Merge branch 'feature/enable_secure_element_for_https_server' into 'master'

esp_https_server: Enable secure element support. Closes IDFGH-6650 See merge request espressif/esp-idf!17613
2024-10-05 20:47:46 -04:00 · 2022-03-29 14:51:10 +08:00 · 2022-03-29 14:51:10 +08:00 · f178d69b89
commit f178d69b89
parent d3f75c52d6 4c58685c00
4 changed files with 59 additions and 13 deletions
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@ -251,6 +251,10 @@ typedef struct esp_tls_cfg_server {
    unsigned int serverkey_password_len;        /*!< String length of the password pointed to by
                                                     serverkey_password */

+    bool use_secure_element;                    /*!< Enable this option to use secure element or
+                                                 atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */
+
+
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
    esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
                                                    You have to call esp_tls_cfg_server_session_tickets_init
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -33,7 +33,7 @@
 #include "cryptoauthlib.h"
 static const atcacert_def_t *cert_def = NULL;
 /* Prototypes for functions */
-static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg);
+static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */

 #if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
@ -512,7 +512,28 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
    }

-    if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
+    if (cfg->use_secure_element) {
+#ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
+        esp_tls_pki_t pki = {
+            .public_cert = &tls->servercert,
+            .pk_key = &tls->serverkey,
+            .publiccert_pem_buf = cfg->servercert_buf,
+            .publiccert_pem_bytes = cfg->servercert_bytes,
+            .privkey_pem_buf = NULL,
+            .privkey_pem_bytes = 0,
+            .privkey_password = NULL,
+            .privkey_password_len = 0,
+        };
+
+        ret = esp_set_atecc608a_pki_context(tls, (void*) &pki);
+        if (ret != ESP_OK) {
+            return ret;
+        }
+#else
+        ESP_LOGE(TAG, "Please enable secure element support for ESP-TLS in menuconfig");
+        return ESP_FAIL;
+#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
+    } else if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
        esp_tls_pki_t pki = {
            .public_cert = &tls->servercert,
            .pk_key = &tls->serverkey,
@ -662,7 +683,17 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t

    if (cfg->use_secure_element) {
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
-        ret = esp_set_atecc608a_pki_context(tls, (esp_tls_cfg_t *)cfg);
+        esp_tls_pki_t pki = {
+            .public_cert = &tls->clientcert,
+            .pk_key = &tls->clientkey,
+            .publiccert_pem_buf = cfg->clientcert_buf,
+            .publiccert_pem_bytes = cfg->clientcert_bytes,
+            .privkey_pem_buf = NULL,
+            .privkey_pem_bytes = 0,
+            .privkey_password = NULL,
+            .privkey_password_len = 0,
+        };
+        ret = esp_set_atecc608a_pki_context(tls, (void*) &pki);
        if (ret != ESP_OK) {
            return ret;
        }
@ -837,7 +868,7 @@ static esp_err_t esp_init_atecc608a(uint8_t i2c_addr)
    return ESP_OK;
 }

-static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cfg)
+static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki)
 {
    int ret = 0;
    esp_err_t esp_ret = ESP_FAIL;
@ -878,7 +909,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cf
    mbedtls_x509_crt_init(&tls->clientcert);

    if(cfg->clientcert_buf != NULL) {
-        ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)cfg->clientcert_buf, cfg->clientcert_bytes);
+        ret = mbedtls_x509_crt_parse(&tls->clientcert, (const unsigned char*)((esp_tls_pki_t *)pki->publiccert_pem_buf), (esp_tls_pki_t *)pki->publiccert_pem_bytes);
        if (ret < 0) {
            ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%04X", -ret);
            mbedtls_print_error_msg(ret);
@ -905,6 +936,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, esp_tls_cfg_t *cf
        ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
        return ESP_ERR_ESP_TLS_SE_FAILED;
    }
+
    return ESP_OK;
 }
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
--- a/components/esp_https_server/include/esp_https_server.h
+++ b/components/esp_https_server/include/esp_https_server.h
@ -80,6 +80,9 @@ struct httpd_ssl_config {
    /** Enable tls session tickets */
    bool session_tickets;

+    /** Enable secure element for server session */
+    bool use_secure_element;
+
    /** User callback for esp_https_server */
    esp_https_server_user_cb *user_cb;
 };
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@ -181,6 +181,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con

    ssl_ctx->tls_cfg = cfg;
    ssl_ctx->user_cb = config->user_cb;
+
 /* cacert = CA which signs client cert, or client cert itself */
    if(config->cacert_pem != NULL) {
        cfg->cacert_buf = (unsigned char *)malloc(config->cacert_len);
@ -193,6 +194,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
        memcpy((char *)cfg->cacert_buf, config->cacert_pem, config->cacert_len);
        cfg->cacert_bytes = config->cacert_len;
    }
+
 /* servercert = cert of server itself */
    cfg->servercert_buf = (unsigned char *)malloc(config->servercert_len);
    if (!cfg->servercert_buf) {
@ -205,15 +207,20 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
    memcpy((char *)cfg->servercert_buf, config->servercert, config->servercert_len);
    cfg->servercert_bytes = config->servercert_len;

-    cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
-    if (!cfg->serverkey_buf) {
-        ESP_LOGE(TAG, "Could not allocate memory");
-        free((void *)cfg->servercert_buf);
-        free((void *)cfg->cacert_buf);
-        free(cfg);
-        free(ssl_ctx);
-        return NULL;
+    /* Pass on secure element boolean */
+    cfg->use_secure_element = config->use_secure_element;
+    if (!cfg->use_secure_element) {
+        cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
+        if (!cfg->serverkey_buf) {
+            ESP_LOGE(TAG, "Could not allocate memory");
+            free((void *)cfg->servercert_buf);
+            free((void *)cfg->cacert_buf);
+            free(cfg);
+            free(ssl_ctx);
+            return NULL;
+        }
    }
+
    memcpy((char *)cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
    cfg->serverkey_bytes = config->prvtkey_len;