From 5b047057cacaa6c52a41ccbdf3fc35477e1e9b01 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Tue, 24 Oct 2023 18:55:24 +0530
Subject: [PATCH] feat(mbedtls): add new deprecated cert list and relevant config

Cert bundle is periodically updated with the upstream Mozilla's NSS root cert store. Retracted certs are moved to deprecated list now and an additional config allows to include them in the default bundle. New config is kept default disabled but can be enabled if one would like to ensure 100% compatibility w.r.t. cert bundle across IDF minor or patch releases. In IDF major release the deprecated list shall be reset.
---
components/mbedtls/CMakeLists.txt | 6 ++++++
components/mbedtls/Kconfig | 15 +++++++++++++++
examples/protocols/https_request/sdkconfig.ci | 1 +
3 files changed, 22 insertions(+)

diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt
index 3d2ad9d855..a162a0a3ab 100644
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -45,6 +45,12 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
 list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
 endif()
+ # Add deprecated root certs if enabled. This config is not visible if the default cert
+ # bundle is not selected
+ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST)
+ list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_deprecated.pem)
+ endif()
+
 if(CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE)
 get_filename_component(custom_bundle_path ${CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}")
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index e618261230..8fc0f0eb2b 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
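Review bot: The deprecated PEM is appended to `crt_paths` after the `--filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv` argument has already been added for the common-CA bundle, and nothing in the hunk shows whether the bundle generator applies that filter to the deprecated file as well; if it does not, selecting the reduced CMN bundle together with this option re-adds every retracted root rather than only those that were ever in the common set. Worth confirming against the generator script and recording the outcome in the comment. The comment should also state the trust implication rather than only the visibility rule, e.g. `# Re-add roots that Mozilla has removed from NSS (cacrt_deprecated.pem). Enabling this extends trust to retracted CAs for every connection that uses the bundle; opt-in via MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST.` The enclosing `if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)` block starts and ends outside the hunk.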
@@ -348,6 +348,21 @@ menu "mbedTLS"
 Name of the custom certificate directory or file. This path is evaluated relative to the project root directory.
+ config MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST
+ bool "Add deprecated root certificates"
+ depends on MBEDTLS_CERTIFICATE_BUNDLE && !MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE
+ help
+ Include the deprecated list of root certificates in the bundle.
+ This list gets updated when a certificate is removed from the Mozilla's
+ NSS root certificate store. This config can be enabled if you would like
+ to ensure that none of the certificates that were deployed in the product
+ are affected because of the update to bundle. In turn, enabling this
+ config keeps expired, retracted certificates in the bundle and it may
+ pose a security risk.
+
+ - Deprecated cert list may grow based based on sync with upstream bundle
+ - Deprecated certs would be be removed in ESP-IDF (next) major release
+
 config MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS
 int "Maximum no of certificates allowed in certificate bundle"
 default 200
diff --git a/examples/protocols/https_request/sdkconfig.ci b/examples/protocols/https_request/sdkconfig.ci
index 5577f9549a..9f61f58c61 100644
--- a/examples/protocols/https_request/sdkconfig.ci
+++ b/examples/protocols/https_request/sdkconfig.ci
@@ -10,3 +10,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
 CONFIG_EXAMPLE_ETH_PHY_ADDR=1
 CONFIG_EXAMPLE_CONNECT_IPV6=y
 CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST=y
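Review bot: The help text is the only place a user sees the trade-off of this option, and both bullets carry a duplicated word (`based based`, `would be be`) alongside "the Mozilla's"; fix to `- Deprecated cert list may grow based on sync with upstream bundle` and `- Deprecated certs would be removed in ESP-IDF (next) major release`, and drop the "the" before "Mozilla's". The security sentence is also too soft: roots are retracted from NSS for reasons that include CA compromise or mis-issuance, so enabling this re-extends trust to those CAs for every TLS connection that uses the bundle, and the text should say that instead of "it may pose a security risk". It is worth stating explicitly that the option is off by default (there is no `default` line, so it resolves to n) and pointing users who must keep talking to a server anchored on a retracted root toward a custom bundle or pinning for that one endpoint rather than re-trusting the whole deprecated list.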