Let’s say I would want to find all certificates that correspond to the chain of my leaf certificate. Is there a built-in function inside mbedtls for that?
Somethign like Input: Leaf Certificate - Output: Leaf Certificate - Sub CA of Leaf - Root CA of Sub CA
If not, what fields would I have to compare inside two certificates to deduce that the leaf certificate really is part of the SubCA / CA’s PKI.
Issuer Leaf == CA Subject
Leaf AKI == CA SKI
I am not sure I follow your use case.
As mentioned in other post, I would suggest you follow what is done in
However, this function only finds a candidate for a parent, f course, the parent’s public key(embedded in its certificate) should be used to verify the leaf certificate, so even if the parent has correct Issuer name, the signature algorithm should be correct, and also, verified ( e.g. not expired, revoked, etc…)
Mbed TLS Support
Thanks for your reply. For now I first just do a simple Issuer = Subject comparison and chain all certificates that meet that criteria. In the end I will do a complete chain verification with the function mbedTLS itself uses for validating the certificate (chain).
Might not be the most optimized solution as in case of an error you’d be able to stop much earlier but it is a viable solution.