Merge branch 'feature/enable_secure_element_for_https_server' into 'master'

esp_https_server: Enable secure element support.

Closes IDFGH-6650

See merge request espressif/esp-idf!17613

components/esp-tls/esp_tls.h

@@ -251,6 +251,10 @@ typedef struct esp_tls_cfg_server {
     unsigned int serverkey_password_len;        /*!< String length of the password pointed to by
                                                      serverkey_password */
 
+    bool use_secure_element;                    /*!< Enable this option to use secure element or
+                                                 atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */
+
+
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
     esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
                                                     You have to call esp_tls_cfg_server_session_tickets_init

components/esp-tls/esp_tls_mbedtls.c

@@ -33,7 +33,7 @@
 #include "cryptoauthlib.h"
 static const atcacert_def_t *cert_def = NULL;
 /* Prototypes for functions */
-static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg);
+static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
 
 #if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
@@ -512,7 +512,28 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
     }
 
-    if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
+    if (cfg->use_secure_element) {
+#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+        esp_tls_pki_t pki = {
+            .public_cert = &tls->servercert,
+            .pk_key = &tls->serverkey,
+            .publiccert_pem_buf = cfg->servercert_buf,
+            .publiccert_pem_bytes = cfg->servercert_bytes,
+            .privkey_pem_buf = NULL,
+            .privkey_pem_bytes = 0,
+            .privkey_password = NULL,
+            .privkey_password_len = 0,
+        };
+
+        ret = esp_set_atecc608a_pki_context(tls, (void*) &pki);
+        if (ret != ESP_OK) {
+            return ret;
+        }
+#else
+        ESP_LOGE(TAG, "Please enable secure element support for ESP-TLS in menuconfig");
+        return ESP_FAIL;
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+    } else if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
         esp_tls_pki_t pki = {
             .public_cert = &tls->servercert,
             .pk_key = &tls->serverkey,
@@ -662,7 +683,17 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 
     if (cfg->use_secure_element) {
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
-        ret = esp_set_atecc608a_pki_context(tls, (esp_tls_cfg_t *)cfg);
+        esp_tls_pki_t pki = {
+            .public_cert = &tls->clientcert,
+            .pk_key = &tls->clientkey,
+            .publiccert_pem_buf = cfg->clientcert_buf,
+            .publiccert_pem_bytes = cfg->clientcert_bytes,
+            .privkey_pem_buf = NULL,
+            .privkey_pem_bytes = 0,
+            .privkey_password = NULL,
+            .privkey_password_len = 0,
+        };
+        ret = esp_set_atecc608a_pki_context(tls, (void*) &pki);
         if (ret != ESP_OK) {
             return ret;
         }
@@ -837,7 +868,7 @@ static esp_err_t esp_init_atecc608a(uint8_t i2c_addr)
     return ESP_OK;
 }
 
-static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg)
+static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki)
 {
     int ret = 0;
     esp_err_t esp_ret = ESP_FAIL;
@@ -878,7 +909,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cf
     mbedtls_x509_crt_init(&tls->clientcert);
 
     if(cfg->clientcert_buf != NULL) {
-        ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)cfg->clientcert_buf, cfg->clientcert_bytes);
+        ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)((esp_tls_pki_t *)pki->publiccert_pem_buf), (esp_tls_pki_t *)pki->publiccert_pem_bytes);
         if (ret < 0) {
             ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
             mbedtls_print_error_msg(ret);
@@ -905,6 +936,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cf
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
         return ESP_ERR_ESP_TLS_SE_FAILED;
     }
+
     return ESP_OK;
 }
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */

components/esp_https_server/include/esp_https_server.h

@@ -80,6 +80,9 @@ struct httpd_ssl_config {
     /** Enable tls session tickets */
     bool session_tickets;
 
+    /** Enable secure element for server session */
+    bool use_secure_element;
+
     /** User callback for esp_https_server */
     esp_https_server_user_cb *user_cb;
 };

components/esp_https_server/src/https_server.c

@@ -181,6 +181,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
 
     ssl_ctx->tls_cfg = cfg;
     ssl_ctx->user_cb = config->user_cb;
+
 /* cacert = CA which signs client cert, or client cert itself */
     if(config->cacert_pem != NULL) {
         cfg->cacert_buf = (unsigned char *)malloc(config->cacert_len);
@@ -193,6 +194,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
         memcpy((char *)cfg->cacert_buf, config->cacert_pem, config->cacert_len);
         cfg->cacert_bytes = config->cacert_len;
     }
+
 /* servercert = cert of server itself */
     cfg->servercert_buf = (unsigned char *)malloc(config->servercert_len);
     if (!cfg->servercert_buf) {
@@ -205,15 +207,20 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
     memcpy((char *)cfg->servercert_buf, config->servercert, config->servercert_len);
     cfg->servercert_bytes = config->servercert_len;
 
-    cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
+    /* Pass on secure element boolean */
-    if (!cfg->serverkey_buf) {
+    cfg->use_secure_element = config->use_secure_element;
-        ESP_LOGE(TAG, "Could not allocate memory");
+    if (!cfg->use_secure_element) {
-        free((void *)cfg->servercert_buf);
+        cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
-        free((void *)cfg->cacert_buf);
+        if (!cfg->serverkey_buf) {
-        free(cfg);
+            ESP_LOGE(TAG, "Could not allocate memory");
-        free(ssl_ctx);
+            free((void *)cfg->servercert_buf);
-        return NULL;
+            free((void *)cfg->cacert_buf);
+            free(cfg);
+            free(ssl_ctx);
+            return NULL;
+        }
     }
+
     memcpy((char *)cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
     cfg->serverkey_bytes = config->prvtkey_len;