extern crate alloc;
use mbedtls::alloc::List as MbedtlsList;
use mbedtls::x509::Certificate as MbedtlsCertificate;
use super::error::{Result, X509Error};
/// Converts an mbedtls error into this module's [`X509Error`], preserving the
/// original error's `Debug` rendering so the mbedtls error code is not lost.
fn map_mbedtls_err(e: mbedtls::Error) -> X509Error {
    let message = alloc::format!("mbedtls: {e:?}");
    X509Error::Message(message)
}
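/// Verifies the DER-encoded certificate chain `chain_der` against the
/// PEM-encoded trust anchors in `trust_roots_pem`.
///
/// Chain building and signature verification are delegated to mbedtls. Two
/// things are deliberately *not* done here and must be handled by the caller:
/// no CRL is passed to mbedtls, so revocation status is never consulted, and
/// no subject/SAN check is performed, so the end-entity certificate is not
/// bound to any expected peer identity.
///
/// NOTE(review): mbedtls treats the first list entry as the end-entity
/// certificate, so `chain_der` is expected leaf-first — confirm with callers.
///
/// # Errors
/// Returns [`X509Error::InvalidInput`] when `chain_der` or `trust_roots_pem`
/// is empty, and [`X509Error::Message`] when mbedtls cannot parse a
/// certificate or rejects the chain (mbedtls' verification info string is
/// appended to the message).
pub fn verify_chain(chain_der: &[&[u8]], trust_roots_pem: &[u8]) -> Result<()> {
    // Fail fast: an empty chain has nothing to verify and an empty trust store
    // can never anchor one, so neither should reach mbedtls.
    if chain_der.is_empty() || trust_roots_pem.is_empty() {
        return Err(X509Error::InvalidInput);
    }

    let mut chain = MbedtlsList::new();
    for der in chain_der {
        chain.push(MbedtlsCertificate::from_der(der).map_err(map_mbedtls_err)?);
    }

    // mbedtls only recognises PEM input when the buffer ends in a NUL byte;
    // copy the roots once (with room for the terminator) and append it if the
    // caller did not.
    let mut trust = alloc::vec::Vec::with_capacity(trust_roots_pem.len() + 1);
    trust.extend_from_slice(trust_roots_pem);
    if trust.last().copied() != Some(0) {
        trust.push(0);
    }
    let trust_ca = MbedtlsCertificate::from_pem_multiple(&trust).map_err(map_mbedtls_err)?;

    // Third argument is the CRL list: `None` means revocation is not checked.
    // `err` receives mbedtls' human-readable verification info on failure.
    let mut err = alloc::string::String::new();
    MbedtlsCertificate::verify(&chain, &trust_ca, None, Some(&mut err))
        .map_err(|e| X509Error::Message(alloc::format!("verify failed: {e}; {err}")))
}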