From 5e1b0b97b59ba6a04950a15c6dbc8cbfd7612c3c Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Wed, 24 Aug 2022 23:19:51 +0530
Subject: [PATCH 1/4] mqtt/ssl_ds example: Remove configure_ds.py script, use
 esp-secure-cert-tool instread

---
 examples/protocols/mqtt/ssl_ds/README.md      |  14 +-
 .../protocols/mqtt/ssl_ds/configure_ds.py     | 393 ------------------
 .../mqtt/ssl_ds/main/idf_component.yml        |   3 +
 3 files changed, 12 insertions(+), 398 deletions(-)
 delete mode 100644 examples/protocols/mqtt/ssl_ds/configure_ds.py
 create mode 100644 examples/protocols/mqtt/ssl_ds/main/idf_component.yml

diff --git a/examples/protocols/mqtt/ssl_ds/README.md b/examples/protocols/mqtt/ssl_ds/README.md
index 065bcfca2b..cbb7f0c4fd 100644
--- a/examples/protocols/mqtt/ssl_ds/README.md
+++ b/examples/protocols/mqtt/ssl_ds/README.md
@@ -40,22 +40,26 @@ openssl genrsa -out client.key
 openssl req -out client.csr -key client.key -new
 ```
 
-Paste the generated CSR in the [Mosquitto test certificate signer](https://test.mosquitto.org/ssl/index.php), click Submit and copy the downloaded `client.crt` in the `main` directory.
-
-Please note, that the supplied file `client.crt` in the `main` directory is only a placeholder for your client certificate (i.e. the example "as is" would compile but would not connect to the broker)
+Paste the generated CSR in the [Mosquitto test certificate signer](https://test.mosquitto.org/ssl/index.php), click Submit and downloaded the `client.crt`. This `client.crt` file shall be used as the device certificate.
 
 #### 3) Configure the DS peripheral
 
-*  The DS peripheral can be configured with the python script [configure_ds.py](README.md#configure_ds-py) by executing the following command
+* i) Install the [esp_secure_cert configuration utility](https://github.com/espressif/esp_secure_cert_mgr/tree/main/tools#esp_secure_cert-configuration-tool) with following command:
+```
+pip install esp-secure-cert-tool
+```
+*  The DS peripheral can be configured by executing the following command:
 
 ```
-    python configure_ds.py --port /* USB COM port */ --private-key /* RSA priv key */
+configure_esp_secure_cert.py -p /* Serial port */ --device-cert /* Device cert */ --private-key /* RSA priv key */ --target_chip /* target chip */ --configure_ds
 ```
 
 In the command USB COM port is nothing but the serial port to which the ESP chip is connected. see
 [check serial port](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/establish-serial-connection.html#check-port-on-windows) for more details.
 RSA private key is nothing but the client private key ( RSA ) generated in Step 2.
 
+> Note: More details about the `esp-secure-cert-tool` utility can be found [here](https://github.com/espressif/esp_secure_cert_mgr/tree/main/tools).
+
 #### 4) Connection cofiguration
 * Open the project configuration menu (`idf.py menuconfig`)
 * Configure Wi-Fi or Ethernet under "Example Connection Configuration" menu. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../../README.md) for more details.
diff --git a/examples/protocols/mqtt/ssl_ds/configure_ds.py b/examples/protocols/mqtt/ssl_ds/configure_ds.py
deleted file mode 100644
index d847db23a6..0000000000
--- a/examples/protocols/mqtt/ssl_ds/configure_ds.py
+++ /dev/null
@@ -1,393 +0,0 @@
-#!/usr/bin/env python
-# SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
-# SPDX-License-Identifier: Apache-2.0
-import argparse
-import hashlib
-import hmac
-import json
-import os
-import struct
-import subprocess
-import sys
-
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.utils import int_to_bytes
-
-try:
-    import nvs_partition_gen as nvs_gen
-except ImportError:
-    idf_path = os.getenv('IDF_PATH')
-    if not idf_path or not os.path.exists(idf_path):
-        raise Exception('IDF_PATH not found')
-    sys.path.insert(0, os.path.join(idf_path, 'components', 'nvs_flash', 'nvs_partition_generator'))
-    import nvs_partition_gen as nvs_gen
-
-# Check python version is proper or not to avoid script failure
-assert sys.version_info >= (3, 6, 0), 'Python version too low.'
