Hello

 

Short question:

How do I output an in-memory mbedtls_x509_crt chain to PEM text?

 

Context:

I have a project where the user provides a PEM bundle to be used for HTTPS.

As it is provided by a user, it may be incomplete or malformed,

so I want to fully validate user input.

Here is what I have succeeded in doing so far:

  1. parse the bundle into atomic parts, based on "BEGIN/END" labels
  2. try to mbedtls_x509_crt_parse / mbedtls_pk_parse_key each part (no chain)
  3. check that I only have one private key in the bundle
  4. search for the certificate C matching the private key
  5. starting from that atomic certificate, verify it against each other candidate certificate
  6. if it validates, add it to the chain of C, and repeat until no candidate validates
  7. then check that there are no remaining certificates (which never validated anything)
  8. finally print and store the chain (as it's now deemed correct and minimal)

 

Now I want to store it in PEM format for later use.

But I do not understand the way to do it:

I guess it should be pretty simple, but I cannot wrap my head around it.

 

Thanks in advance for your help

Nicolas

 

PS: if steps 1-8 could be done more elegantly, please do not hesitate to point me in the right direction.
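
An added example, not part of the original post and not Mbed TLS code: one way to serialize a built chain is to walk it from the leaf through `next` and wrap each certificate's DER bytes (`raw.p`, `raw.len`) in a PEM block. The `der_buf` and `crt_node` structs and both function names are hypothetical stand-ins so the sketch compiles without the library; in an Mbed TLS build with `MBEDTLS_PEM_WRITE_C` enabled, `mbedtls_pem_write_buffer()` from `mbedtls/pem.h` performs the per-certificate encoding.

```c
#include <stddef.h>
#include <string.h>
/* Stand-ins shaped like mbedtls_x509_crt (raw.p, raw.len, next); hypothetical names. */
struct der_buf { const unsigned char *p; size_t len; };
struct crt_node { struct der_buf raw; struct crt_node *next; };

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Append one DER certificate as a PEM block at out[*pos]; -1 if out is too small. */
static int pem_write_one(const unsigned char *der, size_t len,
                         char *out, size_t cap, size_t *pos)
{
    static const char head[] = "-----BEGIN CERTIFICATE-----\n";
    static const char foot[] = "-----END CERTIFICATE-----\n";
    size_t b64 = 4 * ((len + 2) / 3);                 /* base64 characters */
    size_t need = strlen(head) + b64 + (b64 + 63) / 64 + strlen(foot);
    size_t i, col = 0;
    char *o = out + *pos;
    if (cap - *pos <= need) return -1;                /* block plus trailing NUL */
    memcpy(o, head, strlen(head)); o += strlen(head);
    for (i = 0; i < len; i += 3) {
        unsigned long v = (unsigned long)der[i] << 16;
        if (i + 1 < len) v |= (unsigned long)der[i + 1] << 8;
        if (i + 2 < len) v |= der[i + 2];
        *o++ = B64[(v >> 18) & 63];
        *o++ = B64[(v >> 12) & 63];
        *o++ = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        *o++ = (i + 2 < len) ? B64[v & 63] : '=';
        col += 4;
        if (col == 64 || i + 3 >= len) { *o++ = '\n'; col = 0; }  /* 64-column lines */
    }
    memcpy(o, foot, strlen(foot)); o += strlen(foot);
    *o = '\0';
    *pos = (size_t)(o - out);
    return 0;
}

/* Walk the chain from the leaf via ->next and concatenate the PEM blocks into out. */
int chain_to_pem(const struct crt_node *chain, char *out, size_t cap)
{
    size_t pos = 0;
    if (out == NULL || cap == 0) return -1;
    out[0] = '\0';
    for (; chain != NULL; chain = chain->next)
        if (chain->raw.p == NULL || chain->raw.len == 0 ||
            pem_write_one(chain->raw.p, chain->raw.len, out, cap, &pos) != 0)
            return -1;
    return 0;
}
```

Only the certificates are written here; the private key from the bundle is a separate object and can be stored with tighter file permissions than the chain.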