On Tue, 21 Feb 2023 18:11:54 +0000, Peter via mbed-tls <mbed-tls@lists.trustedfirmware.org> wrote:
Hi, I recently had to do some PKCS#7 signature validation and was disappointed to find that it didn't just work. After digging through RFCs to figure out the myriad of things I'd done wrong I was also left with a lack of 3 features in mbedtls:
- The full certificate chain was not being loaded and explicitly not supported.
I am not sure if this is relevant but there is a patch for mbedtls which can read the root cert list from a file:
https://github.com/mongoose-os/mbedtls
It takes a few days to implement and debug, but it works and gets around the need for ~200k of free RAM for loading the whole root cert chain which is currently ~200k (cacert.pem, 218k).
You need to re-do this each time you upgrade mbedtls, obviously...
It's a pretty important patch which should be in there as standard. Otherwise, mbedtls is usable mainly for single private server hosts.
I don't think it's relevant. The full certificate chain I'm referring to is not the list of CA certs but the certs embedded in the PKCS#7 signature. In this case it's 2 certs and I need to verify validity back to a single known root.