-
-esp_ds_data_dir = 'esp_ds_data'
-# hmac_key_file is generated when HMAC_KEY is calculated, it is used when burning HMAC_KEY to efuse
-hmac_key_file = esp_ds_data_dir + '/hmac_key.bin'
-# csv and bin filenames are default filenames for nvs partition files created with this script
-csv_filename = esp_ds_data_dir + '/pre_prov.csv'
-bin_filename = esp_ds_data_dir + '/pre_prov.bin'
-expected_json_path = os.path.join('build', 'config', 'sdkconfig.json')
-# Targets supported by the script
-supported_targets = {'esp32s2', 'esp32c3', 'esp32s3'}
-supported_key_size = {'esp32s2':[1024, 2048, 3072, 4096], 'esp32c3':[1024, 2048, 3072], 'esp32s3':[1024, 2048, 3072, 4096]}
-
-
-# @return
-#       on success  idf_target - value of the IDF_TARGET read from build/config/sdkconfig.json
-#       on failure  None
-def get_idf_target():
-    if os.path.exists(expected_json_path):
-        sdkconfig = json.load(open(expected_json_path))
-        idf_target_read = sdkconfig['IDF_TARGET']
-        return idf_target_read
-    else:
-        print('ERROR: IDF_TARGET has not been set for the supported targets,'
-              "\nplase execute command \"idf.py set-target {TARGET}\" in the example directory")
-        return None
-
-
-def load_privatekey(key_file_path, password=None):
-    key_file = open(key_file_path, 'rb')
-    key = key_file.read()
-    key_file.close()
-    return serialization.load_pem_private_key(key, password=password, backend=default_backend())
-
-
-def number_as_bytes(number, pad_bits=None):
-    """
-    Given a number, format as a little endian array of bytes
-    """
-    result = int_to_bytes(number)[::-1]
-    while pad_bits is not None and len(result) < (pad_bits // 8):
-        result += b'\x00'
-    return result
-
-
-# @return
-#       c               : ciphertext_c
-#       iv              : initialization vector
-#       key_size        : key size of the RSA private key in bytes.
-# @input
-#       privkey         : path to the RSA private key
-#       priv_key_pass   : path to the RSA privaete key password
-#       hmac_key        : HMAC key value ( to calculate DS params)
-#       idf_target      : The target chip for the script (e.g. esp32s2, esp32c3, esp32s3)
-# @info
-#       The function calculates the encrypted private key parameters.
-#       Consult the DS documentation (available for the ESP32-S2) in the esp-idf programming guide for more details about the variables and calculations.
-def calculate_ds_parameters(privkey, priv_key_pass, hmac_key, idf_target):
-    private_key = load_privatekey(privkey, priv_key_pass)
-    if not isinstance(private_key, rsa.RSAPrivateKey):
-        print('ERROR: Only RSA private keys are supported')
-        sys.exit(-1)
-    if hmac_key is None:
-        print('ERROR: hmac_key cannot be None')
-        sys.exit(-2)
-
-    priv_numbers = private_key.private_numbers()
-    pub_numbers = private_key.public_key().public_numbers()
-    Y = priv_numbers.d
-    M = pub_numbers.n
-    key_size = private_key.key_size
-    if key_size not in supported_key_size[idf_target]:
-        print('ERROR: Private key size {0} not supported for the target {1},\nthe supported key sizes are {2}'
-              .format(key_size, idf_target, str(supported_key_size[idf_target])))
-        sys.exit(-1)
-
-    iv = os.urandom(16)
-
-    rr = 1 << (key_size * 2)
-    rinv = rr % pub_numbers.n
-    mprime = - rsa._modinv(M, 1 << 32)
-    mprime &= 0xFFFFFFFF
-    length = key_size // 32 - 1
-
-    # get max supported key size for the respective target
-    max_len = max(supported_key_size[idf_target])
-    aes_key = hmac.HMAC(hmac_key, b'\xFF' * 32, hashlib.sha256).digest()
-
-    md_in = number_as_bytes(Y, max_len) + \
-        number_as_bytes(M, max_len) + \
-        number_as_bytes(rinv, max_len) + \
-        struct.pack('<II', mprime, length) + \
-        iv
-
-    # expected_len = max_len_Y + max_len_M + max_len_rinv + (mprime + length packed (8 bytes))+ iv (16 bytes)
-    expected_len = (max_len / 8) * 3 + 8 + 16
-    assert len(md_in) == expected_len
-    md = hashlib.sha256(md_in).digest()
-    # In case of ESP32-S2
-    # Y4096 || M4096 || Rb4096 || M_prime32 || LENGTH32 || MD256 || 0x08*8
-    # In case of ESP32-C3
-    # Y3072 || M3072 || Rb3072 || M_prime32 || LENGTH32 || MD256 || 0x08*8
-    p = number_as_bytes(Y, max_len) + \
-        number_as_bytes(M, max_len) + \
-        number_as_bytes(rinv, max_len) + \
-        md + \
-        struct.pack('<II', mprime, length) + \
-        b'\x08' * 8
-
-    # expected_len = max_len_Y + max_len_M + max_len_rinv + md (32 bytes) + (mprime + length packed (8bytes)) + padding (8 bytes)
-    expected_len = (max_len / 8) * 3 + 32 + 8 + 8
-    assert len(p) == expected_len
-
-    cipher = Cipher(algorithms.AES(aes_key), modes.CBC(iv), backend=default_backend())
-    encryptor = cipher.encryptor()
-    c = encryptor.update(p) + encryptor.finalize()
-    return c, iv, key_size
-
-
-# @info
-#       The function makes use of the "espefuse.py" script to read the efuse summary
-def efuse_summary(args, idf_target):
-    os.system('python $IDF_PATH/components/esptool_py/esptool/espefuse.py --chip {0} -p {1} summary'.format(idf_target, (args.port)))
-
-
-# @info
-#       The function makes use of the "espefuse.py" script to burn the HMAC key on the efuse.
-def efuse_burn_key(args, idf_target):
-    # In case of a development (default) usecase we disable the read protection.
