
added Kconfig option to allow loading CA certs with unsupported extensions

Close https://github.com/espressif/esp-idf/pull/4445
Ryan Kurte пре 6 година
родитељ
комит
4ee78f8496
2 измењених фајлова са 31 додато и 0 уклоњено
  1. 12 0
      components/mbedtls/Kconfig
  2. 19 0
      components/mbedtls/port/include/mbedtls/esp_config.h

+ 12 - 0
components/mbedtls/Kconfig

@@ -601,4 +601,16 @@ menu "mbedTLS"
 
             # end of Elliptic Curve options
 
+    menuconfig MBEDTLS_SECURITY_RISKS
+        bool "Show configurations with potential security risks"
+        default n
+
+    config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+        bool "X.509 CRT parsing with unsupported critical extensions"
+        depends on MBEDTLS_SECURITY_RISKS
+        default n
+        help
+            Allow the X.509 certificate parser to load certificates
+            with unsupported critical extensions
+
 endmenu  # mbedTLS
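Review bot: The help text of MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT says what the option permits but not why it is a risk, so a user reaching it through the "potential security risks" menu still has nothing to weigh. RFC 5280 requires a relying party to reject a certificate carrying a critical extension it does not recognise, because the extension may impose a constraint (name, policy, key usage) the parser then cannot enforce; I would append to the help text: `This deviates from RFC 5280: a critical extension the parser cannot interpret may carry a constraint it then fails to enforce. Leave disabled unless a specific trust anchor requires it.` As a point of style, `default n` on both new bool symbols is redundant (a Kconfig bool defaults to n) and can be dropped.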

+ 19 - 0
components/mbedtls/port/include/mbedtls/esp_config.h

@@ -2214,6 +2214,25 @@
  */
 #define MBEDTLS_X509_CRT_WRITE_C
 
+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+  * Alow the X509 parser to not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * Module:  library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This module is supports loading of certificates with extensions that
+ * may not be supported by mbedtls.
+ */
+#ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
+#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#else
+#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
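Review bot: The new Doxygen block has two typos and a misaligned continuation line: `Alow` should read `Allow`, `This module is supports loading` should read `This option allows loading`, and the third comment line starts with two spaces before `*` while the rest of the block uses one. The comment also does not say how the macro is controlled; I would add, after the "Requires" line, `* Enabled only when CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT is set in sdkconfig; otherwise the parser rejects certificates with unrecognised critical extensions, as RFC 5280 requires.` so a reader of esp_config.h alone understands the default and the trade-off.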
+
 /**
  * \def MBEDTLS_X509_CSR_WRITE_C
  *