From b69ac4448e7aa96e4de1981cab2c94b808a638e6 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Mon, 30 Dec 2019 08:40:50 +0100
Subject: [PATCH] tcp_transport: added API for client-key password

---
 components/esp-tls/esp_tls_mbedtls.c | 2 +-
 components/tcp_transport/include/esp_transport_ssl.h | 10 ++++++++++
 components/tcp_transport/transport_ssl.c | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 243d97be4b..8cb8d9886d 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -266,7 +266,7 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki)
 }
 ret = mbedtls_pk_parse_key(pki->pk_key, pki->privkey_pem_buf, pki->privkey_pem_bytes,
- NULL, 0);
+ pki->privkey_password, pki->privkey_password_len);
 if (ret < 0) {
 ESP_LOGE(TAG, "mbedtls_pk_parse_keyfile returned -0x%x", -ret);
 ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h
index 7398dbc4f3..9ce0b19c31 100644
--- a/components/tcp_transport/include/esp_transport_ssl.h
+++ b/components/tcp_transport/include/esp_transport_ssl.h
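Review bot: The new call forwards `pki->privkey_password` and `pki->privkey_password_len` unconditionally, so every caller that builds an `esp_tls_pki_t` must now leave both fields zeroed when the key is unencrypted — before this change the call hard-coded `NULL, 0`, and an uninitialised or stale pair would now be handed to mbedtls as the key password. The hunk does not show where the struct is populated, so whether every producer zero-initialises it (a `= {0}` initializer or explicit assignments at each site) is something to confirm. The error log on the following line still names `mbedtls_pk_parse_keyfile`; now that a wrong or missing password fails at exactly this point, the message should name the function actually called: `ESP_LOGE(TAG, "mbedtls_pk_parse_key returned -0x%x", -ret);`. set_pki_context starts and ends outside the hunk.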
@@ -92,6 +92,16 @@ void esp_transport_ssl_set_client_cert_data_der(esp_transport_handle_t t, const
 */
 void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len);
 
+/**
+ * @brief Set SSL client key password if the key is password protected. The configured
+ * password is passed to the underlying TLS stack to decrypt the client key
+ *
+ * @param t ssl transport
+ * @param[in] password Pointer to the password
+ * @param[in] password_len Password length
+ */
+void esp_transport_ssl_set_client_key_password(esp_transport_handle_t t, const char *password, int password_len);
+
 /**
 * @brief Set SSL client key data for mutual authentication (as DER format).
 * Note that, this function stores the pointer to data, rather than making a copy.
diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c
index acc963666d..0cef93381d 100644
--- a/components/tcp_transport/transport_ssl.c
+++ b/components/tcp_transport/transport_ssl.c
@@ -245,6 +245,15 @@ void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char
 }
 }
 
+void esp_transport_ssl_set_client_key_password(esp_transport_handle_t t, const char *password, int password_len)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.clientkey_password = (void *)password;
+ ssl->cfg.clientkey_password_len = password_len;
+ }
+}
+
 void esp_transport_ssl_set_client_key_data_der(esp_transport_handle_t t, const char *data, int len)
 {
 transport_ssl_t *ssl = esp_transport_get_context_data(t);
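Review bot: The new Doxygen block for esp_transport_ssl_set_client_key_password does not say that the transport keeps only the pointer, although the implementation in transport_ssl.c stores `password` straight into `cfg.clientkey_password`; the neighbouring DER setter carries exactly that caveat and this one needs it more, since the buffer is a secret the caller will be tempted to wipe early. I would extend the @brief with `Note that, this function stores the pointer to password, rather than making a copy; the buffer must stay valid (and must not be cleared) until the TLS handshake has completed.`. The `@param[in] password_len` line should also state that the length is passed through to the TLS stack unchanged (so it must not include a terminating NUL) and what a NULL `password` with a non-zero length means, or that the combination is rejected.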
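Review bot: `password_len` is accepted as any `int`, including a negative value, and stored without validation; if `cfg.clientkey_password_len` is later widened to `size_t` for mbedtls_pk_parse_key (the field's type is not visible in this hunk) a negative length becomes a huge one and the parser reads far past the password buffer. A guard before the assignments, `if (password_len < 0 || (password == NULL && password_len != 0)) { return; }`, keeps an invalid pair out of the config. The `(void *)password` cast discards the `const` the API promises the caller; if `clientkey_password` can be declared `const void *` (the TLS stack only reads it), the cast should go. The setter also follows the file's pattern of calling esp_transport_get_context_data(t) before checking `t`, which is only safe if that accessor tolerates NULL — the same applies to the existing setters around it.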