Merge branch 'feature/add_crt_bundle' into 'master'

Added support for certificate bundle See merge request espressif/esp-mqtt!98
2025-07-29 18:28:24 +02:00 · 2021-05-26 15:54:21 +00:00
parent ff8226a464 06157be118
commit 048f12f55f
3 changed files with 14 additions and 0 deletions
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@ -191,6 +191,7 @@ typedef struct {
    int refresh_connection_after_ms;        /*!< Refresh connection after this value (in milliseconds) */
    const struct psk_key_hint *psk_hint_key;     /*!< Pointer to PSK struct defined in esp_tls.h to enable PSK authentication (as alternative to certificate verification). If not NULL and server/client certificates are NULL, PSK is enabled */
    bool          use_global_ca_store;      /*!< Use a global ca_store for all the connections in which this bool is set. */
+    esp_err_t ((*crt_bundle_attach)(void *conf)); /*!< Pointer to ESP x509 Certificate Bundle attach function for the usage of certification bundles in mqtts */
    int reconnect_timeout_ms;               /*!< Reconnect to the broker after this value in miliseconds if auto reconnect is not disabled (defaults to 10s) */
    const char **alpn_protos;               /*!< NULL-terminated list of supported application protocols to be used for ALPN */
    const char *clientkey_password;         /*!< Client key decryption password string */
--- a/include/mqtt_supported_features.h
+++ b/include/mqtt_supported_features.h
@ -57,6 +57,7 @@
 // Features supported in 4.3
 #define MQTT_SUPPORTED_FEATURE_DIGITAL_SIGNATURE
 #define MQTT_SUPPORTED_FEATURE_TRANSPORT_SOCK_ERRNO_REPORTING
+#define MQTT_SUPPORTED_FEATURE_CERTIFICATE_BUNDLE
 #endif

 #endif /* ESP_IDF_VERSION */
--- a/mqtt_client.c
+++ b/mqtt_client.c
@ -78,6 +78,7 @@ typedef struct {
    char *clientkey_password;
    int clientkey_password_len;
    bool use_global_ca_store;
+    esp_err_t ((*crt_bundle_attach)(void *conf));
    const char *cacert_buf;
    size_t cacert_bytes;
    const char *clientcert_buf;
@ -203,11 +204,21 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle

    if (cfg->use_global_ca_store == true) {
        esp_transport_ssl_enable_global_ca_store(ssl);
+    } else if (cfg->crt_bundle_attach != NULL) {
+#ifdef MQTT_SUPPORTED_FEATURE_CERTIFICATE_BUNDLE
+            esp_transport_ssl_crt_bundle_attach(ssl, cfg->crt_bundle_attach);
+#else   
+            ESP_LOGE(TAG, "Certificate bundle feature is not available in IDF version %s", IDF_VER);
+            goto esp_mqtt_set_transport_failed;
+#endif
    } else {
        ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CA_CERT, cfg->cacert_buf, cfg->cacert_bytes),
                     goto esp_mqtt_set_transport_failed);
+        
    }

+    
+
    if (cfg->use_secure_element) {
 #ifdef MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
@ -491,6 +502,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
    client->config->psk_hint_key = config->psk_hint_key;
    client->config->skip_cert_common_name_check = config->skip_cert_common_name_check;
    client->config->use_secure_element = config->use_secure_element;
+    client->config->crt_bundle_attach = config->crt_bundle_attach;
    client->config->ds_data = config->ds_data;

    if (config->clientkey_password && config->clientkey_password_len) {