Hello,
I have an implementation in OpenSSL and am trying to recreate it using MbedTLS. One of the differences in these two I have yet to overcome is the following:
Is there a way to treat mbedtls_x509_crt simply as a certificate store? Say I have some PEM data, parse it into a temporary mbedtls_x509_crt and then I would like to append this certificate to said mbedtls_x509_crt certificate store.
The following is stated in the docs of mbedtls_x509_crt:
struct mbedtls_x509_crt *next
Next certificate in the linked list that constitutes the CA chain. NULL indicates the end of the list. Do not modify this field directly.
Is there a way to achieve this if it's advised not to modify the field directly? Thank you in advance, Roman.
Hi Roman,
I am sorry, I don’t know about any Mbed TLS API that would directly implement a certificate store. mbedtls_x509_crt is meant to handle certificate chains and not certificate stores. One way of implementing a certificate store on top of Mbed TLS would be to define your own file format for the certificate store, define your own operations on it, and use Mbed TLS to read and write single certificates.
Best regards, Janos
Hi Janos,
I think that the words "certificate store" and "certificate chain" have the same meaning in my case. I'll try to illustrate what I'm trying to achieve with pseudocode:
```c
mbedtls_x509_crt cert, chain;
mbedtls_x509_crt_parse(&cert, pem, len);
mbedtls_x509_crt_add_to_chain(chain, cert); // doesn't exist
```
I couldn't find any function which would work like "mbedtls_x509_crt_add_to_chain" in the API. And since based on the docs I shouldn't work with the linked list in the chain directly, there is currently no way to achieve this, right?
Either way, I can just stick with doing `mbedtls_x509_crt_parse(&chain, ...)` instead. It's just a small inconvenience in my use case, but it works just fine.
Regards, Roman.
Hi Roman,
My understanding and experience is that `mbedtls_x509_crt` either represents a single X509 cert (next == NULL), or a collection of certificates (either a chain, or a list of trusted CA certificates) that are linked together via the `next` pointer.
When you call the `mbedtls_x509_crt_parse` and give it a PEM containing multiple root certs (for example) it will return a linked list of those certs.
I assume the argument to not touch the `next` pointer comes from the fact that you need to properly free any memory, or keep a reference to it when breaking the chain.
I am successfully building a chain to be later used by a TLS context by manually linking the pointers together and have not seen any issues so far.
But let’s see what Gilles or others have to say, take my answer as unverified :)
Martin
-- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org
On 16/04/2024 12:19, Martin Man via mbed-tls wrote:
I assume the argument to not touch the `next` pointer comes from the fact that you need to properly free any memory, or keep a reference to it when breaking the chain.
That's right. Reading from the next pointer is not a problem. But if you modify it, you need to be compatible with the library's memory management, and that's risky. If you aren't careful, you might have a memory leak, or worse, a use-after-free.
Appending a certificate to one existing chain is fine. On the other hand, appending the same certificate to multiple chains is dangerous: if you then call mbedtls_x509_crt_free() on one chain, it will cause the other chain to have a dangling pointer.
On 16/04/2024 10:37, Roman Janota via mbed-tls wrote:
Is there a way to treat mbedtls_x509_crt simply as a certificate store? Say I have some PEM data, parse it into a temporary mbedtls_x509_crt and then I would like to append this certificate to said mbedtls_x509_crt certificate store.
Due to the difficulty of ensuring correct memory management in C, the official way to do this is to parse the certificate directly into the chain: mbedtls_x509_crt_parse() and friends do this, and doing it that way ensures that a certificate only ends up on one chain.
Best regards,