Hi,
I have developed a TLS and EST client application, where the EST server issues the certificate in PKCS#7 format. It seems the mbedtls library does not support certificates in PKCS#7 format.
Is there any plan to support PKCS#7 in future?
Thanks,
Gopi Krishnan
Hi All,
A gentle reminder that the Asia-Europe timezone-friendly Mbed TLS Tech
forum is next *Monday, Oct 10 at 10:00am UK time*. Invite details can be
found on the online calendar here
<https://www.trustedfirmware.org/meetings/>.
If you have any topics, please let Dave Rodgman, cc'd, know. :)
Best regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
Hello
Please note that this is a repost of my previous message from yesterday,
as it seemed to have bugged (empty text + html attachment) when viewed
from the archive. Apologies.
Short question:
How do I output an in-memory mbedtls_x509_crt chain to PEM text?
Context :
I have a project where the user provides a PEM bundle to be used for HTTPS.
As it is provided by a user, it may be incomplete or malformed:
- no private key
- more than 1 private key
- no certificate at all
- duplicate certificates
- no certificate matching the private key
- broken chain
- extraneous certificates not part of the chain…
So I want to fully validate user input.
Here is what I have succeeded in so far:
- parse the bundle into atomic parts, based on « BEGIN/END » labels
- try to mbedtls_x509_crt_parse / mbedtls_pk_parse_key each part (no chain)
- check that i only have one private key in the bundle
- search for the certificate C matching the private key
- starting from that atomic certificate, verify it against each other
candidate certificate
- if it validates, add it to the chain of C, and repeat until no
candidate validates
- then check that there are no remaining certificates (which never
validated anything)
- finally print and store the chain (as it’s now deemed correct and minimal)
Now I want to store it in PEM format for later use.
But I do not understand the way to do it:
- there are no write functions for mbedtls_x509_crt
- the mbedtls_x509write_cert structure shares few members with mbedtls_x509_crt
- I have not yet found how to get/convert many of the missing members
- as memory is tight I have cleaned the « atomic parts » text buffers
(but if there is no other way, i'll keep and reuse them)
I guess it should be pretty simple, but I cannot wrap my head around it.
Thanks in advance for your help
Nicolas
PS: if steps 1-8 could be done more elegantly, please do not
hesitate to point me in the right direction.
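The first checks in the list above (splitting the bundle on BEGIN/END labels, then looking for exactly one private key, at least one certificate, and no duplicates) can run on the raw text before any Mbed TLS parsing. The following is an added example, not code from the original post or from Mbed TLS; `scan_bundle`, `bundle_report`, `MAX_CERTS` and the sample bundle are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CERTS 16
typedef struct { int certs, keys, dup_certs, malformed; } bundle_report;

static const char SAMPLE[] =   /* constructed sample, placeholder bodies only */
    "-----BEGIN CERTIFICATE-----\nQUFBQQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\nS0VZMQ==\n-----END EC PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQUFBQQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQkJCQg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nS0VZMg==\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ0NDQw==\n";   /* END label missing */

/* Split on BEGIN/END labels and count the parts. Duplicates are matched on
 * the armoured text; comparing decoded DER would also catch re-wrapped copies. */
bundle_report scan_bundle(const char *pem)
{
    bundle_report r = {0, 0, 0, 0};
    const char *body[MAX_CERTS], *p = pem;
    size_t blen[MAX_CERTS];
    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        const char *label = p + 11, *lend = strstr(label, "-----");
        char footer[96];
        if (lend == NULL || lend - label > 64) { r.malformed++; break; }
        int n = (int)(lend - label), dup = 0;
        snprintf(footer, sizeof footer, "-----END %.*s-----", n, label);
        const char *start = lend + 5, *end = strstr(start, footer);
        const char *next = strstr(start, "-----BEGIN ");
        if (end == NULL || (next != NULL && next < end)) { r.malformed++; p = start; continue; }
        size_t len = (size_t)(end - start);
        if (n == 11 && memcmp(label, "CERTIFICATE", 11) == 0) {
            for (int i = 0; i < r.certs; i++)
                if (blen[i] == len && memcmp(body[i], start, len) == 0) dup = 1;
            if (dup) r.dup_certs++;
            else if (r.certs == MAX_CERTS) r.malformed++;  /* over example limit */
            else { body[r.certs] = start; blen[r.certs++] = len; }
        } else if (n >= 11 && memcmp(lend - 11, "PRIVATE KEY", 11) == 0) {
            r.keys++;            /* covers RSA, EC, PKCS#8 and ENCRYPTED labels */
        }
        p = end + strlen(footer);
    }
    return r;
}

int main(void)
{
    bundle_report r = scan_bundle(SAMPLE);
    printf("certs=%d keys=%d dup=%d malformed=%d\n", r.certs, r.keys, r.dup_certs, r.malformed);
    return 0;
}
```

A bundle is worth passing on to certificate and key parsing only when `keys == 1`, `certs >= 1`, `dup_certs == 0` and `malformed == 0`.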