Add ESP certificate bundle feature

Adds the ESP certificate bundle feature that enables users to bundle a root certificate bundle together with their application. Default bundle includes all Mozilla root certificates Closes IDF-296
2026-05-03 19:41:55 +02:00 · 2019-09-29 18:04:34 +08:00
parent 8e1442f0e7
commit 947e3e94ed
48 changed files with 5030 additions and 147 deletions
@@ -0,0 +1,39 @@
+Owner,Common Name or Certificate Name
+Amazon Trust Services,Amazon Root CA 1
+Amazon Trust Services,Amazon Root CA 2
+Amazon Trust Services,Amazon Root CA 3
+Amazon Trust Services,Amazon Root CA 4
+Amazon Trust Services,Starfield Services Root Certificate Authority - G2
+DigiCert,Baltimore CyberTrust Root
+DigiCert,Cybertrust Global Root
+DigiCert,DigiCert Assured ID Root CA
+DigiCert,DigiCert Assured ID Root G2
+DigiCert,DigiCert Assured ID Root G3
+DigiCert,DigiCert Global Root CA
+DigiCert,DigiCert Global Root G2
+DigiCert,DigiCert Global Root G3
+DigiCert,DigiCert High Assurance EV Root CA
+DigiCert,DigiCert Trusted Root G4
+GlobalSign,GlobalSign ECC Root CA - R5
+GlobalSign,GlobalSign Root CA - R3
+GlobalSign,GlobalSign Root CA - R6
+GlobalSign,GlobalSign Root CA
+GoDaddy,Go Daddy Class 2 CA
+GoDaddy,Go Daddy Root Certificate Authority - G2
+GoDaddy,Starfield Class 2 CA
+GoDaddy,Starfield Root Certificate Authority - G2
+Google Trust Services LLC (GTS),GlobalSign ECC Root CA - R4
+Google Trust Services LLC (GTS),GlobalSign Root CA - R2
+Google Trust Services LLC (GTS),GTS Root R1
+Google Trust Services LLC (GTS),GTS Root R2
+Google Trust Services LLC (GTS),GTS Root R3
+Google Trust Services LLC (GTS),GTS Root R4
+"IdenTrust Services, LLC",DST Root CA X3
+"IdenTrust Services, LLC",IdenTrust Commercial Root CA 1
+"IdenTrust Services, LLC",IdenTrust Public Sector Root CA 1
+Sectigo,Comodo AAA Services root
+Sectigo,COMODO Certification Authority
+Sectigo,COMODO ECC Certification Authority
+Sectigo,COMODO RSA Certification Authority
+Sectigo,USERTrust ECC Certification Authority
+Sectigo,USERTrust RSA Certification Authority
@@ -0,0 +1,219 @@
+// Copyright 2018-2019 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+#include <string.h>
+#include <esp_system.h>
+#include "esp_crt_bundle.h"
+#include "esp_log.h"
+#include "esp_err.h"
+
+
+#define BUNDLE_HEADER_OFFSET 2
+#define CRT_HEADER_OFFSET 4
+
+static const char *TAG = "esp-x509-crt-bundle";
+
+/* a dummy certificate so that
+ * cacert_ptr passes non-NULL check during handshake */
+static mbedtls_x509_crt s_dummy_crt;
+
+
+extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start");
+extern const uint8_t x509_crt_imported_bundle_bin_end[]   asm("_binary_x509_crt_bundle_end");
+
+
+typedef struct crt_bundle_t {
+    const uint8_t **crts;
+    uint16_t num_certs;
+    size_t x509_crt_bundle_len;
+} crt_bundle_t;
+
+static crt_bundle_t s_crt_bundle;
+
+static int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
+static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
+
+
+static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
+{
+    int ret = ESP_FAIL;
+    mbedtls_x509_crt parent;
+    const mbedtls_md_info_t *md_info;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    mbedtls_x509_crt_init(&parent);
+
+    if ( (ret = mbedtls_pk_parse_public_key(&parent.pk , pub_key_buf, pub_key_len) ) != 0) {
+        ESP_LOGE(TAG, "PK parse failed with error %X", ret);
+        return ESP_FAIL;
+    }
+
+
+    // Fast check to avoid expensive computations when not necessary
+    if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) {
+        ESP_LOGE(TAG, "Simple compare failed");
+        return ESP_FAIL;
+    }
+
+    md_info = mbedtls_md_info_from_type(child->sig_md);
+    if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) {
+        ESP_LOGE(TAG, "Internal mbedTLS error %X", ret);
+        return ESP_FAIL;
+    }
+
+    ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
+                                 child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                                 child->sig.p, child->sig.len ) ;
+
+    if (ret != 0) {
