mbedtls_x509_crt_parse returns a chain, no way to "unchain" or get an unchained copy #9793
Comments
Hi @Midar and thanks for your report! I agree your request is reasonable and our API is unfortunately not making it easy. I think there's a way to do what you want, specifically copy a single certificate with (To be clear: I'm not saying this is pretty, efficient or easy to discover - so a better API would be desirable. I'm just trying to offer a realistic solution that works now.)
Indeed, the documentation for the
That is indeed a very valid concern. An It would be nice to have an
But if the buffer has multiple certs, they would all be set and chained, right?
That certainly would be an option, but also only half the solution: I would also need something to chain the certificates again. Ideally there would be a function to take a cert out of a chain and a function to insert it into a chain. What I ended up with in the meantime is that I create a dummy chain object that wraps the entire chain. The certificate objects then reference the mbedtls_x509_crt and keep a reference to the dummy chain object (reference counted). On the other side, if I get wrapped certificates passed, I just get the dummy chain object from the certificate and unwrap that. Code is here: https://objfw.nil.im/file?name=src/tls/OFMbedTLSX509Certificate.m&ci=tls-server
I don't think so, the
Summary
mbedtls_x509_crt_parse returns mbedtls_x509_crt with the next pointer set. While this is fine for many use cases, it does not allow keeping a single certificate. Creating any kind of wrapper for X.509 certificates, as is often required with applications that support multiple TLS implementations, requires being able to parse a set of certificates and wrap every certificate separately.

System information
Mbed TLS version (number or commit id): 2.28.9
Operating system and version: Linux
Configuration (if not default, please attach mbedtls_config.h): Fedora default
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): Fedora package
Additional environment information:

Expected behavior
There is either a way to get an array of certificates, a way to break the chain and get individual certificates, or a function that copies a single certificate with next not being set.

Actual behavior
There is no way to get the certificates in a way that they are not referencing each other. I have not tried what happens if I break the chain manually by setting next to NULL. Given it's not documented, I would expect nothing good would come from it and that even if it works now, it might cause memory corruption in the future.

Steps to reproduce
Call mbedtls_x509_crt_parse

Additional information