From 160791ccb653bdbb76fd6fc879b2de63114bbe47 Mon Sep 17 00:00:00 2001 From: opatomic Date: Tue, 12 Oct 2021 17:36:01 -0400 Subject: [PATCH] manually parse CA certs rather than using mbedtls's code mbedtls_x509_crt_parse_file() is slow. This affected startup time by a lot. See https://github.com/ARMmbed/mbedtls/issues/4814 --- src/opatls/mbed.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/opatls/mbed.c b/src/opatls/mbed.c index e380259..420378a 100644 --- a/src/opatls/mbed.c +++ b/src/opatls/mbed.c @@ -225,6 +225,19 @@ int mbedCfgInit(mbedCfg* cfg, int isServer) { return err; } +static int addnextcert(void* ctx, const void* buff, size_t len) { + mbedCfg* cfg = ctx; + int mbederr = mbedtls_x509_crt_parse_der(&cfg->mbedcacert, buff, len); + if (mbederr) { + // TODO: handle more error codes here? + if (mbederr == MBEDTLS_ERR_X509_ALLOC_FAILED) { + return OPA_ERR_NOMEM; + } + //OPALOG("err when adding CA cert"); + } + return 0; +} + int mbedCfgAddCACertsFile(mbedCfg* cfg, const char* filepath) { #ifdef _WIN32 if (startsWith(filepath, MBED_SYSCERTSTORE_PREFIX)) { @@ -238,8 +251,9 @@ int mbedCfgAddCACertsFile(mbedCfg* cfg, const char* filepath) { #endif // TODO: log if some certs were not parsed properly? (this can indicate that mbedtls was not compiled with support // for things such as sha-1, sha-512, specific ec curves, etc) - mbedtls_x509_crt_parse_file(&cfg->mbedcacert, filepath); - return 0; + + // note: mbedtls_x509_crt_parse_file() is slow in mbedtls now. see https://github.com/ARMmbed/mbedtls/issues/4814 + return tlsutilsIterateCerts(filepath, cfg, addnextcert); } int mbedCfgUseCert(mbedCfg* cfg, const char* cert, const char* key) {
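Review bot: addnextcert maps every mbedtls_x509_crt_parse_der failure except MBEDTLS_ERR_X509_ALLOC_FAILED to success, so a CA that mbedtls rejects — a corrupt bundle entry, or a hash/curve/signature algorithm compiled out, as the TODO in the second hunk already anticipates — is dropped without a trace and only surfaces later as chain-verification failures on hosts issued under that root. The old code discarded the result too, but the commented-out OPALOG is now the exact point where the evidence should be emitted: re-enable it as `OPALOG("err when adding CA cert");` and, if OPALOG can carry arguments, include `-mbederr` in hex so a "feature unavailable" code such as MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG can be told apart from bad data. Continuing past a bad certificate is the right best-effort behaviour for a trust bundle, so I would not fail the whole load here, only make the skip visible. One assumption worth a comment on the function: this relies on mbedtls_x509_crt_parse_der copying the DER into the chain (the `_nocopy` variant would not), so `buff` need not outlive the callback even if tlsutilsIterateCerts reuses its buffer — `// note: parse_der copies buff into the chain, so the iterator may reuse it`.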
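Review bot: The return contract of mbedCfgAddCACertsFile changes here from an unconditional 0 to whatever tlsutilsIterateCerts returns, and the hunk neither documents what that value means nor checks that any CA actually landed in cfg->mbedcacert, so a bundle that opens fine but yields zero parsable certificates now succeeds exactly like a good one and leaves the trust store empty. Whether a per-certificate parse failure is ever visible to the caller also depends on what tlsutilsIterateCerts does with addnextcert's result, which is not in this diff, so at minimum the function comment should state the contract: `// Returns 0 on success or an OPA_ERR_* code from the iterator; individual unparsable certs are skipped, not reported.` I would split the call as `int err = tlsutilsIterateCerts(filepath, cfg, addnextcert); if (err) { return err; }` and follow it with an empty-store check — mbedtls leaves an untouched chain head with `raw.p == NULL` after mbedtls_x509_crt_init, so `if (cfg->mbedcacert.raw.p == NULL)` can flag "nothing loaded", provided mbedcacert is initialized that way, which this diff does not show. mbedCfgAddCACertsFile begins before this hunk, in the `#ifdef _WIN32` branch that handles the system store prefix.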