From 057f5cb120277ae393a60bd02c0d7596fcec08f3 Mon Sep 17 00:00:00 2001
From: Nathan Phillips
Date: Fri, 22 Apr 2022 11:31:16 +0100
Subject: [PATCH 1/2] Distinguish 4 identical log messages

Say which certificate couldn't be parsed in each one.
---
 components/esp-tls/esp_tls_mbedtls.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index d8aaa991a1..f5ef77b345 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -341,7 +341,7 @@ static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t
     mbedtls_x509_crt_init(tls->cacert_ptr);
     int ret = mbedtls_x509_crt_parse(tls->cacert_ptr, cacert, cacert_len);
     if (ret < 0) {
-        ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
+        ESP_LOGE(TAG, "mbedtls_x509_crt_parse of CA cert returned -0x%04X", -ret);
         mbedtls_print_error_msg(ret);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
         return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
@@ -371,7 +371,7 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki)
         ret = mbedtls_x509_crt_parse(pki->public_cert, pki->publiccert_pem_buf, pki->publiccert_pem_bytes);
         if (ret < 0) {
-            ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
+            ESP_LOGE(TAG, "mbedtls_x509_crt_parse of public cert returned -0x%04X", -ret);
             mbedtls_print_error_msg(ret);
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
             return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
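Review bot: The `if (ret < 0)` branch that carries the reworded message still ignores the positive return of `mbedtls_x509_crt_parse`, which mbedTLS uses to report that some certificates in a PEM bundle failed to parse while the rest were loaded, so a CA bundle that is only partly usable is installed with no log line at all. Unless the positive case is handled later in set_ca_cert (the function continues past this hunk), consider adding `} else if (ret > 0) { ESP_LOGW(TAG, "mbedtls_x509_crt_parse skipped %d unparseable CA cert(s)", ret); }` after the error branch so trust-store problems are visible. The new wording itself is fine and matches the existing `-0x%04X` convention.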
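Review bot: The new message calls `pki->publiccert_pem_buf` a "public cert" here, while the @@ -950 hunk of the same patch describes the same field as a "client cert", so the four messages are distinct but still do not tell a reader which configuration buffer failed; "public cert" is also ambiguous because every certificate this file parses is public. Using one term tied to the field name in both places, e.g. `"mbedtls_x509_crt_parse of publiccert_pem_buf returned -0x%04X"`, keeps the log greppable against what the user supplied. The enclosing set_pki_context starts before this hunk.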
@@ -868,7 +868,7 @@ esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, c
     }
     ret = mbedtls_x509_crt_parse(global_cacert, cacert_pem_buf, cacert_pem_bytes);
     if (ret < 0) {
-        ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
+        ESP_LOGE(TAG, "mbedtls_x509_crt_parse of global CA cert returned -0x%04X", -ret);
         mbedtls_print_error_msg(ret);
         mbedtls_x509_crt_free(global_cacert);
         free(global_cacert);
@@ -950,7 +950,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki)
     if(cfg->clientcert_buf != NULL) {
         ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)((esp_tls_pki_t *)pki->publiccert_pem_buf), (esp_tls_pki_t *)pki->publiccert_pem_bytes);
         if (ret < 0) {
-            ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
+            ESP_LOGE(TAG, "mbedtls_x509_crt_parse of client cert returned -0x%04X", -ret);
             mbedtls_print_error_msg(ret);
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
             return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;

From 260fd5c5a583375aa9d9409d7393592c598d058e Mon Sep 17 00:00:00 2001
From: Nathan Phillips
Date: Thu, 1 Dec 2022 16:45:03 +0000
Subject: [PATCH 2/2] Explicitly log an invalid digest in DS data

---
 components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c b/components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c
index d0ae6a57e9..539f21451a 100644
--- a/components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c
+++ b/components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c
@@ -69,6 +69,7 @@ esp_err_t esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data)
         return ESP_FAIL;
     }
     s_ds_data = ds_data->esp_ds_data;
+    ESP_LOGD(TAG, "Using DS with key block %u, RSA length %u", ds_data->efuse_key_id, ds_data->rsa_length_bits);
     s_esp_ds_hmac_key_id = (hmac_key_id_t) ds_data->efuse_key_id;
     const unsigned rsa_length_int = (ds_data->rsa_length_bits / 32) - 1;
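Review bot: The global CA store has the same gap as the per-connection one: only `ret < 0` is treated as failure, but `mbedtls_x509_crt_parse` returns a positive count when part of a PEM bundle could not be parsed, so an incomplete trust store becomes the global default silently. A one-line warning after the error branch, `if (ret > 0) { ESP_LOGW(TAG, "global CA store: %d certificate(s) could not be parsed", ret); }`, would surface that; whether the positive case is already handled later in esp_mbedtls_set_global_ca_store cannot be seen because the function continues past the hunk. The failure path shown frees `global_cacert`, but whether the pointer is reset to NULL afterwards is outside the hunk, so a later double free cannot be ruled out from here.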
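Review bot: The context line directly above the reworded message, `(esp_tls_pki_t *)pki->publiccert_pem_buf` and `(esp_tls_pki_t *)pki->publiccert_pem_bytes`, dereferences `pki` before casting it — `->` binds tighter than the cast and the hunk header declares `pki` as `const void *` — so this line should not compile as written; presumably the block sits behind a build option that is rarely enabled, and the patch does not address it. The intended form is `((const esp_tls_pki_t *)pki)->publiccert_pem_buf` and `((const esp_tls_pki_t *)pki)->publiccert_pem_bytes`. The guard also tests `cfg->clientcert_buf` while the parse reads the `pki` buffer; if `cfg` and `pki` alias the same object under different types that is fine, but a comment saying so would help, since neither declaration is visible in the hunk.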
@@ -251,7 +252,11 @@ int esp_ds_rsa_sign( void *ctx,
     ds_r = esp_ds_finish_sign((void *)signature, esp_ds_ctx);
     if (ds_r != ESP_OK) {
-        ESP_LOGE(TAG, "Error in esp_ds_finish sign, returned %d ", ds_r);
+        if (ds_r == ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST) {
+            ESP_LOGE(TAG, "Invalid digest in DS data reported by esp_ds_finish_sign");
+        } else {
+            ESP_LOGE(TAG, "Error in esp_ds_finish_sign, returned %d ", ds_r);
+        }
         heap_caps_free(signature);
         return -1;
     }
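Review bot: The new special case for `ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST` drops the numeric code from the log line and duplicates the generic branch; a single message with both a readable name and the code, `ESP_LOGE(TAG, "esp_ds_finish_sign failed: %s (0x%x)", esp_err_to_name(ds_r), ds_r);`, covers every code uniformly, provided esp_err.h is included here (the file already uses esp_err_t) and that code is in the generated name table. Keeping the digest case recognisable is worthwhile, since an invalid-digest result at signing time presumably means the DS data's integrity check against the key failed rather than a transient hardware fault, and an operator should not confuse the two. The surviving generic message still carries the trailing space in `"returned %d "`. esp_ds_rsa_sign starts before this hunk, so what `esp_ds_ctx` holds on this path is not visible.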