Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a
root certificate bundle together with their application.

Default bundle includes all Mozilla root certificates

Closes IDF-296

examples/protocols/https_x509_bundle/CMakeLists.txt

@@ -0,0 +1,10 @@
+# The following five lines of boilerplate have to be in your project's
+# CMakeLists in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.5)
+
+# (Not part of the boilerplate)
+# This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
+set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)
+
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+project(https_x509_bundle)

examples/protocols/https_x509_bundle/Makefile

@@ -0,0 +1,11 @@
+#
+# This is a project Makefile. It is assumed the directory this Makefile resides in is a
+# project subdirectory.
+#
+
+PROJECT_NAME := https_x509_bundle
+
+EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common
+
+include $(IDF_PATH)/make/project.mk
+

examples/protocols/https_x509_bundle/README.md

@@ -0,0 +1,45 @@
+# HTTPS x509 Bundle Example
+
+This example shows how to use the ESP certificate bundle utility to embed a bundle of x509 certificates and use them to
+establish a simple HTTPS connection over a secure connection. The path of the certificates are specified using menuconfig.
+
+See the README.md file in the upper level 'examples' directory for more information about examples.
+
+## Example workflow
+- ESP TLS is initialized with the certificate bundle option enabled.
+- The application loops through the given URLs, establishing a secure TLS connection to all of them, verifying the server certificate included.
+
+### Configure the project
+
+* Open the project configuration menu (`idf.py menuconfig`)
+* Configure Wi-Fi or Ethernet under "Example Connection Configuration" menu. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../README.md) for more details.
+* When using Make build system, set `Default serial port` under `Serial flasher config`.
+* If using a different folder than `certs` for storing certificates then update `Custom Certificate Bundle Path` under `Component config` - `mbedTLS` - `Certificate Bundle`
+
+### Build and Flash
+
+Build the project and flash it to the board, then run monitor tool to view serial output:
+
+```
+idf.py -p PORT flash monitor
+```
+
+(To exit the serial monitor, type ``Ctrl-]``.)
+
+See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.
+
+## Example Output
+```
+I (0) cpu_start: Starting scheduler on APP CPU.
+I (491) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
+I (4051) example_connect: Ethernet Link Up
+I (5971) tcpip_adapter: eth ip: 192.168.2.137, mask: 255.255.255.0, gw: 192.168.2.2
+I (5971) example_connect: Connected to Ethernet
+I (5971) example_connect: IPv4 address: 192.168.2.137
+I (5971) example_connect: IPv6 address: fe80:0000:0000:0000:bedd:c2ff:fed4:a92b
+I (5981) example: Connecting to 2 URLs
+I (8371) example: Connection established to https://www.howsmyssl.com/a/check
+I (11821) example: Connection established to https://espressif.com
+I (12821) example: Completed 2 connections
+I (12821) example: Starting over again...
+

examples/protocols/https_x509_bundle/certs/Digicert_global_root.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----
+
+
+

examples/protocols/https_x509_bundle/example_test.py

@@ -0,0 +1,40 @@
+import re
+import os
+import sys
+
+try:
+    import IDF
+except ImportError:
+    # this is a test case write with tiny-test-fw.
+    # to run test cases outside tiny-test-fw,
+    # we need to set environment variable `TEST_FW_PATH`,
+    # then get and insert `TEST_FW_PATH` to sys path before import FW module
+    test_fw_path = os.getenv("TEST_FW_PATH")
+    if test_fw_path and test_fw_path not in sys.path:
+        sys.path.insert(0, test_fw_path)
+    import IDF
+
+
+@IDF.idf_example_test(env_tag="Example_WIFI", ignore=True)
+def test_examples_protocol_https_x509_bundle(env, extra_data):
+    """
+    steps: |
+      1. join AP
+      2. connect to multiple URLs
+      3. send http request
+    """
+    dut1 = env.get_dut("https_x509_bundle", "examples/protocols/https_x509_bundle")
+    # check and log bin size
+    binary_file = os.path.join(dut1.app.binary_path, "https_x509_bundle.bin")
+    bin_size = os.path.getsize(binary_file)
+    IDF.log_performance("https_x509_bundle_bin_size", "{}KB".format(bin_size // 1024))
+    IDF.check_performance("https_x509_bundle_bin_size", bin_size // 1024)
+    # start test
+    dut1.start_app()
+    num_URLS = dut1.expect(re.compile(r"Connecting to (\d+) URLs"), timeout=30)
+    dut1.expect(re.compile(r"Connection established to ([\s\S]*)"), timeout=30)
+    dut1.expect("Completed {} connections".format(num_URLS[0]), timeout=60)
+
+
+if __name__ == '__main__':
+    test_examples_protocol_https_x509_bundle()

