ssl_server_cert: Use mbedtls certificate bundle for server authentica…

…tion

Instead of using 1 or 2 certificates for server authentication, use a
bundle of commonly used server certificates, so that even if the server
moves to a different signing authority, the device connection is not
affected.

This change has been done for claiming, OTA and MQTT certificates.

components/esp_rainmaker/Kconfig.projbuild

@@ -132,6 +132,15 @@ menu "ESP RainMaker Config"
         default 0 if ESP_RMAKER_CONSOLE_UART_NUM_0
         default 1 if ESP_RMAKER_CONSOLE_UART_NUM_1
 
+    config ESP_RMAKER_USE_CERT_BUNDLE
+        bool "Use Certificate Bundle"
+        default y
+        select ESP_RMAKER_MQTT_USE_CERT_BUNDLE
+        help
+            Use Certificate Bundle for server authentication. Enabling this is recommended to safeguard
+            against any changes in the server certificates in future. This has an impact on the binary
+            size as well as heap requirement.
+
     menu "ESP RainMaker OTA Config"
 
         config ESP_RMAKER_OTA_AUTOFETCH

components/esp_rainmaker/src/core/esp_rmaker_claim.c

@@ -54,6 +54,21 @@
 #include "esp_rmaker_client_data.h"
 #include "esp_rmaker_claim.h"
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 4, 0)
+// Features supported in 4.4+
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#define ESP_RMAKER_USE_CERT_BUNDLE
+#include <esp_crt_bundle.h>
+#endif
+
+#else
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#warning "Certificate Bundle not supported below IDF v4.4. Using provided certificate instead."
+#endif
+
+#endif /* !IDF4.4 */
 
 static const char *TAG = "esp_claim";
 
@@ -370,7 +385,11 @@ static esp_err_t esp_rmaker_claim_perform_common(esp_rmaker_claim_data_t *claim_
         .url = url,
         .transport_type = HTTP_TRANSPORT_OVER_SSL,
         .buffer_size = 1024,
+#ifdef ESP_RMAKER_USE_CERT_BUNDLE
+        .crt_bundle_attach = esp_crt_bundle_attach,
+#else
         .cert_pem = (const char *)claim_service_server_root_ca_pem_start,
+#endif
         .skip_cert_common_name_check = false
     };
     esp_http_client_handle_t client = esp_http_client_init(&config);

components/esp_rainmaker/src/ota/esp_rmaker_ota.c

@@ -28,6 +28,21 @@
 #include <esp_rmaker_utils.h>
 #include "esp_rmaker_ota_internal.h"
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 4, 0)
+// Features supported in 4.4+
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#define ESP_RMAKER_USE_CERT_BUNDLE
+#include <esp_crt_bundle.h>
+#endif
+
+#else
+
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+#warning "Certificate Bundle not supported below IDF v4.4. Using provided certificate instead."
+#endif
+
+#endif /* !IDF4.4 */
 static const char *TAG = "esp_rmaker_ota";
 
 #define OTA_REBOOT_TIMER_SEC    10
@@ -146,7 +161,11 @@ esp_err_t esp_rmaker_ota_default_cb(esp_rmaker_ota_handle_t ota_handle, esp_rmak
     esp_err_t ota_finish_err = ESP_OK;
     esp_http_client_config_t config = {
         .url = ota_data->url,
+#ifdef CONFIG_ESP_RMAKER_USE_CERT_BUNDLE
+        .crt_bundle_attach = esp_crt_bundle_attach,
+#else
         .cert_pem = ota_data->server_cert,
+#endif
         .timeout_ms = 5000,
         .buffer_size = DEF_HTTP_RX_BUFFER_SIZE,
         .buffer_size_tx = buffer_size_tx,

examples/fan/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y

examples/gpio/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y

examples/homekit_switch/sdkconfig.defaults

@@ -12,6 +12,7 @@ CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
 CONFIG_MBEDTLS_HARDWARE_MPI=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 #LWIP
 CONFIG_LWIP_MAX_SOCKETS=16

examples/led_light/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y

examples/multi_device/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y

examples/switch/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y

examples/temperature_sensor/sdkconfig.defaults

@@ -11,6 +11,7 @@ CONFIG_PARTITION_TABLE_MD5=y
 CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT=y
 CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
 
 # For BLE Provisioning using NimBLE stack (Not applicable for ESP32-S2)
 CONFIG_BT_ENABLED=y