-    key_block_status = '--no-read-protect'
-
-    if args.production is True:
-        # Whitespace character will have no additional effect on the command and
-        # read protection will be enabled as the default behaviour of the command
-        key_block_status = ' '
-
-    os.system('python $IDF_PATH/components/esptool_py/esptool/espefuse.py --chip {0} -p {1} burn_key '
-              '{2} {3} HMAC_DOWN_DIGITAL_SIGNATURE {4}'
-              .format((idf_target), (args.port), ('BLOCK_KEY' + str(args.efuse_key_id)), (hmac_key_file), (key_block_status)))
-
-
-# @info
-#       Generate a custom csv file of encrypted private key parameters.
-#       The csv file is required by the nvs_partition_generator utility to create the nvs partition.
-def generate_csv_file(c, iv, hmac_key_id, key_size, csv_file):
-
-    with open(csv_file, 'wt', encoding='utf8') as f:
-        f.write('# This is a generated csv file containing required parameters for the Digital Signature operation\n')
-        f.write('key,type,encoding,value\nesp_ds_ns,namespace,,\n')
-        f.write('esp_ds_c,data,hex2bin,%s\n' % (c.hex()))
-        f.write('esp_ds_iv,data,hex2bin,%s\n' % (iv.hex()))
-        f.write('esp_ds_key_id,data,u8,%d\n' % (hmac_key_id))
-        f.write('esp_ds_rsa_len,data,u16,%d\n' % (key_size))
-
-
-class DefineArgs(object):
-    def __init__(self, attributes):
-        for key, value in attributes.items():
-            self.__setattr__(key, value)
-
-
-# @info
-#       This function uses the nvs_partition_generater utility
-#       to generate the nvs partition of the encrypted private key parameters.
-def generate_nvs_partition(input_filename, output_filename):
-
-    nvs_args = DefineArgs({
-        'input': input_filename,
-        'outdir': os.getcwd(),
-        'output': output_filename,
-        'size': hex(0x3000),
-        'version': 2,
-        'keyfile':None,
-    })
-
-    nvs_gen.generate(nvs_args, is_encr_enabled=False, encr_key=None)
-
-
-# @return
-#         The json formatted summary of the efuse.
-def get_efuse_summary_json(args, idf_target):
-    _efuse_summary = None
-    try:
-        _efuse_summary = subprocess.check_output(('python $IDF_PATH/components/esptool_py/esptool/espefuse.py '
-                                                  '--chip {0} -p {1} summary --format json'.format(idf_target, (args.port))), shell=True)
-    except subprocess.CalledProcessError as e:
-        print((e.output).decode('UTF-8'))
-        sys.exit(-1)
-
-    _efuse_summary = _efuse_summary.decode('UTF-8')
-    # Remove everything before actual json data from efuse_summary command output.
-    _efuse_summary = _efuse_summary[_efuse_summary.find('{'):]
-    try:
-        _efuse_summary_json = json.loads(_efuse_summary)
-    except json.JSONDecodeError:
-        print('ERROR: failed to parse the json output')
-        sys.exit(-1)
-    return _efuse_summary_json
-
-
-# @return
-#       on success: 256 bit HMAC key present in the given key_block (args.efuse_key_id)
-#       on failure: None
-# @info
-#       This function configures the provided efuse key_block.
-#       If the provided efuse key_block is empty the function generates a new HMAC key and burns it in the efuse key_block.
-#       If the key_block already contains a key the function reads the key from the efuse key_block
-def configure_efuse_key_block(args, idf_target):
-    efuse_summary_json = get_efuse_summary_json(args, idf_target)
-    key_blk = 'BLOCK_KEY' + str(args.efuse_key_id)
-    key_purpose = 'KEY_PURPOSE_' + str(args.efuse_key_id)
-
-    kb_writeable = efuse_summary_json[key_blk]['writeable']
-    kb_readable = efuse_summary_json[key_blk]['readable']
-    hmac_key_read = None
-
-    # If the efuse key block is writable (empty) then generate and write
-    # the new hmac key and check again
-    # If the efuse key block is not writable (already contains a key) then check if it is redable
-    if kb_writeable is True:
-        print('Provided key block (KEY BLOCK %1d) is writable\n Generating a new key and burning it in the efuse..\n' % (args.efuse_key_id))
-
-        new_hmac_key = os.urandom(32)
-        with open(hmac_key_file, 'wb') as key_file:
-            key_file.write(new_hmac_key)
-        # Burn efuse key
-        efuse_burn_key(args, idf_target)
-        if args.production is False:
-            # Read fresh summary of the efuse to read the key value from efuse.
-            # If the key read from efuse matches with the key generated
-            # on host then burn_key operation was successfull
-            new_efuse_summary_json = get_efuse_summary_json(args, idf_target)
-            hmac_key_read = new_efuse_summary_json[key_blk]['value']
-            print(hmac_key_read)
-            hmac_key_read = bytes.fromhex(hmac_key_read)
-            if new_hmac_key == hmac_key_read:
-                print('Key was successfully written to the efuse (KEY BLOCK %1d)' % (args.efuse_key_id))
-            else:
-                print('ERROR: Failed to burn the hmac key to efuse (KEY BLOCK %1d),'
-                      '\nPlease execute the script again using a different key id' % (args.efuse_key_id))
-                return None
-        else:
-            new_efuse_summary_json = get_efuse_summary_json(args, idf_target)
-            if new_efuse_summary_json[key_purpose]['value'] != 'HMAC_DOWN_DIGITAL_SIGNATURE':
-                print('ERROR: Failed to verify the key purpose of the key block{})'.format(args.efuse_key_id))
-                return None
-            hmac_key_read = new_hmac_key
-    else:
-        # If the efuse key block is redable, then read the key from efuse block and use it for encrypting the RSA private key parameters.
