Merge branch 'fix/suppress_cert_bundle_serial_number_warning_v5.3' into 'release/v5.3'

fix(mbedtls/esp_crt_bundle): Suppress non-negative serial number warning (v5.3) See merge request espressif/esp-idf!39403
2025-07-29 18:27:20 +02:00 · 2025-05-29 10:29:03 +05:30
parent 1dd628e4a0 38452e4cc8
commit d2f79c406b
1 changed files with 39 additions and 18 deletions
--- a/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py
+++ b/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py
@ -8,27 +8,39 @@
 # The bundle will have the format: number of certificates; crt 1 subject name length; crt 1 public key length;
 # crt 1 subject name; crt 1 public key; crt 2...
 #
-# SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
+# SPDX-FileCopyrightText: 2018-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Apache-2.0
-
-from __future__ import with_statement
-
 import argparse
 import csv
 import os
 import re
 import struct
 import sys
-from io import open
+import warnings
+
+
+# Ignore warning about non-positive serial numbers in certificates
+# Some CA certificates from the certificate bundle contain zero as serial number
+# Please see https://github.com/pyca/cryptography/issues/12948 for more details
+warnings.filterwarnings(
+    'ignore',
+    message=(
+        r"Parsed a serial number which wasn't positive \(i.e., it was negative or zero\), "
+        'which is disallowed by RFC 5280. '
+        'Loading this certificate will cause an exception in a future release of cryptography.'
+    ),
+)

 try:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import serialization
 except ImportError:
-    print('The cryptography package is not installed.'
-          'Please refer to the Get Started section of the ESP-IDF Programming Guide for '
-          'setting up the required packages.')
+    print(
+        'The cryptography package is not installed.'
+        'Please refer to the Get Started section of the ESP-IDF Programming Guide for '
+        'setting up the required packages.'
+    )
    raise

 ca_bundle_bin_file = 'x509_crt_bundle'
@ -37,13 +49,13 @@ quiet = False


 def status(msg):
-    """ Print status message to stderr """
+    """Print status message to stderr"""
    if not quiet:
        critical(msg)


 def critical(msg):
-    """ Print critical message to stderr """
+    """Print critical message to stderr"""
    sys.stderr.write('gen_crt_bundle.py: ')
    sys.stderr.write(msg)
    sys.stderr.write('\n')
@ -58,7 +70,6 @@ class CertificateBundle:
            os.remove(ca_bundle_bin_file)

    def add_from_path(self, crts_path):
-
        found = False
        for file_path in os.listdir(crts_path):
            found |= self.add_from_file(os.path.join(crts_path, file_path))
@ -89,7 +100,7 @@ class CertificateBundle:
        return False

    def add_from_pem(self, crt_str):
-        """ A single PEM file may have multiple certificates """
+        """A single PEM file may have multiple certificates"""

        crt = ''
        count = 0
@ -125,7 +136,9 @@ class CertificateBundle:
        for crt in self.certificates:
            """ Read the public key as DER format """
            pub_key = crt.public_key()
-            pub_key_der = pub_key.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
+            pub_key_der = pub_key.public_bytes(
+                serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
+            )

            """ Read the subject name as DER format """
            sub_name_der = crt.subject.public_bytes(default_backend())
@ -141,7 +154,6 @@ class CertificateBundle:
        return bundle

    def add_with_filter(self, crts_path, filter_path):
-
        filter_set = set()
        with open(filter_path, 'r', encoding='utf-8') as f:
            csv_reader = csv.reader(f, delimiter=',')
@ -178,10 +190,19 @@ def main():
    parser = argparse.ArgumentParser(description='ESP-IDF x509 certificate bundle utility')

    parser.add_argument('--quiet', '-q', help="Don't print non-critical status messages to stderr", action='store_true')
-    parser.add_argument('--input', '-i', nargs='+', required=True,
-                        help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files')
-    parser.add_argument('--filter', '-f', help='Path to CSV-file where the second columns contains the name of the certificates \
-                        that should be included from cacrt_all.pem')
+    parser.add_argument(
+        '--input',
+        '-i',
+        nargs='+',
+        required=True,
+        help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files',
+    )
+    parser.add_argument(
+        '--filter',
+        '-f',
+        help='Path to CSV-file where the second columns contains the name of the certificates \
+                        that should be included from cacrt_all.pem',
+    )

    args = parser.parse_args()