added a define that can be used as an option to reduce memory footpri… (

#1274)

* added a define that can be used as an option to reduce memory footprint on embedded devices Note: esp8266 may run out of memory without this define.

Add in #defines for loading only specific certs.

* Update linux_c_option_test.sh
Added option to test build with -Duse_baltimore_cert=ON

* Update certs.c
Update to certificate descriptions.

Name conventions set.

* Update CMakeLists.txt
pass cert defines down to compiler

CMakeLists.txt

@@ -28,6 +28,7 @@ elseif (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
     add_definitions(-DMACOSX)
 endif()
 
+
 include (CTest)
 
 if (MSVC)
@@ -74,6 +75,10 @@ option(use_prov_client "Enable provisioning client" OFF)
 option(use_tpm_simulator "tpm simulator type of hsm used with the provisioning client" OFF)
 option(use_edge_modules "Enable support for running modules against Azure IoT Edge" OFF)
 option(use_custom_heap "use externally defined heap functions instead of the malloc family" OFF)
+option(use_baltimore_cert "set use_baltimore_cert to ON if the Baltimore cert is to be used, set to OFF to not use it" OFF)
+option(use_microsoftazure_de_cert "set use_microsoftazure_de_cert to ON if the MicrosoftAzure DE cert is to be used, set to OFF to not use it" OFF)
+option(use_portal_azure_cn_cert "set use_portal_azure_cn_cert to ON if the Portal Azure CN cert is to be used, set to OFF to not use it" OFF)
+
 set(compileOption_C "" CACHE STRING "passes a string to the command line of the C compiler")
 set(compileOption_CXX "" CACHE STRING "passes a string to the command line of the C++ compiler")
 set(linkerOption "" CACHE STRING "passes a string to the shared and exe linker options of the C compiler")
@@ -109,6 +114,19 @@ else()
     option(use_sample_trusted_cert "Set flag in samples to use SDK's built-in CA as TrustedCerts" OFF)
 endif()
 
+# Enable specific certs
+if (${use_baltimore_cert})
+    add_definitions(-DUSE_BALTIMORE_CERT)
+endif()
+
+if (${use_microsoftazure_de_cert})
+    add_definitions(-DUSE_MICROSOFTAZURE_DE_CERT)
+endif()
+
+if (${use_portal_azure_cn_cert})
+    add_definitions(-DUSE_PORTAL_AZURE_CN_CERT)
+endif()
+
 # Enable IoT SDK to act as a module for Edge
 if(${use_edge_modules})
     set(use_prov_client_core ON)

certs/certs.c

@@ -4,9 +4,22 @@
 /* This file contains certs needed to communicate with Azure (IoT) */
 
 #include "certs.h"
+/* Note: for devices with limited resources, only one cert should be loaded. 
+   #defines are used to reduce memory footprint of certificates.
+   For DE and CN regions, please build with -DUSE_MICROSOFTAZURE_DE_CERT or -DUSE_PORTAL_AZURE_CN_CERT, respectively, 
+   if you wish to load ONLY those certs.
+*/
+#if !defined(USE_BALTIMORE_CERT) && !defined(USE_MICROSOFTAZURE_DE_CERT) && !defined(USE_PORTAL_AZURE_CN_CERT)
+// For legacy, if no certificates were explicitly selected then include all of them
+#define USE_BALTIMORE_CERT
+#define USE_MICROSOFTAZURE_DE_CERT 
+#define USE_PORTAL_AZURE_CN_CERT
+#endif
 
 const char certificates[] =
-/* DigiCert Baltimore Root */
+#if defined(USE_BALTIMORE_CERT)
+/* DigiCert Baltimore Root --Used Globally--*/
+// This cert should be used when connecting to Azure IoT on the Azure Cloud available globally. When in doubt, use this cert.
 "-----BEGIN CERTIFICATE-----\r\n"
 "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\r\n"
 "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\r\n"
@@ -28,7 +41,11 @@ const char certificates[] =
 "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\r\n"
 "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\r\n"
 "-----END CERTIFICATE-----\r\n"
-/*DigiCert Global Root CA*/
+#endif /* BALTIMORE_CERT */
+
+#if defined(USE_PORTAL_AZURE_CN_CERT)
+/* DigiCert Global Root CA */
+// This cert should be used when connecting to Azure IoT on the https://portal.azure.cn Cloud address.
 "-----BEGIN CERTIFICATE-----\r\n"
 "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\r\n"
 "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
@@ -51,7 +68,11 @@ const char certificates[] =
 "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\r\n"
 "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\r\n"
 "-----END CERTIFICATE-----\r\n"
-/*D-TRUST Root Class 3 CA 2 2009*/
+#endif /* PORTAL_AZURE_CN_CERT */
+
+#if defined(USE_MICROSOFTAZURE_DE_CERT)
+/* D-TRUST Root Class 3 CA 2 2009 */
+// This cert should be used when connecting to Azure IoT on the https://portal.microsoftazure.de Cloud address.
 "-----BEGIN CERTIFICATE-----\r\n"
 "MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF\r\n"
 "MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD\r\n"
@@ -77,4 +98,6 @@ const char certificates[] =
 "PIWmawomDeCTmGCufsYkl4phX5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3Y\r\n"
 "Johw1+qRzT65ysCQblrGXnRl11z+o+I=\r\n"
 "-----END CERTIFICATE-----\r\n"
+#endif /* MICROSOFTAZURE_DE_CERT */
+
 ;

jenkins/linux_c_option_test.sh

@@ -56,6 +56,7 @@ declare -a arr=(
     "-Drun_longhaul_tests=ON"
     "-Duse_prov_client=ON -Dhsm_custom_lib=$custom_hsm_lib"
     "-Drun_e2e_tests=ON -Drun_sfc_tests=ON -Duse_edge_modules=ON"
+    "-Drun_e2e_tests=ON -Duse_baltimore_cert=ON"
 )
 
 for item in "${arr[@]}"