-        # If the efuse key block is not redable or it has key purpose set to a different
-        # value than "HMAC_DOWN_DIGITAL_SIGNATURE" then we cannot use it for DS operation
-        if kb_readable is True:
-            if efuse_summary_json[key_purpose]['value'] == 'HMAC_DOWN_DIGITAL_SIGNATURE':
-                print('Provided efuse key block (KEY BLOCK %1d) already contains a key with key_purpose=HMAC_DOWN_DIGITAL_SIGNATURE,'
-                      '\nusing the same key for encrypting the private key data...\n' % (args.efuse_key_id))
-                hmac_key_read = efuse_summary_json[key_blk]['value']
-                hmac_key_read = bytes.fromhex(hmac_key_read)
-                if args.keep_ds_data is True:
-                    with open(hmac_key_file, 'wb') as key_file:
-                        key_file.write(hmac_key_read)
-            else:
-                print('ERROR: Provided efuse key block ((KEY BLOCK %1d)) contains a key with key purpose different'
-                      'than HMAC_DOWN_DIGITAL_SIGNATURE,\nplease execute the script again with a different value of the efuse key id.' % (args.efuse_key_id))
-                return None
-        else:
-            print('ERROR: Provided efuse key block (KEY BLOCK %1d) is not readable and writeable,'
-                  '\nplease execute the script again with a different value of the efuse key id.' % (args.efuse_key_id))
-            return None
-
-    # Return the hmac key burned into the efuse
-    return hmac_key_read
-
-
-def cleanup(args):
-    if args.keep_ds_data is False:
-        if os.path.exists(hmac_key_file):
-            os.remove(hmac_key_file)
-        if os.path.exists(csv_filename):
-            os.remove(csv_filename)
-
-
-def main():
-    parser = argparse.ArgumentParser(description='''Generate an HMAC key and burn it in the desired efuse key block (required for Digital Signature),
-    Generates an NVS partition containing the encrypted private key parameters from the client private key.
-            ''')
-
-    parser.add_argument(
-        '--private-key',
-        dest='privkey',
-        default='client.key',
-        metavar='relative/path/to/client-priv-key',
-        help='relative path to client private key')
-
-    parser.add_argument(
-        '--pwd', '--password',
-        dest='priv_key_pass',
-        metavar='[password]',
-        help='the password associated with the private key')
-
-    parser.add_argument(
-        '--summary',
-        dest='summary',action='store_true',
-        help='Provide this option to print efuse summary of the chip')
-
-    parser.add_argument(
-        '--efuse_key_id',
-        dest='efuse_key_id', type=int, choices=range(1,6),
-        metavar='[key_id] ',
-        default=1,
-        help='Provide the efuse key_id which contains/will contain HMAC_KEY, default is 1')
-
-    parser.add_argument(
-        '--port', '-p',
-        dest='port',
-        metavar='[port]',
-        required=True,
-        help='UART com port to which the ESP device is connected')
-
-    parser.add_argument(
-        '--keep_ds_data_on_host','-keep_ds_data',
-        dest='keep_ds_data', action='store_true',
-        help='Keep encrypted private key data and key on host machine for testing purpose')
-
-    parser.add_argument(
-        '--production', '-prod',
-        dest='production', action='store_true',
-        help='Enable production configurations. e.g.keep efuse key block read protection enabled')
-
-    args = parser.parse_args()
-
-    idf_target = get_idf_target()
-    if idf_target not in supported_targets:
-        if idf_target is not None:
-            print('ERROR: The script does not support the target %s' % idf_target)
-        sys.exit(-1)
-    idf_target = str(idf_target)
-
-    if args.summary is not False:
-        efuse_summary(args, idf_target)
-        sys.exit(0)
-
-    if (os.path.exists(args.privkey) is False):
-        print('ERROR: The provided private key file does not exist')
-        sys.exit(-1)
-
-    if (os.path.exists(esp_ds_data_dir) is False):
-        os.makedirs(esp_ds_data_dir)
-
-    # Burn hmac_key on the efuse block (if it is empty) or read it
-    # from the efuse block (if the efuse block already contains a key).
-    hmac_key_read = configure_efuse_key_block(args, idf_target)
-    if hmac_key_read is None:
-        sys.exit(-1)
-
-    # Calculate the encrypted private key data along with all other parameters
-    c, iv, key_size = calculate_ds_parameters(args.privkey, args.priv_key_pass, hmac_key_read, idf_target)
-
-    # Generate csv file for the DS data and generate an NVS partition.
