Hello
Please note that this is a repost of my previous message from yesterday, as it seems to have been mangled (empty text + HTML attachment) when viewed from the archive. Apologies.
Short question: how do I output an in-memory mbedtls_x509_crt chain as PEM text?
Context: I have a project where the user provides a PEM bundle to be used for HTTPS. As it is provided by a user, it may be incomplete or malformed:
- no private key
- more than one private key
- no certificate at all
- duplicate certificates
- no certificate matching the private key
- broken chain
- extraneous certificates not part of the chain…
So I want to fully validate the user input.
Here is what I have succeeded in doing so far:
1. parse the bundle into atomic parts, based on the « BEGIN/END » labels
2. try mbedtls_x509_crt_parse / mbedtls_pk_parse_key on each part (no chain)
3. check that I only have one private key in the bundle
4. search for the certificate C matching the private key
5. starting from that atomic certificate, verify it against each other candidate certificate
6. if it validates, add it to the chain of C, and repeat until no candidate validates
7. then check that there are no remaining certificates (which never validated anything)
8. finally print and store the chain (as it is now deemed correct and minimal)
Now i want to store it in PEM format for later use.
But I do not understand the way to do it:
- there are no write functions for mbedtls_x509_crt
- the mbedtls_x509write_cert structure shares few members with mbedtls_x509_crt
- I have not yet found how to get/convert many of the missing members
- as memory is tight I have cleaned up the « atomic parts » text buffers (but if there is no other way, I'll keep and reuse them)
I guess it should be pretty simple, but I cannot wrap my head around it.
Thanks in advance for your help,
Nicolas
PS: if steps 1-8 could be done more elegantly, please do not hesitate to point me in the right direction.
mbed-tls@lists.trustedfirmware.org
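The step the question is asking about, as an added example that is not part of the original message and not Mbed TLS code: a parsed mbedtls_x509_crt keeps the original DER of each certificate in its public `raw` member (`crt->raw.p`, `crt->raw.len`), and the chain is the singly linked list reached through `crt->next`. Re-emitting PEM is therefore just base64 of each `raw` buffer between the CERTIFICATE header and footer, wrapped at 64 columns, which is what `mbedtls_pem_write_buffer()` does when `MBEDTLS_PEM_WRITE_C` is compiled in (with `mbedtls_base64_encode()` as the fallback when it is not). So the original text buffers do not need to be kept. The code below is self-contained so it runs without the library: `cert_node` is a hypothetical stand-in holding only the two members used (`raw` and `next`), `der_to_pem()` re-implements the PEM framing, and the DER bytes are constructed placeholders, not real certificates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two mbedtls_x509_crt members this needs:
 * crt->raw (DER of the certificate) and crt->next (rest of the chain). */
typedef struct cert_node {
    const unsigned char *raw_p;
    size_t raw_len;
    struct cert_node *next;
} cert_node;

/* Same header/footer strings Mbed TLS uses for certificates, newline included. */
#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
#define PEM_END_CRT   "-----END CERTIFICATE-----\n"

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding; returns chars written, 0 if out is too small. */
static size_t b64_encode(const unsigned char *in, size_t len, char *out, size_t out_size)
{
    size_t need = 4 * ((len + 2) / 3), o = 0;
    if (out_size < need + 1) return 0;
    for (size_t i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Frame one DER blob as a PEM block with 64-column body lines. This is the same
 * job as mbedtls_pem_write_buffer(header, footer, der, der_len, buf, size, &olen).
 * Returns bytes written (excluding the NUL), 0 if buf cannot hold the block. */
static size_t der_to_pem(const char *header, const char *footer,
                         const unsigned char *der, size_t der_len,
                         char *buf, size_t buf_size)
{
    size_t b64_len = 4 * ((der_len + 2) / 3);
    char *b64 = malloc(b64_len + 1);
    if (b64 == NULL || b64_encode(der, der_len, b64, b64_len + 1) != b64_len) {
        free(b64);
        return 0;
    }
    size_t lines = (b64_len + 63) / 64;
    size_t need = strlen(header) + b64_len + lines + strlen(footer) + 1;
    if (buf_size < need) { free(b64); return 0; }

    size_t o = 0;
    memcpy(buf + o, header, strlen(header)); o += strlen(header);
    for (size_t i = 0; i < b64_len; i += 64) {
        size_t n = (b64_len - i < 64) ? b64_len - i : 64;
        memcpy(buf + o, b64 + i, n); o += n;
        buf[o++] = '\n';
    }
    memcpy(buf + o, footer, strlen(footer)); o += strlen(footer);
    buf[o] = '\0';
    free(b64);
    return o;
}

/* Walk the chain leaf-first (the order mbedtls_x509_crt_parse built it) and
 * append one PEM block per certificate. Returns total length, 0 on overflow. */
size_t chain_to_pem(const cert_node *chain, char *buf, size_t buf_size)
{
    size_t total = 0;
    if (buf_size > 0) buf[0] = '\0';
    for (const cert_node *c = chain; c != NULL; c = c->next) {
        size_t n = der_to_pem(PEM_BEGIN_CRT, PEM_END_CRT, c->raw_p, c->raw_len,
                              buf + total, buf_size - total);
        if (n == 0) return 0;
        total += n;
    }
    return total;
}

/* Constructed sample: two tiny DER SEQUENCEs standing in for leaf and issuer. */
static const unsigned char sample_leaf[]   = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char sample_issuer[] = { 0x30, 0x00 };

const cert_node *sample_chain(void)
{
    static cert_node issuer = { sample_issuer, sizeof sample_issuer, NULL };
    static cert_node leaf   = { sample_leaf, sizeof sample_leaf, &issuer };
    return &leaf;
}

int main(void)
{
    char out[512];
    size_t n = chain_to_pem(sample_chain(), out, sizeof out);
    if (n == 0) { fputs("buffer too small\n", stderr); return 1; }
    fputs(out, stdout);
    return 0;
}
```

With the real library the loop body becomes `mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT, c->raw.p, c->raw.len, buf + total, buf_size - total, &olen)` over `c = c->next`; its return value on a too-small buffer is `MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL` with the required size left in `olen`, so the storage buffer can be sized in a first pass before writing.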