+        ESP_LOGE(TAG, "PK verify failed with error %X", ret);
+        return ESP_FAIL;
+    }
+    return ESP_OK;
+}
+
+
+/* This callback is called for every certificate in the chain. If the chain
+ * is proper each intermediate certificate is validated through its parent
+ * in the x509_crt_verify_chain() function. So this callback should
+ * only verify the first untrusted link in the chain is signed by the
+ * root certificate in the trusted bundle
+*/
+int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags)
+{
+    mbedtls_x509_crt *child = crt;
+
+    if (*flags != MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
+        return 0;
+    }
+
+
+    if (s_crt_bundle.crts == NULL) {
+        ESP_LOGE(TAG, "No certificates in bundle");
+        return MBEDTLS_ERR_X509_FATAL_ERROR;
+    }
+
+    ESP_LOGD(TAG, "%d certificates in bundle", s_crt_bundle.num_certs);
+
+    size_t name_len = 0;
+    const uint8_t *crt_name;
+
+    bool crt_found = false;
+    int start = 0;
+    int end = s_crt_bundle.num_certs - 1;
+    int middle = (end - start) / 2;
+
+    /* Look for the certificate using binary search on subject name */
+    while (start <= end) {
+        name_len = s_crt_bundle.crts[middle][0] << 8 | s_crt_bundle.crts[middle][1];
+        crt_name = s_crt_bundle.crts[middle] + CRT_HEADER_OFFSET;
+
+        int cmp_res = memcmp(child->issuer_raw.p, crt_name, name_len );
+        if (cmp_res == 0) {
+            crt_found = true;
+            break;
+        } else if (cmp_res < 0) {
+            end = middle - 1;
+        } else {
+            start = middle + 1;
+        }
+        middle = (start + end) / 2;
+    }
+
+    int ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+    if (crt_found) {
+        size_t key_len = s_crt_bundle.crts[middle][2] << 8 | s_crt_bundle.crts[middle][3];
+        ret = esp_crt_check_signature(child, s_crt_bundle.crts[middle] + CRT_HEADER_OFFSET + name_len, key_len);
+    }
+
+    if (ret == 0) {
+        ESP_LOGI(TAG, "Certificate validated");
+        *flags = 0;
+        return 0;
+    }
+
+    ESP_LOGE(TAG, "Failed to verify certificate");
+    return MBEDTLS_ERR_X509_FATAL_ERROR;
+}
+
+
+/* Initialize the bundle into an array so we can do binary search for certs,
+   the bundle generated by the python utility is already presorted by subject name
+ */
+static esp_err_t esp_crt_bundle_init(const uint8_t *x509_bundle)
+{
+    s_crt_bundle.num_certs = (x509_bundle[0] << 8) | x509_bundle[1];
+    s_crt_bundle.crts = calloc(s_crt_bundle.num_certs, sizeof(x509_bundle));
+
+    if (s_crt_bundle.crts == NULL) {
+        ESP_LOGE(TAG, "Unable to allocate memory for bundle");
+        return ESP_ERR_NO_MEM;
+    }
+
+    const uint8_t *cur_crt;
+    cur_crt = x509_bundle + BUNDLE_HEADER_OFFSET;
+
+    for (int i = 0; i < s_crt_bundle.num_certs; i++) {
+        s_crt_bundle.crts[i] = cur_crt;
+
+        size_t name_len = cur_crt[0] << 8 | cur_crt[1];
+        size_t key_len = cur_crt[2] << 8 | cur_crt[3];
+        cur_crt = cur_crt + CRT_HEADER_OFFSET + name_len + key_len;
+    }
+
+    return ESP_OK;
+}
+
+esp_err_t esp_crt_bundle_attach(mbedtls_ssl_config *conf)
+{
+    esp_err_t ret = ESP_OK;
+    // If no bundle has been set by the user then use the bundle embedded in the binary
+    if (s_crt_bundle.crts == NULL) {
+        ret = esp_crt_bundle_init(x509_crt_imported_bundle_bin_start);
+    }
+
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to attach bundle");
+        return ret;
+    }
+
+    if (conf) {
+        /* point to a dummy certificate
+         * This is only required so that the
+         * cacert_ptr passes non-NULL check during handshake
+         */
+        mbedtls_x509_crt_init(&s_dummy_crt);
+        conf->ca_chain = &s_dummy_crt;
+        mbedtls_ssl_conf_verify(conf, esp_crt_verify_callback, NULL);
+    }
+
+    return ret;
+}
+
+void esp_crt_bundle_detach(mbedtls_ssl_config *conf)
+{
+    free(s_crt_bundle.crts);
+    if (conf) {
+        mbedtls_ssl_conf_verify(conf, NULL, NULL);
+    }
+}
+
+void esp_crt_bundle_set(const uint8_t *x509_bundle)
+{
+    // Free any previously used bundle
