I recently created a transparent proxy project that includes the ability to decrypt HTTPS streams. I use Mbed TLS to dynamically generate certificates (obtain the original certificate of the domain name from the website, extract the necessary information from it, and then use this information together with my own root certificate to generate a new certificate).

I found that mbedtls_x509write_crt_der returns the error value MBEDTLS_ERR_ASN1_BUF_TOO_SMALL when regenerating a certificate for some domain names.

After debugging, I found that the problem is related to a fixed-size array in mbedtls_x509write_crt_der: `unsigned char tmp_buf[2048];`

If there is too much content in the certificate of a domain name (I tested the domain name 'www.xiami.com'; it contains more than one hundred DNS names!), the array size is not enough to hold them.
@raprepo Thank you for reporting this issue!
As you know, the main purpose of Mbed TLS is targeting embedded systems, where stack and heap usage are limited.
Increasing the size of the tmp_buf might help you, but it will affect many other users.
I agree the size limit should probably be documented better, though.
Nonetheless, we will take your case into consideration.
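To make the limit the reporter hit concrete, here is an added example that is neither the reporter's proxy code nor part of Mbed TLS. It computes the DER-encoded size of a SubjectAltName extension from its dNSName entries (RFC 5280 encoding rules) and compares it with the 2048-byte buffer named in the issue. The sample host names and the 19-character name length used for the budget calculation are constructed for illustration; the `2048` figure is the one quoted from the issue, and the real ceiling is lower because issuer, subject, validity and public key share the same buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in mbedtls_x509write_crt_der named in the issue.
 * The whole TBSCertificate is serialized into it, so every extension must fit
 * alongside issuer, subject, validity and the public key. */
#define X509_TMP_BUF_LEN 2048

/* Bytes needed for a DER length field describing `len` content bytes
 * (short form below 0x80, long form with 1..3 length bytes above). */
static size_t der_len_field_size(size_t len)
{
    if (len < 0x80)    return 1;
    if (len < 0x100)   return 2;
    if (len < 0x10000) return 3;
    return 4;
}

/* Encoded size of one TLV: tag byte + length field + content. */
static size_t der_tlv_size(size_t content_len)
{
    return 1 + der_len_field_size(content_len) + content_len;
}

/* Encoded size of the SubjectAltName extension (RFC 5280 section 4.2.1.6):
 *   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }
 *   extnValue wraps GeneralNames ::= SEQUENCE OF GeneralName, where each
 *   dNSName is [2] IMPLICIT IA5String (one tag byte, no nested TLV).
 * `inner_total` is the sum of the encoded dNSName TLVs. */
static size_t san_extension_size_from_inner(size_t inner_total)
{
    const size_t oid_tlv = 5;   /* 06 03 55 1D 11 = id-ce-subjectAltName (2.5.29.17) */
    size_t general_names = der_tlv_size(inner_total);
    size_t extn_value = der_tlv_size(general_names);
    return der_tlv_size(oid_tlv + extn_value);
}

/* SAN extension size for an explicit list of DNS names. */
size_t san_extension_size(const char *const *names, size_t count)
{
    size_t inner = 0;
    for (size_t i = 0; i < count; i++)
        inner += der_tlv_size(strlen(names[i]));
    return san_extension_size_from_inner(inner);
}

/* Same computation for `count` names that are all `name_len` characters long,
 * so the budget can be explored without building strings. */
size_t san_extension_size_uniform(size_t count, size_t name_len)
{
    return san_extension_size_from_inner(count * der_tlv_size(name_len));
}

/* Largest number of `name_len`-character DNS names whose SAN extension alone
 * fits in the buffer. Treat it as an upper bound: the rest of the
 * TBSCertificate still has to fit in what is left. */
size_t max_san_names_that_fit(size_t name_len)
{
    size_t count = 0;
    while (san_extension_size_uniform(count + 1, name_len) <= X509_TMP_BUF_LEN)
        count++;
    return count;
}

/* Pre-flight check a proxy could run before mbedtls_x509write_crt_der:
 * returns 1 if the SAN leaves any room at all, 0 if the call is certain to
 * fail with MBEDTLS_ERR_ASN1_BUF_TOO_SMALL (hypothetical helper, not an Mbed TLS API). */
int san_might_fit(const char *const *names, size_t count)
{
    return san_extension_size(names, count) < X509_TMP_BUF_LEN;
}

/* Constructed sample: three names of the shape a CDN certificate carries. */
static const char *const sample_names[] = {
    "www.example.com",
    "static.example.com",
    "cdn.example.com",
};

int main(void)
{
    size_t n = sizeof(sample_names) / sizeof(sample_names[0]);
    printf("SAN with %zu names: %zu bytes\n", n, san_extension_size(sample_names, n));
    printf("SAN with 120 names of 19 chars: %zu bytes (buffer is %d)\n",
           san_extension_size_uniform(120, 19), X509_TMP_BUF_LEN);
    printf("max 19-char names whose SAN alone fits: %zu\n", max_san_names_that_fit(19));
    return 0;
}
```

With 19-character names (roughly `hostNNN.example.com`), the extension alone crosses 2048 bytes at 97 entries, which matches the report that a certificate with more than a hundred DNS names cannot be regenerated. A proxy that copies SANs from upstream certificates can run this size check up front and either drop surplus names or fall back to a larger buffer in its own build, instead of discovering the limit through MBEDTLS_ERR_ASN1_BUF_TOO_SMALL at run time.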