I'm using NVS for certificates providing to HTTPS server, and NVS files are generated by mfg_gen.py script.
The certificate files are OK, but after adding it into NVS file with further loading on ESP32, I see certificate and some bloat symbols.
Additionally, I see the cert length on ESP32 loaded from NVS different with original cert length. The same situation with key.
Could you please help to solve this issue?
P.S. Embedding certificate into firmware directly is not eligible for me, it's needed for mass manufacture files generation
Certificate file in attachments
Logs and codes:
Certificate is loaded, but some bloat symbols and errors when client tries to connect to ESP32 HTTPS server:
Code: Select all
I (00:00:02.767) HTTPS Server: Starting server
I (00:00:02.794) STORAGE: Loaded cert:
-----BEGIN CERTIFICATE-----
MIIFPzCCAyegAwIBAgICEBwwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBlJ1c3NpYTETMBEGA1UECgwKR3JvbGxpIEx0ZDE8MDoGA1UEAwwz
R3JvbGxpIEx0ZCBJbnRlcm1lZGlhdGUgQ0EgZm9yIGRldmljZSBIVFRQUyBzZXJ2
ZXJzMB4XDTIyMDUxNDE3MDUzNloXDTMyMDUxMTE3MDUzNlowgZAxCzAJBgNVBAYT
AlJVMQ8wDQYDVQQIDAZSdXNzaWExDzANBgNVBAcMBlJ1c3NpYTEsMCoGA1UECgwj
R3JvbGxpIEx0ZCBIVFRQUyBzZXJ2ZXIgY2VydGlmaWNhdGUxEzARBgNVBAsMCkdy
b2xsaSBMdGQxHDAaBgNVBAMME2dyb2xsaS1hYmMwMTMubG9jYWwwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAMB9CDP1GDbnx0LvWA0wCLPqX/u2zExqGv+3F6Sw
aGGaMwVKhMONBHonkKF6J03ASobqpsn4gNDZ1hEftZP0qpJuwre0nSK/pC8RhwHQ
u2glGsKUeefpZKB/aaWPsHwDS/qdge+0qTl25uy65TcK7VM62peBwz2XbtaV7Kd6
GgUHAgMBAAGjggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAz
BglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmlj
YXRlMB0GA1UdDgQWBBSqW1r5nH4VYHfhh6lPPRKrKT59djCBpQYDVR0jBIGdMIGa
gBTYKy5/MTDdRdxXMxZu40hgZw+Pe6F+pHwwejELMAkGA1UEBhMCUlUxDzANBgNV
BAgMBlJ1c3NpYTEPMA0GA1UEBwwGUnVzc2lhMRMwEQYDVQQKDApHcm9sbGkgTHRk
MTQwMgYDVQQDDCtHcm9sbGkgTHRkIFJvb3QgQ0EgZm9yIGRldmljZSBIVFRQUyBz
ZXJ2ZXJzggIQATAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
DQYJKoZIhvcNAQELBQADggIBAAHUXMwwQLOHp/SUmd0zwWOzFnVYzYJupMMZuV2c
fH7JbVXAZGBnmNdIboy0VoY7NJtco7j1fj5/nzn/xhAsMBFFDVUh1VA4e8LtLOWZ
g7oJriBQOSaofgwYRJL8QR5SeIxNiEbGq8KDKqAnAA4+Ss3uj8xzRKRgHf4OG6di
xI8MUmkIXKxuIYo+EeAEVO1R4Ep9cWUXetFWnyTeipOiD95IK6OU9Xp0cKGEtbLC
nWpA7GvIEmtrXudRdJ/HP8tCgim50SxmG1bCztIPdGd65p/hhqdsvrApVaElbpGM
iyFAyA600WGTUKpekdmnHmCunS14yk6vuP5FGojt+M98cpUZjQAdp9P9D9hDanpC
LiJuz4+mtpUJ7UY3tVBrfGEefT+1qhPHOcK2oxm4xSOQNgdk8/mggV6ttcl0ACln
Fsnrv3iTsaHPbDF8a3oDS9q7Yk1a4OXmngTXoS8rnggeu0wMm7WHRUB2k7Nr0W0H
z9duzZq0QngovuPL2wSzSz6+haawtvvlgYiuzNy/+D8V84WUKyu7GBuOyVWTMxtn
HmkMxURLJx/ONppxKPyHeRm4uYNVDzf5Ry/EHrG+Eq8t9nsfWK2spIYOZli2Azga
wyO/MD4OKoBOyC3RfbTEJWRbHry6rriX3tU3hbRG3kuydJzSkRlaKhyev9yIyy2c
qAdO
-----END CERTIFICATE-----
?
