From 4ac4faaaf684bfb3713f54de5fca452e64847700 Mon Sep 17 00:00:00 2001
From: Scott Shawcroft <scott@tannewt.org>
Date: Mon, 30 Nov 2020 17:02:26 -0800
Subject: [PATCH 1/2] Use nina-fw root certs

That way we have one set we use for all of Adafruit's connected
devices.
---
 .gitmodules                                     | 3 +++
 ports/esp32s2/certificates/README.md            | 3 +++
 ports/esp32s2/certificates/nina-fw              | 1 +
 ports/esp32s2/esp-idf-config/sdkconfig.defaults | 7 ++++---
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 ports/esp32s2/certificates/README.md
 create mode 160000 ports/esp32s2/certificates/nina-fw

diff --git a/.gitmodules b/.gitmodules
index aaa66caf71821..d36613d604786 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -153,3 +153,6 @@
 [submodule "ports/esp32s2/esp-idf"]
 	path = ports/esp32s2/esp-idf
 	url = https://github.com/jepler/esp-idf.git
+[submodule "ports/esp32s2/certificates/nina-fw"]
+	path = ports/esp32s2/certificates/nina-fw
+	url = https://github.com/adafruit/nina-fw.git
diff --git a/ports/esp32s2/certificates/README.md b/ports/esp32s2/certificates/README.md
new file mode 100644
index 0000000000000..dd5cf25b00a01
--- /dev/null
+++ b/ports/esp32s2/certificates/README.md
@@ -0,0 +1,3 @@
+We share root certificates with the nina-fw to ensure they both use the same roots.
+
+https://github.com/adafruit/nina-fw
diff --git a/ports/esp32s2/certificates/nina-fw b/ports/esp32s2/certificates/nina-fw
new file mode 160000
index 0000000000000..f2a0e601b2321
--- /dev/null
+++ b/ports/esp32s2/certificates/nina-fw
@@ -0,0 +1 @@
+Subproject commit f2a0e601b23212dda4fe305eab30af49a7c7fb41
diff --git a/ports/esp32s2/esp-idf-config/sdkconfig.defaults b/ports/esp32s2/esp-idf-config/sdkconfig.defaults
index 025b05caa681a..53b169e39e01c 100644
--- a/ports/esp32s2/esp-idf-config/sdkconfig.defaults
+++ b/ports/esp32s2/esp-idf-config/sdkconfig.defaults
@@ -575,10 +575,11 @@ CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
 # Certificate Bundle
 #
 CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
-CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=y
+# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL is not set
 # CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN is not set
-# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE is not set
-# CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE is not set
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE=y
+CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH="certificates/nina-fw/data/roots.pem"
 # end of Certificate Bundle
 
 # CONFIG_MBEDTLS_ECP_RESTARTABLE is not set

From 9a9e972242e985b5528f0255217b641b065ecf74 Mon Sep 17 00:00:00 2001
From: Scott Shawcroft <scott@tannewt.org>
Date: Tue, 1 Dec 2020 11:01:26 -0800
Subject: [PATCH 2/2] Ignore certificates readme in doc build

---
 conf.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/conf.py b/conf.py
index 1d4c420481891..1a90b617b8d74 100644
--- a/conf.py
+++ b/conf.py
@@ -172,6 +172,7 @@
                     "ports/atmel-samd/tools",
                     "ports/cxd56/mkspk",
                     "ports/cxd56/spresense-exported-sdk",
+                    "ports/esp32s2/certificates",
                     "ports/esp32s2/esp-idf",
                     "ports/esp32s2/peripherals",
                     "ports/litex/hw",