-    generate_csv_file(c, iv, args.efuse_key_id, key_size, csv_filename)
-    generate_nvs_partition(csv_filename, bin_filename)
-    cleanup(args)
-
-
-if __name__ == '__main__':
-    main()
diff --git a/examples/protocols/mqtt/ssl_ds/main/idf_component.yml b/examples/protocols/mqtt/ssl_ds/main/idf_component.yml
new file mode 100644
index 0000000000..80c7c822a8
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_ds/main/idf_component.yml
@@ -0,0 +1,3 @@
+## IDF Component Manager Manifest File
+dependencies:
+  espressif/esp_secure_cert_mgr: "^2.0.0"

From 69be3b69556bc94b9f336b0577efcbbcf33d7777 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Wed, 24 Aug 2022 23:21:02 +0530
Subject: [PATCH 2/4] mqtt/ssl_ds example: Update the code to use
 `esp_secure_cert` component

---
 examples/protocols/mqtt/ssl_ds/CMakeLists.txt |  8 --
 .../protocols/mqtt/ssl_ds/main/app_main.c     | 98 +++----------------
 .../protocols/mqtt/ssl_ds/main/client.crt     |  1 -
 examples/protocols/mqtt/ssl_ds/partitions.csv |  6 +-
 4 files changed, 16 insertions(+), 97 deletions(-)
 delete mode 100644 examples/protocols/mqtt/ssl_ds/main/client.crt

diff --git a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
index c45c2a0c8d..e821859459 100644
--- a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
+++ b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
@@ -9,12 +9,4 @@ set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_exam
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 project(mqtt_ssl_ds)
 
-# Flash the custom partition named `pre_prov`.
-set(partition pre_prov)
-idf_build_get_property(project_dir PROJECT_DIR)
-set(image_file ${project_dir}/esp_ds_data/${partition}.bin)
-partition_table_get_partition_info(offset "--partition-name ${partition}" "offset")
-esptool_py_flash_target_image(flash "${partition}" "${offset}" "${image_file}")
-
-target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/client.crt" TEXT)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/mosquitto.org.crt" TEXT)
diff --git a/examples/protocols/mqtt/ssl_ds/main/app_main.c b/examples/protocols/mqtt/ssl_ds/main/app_main.c
index 79b28bf34b..ba94cf0db3 100644
--- a/examples/protocols/mqtt/ssl_ds/main/app_main.c
+++ b/examples/protocols/mqtt/ssl_ds/main/app_main.c
@@ -29,25 +29,10 @@
 #include "esp_log.h"
 #include "mqtt_client.h"
 #include "rsa_sign_alt.h"
+#include "esp_secure_cert_read.h"
 
-/* pre_prov - name of partition containing encrypted prv key parameters ( It is set as such to synchronize it with the pre provisioning service */
-#define NVS_PARTITION_NAME  "pre_prov"
-/* esp_ds_ns - namespace used for defining values in esp_ds_nvs */
-#define NVS_NAMESPACE       "esp_ds_ns"
-/* esp_ds_key_id - efuse key block id where 256 bit key is stored, which will be read by
-     * DS module to perform DS operation */
-#define NVS_EFUSE_KEY_ID    "esp_ds_key_id"
-/* esp_ds_rsa_len - length of RSA private key (in bits) which is encrypted */
-#define NVS_RSA_LEN         "esp_ds_rsa_len"
-/* following entries denote key(ASCII string) for particular value in key-value pair of esp_ds_nvs (which are defined in esp_ds_ns) */
-/* ciphertext_c - encrypted RSA private key, see ESP32-S2 Techincal Reference Manual for more details */
-#define NVS_CIPHER_C        "esp_ds_c"
-/* initialization vector (iv) - 256 bit value used to encrypt RSA private key (to generate ciphertext_c) */
-#define NVS_IV              "esp_ds_iv"
 static const char *TAG = "MQTTS_EXAMPLE";
 
-extern const uint8_t client_cert_pem_start[] asm("_binary_client_crt_start");
-extern const uint8_t client_cert_pem_end[] asm("_binary_client_crt_end");
 extern const uint8_t server_cert_pem_start[] asm("_binary_mosquitto_org_crt_start");
 extern const uint8_t server_cert_pem_end[] asm("_binary_mosquitto_org_crt_end");
 
@@ -109,80 +94,23 @@ static void mqtt_event_handler(void *handler_args, esp_event_base_t base, int32_
     }
 }
 
-void *esp_read_ds_data_from_nvs(void)
-{
-    esp_ds_data_ctx_t *ds_data_ctx;
-    ds_data_ctx = (esp_ds_data_ctx_t *)malloc(sizeof(esp_ds_data_ctx_t));
-    if (ds_data_ctx == NULL) {
-        ESP_LOGE(TAG, "Error in allocating memory for esp_ds_data_context");
-        goto exit;
-    }
-
-    ds_data_ctx->esp_ds_data = (esp_ds_data_t *)calloc(1, sizeof(esp_ds_data_t));
-    if (ds_data_ctx->esp_ds_data == NULL) {
-        ESP_LOGE(TAG, "Could not allocate memory for DS data handle ");
-        goto exit;
-    }
-
-    nvs_handle_t esp_ds_nvs_handle;
-    esp_err_t esp_ret;
-    esp_ret = nvs_flash_init_partition(NVS_PARTITION_NAME);
-    if (esp_ret != ESP_OK) {
-        ESP_LOGE(TAG, "Error in esp_ds_nvs partition init,\nreturned %02x (%s)", esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    esp_ret = nvs_open_from_partition(NVS_PARTITION_NAME, NVS_NAMESPACE,
