Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296
2025-08-09 12:35:28 +00:00 · 2019-09-29 18:04:34 +08:00
parent 8e1442f0e7
commit 947e3e94ed
48 changed files with 5030 additions and 147 deletions
--- a/examples/protocols/https_request/main/https_request_example_main.c
+++ b/examples/protocols/https_request/main/https_request_example_main.c
@@ -41,6 +41,7 @@
 #include "lwip/dns.h"

 #include "esp_tls.h"
+#include "esp_crt_bundle.h"

 /* Constants that aren't configurable in menuconfig */
 #define WEB_SERVER "www.howsmyssl.com"
@@ -54,20 +55,6 @@ static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n"
    "User-Agent: esp-idf/1.0 esp32\r\n"
    "\r\n";

-/* Root cert for howsmyssl.com, taken from server_root_cert.pem
-
-   The PEM file was extracted from the output of this command:
-   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
-
-   The CA root cert is the last cert given in the chain of certs.
-
-   To embed it in the app binary, the PEM file is named
-   in the component.mk COMPONENT_EMBED_TXTFILES variable.
-*/
-extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
-extern const uint8_t server_root_cert_pem_end[]   asm("_binary_server_root_cert_pem_end");
-
-
 static void https_get_task(void *pvParameters)
 {
    char buf[512];
@@ -75,23 +62,22 @@ static void https_get_task(void *pvParameters)

    while(1) {
        esp_tls_cfg_t cfg = {
-            .cacert_buf  = server_root_cert_pem_start,
-            .cacert_bytes = server_root_cert_pem_end - server_root_cert_pem_start,
+            .crt_bundle_attach = esp_crt_bundle_attach,
        };
-        
+
        struct esp_tls *tls = esp_tls_conn_http_new(WEB_URL, &cfg);
-        
+
        if(tls != NULL) {
            ESP_LOGI(TAG, "Connection established...");
        } else {
            ESP_LOGE(TAG, "Connection failed...");
            goto exit;
        }
-        
+
        size_t written_bytes = 0;
        do {
-            ret = esp_tls_conn_write(tls, 
-                                     REQUEST + written_bytes, 
+            ret = esp_tls_conn_write(tls,
+                                     REQUEST + written_bytes,
                                     strlen(REQUEST) - written_bytes);
            if (ret >= 0) {
                ESP_LOGI(TAG, "%d bytes written", ret);
@@ -109,10 +95,10 @@ static void https_get_task(void *pvParameters)
            len = sizeof(buf) - 1;
            bzero(buf, sizeof(buf));
            ret = esp_tls_conn_read(tls, (char *)buf, len);
-            
+
            if(ret == ESP_TLS_ERR_SSL_WANT_WRITE  || ret == ESP_TLS_ERR_SSL_WANT_READ)
                continue;
-            
+
            if(ret < 0)
           {
                ESP_LOGE(TAG, "esp_tls_conn_read  returned -0x%x", -ret);
@@ -134,7 +120,7 @@ static void https_get_task(void *pvParameters)
        } while(1);

    exit:
-        esp_tls_conn_delete(tls);    
+        esp_tls_conn_delete(tls);
        putchar('\n'); // JSON output doesn't have a newline at end

        static int request_count;