Length: 1880
-------------------------------
I (00:00:51.396) esp_https_server: performing session handshake
E (00:00:51.399) esp-tls-mbedtls: mbedtls_x509_crt_parse returned -0x2180
E (00:00:51.400) esp-tls-mbedtls: Failed to set server pki context
E (00:00:51.407) esp-tls-mbedtls: Failed to set server configurations, returned [0x8015] (ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED)
E (00:00:51.419) esp-tls-mbedtls: create_ssl_handle failed, returned [0x8015] (ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED)
E (00:00:51.430) esp_https_server: esp_tls_create_server_session failed
W (00:00:51.440) httpd: httpd_accept_conn: session creation failed
W (00:00:51.445) httpd: httpd_server: error accepting new connection
Part of mfg_config.csv
Code: Select all
certs_ns,namespace,
https_cert,file,binary
https_key,file,binary
- typedef struct {
- unsigned char https_server_cert[3072];
- uint32_t https_server_cert_len;
- unsigned char https_server_key[3072];
- uint32_t https_server_key_len;
- unsigned char ota_root_cert[2048];
- uint32_t ota_root_cert_len;
- } device_certs;
- unsigned char * getBlobNVSValue(nvs_handle_t handler, const char* key, unsigned char * default_value) {
- unsigned char * out = default_value;
- size_t required_size;
- esp_err_t err;
- err = nvs_get_blob(handler, key, NULL, &required_size);
- if (err) return out;
- unsigned char value[required_size];
- err = nvs_get_blob(handler, key, value, &required_size);
- if (err) return out;
- out = value;
- return out;
- }
- device_certs readDeviceCertsFromNVS() {
- device_certs out;
- out.https_server_cert_len = 0;
- out.https_server_key_len = 0;
- out.ota_root_cert_len = 0;
- flush_string((char *)out.https_server_cert, 3072);
- flush_string((char *)out.https_server_key, 3072);
- nvs_handle_t my_handle;
- esp_err_t err = nvs_open(CERTS_NAMESPACE, NVS_READWRITE, &my_handle);
- if (err != ESP_OK) {
- ESP_LOGE(STORAGE_TAG, "Error (%s) opening NVS handle to obtain certs!", esp_err_to_name(err));
- } else {
- //printf("Done\n");
- ESP_LOGD(STORAGE_TAG, "Done opening storage for %s, reading", CERTS_NAMESPACE);
- strcpy((char *)out.https_server_cert, (const char *)getBlobNVSValue(my_handle, HTTPS_SERVER_CERT, (unsigned char *)""));
- strcpy((char *)out.https_server_key, (const char *)getBlobNVSValue(my_handle, HTTPS_SERVER_KEY, (unsigned char *)""));
- //strcpy((char *)out.https_server_cert, getStringNVSValue(my_handle, HTTPS_SERVER_CERT, (const char *)""));
- //strcpy((char *)out.https_server_key, getStringNVSValue(my_handle, HTTPS_SERVER_KEY, (const char *)""));
- strcpy((char *)out.ota_root_cert, (const char *)getBlobNVSValue(my_handle, OTA_ROOT_CERT, (unsigned char *)""));
- out.https_server_cert_len = strlen((const char *)out.https_server_cert);
- out.https_server_key_len = strlen((const char *)out.https_server_key);
- out.ota_root_cert_len = strlen((const char *)out.ota_root_cert);
- // Close
- nvs_close(my_handle);
- }
- ESP_LOGD(STORAGE_TAG, "Got certs lengths: HTTPS server cert %u key %u OTA root cert %u", out.https_server_cert_len, out.https_server_key_len, out.ota_root_cert_len);
- ESP_LOGI(STORAGE_TAG, "Loaded cert: \n%s\nLength: %d", out.https_server_cert, out.https_server_cert_len);
- ESP_LOGI(STORAGE_TAG, "Loaded key: \n%s\nLength: %d", out.https_server_key, out.https_server_key_len);
- return out;
- }