manually parse CA certs rather than using mbedtls's code

mbedtls_x509_crt_parse_file() is slow. This affected startup time by a lot. See Mbed-TLS/mbedtls#4814
opatomic · Oct 12, 2021 · 160791c · 160791c
1 parent 40a48b8
commit 160791c
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/src/opatls/mbed.c b/src/opatls/mbed.c
@@ -225,6 +225,19 @@ int mbedCfgInit(mbedCfg* cfg, int isServer) {
 	return err;
 }
 
+static int addnextcert(void* ctx, const void* buff, size_t len) {
+	mbedCfg* cfg = ctx;
+	int mbederr = mbedtls_x509_crt_parse_der(&cfg->mbedcacert, buff, len);
+	if (mbederr) {
+		// TODO: handle more error codes here?
+		if (mbederr == MBEDTLS_ERR_X509_ALLOC_FAILED) {
+			return OPA_ERR_NOMEM;
+		}
+		//OPALOG("err when adding CA cert");
+	}
+	return 0;
+}
+
 int mbedCfgAddCACertsFile(mbedCfg* cfg, const char* filepath) {
 #ifdef _WIN32
 	if (startsWith(filepath, MBED_SYSCERTSTORE_PREFIX)) {
@@ -238,8 +251,9 @@ int mbedCfgAddCACertsFile(mbedCfg* cfg, const char* filepath) {
 #endif
 	// TODO: log if some certs were not parsed properly? (this can indicate that mbedtls was not compiled with support
 	//   for things such as sha-1, sha-512, specific ec curves, etc)
-	mbedtls_x509_crt_parse_file(&cfg->mbedcacert, filepath);
-	return 0;
+
+	// note: mbedtls_x509_crt_parse_file() is slow in mbedtls now. see https://github.com/ARMmbed/mbedtls/issues/4814
+	return tlsutilsIterateCerts(filepath, cfg, addnextcert);
 }
 
 int mbedCfgUseCert(mbedCfg* cfg, const char* cert, const char* key) {