From 3460d18d3ff4355727c2321aa2c9f3dc2479eb37 Mon Sep 17 00:00:00 2001 From: "Kwabena W. Agyeman" Date: Thu, 25 Jun 2026 23:04:25 -0700 Subject: [PATCH] extmod/mbedtls: enable PEM parsing. The mbedtls config built only DER support, so the ssl module could load certificates and keys only in DER form, and `load_verify_locations` could hold just a single certificate (mbedtls >= 3.5 rejects DER buffers with trailing bytes, so concatenated DER doesn't work either). Enable MBEDTLS_PEM_PARSE_C (with its required MBEDTLS_BASE64_C) so the stack accepts PEM directly -- the format every tool emits -- and so a single `load_verify_locations(cadata=...)` can load multiple concatenated PEM certificates as a CA bundle (mbedtls_x509_crt_parse iterates PEM blocks). This is needed to verify public servers whose issuing CA rotates among several roots, where pinning one root is fragile. Costs a few KB of flash for base64 + PEM. Signed-off-by: Kwabena W. Agyeman --- extmod/mbedtls/mbedtls_config_common.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index 040b0598dce..4ef0f3542ae 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h @@ -67,6 +67,7 @@ #define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BASE64_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C @@ -79,6 +80,7 @@ #define MBEDTLS_MD_C #define MBEDTLS_MD5_C #define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PKCS5_C #define MBEDTLS_PK_C #define MBEDTLS_PK_HAVE_ECC_KEYS