        endpoint_teardown(&server);
+        xSemaphoreGive(*sema);
+        vTaskDelete(NULL);
+}
+
+
+esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
+{
+    mbedtls_net_free( &endpoint->client_fd );
+    mbedtls_net_free( &endpoint->listen_fd );
+
+    mbedtls_x509_crt_free( &endpoint->cert );
+    mbedtls_pk_free( &endpoint->pkey );
+    mbedtls_ssl_free( &endpoint->ssl );
+    mbedtls_ssl_config_free( &endpoint->conf );
+
+    mbedtls_ctr_drbg_free( &endpoint->ctr_drbg );
+    mbedtls_entropy_free( &endpoint->entropy );
+
+    return ESP_OK;
+}
+
+esp_err_t client_setup(mbedtls_endpoint_t* client)
+{
+    int ret;
+    mbedtls_ssl_config_init( &client->conf );
+    mbedtls_net_init( &client->client_fd );
+    mbedtls_ssl_init( &client->ssl );
+    mbedtls_x509_crt_init( &client->cert );
+    mbedtls_pk_init( &client->pkey );
+    mbedtls_entropy_init( &client->entropy );
+    mbedtls_ctr_drbg_init( &client->ctr_drbg );
+
+    ESP_LOGI(TAG, "Seeding the random number generator");
+    if((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
+                                    NULL, 0)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret);
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Setting hostname for TLS session...");
+     /* Hostname set here should match CN in server certificate */
+    if((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
+    if((ret = mbedtls_ssl_config_defaults(&client->conf,
+                                          MBEDTLS_SSL_IS_CLIENT,
+                                          MBEDTLS_SSL_TRANSPORT_STREAM,
+                                          MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
+        return ESP_FAIL;
+    }
+    mbedtls_ssl_conf_rng(&client->conf, mbedtls_ctr_drbg_random, &client->ctr_drbg);
+
+    if ((ret = mbedtls_ssl_setup(&client->ssl, &client->conf)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
+        return ESP_FAIL;
+    }
+
+    return ESP_OK;
+}
+
+void client_task(void *pvParameters)
+{
+    int ret;
+
+    xSemaphoreHandle *sema = (xSemaphoreHandle *) pvParameters;
+
+    mbedtls_endpoint_t client;
+
+    if(client_setup(&client) != ESP_OK) {
+        ESP_LOGE(TAG, "SSL client setup failed");
+        goto exit;
+    }
+
+    // Set the custom bundle which DOESN'T includes the server's root certificate (default bundle)
+    esp_crt_bundle_attach(&client.conf);
+
+    ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
+    if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
+        goto exit;
+    }
+
+    ESP_LOGI(TAG, "Connected.");
+    mbedtls_ssl_set_bio(&client.ssl, &client.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
+
+    ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle that is missing the server root certificate");
+    ret = mbedtls_ssl_handshake(&client.ssl);
+
+    ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
+    TEST_ASSERT(mbedtls_ssl_get_verify_result(&client.ssl) != 0);
+
+    // Reset session before new connection
+    mbedtls_ssl_close_notify(&client.ssl);
+    mbedtls_ssl_session_reset(&client.ssl);
+
+    // Set the custom bundle which includes the server's root certificate
+    esp_crt_bundle_set(server_cert_bundle_start);
+
+    ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle containing the server root certificate");
+    ret = mbedtls_ssl_handshake(&client.ssl);
+
+    ESP_LOGI(TAG, "Verifying peer X.509 certificate ...");
+    ret = mbedtls_ssl_get_verify_result(&client.ssl);
+    TEST_ASSERT(ret == 0);
+
+    if(ret == 0) {
+        ESP_LOGI(TAG, "Certificate validated");
+    }
+
+
+    exit_flag = true;
+
+    exit:
+        mbedtls_ssl_close_notify(&client.ssl);
+        mbedtls_ssl_session_reset(&client.ssl);
+        esp_crt_bundle_detach(&client.conf);
+        endpoint_teardown(&client);
+        xSemaphoreGive(*sema);
+        vTaskDelete(NULL);
+}
+
+TEST_CASE("custom certificate bundle", "[mbedtls]")
+{
+    test_case_uses_tcpip();
+
+    xSemaphoreHandle exit_sema = xSemaphoreCreateCounting(2, 0);
+
+    xTaskCreate(server_task, "server task", 8192, &exit_sema, 5, NULL);
+
+    // Wait for the server to start up
+    vTaskDelay(100 / portTICK_PERIOD_MS);
+    xTaskCreate(client_task, "https_get_task", 8192, &exit_sema, 5, NULL);
+
+    for(int i = 0; i < 2; i++) {
+        if(!xSemaphoreTake(exit_sema, 10000/portTICK_PERIOD_MS)) {
+            TEST_FAIL_MESSAGE("exit_sem not released by test task");
+        }
+    }
+    vSemaphoreDelete(exit_sema);
+}