feat(esp-wolfssl): add wolfSSL certificate bundle support#31
Open
hrushikesh430 wants to merge 1 commit into
Conversation
Migrated from esp-idf PRs #16145 and #17683 (wolfSSL cert-bundle series). Adds the wolfSSL equivalent of CONFIG_MBEDTLS_CERTIFICATE_BUNDLE so apps can verify TLS servers against an embedded common-root-CA bundle via esp_tls_cfg_t.crt_bundle_attach = esp_crt_bundle_attach, without supplying a CA certificate per connection.

- Kconfig: WOLFSSL_CERTIFICATE_BUNDLE (+ default FULL/NONE, MAX_CERTS, debug); mutually exclusive with MBEDTLS_CERTIFICATE_BUNDLE (wolfSSL forbids both).
- CMakeLists: compile the wolfSSL esp_crt_bundle.c port and generate + embed the CA bundle blob (gen_crt_bundle.py -> _binary_x509_crt_bundle_wolfssl_*). esp_crt_bundle.c is gated on the legacy CONFIG_ESP_TLS_USING_WOLFSSL and must include settings.h first, so both are forced for that single file.
- esp_tls_wolfssl.c: wire crt_bundle_attach into the custom stack by handing our WOLFSSL_CTX to the bundle (it installs a WOLFSSL_VERIFY_PEER callback); the ESP_ERR_NOT_SUPPORTED path remains when the feature is disabled.
- user_settings.h: allow zero-serial CAs (WOLFSSL_ASN_ALLOW_0_SERIAL) when the bundle is enabled so legacy roots are not dropped from the bundle.

Verified on ESP32-C5: a client using only the embedded bundle (no explicit CA) completes a TLS handshake to www.howsmyssl.com.
What the original esp-idf PRs did

The wolfSSL cert-bundle series in ESP-IDF added the wolfSSL equivalent of the mbedTLS certificate bundle: Kconfig + CMakeLists for the wolfSSL bundle. They targeted the old built-in wolfSSL backend (CONFIG_ESP_TLS_USING_WOLFSSL), which no longer exists in ESP-IDF (wolfSSL now lives here as the esp-tls custom stack).

What this PR does

Re-implements the feature for the custom-stack model:

- Kconfig: WOLFSSL_CERTIFICATE_BUNDLE (+ default FULL/NONE, max-certs, debug). Mutually exclusive with MBEDTLS_CERTIFICATE_BUNDLE (wolfSSL forbids both at once).
- CMakeLists: compiles the esp_crt_bundle.c port and generates + embeds the CA blob (gen_crt_bundle.py → _binary_x509_crt_bundle_wolfssl_*). That file is gated on the legacy CONFIG_ESP_TLS_USING_WOLFSSL and needs settings.h first, so both are forced for that single source.
- esp_tls_wolfssl.c: wires crt_bundle_attach into the custom stack by handing our WOLFSSL_CTX to the bundle (installs a WOLFSSL_VERIFY_PEER callback). The ESP_ERR_NOT_SUPPORTED path stays when the feature is off.
- user_settings.h: allows zero-serial CAs (WOLFSSL_ASN_ALLOW_0_SERIAL) when the bundle is enabled, so legacy roots are not dropped.

Usage (unchanged from mbedTLS):

esp_tls_cfg_t cfg = { .crt_bundle_attach = esp_crt_bundle_attach };

Testing

www.howsmyssl.com (PASS); after allowing zero-serial CAs the full bundle loads with no parse errors.
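The attach and verify-callback flow the description sketches, as an added C example that is not part of this PR, ESP-IDF or wolfSSL. It models the pieces with invented *_model stand-ins so it compiles without the SDK: a parser for an embedded bundle blob (assumed to follow the layout gen_crt_bundle.py uses for the mbedTLS bundle, a certificate count followed by name_len, key_len, name and key per entry, sorted by name; the page does not describe the wolfSSL blob), an attach step that puts the context into VERIFY_PEER mode and installs the callback, and a callback that resolves the top of the presented chain against the bundle by binary search. The signature check is replaced by a byte compare against the stored key, and all certificate data is constructed.

```c
/* Added example, not code from this PR, ESP-IDF or wolfSSL: a stand-alone model of "hand the
 * WOLFSSL_CTX to the bundle, which installs a VERIFY_PEER callback". Assumed blob layout is
 * the one gen_crt_bundle.py emits for the mbedTLS bundle (big-endian cert count, then per cert:
 * name_len, key_len, name, key; sorted by name); the page does not describe the wolfSSL blob.
 * Every *_model name is an invented stand-in; the signature check is a byte compare of keys. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { VERIFY_NONE_MODEL = 0, VERIFY_PEER_MODEL = 1 };
typedef struct { const uint8_t *name; uint16_t name_len; const uint8_t *key; uint16_t key_len; } bundle_entry_t;
typedef struct { bundle_entry_t *crts; uint16_t num_certs; } crt_bundle_model_t;
/* A parsed certificate, reduced to what the bundle logic needs. */
typedef struct { const char *subject, *issuer, *sig_key; size_t sig_key_len; } cert_model_t;
typedef struct ctx_model ctx_model_t;
typedef int (*verify_cb_model_t)(ctx_model_t *ctx, const cert_model_t *chain, size_t n);
struct ctx_model { int verify_mode; verify_cb_model_t verify_cb; crt_bundle_model_t *bundle; };

static int name_cmp(const uint8_t *a, size_t al, const uint8_t *b, size_t bl)
{
    int c = memcmp(a, b, al < bl ? al : bl);
    return c ? c : (int)al - (int)bl;
}

/* Parse the embedded blob into a table; reject empty, truncated, unsorted or padded blobs. */
static int bundle_parse_model(const uint8_t *blob, size_t len, crt_bundle_model_t *out)
{
    if (len < 2) return -1;
    uint16_t n = (uint16_t)((blob[0] << 8) | blob[1]);
    bundle_entry_t *e = n ? calloc(n, sizeof *e) : NULL;
    if (!e) return -1;
    size_t off = 2;
    for (uint16_t i = 0; i < n; i++) {
        if (len - off < 4) goto bad;
        uint16_t nl = (uint16_t)((blob[off] << 8) | blob[off + 1]);
        uint16_t kl = (uint16_t)((blob[off + 2] << 8) | blob[off + 3]);
        off += 4;
        if (len - off < (size_t)nl + kl) goto bad;
        e[i].name = blob + off;      e[i].name_len = nl;
        e[i].key  = blob + off + nl; e[i].key_len  = kl;
        off += (size_t)nl + kl;
        if (i && name_cmp(e[i - 1].name, e[i - 1].name_len, e[i].name, nl) >= 0) goto bad;
    }
    if (off != len) goto bad;
    out->crts = e; out->num_certs = n;
    return 0;
bad:
    free(e);
    return -1;
}

/* Binary search by issuer name; this is why the generator must emit the entries sorted. */
static const bundle_entry_t *bundle_find_model(const crt_bundle_model_t *b, const char *issuer)
{
    size_t lo = 0, hi = b->num_certs, il = strlen(issuer);
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = name_cmp((const uint8_t *)issuer, il, b->crts[mid].name, b->crts[mid].name_len);
        if (c == 0) return &b->crts[mid];
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return NULL;
}

/* VERIFY_PEER callback: match the top of the presented chain against the bundle; that CA must be
 * its issuer and hold the verifying key. 1 = accept, 0 = reject (wolfSSL's callback convention). */
static int bundle_verify_cb_model(ctx_model_t *ctx, const cert_model_t *chain, size_t n)
{
    if (!ctx->bundle || n == 0) return 0;
    const cert_model_t *top = &chain[n - 1];
    const bundle_entry_t *ca = bundle_find_model(ctx->bundle, top->issuer);
    if (!ca || ca->key_len != top->sig_key_len) return 0;   /* unknown root, or key shape differs */
    return memcmp(ca->key, top->sig_key, ca->key_len) == 0;  /* stands in for the signature check */
}

/* What the PR says esp_crt_bundle_attach does with the WOLFSSL_CTX it is handed. */
static int crt_bundle_attach_model(ctx_model_t *ctx, crt_bundle_model_t *bundle)
{
    if (!ctx || !bundle || bundle->num_certs == 0) return -1;
    ctx->bundle = bundle; ctx->verify_mode = VERIFY_PEER_MODEL; ctx->verify_cb = bundle_verify_cb_model;
    return 0;
}

/* Where the handshake checks the peer chain: VERIFY_PEER without a callback has no anchors. */
static int handshake_verify_model(ctx_model_t *ctx, const cert_model_t *chain, size_t n)
{
    return (ctx->verify_mode == VERIFY_PEER_MODEL && ctx->verify_cb) ? ctx->verify_cb(ctx, chain, n) : 0;
}

/* Constructed bundle with two roots, already sorted by name (not real certificate data). */
static const uint8_t constructed_blob[] = {
    0x00, 0x02,
    0x00, 0x09, 0x00, 0x05, 'C','N','=','R','o','o','t',' ','A', 'k','e','y','-','A',
    0x00, 0x09, 0x00, 0x05, 'C','N','=','R','o','o','t',' ','B', 'k','e','y','-','B',
};

/* Returns 1 when a chain rooted in the bundle is accepted, chains with an unknown root or a
 * mismatched key are rejected, and a blob cut short inside its last entry fails to parse. */
static int demo_model(void)
{
    crt_bundle_model_t bundle = {0}, truncated = {0};
    ctx_model_t ctx = { VERIFY_NONE_MODEL, NULL, NULL };
    if (bundle_parse_model(constructed_blob, sizeof constructed_blob, &bundle)) return -1;
    if (crt_bundle_attach_model(&ctx, &bundle)) return -1;
    const cert_model_t chain_ok[] = { { "CN=www.example.test", "CN=Intermediate", "key-I", 5 },
                                      { "CN=Intermediate", "CN=Root B", "key-B", 5 } };
    const cert_model_t chain_unknown_root[] = { { "CN=www.example.test", "CN=Root C", "key-C", 5 } };
    const cert_model_t chain_wrong_key[] = { { "CN=www.example.test", "CN=Root A", "key-B", 5 } };
    int r = handshake_verify_model(&ctx, chain_ok, 2) == 1
         && handshake_verify_model(&ctx, chain_unknown_root, 1) == 0
         && handshake_verify_model(&ctx, chain_wrong_key, 1) == 0
         && bundle_parse_model(constructed_blob, sizeof constructed_blob - 3, &truncated) == -1;
    free(bundle.crts);
    return r;
}
```

In a real esp-tls client the only application-visible piece is the line the description gives, esp_tls_cfg_t cfg = { .crt_bundle_attach = esp_crt_bundle_attach }; the context and callback plumbing modelled above is what that pointer triggers inside esp_tls_wolfssl.c. Two things worth checking in a port like this: the callback must reject, not skip, a chain whose top issuer is absent from the bundle (a callback that returns 1 on lookup failure turns VERIFY_PEER into no verification at all), and because WOLFSSL_ASN_ALLOW_0_SERIAL is a compile-time define in user_settings.h it applies to every certificate wolfSSL parses, not only the bundled roots.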