Merge branch 'task/led_light_server_crt' into 'master'

shahpiyushv · shahpiyushv · commit b4db703281af · 2022-05-09T17:22:17.000+08:00
ssl_server_cert: Use mbedtls certificate bundle for server authentication

See merge request app-frameworks/esp-rainmaker!298
diff --git a/components/esp_rainmaker/Kconfig.projbuild b/components/esp_rainmaker/Kconfig.projbuild
@@ -132,6 +132,15 @@ menu "ESP RainMaker Config"
         default 0 if ESP_RMAKER_CONSOLE_UART_NUM_0
         default 1 if ESP_RMAKER_CONSOLE_UART_NUM_1
 
+    config ESP_RMAKER_USE_CERT_BUNDLE
+        bool "Use Certificate Bundle"
+        default y
+        select ESP_RMAKER_MQTT_USE_CERT_BUNDLE
+        help
+            Use Certificate Bundle for server authentication. Enabling this is recommended to safeguard
+            against any changes in the server certificates in future. This has an impact on the binary
+            size as well as heap requirement.
+
     menu "ESP RainMaker OTA Config"
 
         config ESP_RMAKER_OTA_AUTOFETCH
diff --git a/components/esp_rainmaker/src/core/esp_rmaker_claim.c b/components/esp_rainmaker/src/core/esp_rmaker_claim.c
@@ -54,6 +54,21 @@
 #include "esp_rmaker_client_data.h"
 #include "esp_rmaker_claim.h"
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 4, 0)
+// Features supported in 4.4+
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#define ESP_RMAKER_USE_CERT_BUNDLE
+#include <esp_crt_bundle.h>
+#endif
+
+#else
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#warning "Certificate Bundle not supported below IDF v4.4. Using provided certificate instead."
+#endif
+
+#endif /* !IDF4.4 */
 
 static const char *TAG = "esp_claim";
 
@@ -370,7 +385,11 @@ static esp_err_t esp_rmaker_claim_perform_common(esp_rmaker_claim_data_t *claim_
         .url = url,
         .transport_type = HTTP_TRANSPORT_OVER_SSL,
         .buffer_size = 1024,
+#ifdef ESP_RMAKER_USE_CERT_BUNDLE
+        .crt_bundle_attach = esp_crt_bundle_attach,
+#else
         .cert_pem = (const char *)claim_service_server_root_ca_pem_start,
+#endif
         .skip_cert_common_name_check = false
     };
     esp_http_client_handle_t client = esp_http_client_init(&config);
diff --git a/components/esp_rainmaker/src/ota/esp_rmaker_ota.c b/components/esp_rainmaker/src/ota/esp_rmaker_ota.c
@@ -28,6 +28,21 @@
 #include <esp_rmaker_utils.h>
 #include "esp_rmaker_ota_internal.h"
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 4, 0)
+// Features supported in 4.4+
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#define ESP_RMAKER_USE_CERT_BUNDLE
+#include <esp_crt_bundle.h>
+#endif
+
+#else
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#warning "Certificate Bundle not supported below IDF v4.4. Using provided certificate instead."
+#endif
+
+#endif /* !IDF4.4 */
 static const char *TAG = "esp_rmaker_ota";
 
 #define OTA_REBOOT_TIMER_SEC    10
@@ -146,7 +161,11 @@ esp_err_t esp_rmaker_ota_default_cb(esp_rmaker_ota_handle_t ota_handle, esp_rmak
     esp_err_t ota_finish_err = ESP_OK;
     esp_http_client_config_t config = {
         .url = ota_data->url,
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+        .crt_bundle_attach = esp_crt_bundle_attach,
+#else
         .cert_pem = ota_data->server_cert,
+#endif
         .timeout_ms = 5000,
         .buffer_size = DEF_HTTP_RX_BUFFER_SIZE,
         .buffer_size_tx = buffer_size_tx,
diff --git a/components/rmaker_common b/components/rmaker_common
@@ -1 +1 @@
-Subproject commit 473417c053888d4ad89def7d856e75a366f74122
+Subproject commit b40a39e06fc449beed9f57ced2417e9a01aad287
diff --git a/examples/fan/sdkconfig.defaults b/examples/fan/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
diff --git a/examples/gpio/sdkconfig.defaults b/examples/gpio/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
diff --git a/examples/homekit_switch/sdkconfig.defaults b/examples/homekit_switch/sdkconfig.defaults
@@ -12,6 +12,7 @@ CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
 CONFIG_MBEDTLS_HARDWARE_MPI=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 #LWIP
 CONFIG_LWIP_MAX_SOCKETS=16
diff --git a/examples/led_light/main/CMakeLists.txt b/examples/led_light/main/CMakeLists.txt
@@ -1,4 +1,2 @@
 idf_component_register(SRCS ./app_driver.c ./app_main.c
                        INCLUDE_DIRS ".")
-
-target_add_binary_data(${COMPONENT_TARGET} "server.crt" TEXT)
diff --git a/examples/led_light/main/app_main.c b/examples/led_light/main/app_main.c
@@ -29,8 +29,6 @@ static const char *TAG = "app_main";
 
 esp_rmaker_device_t *light_device;
 
-extern const char ota_server_cert[] asm("_binary_server_crt_start");
-
 /* Callback to handle commands received from the RainMaker cloud */
 static esp_err_t write_cb(const esp_rmaker_device_t *device, const esp_rmaker_param_t *param,
             const esp_rmaker_param_val_t val, void *priv_data, esp_rmaker_write_ctx_t *ctx)
@@ -108,7 +106,7 @@ void app_main()
 
     /* Enable OTA */
     esp_rmaker_ota_config_t ota_config = {
-        .server_cert = ota_server_cert,
+        .server_cert = ESP_RMAKER_OTA_DEFAULT_SERVER_CERT,
     };
     esp_rmaker_ota_enable(&ota_config, OTA_USING_PARAMS);
 
diff --git a/examples/led_light/main/server.crt b/examples/led_light/main/server.crt
diff --git a/examples/led_light/sdkconfig.defaults b/examples/led_light/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
diff --git a/examples/multi_device/sdkconfig.defaults b/examples/multi_device/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
diff --git a/examples/switch/sdkconfig.defaults b/examples/switch/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
diff --git a/examples/temperature_sensor/sdkconfig.defaults b/examples/temperature_sensor/sdkconfig.defaults
@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y