-                                      NVS_READONLY, &esp_ds_nvs_handle);
-    if (esp_ret != ESP_OK) {
-        ESP_LOGE(TAG, "Error in esp_ds_nvs partition open,\nreturned %02x (%s)", esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    esp_ret = nvs_get_u8(esp_ds_nvs_handle, NVS_EFUSE_KEY_ID, &ds_data_ctx->efuse_key_id);
-    if (esp_ret != ESP_OK) {
-        ESP_LOGE(TAG, "Error in efuse_key_id value from nvs,\nreturned %02x (%s)", esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    esp_ret = nvs_get_u16(esp_ds_nvs_handle, NVS_RSA_LEN, &ds_data_ctx->rsa_length_bits);
-    if (esp_ret != ESP_OK) {
-        ESP_LOGE(TAG, "Error in reading rsa key length value from nvs,\nreturned %02x (%s)", esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    size_t blob_length = ESP_DS_C_LEN;
-    esp_ret = nvs_get_blob(esp_ds_nvs_handle, NVS_CIPHER_C, (void *)(ds_data_ctx->esp_ds_data->c), &blob_length);
-    if ((esp_ret != ESP_OK) || (blob_length != ESP_DS_C_LEN)) {
-        ESP_LOGE(TAG, "Error in reading ciphertext_c value from nvs,bytes_read = %d,\nreturned %02x (%s)", blob_length, esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    blob_length = ESP_DS_IV_LEN;
-    esp_ret = nvs_get_blob(esp_ds_nvs_handle, NVS_IV, (void *)(ds_data_ctx->esp_ds_data->iv), &blob_length);
-    if ((esp_ret != ESP_OK) || (blob_length != ESP_DS_IV_LEN)) {
-        ESP_LOGE(TAG, "Error in reading initialization vector value from nvs,bytes_read = %d,\nreturned %02x (%s)", blob_length, esp_ret, esp_err_to_name(esp_ret));
-        goto exit;
-    }
-
-    return (void *)ds_data_ctx;
-exit:
-    if (ds_data_ctx != NULL) {
-        free(ds_data_ctx->esp_ds_data);
-    }
-    free(ds_data_ctx);
-    return NULL;
-}
-
 static void mqtt_app_start(void)
 {
-
     /* The context is used by the DS peripheral, should not be freed */
-    void *ds_data = esp_read_ds_data_from_nvs();
+    esp_ds_data_ctx_t *ds_data = esp_secure_cert_get_ds_ctx();
     if (ds_data == NULL) {
         ESP_LOGE(TAG, "Error in reading DS data from NVS");
         vTaskDelete(NULL);
     }
+    char *device_cert = NULL;
+    esp_err_t ret;
+    uint32_t len;
+    ret = esp_secure_cert_get_device_cert(&device_cert, &len);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to obtain the device certificate");
+        vTaskDelete(NULL);
+    }
+
     const esp_mqtt_client_config_t mqtt_cfg = {
         .broker = {
             .address.uri = "mqtts://test.mosquitto.org:8884",
@@ -190,9 +118,9 @@ static void mqtt_app_start(void)
         },
         .credentials = {
             .authentication = {
-                .certificate = (const char *)client_cert_pem_start,
+                .certificate = (const char *)device_cert,
                 .key = NULL,
-                .ds_data = ds_data
+                .ds_data = (void *)ds_data
             },
         },
     };
diff --git a/examples/protocols/mqtt/ssl_ds/main/client.crt b/examples/protocols/mqtt/ssl_ds/main/client.crt
deleted file mode 100644
index 7a3074b907..0000000000
--- a/examples/protocols/mqtt/ssl_ds/main/client.crt
+++ /dev/null
@@ -1 +0,0 @@
-Please paste your client certificate here (follow instructions in README.md)
diff --git a/examples/protocols/mqtt/ssl_ds/partitions.csv b/examples/protocols/mqtt/ssl_ds/partitions.csv
index 2e1b23d522..d59df069f5 100644
--- a/examples/protocols/mqtt/ssl_ds/partitions.csv
+++ b/examples/protocols/mqtt/ssl_ds/partitions.csv
@@ -1,6 +1,6 @@
 # ESP-IDF Partition Table
 # Name, Type, SubType, Offset, Size, Flags
-nvs,data,nvs,0x9000,24K,
-phy_init,data,phy,0xf000,4K,
-pre_prov,data,nvs,0x10000,0x3000,
+esp_secure_cert,0x3F,,0xD000,0x2000,
+nvs,data,nvs,,24K,
+phy_init,data,phy,,4K,
 factory,app,factory,0x20000,1M,

From cbecb2e94494c6e9dda76d8c2682e897309d9226 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Thu, 25 Aug 2022 09:11:30 +0530
Subject: [PATCH 3/4] mqtt/ssl_ds: Add documentation on how to use
 esp-secure-cert-tool with the example

---
 examples/protocols/mqtt/ssl_ds/CMakeLists.txt     | 7 +++++++
 examples/protocols/mqtt/ssl_ds/README.md          | 5 +++--
 examples/protocols/mqtt/ssl_ds/partitions.csv     | 2 +-
 examples/protocols/mqtt/ssl_ds/sdkconfig.defaults | 6 ++++++
 4 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
index e821859459..144cf8b4db 100644
--- a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
+++ b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt
@@ -9,4 +9,11 @@ set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_exam
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 project(mqtt_ssl_ds)
 
+# Flash the custom partition named `esp_secure_cert`.
