Get the CSR

esp32_device/main/crypto.c

@@ -2,6 +2,7 @@
 #include "system.h"
 #include "constants.h"
 #include "storage.h"
+#include "dev_name.h"
 
 #include <string.h>
 #include <mbedtls/build_info.h>
@@ -11,6 +12,7 @@
 #include <mbedtls/ecdsa.h>
 #include <mbedtls/sha256.h>
 #include <mbedtls/pk.h>
+#include <mbedtls/x509_csr.h>
 
 #define ECPARAMS MBEDTLS_ECP_DP_SECP256R1
 
@@ -80,6 +82,10 @@ bool crypto_gen_priv_key()
     storage_set_priv_key(key_buff + PRV_KEY_DER_MAX_BYTES - ret, ret);
     free(key_buff);
 
+    mbedtls_pk_free(&key);
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+    mbedtls_entropy_free(&entropy);
+
     return true;
 }
 
@@ -105,6 +111,7 @@ void crypto_print_priv_key()
                        (unsigned int)-ret);
         reboot();
     }
+    free(key_buff);
 
     printf("Show private key\n");
     unsigned char *out = malloc(16000);
@@ -119,5 +126,64 @@ void crypto_print_priv_key()
     printf("%s", out);
     free(out);
 
-    free(key_buff);
+    mbedtls_pk_free(&key);
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+    mbedtls_entropy_free(&entropy);
 }
+
+char *crypto_get_csr()
+{
+    int ret;
+
+    unsigned char *key_buff = malloc(PRV_KEY_DER_MAX_BYTES);
+    size_t key_len = storage_get_priv_key(key_buff);
+    assert(key_len > 0);
+
+    mbedtls_pk_context key;
+    mbedtls_pk_init(&key);
+
+    mbedtls_entropy_context entropy;
+    mbedtls_ctr_drbg_context ctr_drbg;
+    seed_ctr_drbg_context(&entropy, &ctr_drbg);
+
+    printf("Parse private key (len = %d)\n", key_len);
+    if ((ret = mbedtls_pk_parse_key(&key, key_buff, key_len, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg)) != 0)
+    {
+        mbedtls_printf(" failed\n  !  mbedtls_pk_parse_key returned -0x%04x",
+                       (unsigned int)-ret);
+        reboot();
+    }
+    free(key_buff);
+
+    // Create CSR
+    mbedtls_x509write_csr req;
+    mbedtls_x509write_csr_init(&req);
+    mbedtls_x509write_csr_set_md_alg(&req, MBEDTLS_MD_SHA256);
+
+    char subj[DEV_NAME_LEN + 4];
+    char *n = dev_name();
+    sprintf(subj, "CN=%s", n);
+    free(n);
+    if ((ret = mbedtls_x509write_csr_set_subject_name(&req, subj)) != 0)
+    {
+        mbedtls_printf(" failed\n  !  mbedtls_x509write_csr_set_subject_name returned %d", ret);
+        reboot();
+    }
+
+    printf("Sign CSR with private key\n");
+    mbedtls_x509write_csr_set_key(&req, &key);
+
+    char *csr = malloc(4096);
+    if ((ret = mbedtls_x509write_csr_pem(&req, (u_char *)csr, 4096, mbedtls_ctr_drbg_random, &ctr_drbg)) < 0)
+    {
+        mbedtls_printf(" failed\n  !  mbedtls_x509write_csr_pem returned %d", ret);
+        reboot();
+    }
+
+    mbedtls_x509write_csr_free(&req);
+    mbedtls_pk_free(&key);
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+    mbedtls_entropy_free(&entropy);
+
+    return csr;
+}

esp32_device/main/crypto.h

@@ -23,6 +23,14 @@ extern "C"
      */
     void crypto_print_priv_key();
 
+    /**
+     * Get CSR
+     *
+     * @return NULL in case of failure or a buffer that must be
+     * freed in case of success
+     */
+    char *crypto_get_csr();
+
 #ifdef __cplusplus
 }
 #endif

esp32_device/main/main.c

@@ -32,5 +32,9 @@ void app_main(void)
     printf("Device private key:\n");
     crypto_print_priv_key();
 
+    char *csr = crypto_get_csr();
+    printf("Current CSR:\n%s\n", csr);
+    free(csr);
+
     reboot();
 }

esp32_device/main/storage.c

@@ -31,7 +31,7 @@ void storage_set_dev_name(const char *name)
 
     ESP_ERROR_CHECK(nvs_open(STORAGE_NAMESPACE, NVS_READWRITE, &my_handle));
 
-    ESP_ERROR_CHECK(nvs_set_blob(my_handle, DEV_NAME_KEY, name, strlen(name)));
+    ESP_ERROR_CHECK(nvs_set_blob(my_handle, DEV_NAME_KEY, name, strlen(name) + 1));
 
     nvs_close(my_handle);
 }