examples/protocols/https_x509_bundle/main/CMakeLists.txt

@@ -0,0 +1,4 @@
+set(COMPONENT_SRCS "https_x509_bundle_example_main.c")
+set(COMPONENT_ADD_INCLUDEDIRS ".")
+
+register_component()

examples/protocols/https_x509_bundle/main/component.mk

@@ -0,0 +1,5 @@
+#
+# "main" pseudo-component makefile.
+#
+# (Uses default behaviour of compiling all source files in directory, adding 'include' to include path.)
+

examples/protocols/https_x509_bundle/main/https_x509_bundle_example_main.c

@@ -0,0 +1,97 @@
+/* HTTPS GET Example using plain mbedTLS sockets
+ *
+ * Contacts the howsmyssl.com API via TLS v1.2 and reads a JSON
+ * response.
+ *
+ * Adapted from the ssl_client1 example in mbedtls.
+ *
+ * Original Copyright (C) 2006-2016, ARM Limited, All Rights Reserved, Apache 2.0 License.
+ * Additions Copyright (C) Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License.
+ *
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <string.h>
+#include <stdlib.h>
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "freertos/event_groups.h"
+#include "esp_wifi.h"
+#include "esp_event.h"
+#include "esp_log.h"
+#include "esp_system.h"
+#include "nvs_flash.h"
+#include "protocol_examples_common.h"
+#include "esp_netif.h"
+
+#include "lwip/err.h"
+#include "lwip/sockets.h"
+#include "lwip/sys.h"
+#include "lwip/netdb.h"
+#include "lwip/dns.h"
+
+#include "esp_tls.h"
+#include "esp_crt_bundle.h"
+
+#define MAX_URLS    2
+
+static const char *web_urls[MAX_URLS] = {
+    "https://www.howsmyssl.com/a/check",
+    "https://espressif.com",
+};
+
+static const char *TAG = "example";
+
+static void https_get_task(void *pvParameters)
+{
+    while (1) {
+        int conn_count = 0;
+
+        ESP_LOGI(TAG, "Connecting to %d URLs", MAX_URLS);
+        for (int i = 0; i < MAX_URLS; i++) {
+            esp_tls_cfg_t cfg = {
+                .crt_bundle_attach = esp_crt_bundle_attach,
+            };
+
+            struct esp_tls *tls = esp_tls_conn_http_new(web_urls[i], &cfg);
+
+            if (tls != NULL) {
+                ESP_LOGI(TAG, "Connection established to %s", web_urls[i]);
+                conn_count++;
+            } else {
+                ESP_LOGE(TAG, "Could not connect to %s", web_urls[i]);
+            }
+
+            esp_tls_conn_delete(tls);
+            vTaskDelay(1000 / portTICK_PERIOD_MS);
+        }
+
+        ESP_LOGI(TAG, "Completed %d connections", conn_count);
+        ESP_LOGI(TAG, "Starting over again...");
+    }
+}
+
+void app_main(void)
+{
+    ESP_ERROR_CHECK( nvs_flash_init() );
+    esp_netif_init();
+    ESP_ERROR_CHECK(esp_event_loop_create_default());
+
+    /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig.
+     * Read "Establishing Wi-Fi or Ethernet Connection" section in
+     * examples/protocols/README.md for more information about this function.
+     */
+    ESP_ERROR_CHECK(example_connect());
+
+    xTaskCreate(&https_get_task, "https_get_task", 8192, NULL, 5, NULL);
+}

examples/protocols/https_x509_bundle/sdkconfig.defaults

@@ -0,0 +1,5 @@
+# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL is not set
+# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN is not set
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH="certs"