+set(partition esp_secure_cert)
+idf_build_get_property(project_dir PROJECT_DIR)
+set(image_file ${project_dir}/esp_secure_cert_data/${partition}.bin)
+partition_table_get_partition_info(offset "--partition-name ${partition}" "offset")
+esptool_py_flash_target_image(flash "${partition}" "${offset}" "${image_file}")
+
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/mosquitto.org.crt" TEXT)
diff --git a/examples/protocols/mqtt/ssl_ds/README.md b/examples/protocols/mqtt/ssl_ds/README.md
index cbb7f0c4fd..168cfcb650 100644
--- a/examples/protocols/mqtt/ssl_ds/README.md
+++ b/examples/protocols/mqtt/ssl_ds/README.md
@@ -48,11 +48,12 @@ Paste the generated CSR in the [Mosquitto test certificate signer](https://test.
 ```
 pip install esp-secure-cert-tool
 ```
-*  The DS peripheral can be configured by executing the following command:
+* ii) The DS peripheral can be configured by executing the following command:
 
 ```
-configure_esp_secure_cert.py -p /* Serial port */ --device-cert /* Device cert */ --private-key /* RSA priv key */ --target_chip /* target chip */ --configure_ds
+configure_esp_secure_cert.py -p /* Serial port */ --device-cert /* Device cert */ --private-key /* RSA priv key */ --target_chip /* target chip */ --configure_ds  --skip_flash
 ```
+This command shall generate a partition named `esp_secure_cert.bin` in the `esp_secure_cert_data` directory. This partition would be aumatically detected by the build system and flashed at appropriate offset when `idf.py flash` command is used. For this process, the command must be executed in the current folder only.
 
 In the command USB COM port is nothing but the serial port to which the ESP chip is connected. see
 [check serial port](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/establish-serial-connection.html#check-port-on-windows) for more details.
diff --git a/examples/protocols/mqtt/ssl_ds/partitions.csv b/examples/protocols/mqtt/ssl_ds/partitions.csv
index d59df069f5..0c4ad775c5 100644
--- a/examples/protocols/mqtt/ssl_ds/partitions.csv
+++ b/examples/protocols/mqtt/ssl_ds/partitions.csv
@@ -1,6 +1,6 @@
 # ESP-IDF Partition Table
 # Name, Type, SubType, Offset, Size, Flags
-esp_secure_cert,0x3F,,0xD000,0x2000,
+esp_secure_cert,0x3F,,,0x2000,
 nvs,data,nvs,,24K,
 phy_init,data,phy,,4K,
 factory,app,factory,0x20000,1M,
diff --git a/examples/protocols/mqtt/ssl_ds/sdkconfig.defaults b/examples/protocols/mqtt/ssl_ds/sdkconfig.defaults
index 4b0421e1ab..94e282f1d6 100644
--- a/examples/protocols/mqtt/ssl_ds/sdkconfig.defaults
+++ b/examples/protocols/mqtt/ssl_ds/sdkconfig.defaults
@@ -1 +1,7 @@
 CONFIG_PARTITION_TABLE_CUSTOM=y
+# Setting partition table offset to 0xC000 would make the address of
+# `esp_secure_cert` partition as 0xD000 (comes next in the sequence).
+# Modules that are programmed with  Espressif Secure Pre Provisioining service
+# uses this offset for `esp_secure_cert` and hence this change aligns this example
+# to work on those modules.
+CONFIG_PARTITION_TABLE_OFFSET=0xC000

From c88b27f285ae3a7a3ce2d4326ab7ff3633a6892b Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Mon, 29 Aug 2022 18:11:05 +0530
Subject: [PATCH 4/4] mqtt/ssl_ds: Remove unwanted references to
 configure_ds.py, Also updated the DS documentation

---
 docs/en/api-reference/peripherals/ds.rst |  8 ++---
 examples/protocols/mqtt/ssl_ds/README.md | 46 ------------------------
 tools/ci/mypy_ignore_list.txt            |  1 -
 3 files changed, 2 insertions(+), 53 deletions(-)

diff --git a/docs/en/api-reference/peripherals/ds.rst b/docs/en/api-reference/peripherals/ds.rst
index 78308185e1..09b98070e4 100644
--- a/docs/en/api-reference/peripherals/ds.rst
+++ b/docs/en/api-reference/peripherals/ds.rst
@@ -63,13 +63,9 @@ The configuration involves the following steps -
 
 For more details, see *{IDF_TARGET_NAME} Technical Reference Manual* > *Digital Signature (DS)* [`PDF <{IDF_TARGET_TRM_EN_URL}#digsig>`__].
 
-To configure the DS peripheral for development purposes, you can use the python script :example_file:`configure_ds.py<protocols/mqtt/ssl_ds/configure_ds.py>`.
-More details about the `configure_ds.py` script can be found at :example_file:`mqtt example README <protocols/mqtt/ssl_ds/README.md>`.
+To configure the DS peripheral for development purposes, you can use the `esp-secure-cert-tool <https://pypi.org/project/esp-secure-cert-tool>`_.
 
-The encrypted private key parameters obtained after the DS peripheral configuration are then to be kept in flash. Furthermore, they are to be passed to the DS peripheral which makes use of those parameters for the Digital Signature operation.
-:doc:`Non Volatile Storage<../storage/nvs_flash>` can be used to store the encrypted private key parameters in flash.
-The script :example_file:`configure_ds.py<protocols/mqtt/ssl_ds/configure_ds.py>` creates an NVS partition for the encrypted private key parameters. Then the script flashes this partition onto the {IDF_TARGET_NAME}.
