Hi Team,
Need support on one of the below queries. I had previously raised this in issue #9116: Client certificate verify · Issue #9116 · Mbed-TLS/mbedtls · GitHub (https://github.com/Mbed-TLS/mbedtls/issues/9116). However, I was asked to redirect the query to the mbedTLS support.
Q#1: I have a client certificate chain (end entity cert, intermediate cert and root cert) and I have got 1 public key (extracted from the root CA cert) on my server. Is there any way in mbedTLS where I can validate the client certificate using just the public key of the root CA and not the whole root CA certificate on my server?
As per my understanding of CA and certificate validation, we would need the whole CA cert and not just the public key of the root certificate. However, I would like to know if there are any APIs in mbedTLS for this validation?
Thanks,
Sushma
________________________________ Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient of this message , or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. Email transmission cannot be guaranteed to be secure or error-free, as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors, omissions or contaminations in the contents of this message which might have occurred as a result of email transmission. If verification is required, please request for a hard-copy version. ________________________________
Hi Sushma,
Thanks for redirecting your query to the mailing list; this is the correct place for support requests of this nature.
If you only have the public key of the root CA then you lose key bits of information that are associated with the cert, such as expiration dates, revocation and any restraints on key usage. Thus this is not a standard way of doing verification. We do not have an API that directly enables this type of verification.
That being said, you should be able to achieve your goals using the function mbedtls_ssl_conf_verify().
Hope that is of some use to you.
Thanks, Tom Daubney
On Thu, 2024-05-16 at 14:04 +0000, Sushma Narayan Shetty via mbed-tls wrote:
mbed-tls@lists.trustedfirmware.org