[I assume you meant to reply to the list.]
If you don't have a filesystem, call mbedtls_x509_crt_parse instead of mbedtls_x509_crt_parse_file.
To save static data size, you may want to store the data in binary form instead of base64. To do this:
1. Split the PEM file into individual certificates.
2. Convert each file to DER (you can use programs/util/pem2der, but you need to split the file first, because it only converts the first PEM chunk).
3. Convert each binary file to a C unsigned char array literal.
4. In your code, call mbedtls_x509_crt_parse_der in a loop over the array.
Your code might look something like this:
const uint8_t cert1_der[] = {0x30, …};
const uint8_t cert2_der[] = {0x30, …};
…
/* Lookup table of DER-encoded roots: one entry per certificate (an array, not a single struct). */
const struct {const uint8_t *data; size_t size;} root_certs_der[] = {
    {cert1_der, sizeof(cert1_der)},
    …
};
…
mbedtls_x509_crt roots; /* head of the list of trusted CAs */
size_t i;
mbedtls_x509_crt_init(&roots);
for (i = 0; i < sizeof(root_certs_der)/sizeof(root_certs_der[0]); i++)
    mbedtls_x509_crt_parse_der(&roots, root_certs_der[i].data, root_certs_der[i].size);
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 23/06/2020 23:31, Thompson, Jeff wrote:
I did see that function, but it assumes a file system, doesn't it? I'm not using one, and that would be a really big change to make this late in the development cycle, if I can avoid it. I can program the PEM file into flash memory, where it can be addressed, for reading only, just like ROM. Is there a way to use it like that?
Jeff Thompson | Senior Electrical Engineer-Firmware
+1 704 752 6513 x1394
www.invue.com

-----Original Message-----
From: mbed-tls mbed-tls-bounces@lists.trustedfirmware.org On Behalf Of Gilles Peskine via mbed-tls
Sent: Tuesday, June 23, 2020 4:38 PM
To: mbed-tls@lists.trustedfirmware.org
Subject: Re: [mbed-tls] Working with a PEM file
Hi Jeff,
Don't modify or use the certificates in certs.c. The certificates in the certs module are only intended for testing and they will be moved from the library to the test code soon. They are never used automatically and should never be used outside of tests.
The easiest way to set these root certificates is to pass the file to mbedtls_x509_crt_parse_file(). This gives you an object that represents the certificates and you can use those as the trusted CAs for certificate verification through the X.509 or TLS API.
Your code might look like this (error checking and rest of the code omitted):
mbedtls_x509_crt roots; // head of the list of trusted CAs
mbedtls_x509_crt_init(&roots);
mbedtls_x509_crt_parse_file(&roots, "roots.pem");
…
// Verify that there is a chain of trust from a certificate to one of the trusted CAs
mbedtls_x509_crt_verify(&crt_to_verify, &roots, NULL, NULL, &flags, NULL, NULL);
…
// Use the trusted CAs for a TLS connection (the function takes a pointer to the list head)
mbedtls_ssl_conf_ca_chain(&ssl_config, &roots, NULL);
…
// Once the certificates are no longer used anywhere
mbedtls_x509_crt_free(&roots);
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 23/06/2020 21:38, Thompson, Jeff via mbed-tls wrote:
I’ve downloaded https://pki.goog/roots.pem and want to use the certificates in it with mbedTLS. Is there some documentation that tells me how to do this?
The certs.c file only contains a handful of certs, while the PEM file has nearly 40. How do I know which one to use for what purpose? The certs.c file has these certificate char[]’s:
mbedtls_test_ca_crt_ec
mbedtls_test_srv_crt_ec
mbedtls_test_cli_crt_ec
mbedtls_test_ca_crt_rsa
mbedtls_test_ca_crt_rsa
mbedtls_test_srv_crt_rsa
mbedtls_test_cli_crt_rsa
I’m reasonably sure I don’t need to replace mbedtls_test_cli_crt_ec and mbedtls_test_cli_crt_rsa, since I am not using a client certificate. But I’m not at all sure about whether I need to replace the 3 **_ca_crt_** certs, the 2 **_srv_crt_** certs, or all 5. And, if so, using which certs from the PEM file to replace which certs in certs.c? How do I figure out what to do here? I’ve never dealt with cloud communication like this before, so please pardon my ignorance; I’m eager to learn, but overwhelmed by so much that is new to me.
Thanks,
*Jeff Thompson* | Senior Electrical Engineer-Firmware +1 704 752 6513 x1394 www.invue.com
-- mbed-tls mailing list mbed-tls@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
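As an added example that is not part of this thread and not Mbed TLS code: a small Python generator covering steps 1 to 3 of the binary-storage procedure Gilles describes (split the PEM bundle into certificates, base64-decode each block to DER, emit C unsigned char array literals) and producing the lookup table that the step-4 mbedtls_x509_crt_parse_der loop iterates over. The sample bundle is constructed in the script from hand-made byte strings that merely start with a DER SEQUENCE tag; they are not real certificates. The output names root_cert1_der, root_certs_der, struct der_cert and ROOT_CERTS_COUNT are this example's own choices.

```python
import base64
import re
import textwrap

# Constructed sample input: two PEM blocks with a comment line in between,
# as some published bundles have. Payloads are made-up bytes, NOT real certs.
SAMPLE_CERT1_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CERT2_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x02, 0x05, 0x00])


def _pem_wrap(der: bytes) -> str:
    """Armour raw DER as a PEM CERTIFICATE block (used only to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    "# Operating CA: Example Root One (constructed comment line)\n"
    + _pem_wrap(SAMPLE_CERT1_DER)
    + "# Operating CA: Example Root Two (constructed comment line)\n"
    + _pem_wrap(SAMPLE_CERT2_DER)
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def split_pem(bundle: str) -> list:
    """Step 1: one entry per certificate block. Text outside the armour
    (comment lines, blank lines) is ignored, which is exactly what a
    first-chunk-only tool like pem2der cannot do for you."""
    return [m.group(0) for m in PEM_RE.finditer(bundle)]


def pem_to_der(pem_block: str) -> bytes:
    """Step 2: strip the armour, join the base64 body and decode it to DER.
    validate=True rejects stray characters so a corrupted bundle fails at
    build time rather than inside mbedtls at runtime."""
    m = PEM_RE.search(pem_block)
    if m is None:
        raise ValueError("not a PEM CERTIFICATE block")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)
    # Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def der_to_c_array(name: str, der: bytes) -> str:
    """Step 3: render DER bytes as a C unsigned char array literal."""
    lines = []
    for i in range(0, len(der), 12):
        chunk = ", ".join(f"0x{b:02x}" for b in der[i:i + 12])
        lines.append("    " + chunk + ",")
    return f"static const unsigned char {name}[] = {{\n" + "\n".join(lines) + "\n}};\n"


def bundle_to_c_header(bundle: str, prefix: str = "root_cert") -> str:
    """Emit one array per certificate plus the {data, size} table that a
    mbedtls_x509_crt_parse_der loop walks (step 4 in the thread)."""
    ders = [pem_to_der(block) for block in split_pem(bundle)]
    if not ders:
        raise ValueError("no certificates found in bundle")
    out = ["/* Generated from a PEM bundle; do not edit by hand. */",
           "#include <stddef.h>", ""]
    names = []
    for n, der in enumerate(ders, start=1):
        name = f"{prefix}{n}_der"
        names.append(name)
        out.append(der_to_c_array(name, der))
    out.append("struct der_cert { const unsigned char *data; size_t size; };")
    out.append(f"static const struct der_cert {prefix}s_der[] = {{")
    for name in names:
        out.append(f"    {{ {name}, sizeof({name}) }},")
    out.append("};")
    out.append(f"#define {prefix.upper()}S_COUNT "
               f"(sizeof({prefix}s_der) / sizeof({prefix}s_der[0]))")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: run to print the header; redirect to a .h file for the firmware build.
    print(bundle_to_c_header(SAMPLE_BUNDLE))
```

The generated header is meant to be compiled into the firmware image, where the arrays live in flash like any other const data; the C side then loops from 0 to ROOT_CERTS_COUNT calling mbedtls_x509_crt_parse_der on each root_certs_der[i].data/size pair and checks every return value, since a single rejected root silently shrinks the trust store.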