mqtt: Add support for Digital Signature (through ESP-TLS)

Digital Signature enables hardware accelerated RSA signature
for TLS handshake.The RSA private key(client key) is also stored in
encrypted format and ecryption key is stored in hardware(efuse) which adds
additional level of security for mutual authentication.
* Digital Signature is only supported for ESP32-S2.

Applicable IDF version >= v4.3

include/mqtt_client.h

@@ -14,6 +14,9 @@
 
 #include "mqtt_config.h"
 #include "esp_event.h"
+#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+#include "rsa_sign_alt.h"
+#endif
 
 #ifdef __cplusplus
 extern "C" {
@@ -184,6 +187,7 @@ typedef struct {
     int out_buffer_size;                    /*!< size of MQTT output buffer. If not defined, both output and input buffers have the same size defined as ``buffer_size`` */
     bool skip_cert_common_name_check;       /*!< Skip any validation of server certificate CN field, this reduces the security of TLS and makes the mqtt client susceptible to MITM attacks  */
     bool use_secure_element;                /*!< enable secure element for enabling SSL connection */
+    void *ds_data;                          /*!< carrier of handle for digital signature parameters */
 } esp_mqtt_client_config_t;
 
 /**

include/mqtt_supported_features.h

@@ -53,5 +53,10 @@
 #define MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT
 #endif
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 3, 0)
+// Features supported in 4.3
+#define MQTT_SUPPORTED_FEATURE_DIGITAL_SIGNATURE
+#endif
+
 #endif /* ESP_IDF_VERSION */
 #endif // _MQTT_SUPPORTED_FEATURES_H_

mqtt_client.c

@@ -82,6 +82,7 @@ typedef struct {
     const struct psk_key_hint *psk_hint_key;
     bool skip_cert_common_name_check;
     bool use_secure_element;
+    void *ds_data;
 } mqtt_config_storage_t;
 
 typedef enum {
@@ -222,6 +223,20 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
         goto esp_mqtt_set_transport_failed;
 #endif /* MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT */
     }
+
+    if(cfg->ds_data != NULL) {
+#ifdef MQTT_SUPPORTED_FEATURE_DIGITAL_SIGNATURE
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+        esp_transport_ssl_set_ds_data(ssl, cfg->ds_data);
+#else
+        ESP_LOGE(TAG, "Digital Signature not enabled for esp-tls in menuconfig");
+        goto esp_mqtt_set_transport_failed;
+#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
+#else
+        ESP_LOGE(TAG, "Digital Signature feature is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif
+    }
     ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_CERT, cfg->clientcert_buf, cfg->clientcert_bytes),
                  goto esp_mqtt_set_transport_failed);
     ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_KEY, cfg->clientkey_buf, cfg->clientkey_bytes),
@@ -473,6 +488,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     cfg->psk_hint_key = config->psk_hint_key;
     cfg->skip_cert_common_name_check = config->skip_cert_common_name_check;
     cfg->use_secure_element = config->use_secure_element;
+    cfg->ds_data = config->ds_data;
 
     if (config->clientkey_password && config->clientkey_password_len) {
         cfg->clientkey_password_len = config->clientkey_password_len;