+    free(s_crt_bundle.crts);
+    esp_crt_bundle_init(x509_bundle);
+}
+
@@ -0,0 +1,226 @@
+#!/usr/bin/env python
+#
+# ESP32 x509 certificate bundle generation utility
+#
+# Converts PEM and DER certificates to a custom bundle format which stores just the
+# subject name and public key to reduce space
+#
+# The bundle will have the format: number of certificates; crt 1 subject name length; crt 1 public key length;
+# crt 1 subject name; crt 1 public key; crt 2...
+#
+# Copyright 2018-2019 Espressif Systems (Shanghai) PTE LTD
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import with_statement
+
+import os
+import sys
+import struct
+import argparse
+import csv
+import re
+
+try:
+    from cryptography import x509
+    from cryptography.hazmat.backends import default_backend
+    from cryptography.hazmat.primitives import serialization
+except ImportError:
+    print('The cryptography package is not installed.'
+          'Please refer to the Get Started section of the ESP-IDF Programming Guide for '
+          'setting up the required packages.')
+    raise
+
+ca_bundle_bin_file = 'x509_crt_bundle'
+
+quiet = False
+
+
+def status(msg):
+    """ Print status message to stderr """
+    if not quiet:
+        critical(msg)
+
+
+def critical(msg):
+    """ Print critical message to stderr """
+    sys.stderr.write('gen_crt_bundle.py: ')
+    sys.stderr.write(msg)
+    sys.stderr.write('\n')
+
+
+class CertificateBundle:
+    def __init__(self):
+        self.certificates = []
+        self.compressed_crts = []
+
+        if os.path.isfile(ca_bundle_bin_file):
+            os.remove(ca_bundle_bin_file)
+
+    def add_from_path(self, crts_path):
+
+        found = False
+        for file_path in os.listdir(crts_path):
+            found |= self.add_from_file(os.path.join(crts_path, file_path))
+
+        if found is False:
+            raise InputError('No valid x509 certificates found in %s' % crts_path)
+
+    def add_from_file(self, file_path):
+        try:
+            if file_path.endswith('.pem'):
+                status("Parsing certificates from %s" % file_path)
+                with open(file_path, 'r') as f:
+                    crt_str = f.read()
+                    self.add_from_pem(crt_str)
+                    return True
+
+            elif file_path.endswith('.der'):
+                status("Parsing certificates from %s" % file_path)
+                with open(file_path, 'rb') as f:
+                    crt_str = f.read()
+                    self.add_from_der(crt_str)
+                    return True
+
+        except ValueError:
+            critical("Invalid certificate in %s" % file_path)
+            raise InputError("Invalid certificate")
+
+        return False
+
+    def add_from_pem(self, crt_str):
+        """ A single PEM file may have multiple certificates """
+
+        crt = ''
+        count = 0
+        start = False
+
+        for strg in crt_str.splitlines(True):
+            if strg == '-----BEGIN CERTIFICATE-----\n' and start is False:
+                crt = ''
+                start = True
+            elif strg == '-----END CERTIFICATE-----\n' and start is True:
+                crt += strg + '\n'
+                start = False
+                self.certificates.append(x509.load_pem_x509_certificate(crt.encode(), default_backend()))
+                count += 1
+            if start is True:
+                crt += strg
+
+        if(count == 0):
+            raise InputError("No certificate found")
+
+        status("Successfully added %d certificates" % count)
+
+    def add_from_der(self, crt_str):
+        self.certificates.append(x509.load_der_x509_certificate(crt_str, default_backend()))
+        status("Successfully added 1 certificate")
+
+    def create_bundle(self):
+        # Sort certificates in order to do binary search when looking up certificates
+        self.certificates = sorted(self.certificates, key=lambda cert: cert.subject.public_bytes(default_backend()))
+
+        bundle = struct.pack('>H', len(self.certificates))
+
+        for crt in self.certificates:
+            """ Read the public key as DER format """
