The problem of cross certificate verification #3975

Closed
timothy110 opened this issue Dec 28, 2020 · 1 comment
@timothy110

Description

  • Type: Enhancement\Feature Request
  • Priority: Blocker

On embedded devices with limited memory, we need to integrate 17 certificates. Due to limited memory, we can't import 17 certificates into RAM via the mbedtls_ssl_conf_ca_chain function at one time. So we have to use mbedtls_ssl_conf_verify to register a callback function to verify the cert. But it cannot verify cross certification this way. For example, the cross certificate's issuer is r1 and its subject is r2, and we only have the r2 certificate. But it must have the r1 certificate to verify with the callback function approach.

Enhancement\Feature Request

Justification - why does the library need this feature?
On embedded devices with limited memory, we can't import many certificates into RAM. But the way of verifying certificates with a callback function can't verify cross certificates successfully.

Suggested enhancement



mpg commented Dec 29, 2020

Hi @timothy110 and thanks for your interest in Mbed TLS. If I understand your use case correctly, mbedtls_ssl_conf_verify() is not suitable to meet your needs. Fortunately, we have another callback that I think does exactly what you want: mbedtls_ssl_conf_ca_cb() is a replacement for mbedtls_ssl_conf_ca_chain() that allows dynamic loading of the trusted roots/CAs, hence avoiding the need to have all of them in RAM at once.

See the documentation for this API in include/mbedtls/ssl.h, or the description in the PR that introduced it: #2532

I'm closing this issue as I think we're already providing an API that supports your use case. If you need help using that API, feel free to discuss it on our mailing list.
