feat(mbedtls): add new deprecated cert list and relevant config

Cert bundle is periodically updated with the upstream Mozilla's NSS
root cert store. Retracted certs are moved to deprecated list now and
an additional config allows them to be included in the default bundle. The new
config is disabled by default but can be enabled if one would like
to ensure 100% compatibility w.r.t. cert bundle across IDF minor or
patch releases. In IDF major release the deprecated list shall be reset.
This commit is contained in:
Mahavir Jain
2023-10-24 18:55:24 +05:30
parent 24446bfab1
commit 5b047057ca
3 changed files with 22 additions and 0 deletions


@@ -45,6 +45,12 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv) list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
endif() endif()
# Add deprecated root certs if enabled. This config is not visible if the default cert
# bundle is not selected
if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST)
list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_deprecated.pem)
endif()
if(CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE) if(CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE)
get_filename_component(custom_bundle_path get_filename_component(custom_bundle_path
${CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") ${CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}")
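Review bot: The new branch appends `${DEFAULT_CRT_DIR}/cacrt_deprecated.pem` whenever the option is on, yet the commit message says the deprecated list is reset at each major release; if that reset leaves the file absent or holding zero certificates, confirm gen_crt_bundle.py accepts such an input, or fail early with `if(NOT EXISTS ${DEFAULT_CRT_DIR}/cacrt_deprecated.pem) message(FATAL_ERROR "deprecated root cert list missing") endif()` rather than discovering it at bundle-generation time. Because this option deliberately keeps retracted roots in the trust store, a `message(STATUS "Including deprecated root certificates in the bundle")` inside the branch would record that choice in every build log. Whether the `--filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv` argument added a few lines above also applies to the deprecated list is decided in gen_crt_bundle.py, not here, so the new comment should state which behaviour is intended. The enclosing `if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)` block starts and ends outside the hunk.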


@@ -348,6 +348,21 @@ menu "mbedTLS"
Name of the custom certificate directory or file. This path is evaluated Name of the custom certificate directory or file. This path is evaluated
relative to the project root directory. relative to the project root directory.
config MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST
bool "Add deprecated root certificates"
depends on MBEDTLS_CERTIFICATE_BUNDLE && !MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE
help
Include the deprecated list of root certificates in the bundle.
This list gets updated when a certificate is removed from the Mozilla's
NSS root certificate store. This config can be enabled if you would like
to ensure that none of the certificates that were deployed in the product
are affected because of the update to bundle. In turn, enabling this
config keeps expired, retracted certificates in the bundle and it may
pose a security risk.
- Deprecated cert list may grow based based on sync with upstream bundle
- Deprecated certs would be be removed in ESP-IDF (next) major release
config MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS config MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS
int "Maximum no of certificates allowed in certificate bundle" int "Maximum no of certificates allowed in certificate bundle"
default 200 default 200
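Review bot: The help text of the new MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST option has doubled words on its last two lines; they should read `- Deprecated cert list may grow based on sync with upstream bundle` and `- Deprecated certs would be removed in ESP-IDF (next) major release`, and `the Mozilla's` should be `Mozilla's`. The risk sentence could also tell the person toggling it what the risk is: a retracted root still validates any server chain issued under it, so a line such as `Retracted roots remain trusted for TLS validation; enable only as a temporary compatibility measure and review the deprecated list before each release.` would be more useful than "may pose a security risk". The option carries no explicit default and relies on Kconfig's implicit `n`; an explicit `default n` would document that the opt-in is intentional.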


@@ -10,3 +10,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
CONFIG_EXAMPLE_ETH_PHY_ADDR=1 CONFIG_EXAMPLE_ETH_PHY_ADDR=1
CONFIG_EXAMPLE_CONNECT_IPV6=y CONFIG_EXAMPLE_CONNECT_IPV6=y
CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST=y
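Review bot: Setting `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST=y` in what the `CONFIG_EXAMPLE_*` keys suggest is an example's default configuration (the file path is not shown in this view) ships retracted roots to anyone who copies the example, while the Kconfig help for the same option says it may pose a security risk. If the purpose is build coverage for the new option, a CI-specific config or a preceding comment line `# Build-test the deprecated root cert list; not recommended for production` would keep the example's default trust store on the vetted bundle.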