+            pub_key = crt.public_key()
+            pub_key_der = pub_key.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
+
+            """ Read the subject name as DER format """
+            sub_name_der = crt.subject.public_bytes(default_backend())
+
+            name_len = len(sub_name_der)
+            key_len = len(pub_key_der)
+            len_data = struct.pack('>HH', name_len, key_len)
+
+            bundle += len_data
+            bundle += sub_name_der
+            bundle += pub_key_der
+
+        return bundle
+
+    def add_with_filter(self, crts_path, filter_path):
+
+        filter_set = set()
+        with open(filter_path, 'r') as f:
+            csv_reader = csv.reader(f, delimiter=',')
+
+            # Skip header
+            next(csv_reader)
+            for row in csv_reader:
+                filter_set.add(row[1])
+
+        status("Parsing certificates from %s" % crts_path)
+        crt_str = []
+        with open(crts_path, 'r') as f:
+            crt_str = f.read()
+
+            # Split all certs into a list of (name, certificate string) tuples
+            pem_crts = re.findall(r'(^.+?)\n(=+\n[\s\S]+?END CERTIFICATE-----\n)', crt_str, re.MULTILINE)
+
+            filtered_crts = ''
+            for name, crt in pem_crts:
+                if name in filter_set:
+                    filtered_crts += crt
+
+        self.add_from_pem(filtered_crts)
+
+
+class InputError(RuntimeError):
+    def __init__(self, e):
+        super(InputError, self).__init__(e)
+
+
+def main():
+    global quiet
+
+    parser = argparse.ArgumentParser(description='ESP-IDF x509 certificate bundle utility')
+
+    parser.add_argument('--quiet', '-q', help="Don't print non-critical status messages to stderr", action='store_true')
+    parser.add_argument('--input', '-i', nargs='+', required=True,
+                        help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files')
+    parser.add_argument('--filter', '-f', help='Path to CSV-file where the second columns contains the name of the certificates \
+                        that should be included from cacrt_all.pem')
+
+    args = parser.parse_args()
+
+    quiet = args.quiet
+
+    bundle = CertificateBundle()
+
+    for path in args.input:
+        if os.path.isfile(path):
+            if os.path.basename(path) == "cacrt_all.pem" and args.filter:
+                bundle.add_with_filter(path, args.filter)
+            else:
+                bundle.add_from_file(path)
+        elif os.path.isdir(path):
+            bundle.add_from_path(path)
+        else:
+            raise InputError("Invalid --input=%s, is neither file nor folder" % args.input)
+
+    status('Successfully added %d certificates in total' % len(bundle.certificates))
+
+    crt_bundle = bundle.create_bundle()
+
+    with open(ca_bundle_bin_file, 'wb') as f:
+        f.write(crt_bundle)
+
+
+if __name__ == '__main__':
+    try:
+        main()
+    except InputError as e:
+        print(e)
+        sys.exit(2)
@@ -0,0 +1,67 @@
+// Copyright 2017-2019 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+#ifndef _ESP_CRT_BUNDLE_H_
+#define _ESP_CRT_BUNDLE_H_
+
+#include "mbedtls/ssl.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * @brief      Attach and enable use of a bundle for certificate verification
+ *
+ * Attach and enable use of a bundle for certificate verification through a verification callback.
+ * If no specific bundle has been set through esp_crt_bundle_set() it will default to the
+ * bundle defined in menuconfig and embedded in the binary.
+ *
+ * @param[in]  conf      The config struct for the SSL connection.
+ *
+ * @return
+ *             - ESP_OK  if adding certificates was successful.
+ *             - Other   if an error occured or an action must be taken by the calling process.
+ */
+esp_err_t esp_crt_bundle_attach(mbedtls_ssl_config *conf);
+
+
+/**
+ * @brief      Disable and dealloc the certification bundle
+ *
+ * Removes the certificate verification callback and deallocates used resources
+ *
+ * @param[in]  conf      The config struct for the SSL connection.
