From e17daa5b3e7b4496d4bfc59861efd20fbde6a22a Mon Sep 17 00:00:00 2001
From: Victor Morales
Date: Fri, 1 Oct 2021 18:27:07 -0700
Subject: [PATCH] Implement Docker best practices on ESP32 image
Signed-off-by: Victor Morales
---
 ...crt_bundle-remove-EC-ACC-certificate.patch | 54 +++++++++++++++++++
 .../docker/images/chip-build-esp32/Dockerfile | 48 ++++++++---------
 integrations/docker/images/chip-build/version | 2 +-
 3 files changed, 79 insertions(+), 25 deletions(-)
 create mode 100644 integrations/docker/images/chip-build-esp32/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch
diff --git a/integrations/docker/images/chip-build-esp32/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch b/integrations/docker/images/chip-build-esp32/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch
new file mode 100644
index 00000000000000..ae3f42edb0d7c7
--- /dev/null
+++ b/integrations/docker/images/chip-build-esp32/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch
@@ -0,0 +1,54 @@
+From 4e45f13e2df72a4cb4dc875942e95775198db85c Mon Sep 17 00:00:00 2001
+From: Victor Morales
+Date: Fri, 1 Oct 2021 13:56:33 -0700
+Subject: [PATCH] esp_crt_bundle: remove EC-ACC certificate
+
+Fixes bug #7631
+---
+ .../mbedtls/esp_crt_bundle/cacrt_all.pem | 30 -------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/components/mbedtls/esp_crt_bundle/cacrt_all.pem b/components/mbedtls/esp_crt_bundle/cacrt_all.pem
+index 09b4ce16b7..a669b94fbd 100644
+--- a/components/mbedtls/esp_crt_bundle/cacrt_all.pem
++++ b/components/mbedtls/esp_crt_bundle/cacrt_all.pem
+@@ -1645,36 +1645,6 @@ tnRGEmyR7jTV7JqR50S+kDFy1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29
+ mvVXIwAHIRc/SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03
+ -----END CERTIFICATE-----
+
+-EC-ACC
+-======
+------BEGIN CERTIFICATE-----
+-MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkGA1UE
+-BhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChOSUYgUS0w
+-ODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYD
+-VQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UE
+-CxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMT
+-BkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQGEwJFUzE7
+-MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8gKE5JRiBRLTA4MDExNzYt
+-SSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBDZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZl
+-Z2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJh
+-cnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUND
+-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iK
+-w5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeT
+-ae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4
+-HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0a
+-E9jD2z3Il3rucO2n5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw
+-0JDnJwIDAQABo4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E
+-BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYD
+-VR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0
+-Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5l
+-dC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJ
+-lF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNa
+-Al6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhyRp/7SNVe
+-l+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOSAgu+TGbrIP65y7WZf+a2
+-E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6Un/10asIbvPuW/mIPX64b24D
+-5EI=
+------END CERTIFICATE-----
+-
+ Hellenic Academic and Research Institutions RootCA 2011
+ =======================================================
+ -----BEGIN CERTIFICATE-----
+--
+2.25.1
+
diff --git a/integrations/docker/images/chip-build-esp32/Dockerfile b/integrations/docker/images/chip-build-esp32/Dockerfile
index f594e1618ba63e..d2699e474e9d20 100644
--- a/integrations/docker/images/chip-build-esp32/Dockerfile
+++ b/integrations/docker/images/chip-build-esp32/Dockerfile
@@ -1,36 +1,36 @@ ARG VERSION=latest -FROM connectedhomeip/chip-build:${VERSION} +FROM connectedhomeip/chip-build:${VERSION} as build -# Setup the ESP-IDF RUN set -x \ && apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y python libgcrypt20-dev \ - && mkdir -p /opt/espressif \ - && cd /opt/espressif \ - && git clone --progress -b v4.3 https://github.com/espressif/esp-idf.git \ - && cd esp-idf \ - && git submodule update --init --progress \ - && IDF_TOOLS_PATH=/opt/espressif/tools ./install.sh \ + && DEBIAN_FRONTEND=noninteractive apt-get install -fy --no-install-recommends \ + git=1:2.25.1-1ubuntu3.2 \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/ \ + && : # last line + +RUN set -x \ + && git clone --depth 1 --recursive -b v4.3 https://github.com/espressif/esp-idf.git /tmp/esp-idf \ && : # last line -# BEGIN: PATCH BROKEN UPSTREAM -# -# After an upgrade in https://pypi.org/project/cryptography/#history -# ESP sdk starts failing when attempting to run: -# -# /opt/espressif/tools/python_env/idf4.3_py3.9_env/bin/python \ -# /opt/espressif/esp-idf/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py \ -# --input /opt/espressif/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem -q -# -# Unfortunately cryptography is brought up as ">=2.1.4" from -# /opt/espressif/esp-idf/requirements.txt, so we get an incompatible version -# Code below reverts to a known working version. 
+# TODO: Remove this patch once https://github.com/espressif/esp-idf/pull/7632 is available +COPY 0001-esp_crt_bundle-remove-EC-ACC-certificate.patch /tmp/esp-idf/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch +WORKDIR /tmp/esp-idf RUN set -x \ - && /opt/espressif/tools/python_env/idf4.3_py3.9_env/bin/pip uninstall -y cryptography \ - && /opt/espressif/tools/python_env/idf4.3_py3.9_env/bin/pip install cryptography==3.4.8 \ + && git apply /tmp/esp-idf/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch \ + && rm -f /tmp/esp-idf/0001-esp_crt_bundle-remove-EC-ACC-certificate.patch \ && : # last line -# END: PATCH BROKEN UPSTREAM + +FROM connectedhomeip/chip-build:${VERSION} ENV IDF_PATH=/opt/espressif/esp-idf/ ENV IDF_TOOLS_PATH=/opt/espressif/tools + +COPY --from=build /tmp/esp-idf /opt/espressif/esp-idf + +# Setup the ESP-IDF +WORKDIR /opt/espressif/esp-idf +RUN set -x \ + && ./install.sh \ + && : # last line diff --git a/integrations/docker/images/chip-build/version b/integrations/docker/images/chip-build/version index 50c76ef872e534..69626fb9299734 100644 --- a/integrations/docker/images/chip-build/version +++ b/integrations/docker/images/chip-build/version @@ -1 +1 @@ -0.5.10 +0.5.11
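Review bot: The new build stage's `git clone --depth 1 --recursive -b v4.3 …` trusts a tag name that upstream can move, and the CA-bundle patch is then applied with `git apply` to whatever tree that tag resolves to. Because that tree is copied into the final stage and `./install.sh` is executed from it, I would pin and verify the checkout before patching, e.g. add `&& test "$(git -C /tmp/esp-idf rev-parse HEAD)" = "<expected-v4.3-commit-sha>" \` directly after the clone. The exact pin `git=1:2.25.1-1ubuntu3.2` is fragile in the other direction: once the archive replaces that build with a security update the install will presumably fail, or the stage stays on an outdated git, so a comment explaining why git must be installed and pinned here would help. The commit also drops the old `python libgcrypt20-dev` install and the `cryptography==3.4.8` pin, which appears to rely on the base image and on floating pip resolution inside `install.sh`; that is worth confirming and noting in a comment.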