Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Platform independent loading of local machine trusted root certificates #6598

Open MartyMcFlyInTheSky opened 1 year ago

MartyMcFlyInTheSky commented 1 year ago

Is there a way to bypass

mbedtls_x509_crt_parse_file(&ca_certs, "trusted_certs.pem");

and advise mbedtls to load the trusted root certificates from the local machine?

If not, this might be a very handy feature for everyone. For now I have to specifically write code for Windows and Linux.

Justification

Most of the time (I suppose) the mbedtls clients are initialized with the local machine trusted root certificates. Instead of having every client repeat the same code, this should really be supported by the mbedtls library. Of course, the parse file function should coexist.

gilles-peskine-arm commented 1 year ago

The way to load system certificates on Linux is

mbedtls_x509_crt_parse_path(chain, "/path/to/system/directory")

but I think the path depends on the distribution. Does Windows also offer the system certificates in a single directory, or is it some different interface?

Mbed TLS is very often used with custom infrastructure that doesn't use the system's trusted roots, but using the system trusted roots is common enough that it would make sense to have a way to configure them when Mbed TLS is installed as a system package.
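
The Linux approach from the comment above, as an added example that is not part of this thread or of Mbed TLS: it probes a few commonly used CA store locations and loads the first one found with the two parse functions quoted in this issue. The candidate paths, `find_ca_source`, `load_system_roots` and the `WITH_MBEDTLS` build macro are assumptions made for the illustration.

```c
/* Added example, not Mbed TLS code. The candidate paths are assumptions:
 * common per-distribution defaults, not an authoritative list. */
#include <stddef.h>
#include <sys/stat.h>
#ifdef WITH_MBEDTLS   /* hypothetical macro: -DWITH_MBEDTLS and link Mbed TLS */
#include <mbedtls/x509_crt.h>
#endif

struct ca_source { const char *path; int is_dir; };

const struct ca_source CA_SOURCES[] = {
    { "/etc/ssl/certs/ca-certificates.crt", 0 }, /* Debian, Ubuntu */
    { "/etc/pki/tls/certs/ca-bundle.crt",   0 }, /* Fedora, RHEL */
    { "/etc/ssl/ca-bundle.pem",             0 }, /* openSUSE */
    { "/etc/ssl/cert.pem",                  0 }, /* Alpine */
    { "/etc/ssl/certs",                     1 }, /* directory fallback */
};

/* Return the first entry that exists with the expected type, or NULL. */
const struct ca_source *find_ca_source(const struct ca_source *list, size_t n)
{
    struct stat st;
    for (size_t i = 0; i < n; i++) {
        if (stat(list[i].path, &st) != 0)
            continue;                       /* missing or unreadable */
        if (list[i].is_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode))
            return &list[i];
    }
    return NULL;
}

#ifdef WITH_MBEDTLS
/* Load system roots into an initialised chain. Returns 0 on success and -1
 * when no store was found or parsing failed; callers should treat -1 as
 * fatal instead of continuing without trusted roots. */
int load_system_roots(mbedtls_x509_crt *chain)
{
    const struct ca_source *src =
        find_ca_source(CA_SOURCES, sizeof CA_SOURCES / sizeof CA_SOURCES[0]);
    if (src == NULL)
        return -1;
    /* Both parse calls return a negative value on error and a positive
     * count of certificates that failed to parse; the latter is tolerated. */
    int ret = src->is_dir ? mbedtls_x509_crt_parse_path(chain, src->path)
                          : mbedtls_x509_crt_parse_file(chain, src->path);
    return ret < 0 ? -1 : 0;
}
#endif
```

The bundle files are tried before the directory because a certificate directory often holds each root twice (the file and a hash-named link to it), which would load duplicates into the chain.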

MartyMcFlyInTheSky commented 1 year ago

It is a bit more cumbersome on Windows, as usual. You basically have to export your certificates from the Windows certificate manager using a specific API: check out this thread. This could, however, be abstracted away with something like mbedtls_x509_pull_local_root_certificates(). It would work differently on embedded systems though, as there's often no filesystem, but one could support those specifically.

DemiMarie commented 1 year ago

On at least macOS, applications should use the system certificate verifier API rather than implementing certificate verification themselves. The default implementation may make blocking network requests, so an asynchronous version is recommended.