From a6fd8b0972f10a0ba96c080d07a49289d9df20c5 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Mon, 21 Mar 2022 20:45:24 +0530
Subject: [PATCH] mbedtls: move locally managed root certificates to separate file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Purpose: This will allow for easily automating periodic updates to "cacrt_all.pem" file. Note: For now newly created "cacrt_local.pem" contains single "DST Root CA X3" which we are keeping to manage compatibility with endpoints like "howsmyssl.com". Please note this Root CA is expired and is not part of Mozilla’s NSS root certificate store.
---
 components/mbedtls/CMakeLists.txt | 4 +--
 .../mbedtls/esp_crt_bundle/cacrt_local.pem | 33 +++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 components/mbedtls/esp_crt_bundle/cacrt_local.pem
diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt
index 8065c8b43b..aff2342fcd 100644
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -15,9 +15,9 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
 set(GENERATE_CERT_BUNDLEPY ${python} ${COMPONENT_DIR}/esp_crt_bundle/gen_crt_bundle.py)
 if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL)
- list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem)
+ list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem)
 elseif(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN)
- list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem)
+ list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem)
 list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
 endif()
diff --git a/components/mbedtls/esp_crt_bundle/cacrt_local.pem b/components/mbedtls/esp_crt_bundle/cacrt_local.pem
new file mode 100644
index 0000000000..3633ed1619
--- /dev/null
+++ b/components/mbedtls/esp_crt_bundle/cacrt_local.pem
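Review bot: Both the DEFAULT_FULL and DEFAULT_CMN branches now hand `cacrt_local.pem` to gen_crt_bundle.py unconditionally, so every default bundle trusts a root that the commit message itself describes as expired and absent from the Mozilla NSS store, with no Kconfig switch to opt out. A dedicated option (placeholder name `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_INCLUDE_LOCAL`, to be defined in the component's Kconfig) that defaults to today's behaviour would let projects that do not need the DST Root CA X3 cross-sign leave it out, and gives the planned Sep 2024 removal a concrete place to land. The identical two-file list is also duplicated across the branches; hoisting it, `set(default_crt_files ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem)` before the if() and `list(APPEND crt_paths ${default_crt_files})` in both, keeps the pair in one place. In the CMN branch the appended `--filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv` presumably applies to the local file as well; whether "DST Root CA X3" is listed in that CSV is not visible here, so confirm the CMN bundle actually ends up containing what this change intends. The enclosing if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) block starts and ends outside the hunk.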
@@ -0,0 +1,33 @@
+##
+## Local CA Root Certificates
+##
+## Local CA Root Certificates that gets appended to "cacrt_all.pem"
+
+
+## letsencrypt has generated a cross signed certificate with DST ROOT CA X3
+## for compatibility after the expiry of the certificate.
+## The new certificate has the ISSUER name as DST Root CA X3.
+## Thus, the handshake fails if esp_crt_bundle does not find the
+## respective name in the crt_bundle.
+## Keeping this certificate for compatibility reasons.
+## This will be removed once the cross-signed certificate expires in Sep 2024.
+
+DST Root CA X3
+==============
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1
+cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT
+rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9
+UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy
+xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d
+utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ
+MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug
+dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE
+GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw
+RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS
+fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
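Review bot: The header comment says the file "gets appended to cacrt_all.pem", but the CMakeLists change in this same patch passes it to gen_crt_bundle.py as a separate input path rather than appending it to that file, and the only signal that this expired root must eventually go is the prose line about Sep 2024. Make the lifetime explicit in the header so the next cacrt_all.pem refresh does not miss it: `## Expired root retained solely for the Let's Encrypt cross-signed chain; its own notAfter appears to be 2021-09-30 (verify with openssl x509 -noout -dates) — delete this file and the crt_paths entry in components/mbedtls/CMakeLists.txt once the cross-signed chain expires (Sep 2024).` The comment also spells the name "DST ROOT CA X3" on one line and "DST Root CA X3" elsewhere; using the exact subject name consistently helps anyone grepping the bundle for it.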