Merge branch 'fix/suppress_cert_bundle_serial_number_warning_v5.3' into 'release/v5.3'

fix(mbedtls/esp_crt_bundle): Suppress non-positive serial number warning (v5.3)

See merge request espressif/esp-idf!39403
Mahavir Jain
2025-05-29 10:29:03 +05:30


@ -8,27 +8,39 @@
# The bundle will have the format: number of certificates; crt 1 subject name length; crt 1 public key length; # The bundle will have the format: number of certificates; crt 1 subject name length; crt 1 public key length;
# crt 1 subject name; crt 1 public key; crt 2... # crt 1 subject name; crt 1 public key; crt 2...
# #
# SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD # SPDX-FileCopyrightText: 2018-2025 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
from __future__ import with_statement
import argparse import argparse
import csv import csv
import os import os
import re import re
import struct import struct
import sys import sys
from io import open import warnings
# Ignore warning about non-positive serial numbers in certificates
# Some CA certificates from the certificate bundle contain zero as serial number
# Please see https://github.com/pyca/cryptography/issues/12948 for more details
warnings.filterwarnings(
'ignore',
message=(
r"Parsed a serial number which wasn't positive \(i.e., it was negative or zero\), "
'which is disallowed by RFC 5280. '
'Loading this certificate will cause an exception in a future release of cryptography.'
),
)
try: try:
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
except ImportError: except ImportError:
print('The cryptography package is not installed.' print(
'Please refer to the Get Started section of the ESP-IDF Programming Guide for ' 'The cryptography package is not installed.'
'setting up the required packages.') 'Please refer to the Get Started section of the ESP-IDF Programming Guide for '
'setting up the required packages.'
)
raise raise
ca_bundle_bin_file = 'x509_crt_bundle' ca_bundle_bin_file = 'x509_crt_bundle'
@ -37,13 +49,13 @@ quiet = False
def status(msg): def status(msg):
""" Print status message to stderr """ """Print status message to stderr"""
if not quiet: if not quiet:
critical(msg) critical(msg)
def critical(msg): def critical(msg):
""" Print critical message to stderr """ """Print critical message to stderr"""
sys.stderr.write('gen_crt_bundle.py: ') sys.stderr.write('gen_crt_bundle.py: ')
sys.stderr.write(msg) sys.stderr.write(msg)
sys.stderr.write('\n') sys.stderr.write('\n')
@ -58,7 +70,6 @@ class CertificateBundle:
os.remove(ca_bundle_bin_file) os.remove(ca_bundle_bin_file)
def add_from_path(self, crts_path): def add_from_path(self, crts_path):
found = False found = False
for file_path in os.listdir(crts_path): for file_path in os.listdir(crts_path):
found |= self.add_from_file(os.path.join(crts_path, file_path)) found |= self.add_from_file(os.path.join(crts_path, file_path))
@ -89,7 +100,7 @@ class CertificateBundle:
return False return False
def add_from_pem(self, crt_str): def add_from_pem(self, crt_str):
""" A single PEM file may have multiple certificates """ """A single PEM file may have multiple certificates"""
crt = '' crt = ''
count = 0 count = 0
@ -125,7 +136,9 @@ class CertificateBundle:
for crt in self.certificates: for crt in self.certificates:
""" Read the public key as DER format """ """ Read the public key as DER format """
pub_key = crt.public_key() pub_key = crt.public_key()
pub_key_der = pub_key.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo) pub_key_der = pub_key.public_bytes(
serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
)
""" Read the subject name as DER format """ """ Read the subject name as DER format """
sub_name_der = crt.subject.public_bytes(default_backend()) sub_name_der = crt.subject.public_bytes(default_backend())
@ -141,7 +154,6 @@ class CertificateBundle:
return bundle return bundle
def add_with_filter(self, crts_path, filter_path): def add_with_filter(self, crts_path, filter_path):
filter_set = set() filter_set = set()
with open(filter_path, 'r', encoding='utf-8') as f: with open(filter_path, 'r', encoding='utf-8') as f:
csv_reader = csv.reader(f, delimiter=',') csv_reader = csv.reader(f, delimiter=',')
@ -178,10 +190,19 @@ def main():
parser = argparse.ArgumentParser(description='ESP-IDF x509 certificate bundle utility') parser = argparse.ArgumentParser(description='ESP-IDF x509 certificate bundle utility')
parser.add_argument('--quiet', '-q', help="Don't print non-critical status messages to stderr", action='store_true') parser.add_argument('--quiet', '-q', help="Don't print non-critical status messages to stderr", action='store_true')
parser.add_argument('--input', '-i', nargs='+', required=True, parser.add_argument(
help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files') '--input',
parser.add_argument('--filter', '-f', help='Path to CSV-file where the second columns contains the name of the certificates \ '-i',
that should be included from cacrt_all.pem') nargs='+',
required=True,
help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files',
)
parser.add_argument(
'--filter',
'-f',
help='Path to CSV-file where the second columns contains the name of the certificates \
that should be included from cacrt_all.pem',
)
args = parser.parse_args() args = parser.parse_args()