-The application then needs to read the DS data from NVS, which can be done with the function ``esp_read_ds_data_from_nvs()`` in file :example_file:`ssl_ds/main/app_main.c <protocols/mqtt/ssl_ds/main/app_main.c>`
+The encrypted private key parameters obtained after the DS peripheral configuration are then to be kept in flash. Furthermore, they are to be passed to the DS peripheral which makes use of those parameters for the Digital Signature operation. The application then needs to read the ds data from the flash which has been done through the API's provided by the `esp_secure_cert_mgr <https://github.com/espressif/esp_secure_cert_mgr>`_ component. Please refer the `component/README. <https://github.com/espressif/esp_secure_cert_mgr#readme>`_ for more details.
 
 The process of initializing the DS peripheral and then performing the Digital Signature operation is done internally with help of `ESP-TLS`. Please refer to `Digital Signature with ESP-TLS` in :doc:`ESP-TLS <../protocols/esp_tls>` for more details.
 As mentioned in the `ESP-TLS` documentation, the application only needs to provide the encrypted private key parameters to the esp_tls context (as `ds_data`), which internally performs
diff --git a/examples/protocols/mqtt/ssl_ds/README.md b/examples/protocols/mqtt/ssl_ds/README.md
index 168cfcb650..6a321bd483 100644
--- a/examples/protocols/mqtt/ssl_ds/README.md
+++ b/examples/protocols/mqtt/ssl_ds/README.md
@@ -102,49 +102,3 @@ I (5194) MQTTS_EXAMPLE: MQTT_EVENT_DATA
 TOPIC=/topic/qos0
 DATA=data
 ```
-
-
-### configure_ds.py
-The script [configure_ds.py](./configure_ds.py) is used for configuring the DS peripheral on the ESP32-S2/ESP32-S3/ESP32-C3 SoC. The steps in the script are based on technical details of certain operations in the Digital Signature calculation, which can be found at Digital Signature Section of [ESP32-S2 TRM](https://www.espressif.com/sites/default/files/documentation/esp32-s2_technical_reference_manual_en.pdf)
-
-The configuration script performs the following steps -
-
-1. Take the client private key ( RSA key ) as input.
-    (*required parameter for the script)
-can be provided with
-```
-    python configure_ds.py --private-key /* path to client (rsa) prv key */
-```
-
-2.  Randomly Calculate the `HMAC_KEY` and the `initialization vector`(IV). Then calculate the encrypted private key parameters from client private key (step i) and newly generated parameters. These encrypted private key parameters are required for the DS peripheral to perform the Digital Signature operation.
-
-3.  Store the `HMAC_KEY` in one of the efuse key blocks (in the hardware).
-    The ID of the efuse key block ( should be in range 1-5) can be provided with the following option. (default value of 1 is used if not provided),
-```
-    python configure_ds.py --efuse_key_id /* key id in range 1-5 */
-```
-
-Currently for development purposes, the `HMAC_KEY` is stored in the efuse key block  without read protection so that read operation can be performed on the same key block.
-> You can burn (write) a key on an efuse key block only once. Please use a different key block ID if you want to use a different `HMAC_KEY` for the DS operation.
-
-4. Create an NVS partition of the name `pre_prov.csv` (in `esp_ds_data` folder) which contains the required encrypted private key parameters. A bin file of the nvs partition (`pre_prov.bin`) is also created. As we have added a custom partition, the example is set to use the custom partition table by adding the required option in `sdkconfig.defaults`.
-
-5. (optional) The script can be made to print the summary of the efuse on the chip by providing the following option. When this option is enabled, no other operations in the script are performed.
-```
-    python configure_ds.py --summary
-```
-
-6. (optional) If the user wants to keep the encrypted private key data and the randomly generated `HMAC_KEY` on the host machine for testing purpose. The following option may be used.
-```
-    python configure_ds.py --keep_ds_data_on_host
-```
- The respective files will be stored in the `esp_ds_data` folder which is generated by the script in the same directory. The contents of the `esp_ds_data` folder may be overwritten when the `configure_ds.py` script is executed again.
-
-7. (optional) If the user wants to use the script for production usecase then this option can be used.
-Currently for development purpose, the script disables the read protection on the efuse key block by default.
-In case of a production usecase it is recommeneded to enable the read protection for the efuse key block. It can be done by providing following option along with other required options:
-```
-    python configure_ds.py --production
-```
-
-> A list of all the supported options in the script can be obtained by executing `python configure_ds.py --help`.
diff --git a/tools/ci/mypy_ignore_list.txt b/tools/ci/mypy_ignore_list.txt
index b0e37ec659..29c0bf8b7f 100644
--- a/tools/ci/mypy_ignore_list.txt
+++ b/tools/ci/mypy_ignore_list.txt
@@ -78,7 +78,6 @@ examples/protocols/icmp_echo/example_test.py
 examples/protocols/modbus/serial/example_test.py
 examples/protocols/modbus/tcp/example_test.py
 examples/protocols/mqtt/ssl/mqtt_ssl_example_test.py
-examples/protocols/mqtt/ssl_ds/configure_ds.py
 examples/protocols/mqtt/tcp/mqtt_tcp_example_test.py
 examples/protocols/mqtt/ws/mqtt_ws_example_test.py
 examples/protocols/mqtt/wss/mqtt_wss_example_test.py