curl · sergio-nsk · Mar 13, 2024 · May 24, 2024
diff --git a/docs/libcurl/opts/CURLINFO_CERTINFO.md b/docs/libcurl/opts/CURLINFO_CERTINFO.md
@@ -93,9 +93,10 @@ See also the *certinfo.c* example.
 
 # AVAILABILITY
 
-This option is only working in libcurl built with OpenSSL, GnuTLS, Schannel or
-Secure Transport. GnuTLS support added in 7.42.0. Schannel support added in
-7.50.0. Secure Transport support added in 7.79.0.
+This option is only working in libcurl built with OpenSSL, GnuTLS, Schannel,
+Secure Transport or mbedTLS. GnuTLS support added in 7.42.0. Schannel support
+added in 7.50.0. Secure Transport support added in 7.79.0. mbedTLS support added
+in 8.9.0.
 
 Added in 7.19.1
 

diff --git a/docs/libcurl/opts/CURLOPT_CERTINFO.md b/docs/libcurl/opts/CURLOPT_CERTINFO.md
@@ -85,6 +85,7 @@ int main(void)
 # AVAILABILITY
 
 Schannel support added in 7.50.0. Secure Transport support added in 7.79.0.
+mbedTLS support added in 8.9.0.
 
 # RETURN VALUE
 

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
@@ -75,6 +75,7 @@
 #include "mbedtls.h"
 #include "vtls.h"
 #include "vtls_int.h"
+#include "x509asn1.h"
 #include "parsedate.h"
 #include "connect.h" /* for the connect timeout */
 #include "select.h"
@@ -896,6 +897,60 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   return CURLE_OK;
 }
 
+static int count_server_cert(const mbedtls_x509_crt *peercert)
+{
+  int count = 1;
+
+  DEBUGASSERT(peercert);
+
+  while(peercert->next) {
+    ++count;
+    peercert = peercert->next;
+  }
+  return count;
+}
+
+static CURLcode collect_server_cert_single(struct Curl_easy *data,
+                                           const mbedtls_x509_crt *server_cert,
+                                           int idx)
+{
+  const char *beg, *end;
+
+  DEBUGASSERT(server_cert);
+
+  beg = (const char *)server_cert->raw.p;
+  end = beg + server_cert->raw.len;
+  return Curl_extract_certinfo(data, idx, beg, end);
+}
+
+static CURLcode collect_server_cert(struct Curl_cfilter *cf,
+                                    struct Curl_easy *data,
+                                    const struct mbedtls_x509_crt *peercert)
+{
+#ifndef CURL_DISABLE_VERBOSE_STRINGS
+  const bool show_verbose_server_cert = data->set.verbose;
+#else
+  const bool show_verbose_server_cert = false;
+#endif
+  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
+  CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
+  int i, count;
+
+  if(!show_verbose_server_cert && !ssl_config->certinfo)
+    return CURLE_OK;
+
+  if(!peercert)
+    return result;
+
+  count = count_server_cert(peercert);
+  result = Curl_ssl_init_certinfo(data, count);
+  for(i = 0 ; !result && peercert ; i++) {
+    result = collect_server_cert_single(data, peercert, i);
+    peercert = peercert->next;
+  }
+  return result;
+}
+
 static CURLcode
 mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
 {
@@ -972,6 +1027,12 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
 
   peercert = mbedtls_ssl_get_peer_cert(&backend->ssl);
 
+  if(peercert) {
+    const CURLcode result = collect_server_cert(cf, data, peercert);
+    if(result)
+      return result;
+  }
+
   if(peercert && data->set.verbose) {
 #ifndef MBEDTLS_X509_REMOVE_INFO
     const size_t bufsize = 16384;
@@ -1488,6 +1549,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 
   SSLSUPP_CA_PATH |
   SSLSUPP_CAINFO_BLOB |
+  SSLSUPP_CERTINFO |
   SSLSUPP_PINNEDPUBKEY |
   SSLSUPP_SSL_CTX |
   SSLSUPP_HTTPS_PROXY,

diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
@@ -25,13 +25,15 @@
 #include "curl_setup.h"
 
 #if defined(USE_GNUTLS) || defined(USE_WOLFSSL) ||      \
-  defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
+  defined(USE_SCHANNEL) || defined(USE_SECTRANSP) ||    \
+  defined(USE_MBEDTLS)
 
 #if defined(USE_WOLFSSL) || defined(USE_SCHANNEL)
 #define WANT_PARSEX509 /* uses Curl_parseX509() */
 #endif
 
-#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+  defined(USE_MBEDTLS)
 #define WANT_EXTRACT_CERTINFO /* uses Curl_extract_certinfo() */
 #define WANT_PARSEX509 /* ... uses Curl_parseX509() */
 #endif

diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h
@@ -28,7 +28,8 @@
 #include "curl_setup.h"
 
 #if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
-  defined(USE_SCHANNEL) || defined(USE_SECTRANSP)
+  defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+  defined(USE_MBEDTLS)
 
 #include "cfilters.h"
 #include "urldata.h"

diff --git a/tests/data/test3102 b/tests/data/test3102
@@ -20,7 +20,6 @@ HTTP GET
 <features>
 SSL
 !bearssl
-!mbedtls
 !rustls
 !wolfssl
 </features>

diff --git a/tests/test1275.pl b/tests/test1275.pl
@@ -32,6 +32,7 @@
 my %accepted=('curl' => 1,
               'libcurl' => 1,
               'macOS' => 1,
+              'mbedTLS' => 1,
               'c-ares' => 1);
 
 sub checkfile {