Skip to content

extmod/mbedtls: enable PEM parsing.#145

Closed
kwagyeman wants to merge 1 commit into
openmv:openmv-1.28.0from
kwagyeman:kwabena/mbedtls-pem-parse
Closed

extmod/mbedtls: enable PEM parsing.#145
kwagyeman wants to merge 1 commit into
openmv:openmv-1.28.0from
kwagyeman:kwabena/mbedtls-pem-parse

Conversation

@kwagyeman

Copy link
Copy Markdown
Member

The mbedtls config built only DER support, so the ssl module could load certificates and keys only in DER form, and load_verify_locations could hold just a single certificate (mbedtls >= 3.5 rejects DER buffers with trailing bytes, so concatenated DER doesn't work either).

Enable MBEDTLS_PEM_PARSE_C (with its required MBEDTLS_BASE64_C) so the stack accepts PEM directly -- the format every tool emits -- and so a single load_verify_locations(cadata=...) can load multiple concatenated PEM certificates as a CA bundle (mbedtls_x509_crt_parse iterates PEM blocks). This is needed to verify public servers whose issuing CA rotates among several roots, where pinning one root is fragile. Costs a few KB of flash for base64 + PEM.

The mbedtls config built only DER support, so the ssl module could load
certificates and keys only in DER form, and `load_verify_locations` could hold
just a single certificate (mbedtls >= 3.5 rejects DER buffers with trailing
bytes, so concatenated DER doesn't work either).

Enable MBEDTLS_PEM_PARSE_C (with its required MBEDTLS_BASE64_C) so the stack
accepts PEM directly -- the format every tool emits -- and so a single
`load_verify_locations(cadata=...)` can load multiple concatenated PEM
certificates as a CA bundle (mbedtls_x509_crt_parse iterates PEM blocks). This
is needed to verify public servers whose issuing CA rotates among several roots,
where pinning one root is fragile. Costs a few KB of flash for base64 + PEM.

Signed-off-by: Kwabena W. Agyeman <kwagyeman@live.com>
@kwagyeman kwagyeman requested a review from iabdalkader June 26, 2026 06:24
@iabdalkader

iabdalkader commented Jul 4, 2026

Copy link
Copy Markdown
Member

Would rather not add custom stuff that we have to maintain. You can enable this per-board, for the board you need, via MBEDTLS_CONFIG_FILE. See Arduino boards for an example. I couldn't find a way to enable it globally. Might be worth asking Damien too.

@iabdalkader iabdalkader closed this Jul 4, 2026
@kwagyeman

Copy link
Copy Markdown
Member Author

Asked upstream: micropython#19423

Yeah, it's a pretty useful feature for TLS to be usable. Boards just support one cert right now. But, if you wanted to download data from Cloudflare from a board, its root cert rotates, requiring the board to be able to support multiple certs. Should really be something all MP boards get that have TLS support.

@iabdalkader

Copy link
Copy Markdown
Member

Okay, you can just enable it with a custom board mbedtls config for now, better than custom patches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants