
Certificate bundle upgrade (IDFGH-12148) #13204

Open · wants to merge 3 commits into base: master
Conversation

BitsForPeople
Contributor

Modified gen_crt_bundle.py and esp_crt_bundle.c to build/use a static 'index' of the certificates in a bundle and include this index data in the bundle data.
This obviates the need for esp_crt_bundle.c to allocate heap memory and build the index at runtime, saving ~120x4 bytes of heap for the full/'unfiltered' bundle.
Changed "mbedtls_x509_crt parent" in esp_crt_check_signature() to "mbedtls_pk_context pubkey" to save some 200 bytes of stack requirement.

…/esp-idf into crt_bundle_upgrade

# Conflicts:
#	components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
#	components/mbedtls/esp_crt_bundle/gen_crt_bundle.py

Warnings
⚠️

Some issues found for the commit messages in this PR:

  • the commit message "Reduced RAM & stack use of cert bundle":
    • summary looks empty
    • type/action looks empty
  • the commit message "Reduced RAM & stack use of cert bundle":
    • summary looks empty
    • type/action looks empty

Please fix these commit messages - here are some basic tips:

  • follow Conventional Commits style
  • correct format of commit message should be: <type/action>(<scope/component>): <summary>, for example fix(esp32): Fixed startup timeout issue
  • allowed types are: change,ci,docs,feat,fix,refactor,remove,revert,test
  • sufficiently descriptive message summary should be between 20 to 72 characters and start with upper case letter
  • avoid Jira references in commit messages (unavailable/irrelevant for our customers)

TIP: Install pre-commit hooks and run this check when committing (uses the Conventional Precommit Linter).

Messages
📖 You might consider squashing your 3 commits (simplifying branch history).

👋 Hello BitsForPeople, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.



This automated output is generated by the PR linter DangerJS, which checks whether your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- Resolve all warnings (⚠️ ) before requesting a review from human reviewers - they will appreciate it.
- Addressing info messages (📖) is strongly recommended; they're less critical but valuable.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is a public mirror of our internal git repository.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests it is merged into the default branch.
6. On the next sync from the internal git repository the merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against c38b75f

@espressif-bot espressif-bot added the Status: Opened Issue is new label Feb 18, 2024
@github-actions github-actions bot changed the title Certificate bundle upgrade Certificate bundle upgrade (IDFGH-12148) Feb 18, 2024
@espressif-bot espressif-bot added Status: In Progress Work is in progress and removed Status: Opened Issue is new labels Feb 28, 2024
@Harshal5
Collaborator

Harshal5 commented Mar 5, 2024

Hello @BitsForPeople,

It looks like you have made some changes in the mbedtls submodule too. Could you please confirm the changes that were needed in it? Also, it would be preferred if the submodule changes could be avoided as I think this certificate bundle format change would not need changes in the submodule itself.

@BitsForPeople
Contributor Author

BitsForPeople commented Mar 7, 2024

Hello @Harshal5 .
You're right in that no changes to mbedtls itself are needed. - And nothing in mbedtls should actually be included in this PR.
Is the PR salvageable? What can I do?

@Harshal5
Collaborator

@BitsForPeople Also I think we could squash the three commits into one. You could follow the below steps:

  1. Soft reset the three commits using the command: git reset --soft c38b75fa31b2861ff8a037597c7abd2b05a5b7e1^
  2. Then restore the staged mbedtls changes using the command: git restore --staged components/mbedtls/mbedtls
  3. Now, the mbedtls changes need to be reset. Change directory to the mbedtls submodule and reset the changes using the following commands:
     cd components/mbedtls/mbedtls
     git reset --hard HEAD
  4. Finally move back to the ESP-IDF git directory and commit the changes using git commit and maybe you could use the commit message as "feat(mbedtls/crt_bundle): Store cert indices to reduce memory usage".

Let me know in case you feel this is a bit complicated, I would be happy to help you by carrying this out myself.

@BitsForPeople
Contributor Author

@Harshal5, thank you for providing the steps. Didn't work unfortunately, been having issues with git on my (Windows) machine for some time.
Would you be so kind and 'fix' the PR?

@Harshal5
Collaborator

sha=c38b75fa31b2861ff8a037597c7abd2b05a5b7e1

@Harshal5 Harshal5 added PR-Sync-Merge Pull request sync as merge commit and removed PR-Sync-Merge Pull request sync as merge commit labels Mar 13, 2024
Comment on lines +207 to +214
    // Issuers are in DER encoding, with lengths encoded in the content; if valid DER, differing lengths
    // are reflected in differing content.
    // Still, we won't try to memcmp beyond the given length:
    int cmp_res = memcmp(issuer, esp_crt_get_name(cert), min(issuer_len, cert_name_len) );

    if ( unlikely( cmp_res == 0 ) ) {
        cmp_res = (int)issuer_len - cert_name_len;
        if( likely( cmp_res >= 0 ) ) {

Hi @BitsForPeople, could you please explain why we allow the issuer name to be longer than the found certificate name? Do you have any example wherein this would be needed?

We think due to this, an incorrect certificate could get matched if the name of another certificate is a prefix of the name of the certificate we're looking for. What do you think?


Hi @Harshal5.
I'm actually not sure anymore why I did a >= 0 here, t.b.h. Specifically, I can't remember seeing a case where this would be needed.
Reviewing it now, I believe you are right: If one cert's name would be a prefix of another cert's name in a bundle, we might (in theory) pick the wrong cert.
I think changing it to == 0 should work.

Sorry for seemingly not getting back to this PR until now. I spent a few hours trying to fix the issue of the unrelated mbedtls files in the PR but could not for the life of me get my working tree back to a consistent state with a clean PR.
Is there something you can do with the PR on your end?
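The two points discussed on this page, a bundle that ships its own static index so no heap is needed to look certificates up (the PR description) and the issuer-name comparison questioned in the review thread (`cmp_res >= 0` versus `cmp_res == 0`), are illustrated together in the following added example. It is not code from the PR or from ESP-IDF: the index layout (`bundle_index_entry_t`, `crt_bundle_t`), the linear scan in `find_issuer`, and the two-entry sample bundle are this example's own constructed assumptions, chosen so that one stored name is a byte prefix of another.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a certificate bundle that carries a static index:
 * each entry records where its name and certificate bytes live in the data
 * blob, so a lookup needs no heap-allocated index at runtime.
 * Field names and layout are assumptions of this example, not ESP-IDF's format. */
typedef struct {
    uint16_t name_len;   /* length of the issuer/subject name bytes */
    uint16_t cert_len;   /* length of the certificate bytes that follow the name */
    uint32_t offset;     /* byte offset of name||cert within the data blob */
} bundle_index_entry_t;

typedef struct {
    const bundle_index_entry_t *index;
    size_t count;
    const uint8_t *data;
} crt_bundle_t;

/* Constructed sample bundle: entry 0's name is a strict prefix of entry 1's name. */
static const uint8_t BUNDLE_DATA[] =
    "CN=Root CA"   "C0"     /* entry 0: name (10 bytes) + certificate payload (2 bytes) */
    "CN=Root CA 2" "C1";    /* entry 1: name (12 bytes) + certificate payload (2 bytes) */

static const bundle_index_entry_t BUNDLE_INDEX[] = {
    { .name_len = 10, .cert_len = 2, .offset = 0  },
    { .name_len = 12, .cert_len = 2, .offset = 12 },
};

static const crt_bundle_t BUNDLE = { BUNDLE_INDEX, 2, BUNDLE_DATA };

static const uint8_t *bundle_entry_name(const crt_bundle_t *b, size_t i)
{
    return b->data + b->index[i].offset;
}

/* Linear scan over the index comparing the wanted issuer name against each stored name.
 * Only the bytes both names have are memcmp'd (never beyond the shorter length); the
 * length difference then decides. accept_prefix selects the comparison discussed in
 * the review: nonzero reproduces "cmp_res >= 0" (an issuer longer than the stored name
 * still matches), zero applies the "cmp_res == 0" fix (lengths must be equal).
 * Returns the index of the matched entry, or -1 if none. */
static int find_issuer(const crt_bundle_t *b, const uint8_t *issuer, size_t issuer_len,
                       int accept_prefix)
{
    for (size_t i = 0; i < b->count; i++) {
        size_t name_len = b->index[i].name_len;
        size_t n = issuer_len < name_len ? issuer_len : name_len;
        int cmp_res = memcmp(issuer, bundle_entry_name(b, i), n);
        if (cmp_res == 0) {
            cmp_res = (int)issuer_len - (int)name_len;
            int matched = accept_prefix ? (cmp_res >= 0) : (cmp_res == 0);
            if (matched) {
                return (int)i;
            }
        }
    }
    return -1;
}

/* Lookup with the comparison as questioned in the review (">= 0"). */
int lookup_prefix(const char *issuer)
{
    return find_issuer(&BUNDLE, (const uint8_t *)issuer, strlen(issuer), 1);
}

/* Lookup with the exact-length comparison ("== 0"). */
int lookup_exact(const char *issuer)
{
    return find_issuer(&BUNDLE, (const uint8_t *)issuer, strlen(issuer), 0);
}

int main(void)
{
    const char *wanted = "CN=Root CA 2";
    printf("'%s' with >= 0 : entry %d (prefix entry 0 is wrongly matched)\n", wanted, lookup_prefix(wanted));
    printf("'%s' with == 0 : entry %d\n", wanted, lookup_exact(wanted));
    printf("'CN=Root' with == 0 : entry %d (no match)\n", lookup_exact("CN=Root"));
    return 0;
}
```

Because the scan returns on the first hit, the shorter name that happens to be a prefix is accepted under the `>= 0` rule before the exact entry is ever reached, which is the mismatch the reviewer describes; with the `== 0` rule the prefix entry is skipped and only the entry of identical length and content is returned.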
