Hi, I recently had to do some PKCS#7 signature validation and was disappointed to find that it didn't just work. After digging through RFCs to figure out the myriad of things I'd done wrong I was also left with a lack of 3 features in mbedtls:
- The full certificate chain was not being loaded and explicitly not
supported.
I am not sure if this is relevant but there is a patch for mbedtls which can read the root cert list from a file
https://github.com/mongoose-os/mbedtls
It takes a few days to implement and debug, but it works and gets around the need for ~200k of free RAM for loading the whole root cert chain which is currently ~200k (cacert.pem, 218k).
You need to re-do this each time you upgrade mbedtls, obviously...
It's a pretty important patch which should be in there as standard. Otherwise, mbedtls is usable mainly for single private server hosts.