Hi Jeff,
Don't modify or use the certificates in certs.c. The certificates in the
certs module are only intended for testing and they will be moved from
the library to the test code soon. They are never used automatically and
should never be used outside of tests.
The easiest way to set these root certificates is to pass the file to
mbedtls_x509_crt_parse_file(). This gives you an object that represents
the certificates and you can use those as the trusted CAs for
certificate verification through the X.509 or TLS API.
Your code might look like this (error checking and rest of the code
omitted):
mbedtls_x509_crt roots; // head of the list of trusted CAs
mbedtls_x509_crt_init(&roots);
mbedtls_x509_crt_parse_file(&roots, "roots.pem");
…
// Verify that there is a chain of trust from a certificate to one of
the trusted CAs
mbedtls_x509_crt_verify(&crt_to_verify, &roots, NULL, NULL, &flags,
NULL, NULL);
…
// Use the trusted CAs for a TLS connection
mbedtls_ssl_conf_ca_chain(&ssl_config, roots, NULL);
…
// Once the certificates are no longer used anywhere
mbedtls_x509_crt_free(&roots);
Best regards,
--
Gilles Peskine
Mbed TLS developer
On 23/06/2020 21:38, Thompson, Jeff via mbed-tls wrote:
>
> I’ve downloaded
https://pki.goog/roots.pem and want to use the
> certificates in it with mbedTLS. Is there some documentation that
> tells me how to do this?
>
>
>
> The certs.c file only contains only a handful of certs, while the PEM
> file has nearly 40. How do I know which one to use for what purpose?
> The certs.c file has these certificate char[]’s:
>
>
>
> mbedtls_test_ca_crt_ec
>
> mbedtls_test_srv_crt_ec
>
> mbedtls_test_cli_crt_ec
>
> mbedtls_test_ca_crt_rsa
>
> mbedtls_test_ca_crt_rsa
>
> mbedtls_test_srv_crt_rsa
>
> mbedtls_test_cli_crt_rsa
>
>
>
> I’m reasonably sure I don’t need to replace mbedtls_test_cli_crt_ec
> and mbedtls_test_cli_crt_rsa, since I am not using a client
> certificate. But I’m not at all sure about whether I need to replace
> the 3 **_ca_crt_** certs, the 2 **_srv_crt_** certs, or all 5. And, if
> so, using which certs from the PEM file to replace which certs in
> certs.c?. How do I figure out what to do here? I’ve never dealt with
> cloud communication like this before, so please pardon my ignorance;
> I’m eager to learn, but overwhelmed by so much that is new to me.
>
>
>
> Thanks,
>
>
>
> *Jeff Thompson* | Senior Electrical Engineer-Firmware
> +1 704 752 6513 x1394
> www.invue.com
>
>
>
>
Gilles Peskine