mirror of
https://github.com/espressif/esp-idf.git
synced 2026-07-13 14:33:06 +03:00
feat(esp-tls): Add unified private key interface via esp_key_config_t
Add ESP_KEY_SOURCE_BUFFER and ESP_KEY_SOURCE_PSA key sources so all hardware backends (DS, ECDSA, secure element) are accessed via PSA key IDs through a single esp_tls_cfg_t.client_key field.
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2018-2025 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2018-2026 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@@ -105,6 +105,9 @@ struct httpd_ssl_config {
|
||||
/** Private key byte length */
|
||||
size_t prvtkey_len;
|
||||
|
||||
/** Unified key config. Takes precedence over prvtkey_pem when set */
|
||||
const esp_key_config_t *server_key;
|
||||
|
||||
/** Use ECDSA peripheral to use private key */
|
||||
bool use_ecdsa_peripheral;
|
||||
|
||||
@@ -129,9 +132,6 @@ struct httpd_ssl_config {
|
||||
/** Enable tls session tickets */
|
||||
bool session_tickets;
|
||||
|
||||
/** Enable secure element for server session */
|
||||
bool use_secure_element;
|
||||
|
||||
/** User callback for esp_https_server */
|
||||
esp_https_server_user_cb *user_cb;
|
||||
|
||||
@@ -227,7 +227,6 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
|
||||
.port_secure = 443, \
|
||||
.port_insecure = 80, \
|
||||
.session_tickets = false, \
|
||||
.use_secure_element = false, \
|
||||
.user_cb = NULL, \
|
||||
.ssl_userdata = NULL, \
|
||||
.cert_select_cb = NULL, \
|
||||
|
||||
@@ -348,48 +348,47 @@ static esp_err_t create_secure_context(const struct httpd_ssl_config *config, ht
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Pass on secure element boolean */
|
||||
cfg->use_secure_element = config->use_secure_element;
|
||||
if (!cfg->use_secure_element) {
|
||||
if (config->use_ecdsa_peripheral) {
|
||||
if (config->use_ecdsa_peripheral) {
|
||||
#ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
|
||||
(*ssl_ctx)->tls_cfg->use_ecdsa_peripheral = config->use_ecdsa_peripheral;
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_key_efuse_blk = config->ecdsa_key_efuse_blk;
|
||||
(*ssl_ctx)->tls_cfg->use_ecdsa_peripheral = config->use_ecdsa_peripheral;
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_key_efuse_blk = config->ecdsa_key_efuse_blk;
|
||||
#if SOC_ECDSA_SUPPORT_CURVE_P384
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_key_efuse_blk_high = config->ecdsa_key_efuse_blk_high;
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_key_efuse_blk_high = config->ecdsa_key_efuse_blk_high;
|
||||
#endif
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_curve = config->ecdsa_curve;
|
||||
(*ssl_ctx)->tls_cfg->ecdsa_curve = config->ecdsa_curve;
|
||||
#else
|
||||
ESP_LOGE(TAG, "Please enable the support for signing using ECDSA peripheral in menuconfig.");
|
||||
ret = ESP_ERR_NOT_SUPPORTED;
|
||||
goto exit;
|
||||
ESP_LOGE(TAG, "Please enable the support for signing using ECDSA peripheral in menuconfig.");
|
||||
ret = ESP_ERR_NOT_SUPPORTED;
|
||||
goto exit;
|
||||
#endif
|
||||
} else if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) {
|
||||
cfg->serverkey_buf = malloc(config->prvtkey_len);
|
||||
} else if (config->server_key != NULL) {
|
||||
/* Unified key config - pass directly to esp_tls */
|
||||
cfg->server_key = config->server_key;
|
||||
} else if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) {
|
||||
cfg->serverkey_buf = malloc(config->prvtkey_len);
|
||||
|
||||
if (cfg->serverkey_buf) {
|
||||
memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
|
||||
cfg->serverkey_bytes = config->prvtkey_len;
|
||||
} else {
|
||||
ESP_LOGE(TAG, "Could not allocate memory for server key");
|
||||
ret = ESP_ERR_NO_MEM;
|
||||
goto exit;
|
||||
}
|
||||
if (cfg->serverkey_buf) {
|
||||
memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
|
||||
cfg->serverkey_bytes = config->prvtkey_len;
|
||||
} else {
|
||||
ESP_LOGE(TAG, "Could not allocate memory for server key");
|
||||
ret = ESP_ERR_NO_MEM;
|
||||
goto exit;
|
||||
}
|
||||
} else {
|
||||
#if defined(CONFIG_ESP_HTTPS_SERVER_CERT_SELECT_HOOK)
|
||||
if (config->cert_select_cb == NULL) {
|
||||
ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present");
|
||||
ret = ESP_ERR_INVALID_ARG;
|
||||
goto exit;
|
||||
} else {
|
||||
ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook");
|
||||
}
|
||||
#else
|
||||
ESP_LOGE(TAG, "No Server key supplied");
|
||||
if (config->cert_select_cb == NULL) {
|
||||
ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present");
|
||||
ret = ESP_ERR_INVALID_ARG;
|
||||
goto exit;
|
||||
#endif
|
||||
} else {
|
||||
ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook");
|
||||
}
|
||||
#else
|
||||
ESP_LOGE(TAG, "No Server key supplied");
|
||||
ret = ESP_ERR_INVALID_ARG;
|
||||
goto exit;
|
||||
#endif
|
||||
}
|
||||
|
||||
return ret;
|
||||
|
||||
Reference in New Issue
Block a user