+ */
+void esp_crt_bundle_detach(mbedtls_ssl_config *conf);
+
+
+/**
+ * @brief      Set the default certificate bundle used for verification
+ *
+ * Overrides the default certificate bundle. In most use cases the bundle should be
+ * set through menuconfig. The bundle needs to be sorted by subject name since binary search is
+ * used to find certificates.
+ *
+ * @param[in]  x509_bundle     A pointer to the certificate bundle.
+ */
+void esp_crt_bundle_set(const uint8_t *x509_bundle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_ESP_CRT_BUNDLE_H_
@@ -0,0 +1,26 @@
+Entrust Root Certification Authority
+====================================
+-----BEGIN CERTIFICATE-----
+MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV
+BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw
+b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG
+A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0
+MloXDTI2MTEyNzIwNTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu
+MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu
+Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v
+dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz
+A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww
+Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68
+j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN
+rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1
+MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH
+hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
+A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM
+Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa
+v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS
+W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0
+tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8
+-----END CERTIFICATE-----
+
@@ -0,0 +1,26 @@
+Entrust Root Certification Authority
+====================================
+-----BEGIN CERTIFICATE-----
+MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV
+BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw
+b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG
+A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0
+MloXDTI2MTEyNzIwNTM0MFFwgFFxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu
+MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu
+Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v
+dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz
+A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww
+Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68
+j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN
+rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw
+DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1
+MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH
+hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBFFDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
+A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM
+Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxR22IkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa
+v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi447pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS
+W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0
+tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8
+-----END CERTIFICATE-----
+
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+import unittest
+import sys
+import os
+
+try:
+    import gen_crt_bundle
+except ImportError:
+    sys.path.append("..")
+    import gen_crt_bundle
+
+
+idf_path            = os.environ['IDF_PATH']
+ca_crts_path        = idf_path + '/components/mbedtls/esp_crt_bundle/'
+test_crts_path      = idf_path + '/components/mbedtls/esp_crt_bundle/test_gen_crt_bundle/'
+
+ca_bundle_bin_file  = 'x509_crt_bundle'
+
+der_test_file       = 'baltimore.der'
+pem_test_file       = 'entrust.pem'
+verified_der_bundle = 'baltimore_crt_bundle'
+verified_pem_bundle = 'entrust_crt_bundle'
+invalid_test_file   = 'invalid_crt.pem'
+ca_crts_all_file    = 'cacrt_all.pem'
+
+
+class Py23TestCase(unittest.TestCase):
+
+    def __init__(self, *args, **kwargs):
+        super(Py23TestCase, self).__init__(*args, **kwargs)
+        try:
+            self.assertRaisesRegex
+        except AttributeError:
+            # assertRaisesRegexp is deprecated in Python3 but assertRaisesRegex doesn't exist in Python2
+            # This fix is used in order to avoid using the alias from the six library
+            self.assertRaisesRegex = self.assertRaisesRegexp
+
+
+class GenCrtBundleTests(Py23TestCase):
+
+    # Verify generation from der vs known certificate
+    def test_gen_from_der(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+        bundle.add_from_file(test_crts_path + der_test_file)
+
+        crt_bundle = bundle.create_bundle()
+
+        with open(test_crts_path + verified_der_bundle, 'rb') as f:
+            verified_bundle = f.read()
+
+        self.assertEqual(crt_bundle, verified_bundle)
+
+    # Verify generation from pem vs known certificate
+    def test_gen_from_pem(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+        bundle.add_from_file(test_crts_path + pem_test_file)
+
+        crt_bundle = bundle.create_bundle()
+
+        with open(test_crts_path + verified_pem_bundle, 'rb') as f:
+            verified_bundle = f.read()
+
+        self.assertEqual(crt_bundle, verified_bundle)
+
+    def test_invalid_crt_input(self):
+        bundle = gen_crt_bundle.CertificateBundle()
+
+        with self.assertRaisesRegex(gen_crt_bundle.InputError, "Invalid certificate"):
+            bundle.add_from_file(test_crts_path  + invalid_test_file)
+
+        with self.assertRaisesRegex(gen_crt_bundle.InputError, "No certificate found"):
+            bundle.add_from_pem("")
+
+
+if __name__ == "__main__":
+    unittest.main()