Return the constructed certificate chain during verification #68

Open
briansmith opened this issue Jan 10, 2018 · 1 comment

@briansmith
Owner

Some applications need to remember the certificate chain that was constructed during validation. This can be accomplished by having verify_is_valid_tls_server_cert(), verify_is_valid_tls_client_cert(), etc., return the constructed certificate chain.

We want certificate validation to be possible even in a heap-less #![no_std] environment so we cannot return the certificate chain as a Vec. Instead we need to use a type like ArrayVec that is guaranteed to never use the heap.

Note that we already maintain what is effectively a linked list in the child_cert fields, so it's basically just a matter of converting this linked list into an ArrayVec-like thing.
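
Added example, not part of the issue thread and not webpki's code: a sketch of turning a borrowed linked list of certificates into a fixed-capacity, heap-free chain. Only the field name `child_cert` comes from the comment above; the `Cert` and `Chain` types, `MAX_CHAIN_LEN`, the end-entity-first ordering and the assumption that each issuer node points at the certificate it signed are hypothetical.

```rust
// Added illustration; uses only `core` features (no Vec, no Box), so the same
// logic compiles under #![no_std]. All names except `child_cert` are hypothetical.

/// Assumed capacity; a real verifier would tie this to its path-length limit.
pub const MAX_CHAIN_LEN: usize = 8;

/// Constructed stand-in for a parsed certificate. Each issuer borrows the
/// certificate it signed, so the nodes form a linked list on the stack.
pub struct Cert<'a> {
    pub der: &'a [u8],
    pub child_cert: Option<&'a Cert<'a>>,
}

#[derive(Debug, PartialEq)]
pub struct ChainTooLong;

/// Fixed-capacity, heap-free chain: index 0 is the end-entity certificate.
pub struct Chain<'a> {
    certs: [&'a [u8]; MAX_CHAIN_LEN],
    len: usize,
}

impl<'a> Chain<'a> {
    /// `top` is the certificate closest to the trust anchor.
    pub fn from_linked(top: &Cert<'a>) -> Result<Self, ChainTooLong> {
        let empty: &'a [u8] = &[];
        let mut certs = [empty; MAX_CHAIN_LEN];
        let mut len = 0;
        let mut cur = Some(top);
        while let Some(cert) = cur {
            if len == MAX_CHAIN_LEN {
                return Err(ChainTooLong); // fail closed instead of truncating
            }
            certs[len] = cert.der;
            len += 1;
            cur = cert.child_cert;
        }
        certs[..len].reverse(); // walked issuer-first; store end-entity first
        Ok(Chain { certs, len })
    }

    pub fn as_slice(&self) -> &[&'a [u8]] {
        &self.certs[..self.len]
    }
}
```

The returned `Chain` borrows the DER bytes, so it cannot outlive the input buffers the certificates were parsed from.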

@akuanti

akuanti commented Sep 6, 2018

I would like to work on this, in service of getting subject name, etc., from the certificate. I'm not sure where to start, however. I'm also not familiar with the #![no_std] environment and what I would need to do to make sure things work in that environment. I would appreciate any guidance you could provide.

Do you mean that verify_cert::build_chain() needs to return something like arrayvec::ArrayVec<untrusted::Input>? Would this chain contain the root CA, then each intermediate CA, then the end entity cert? I don't quite understand the way the logic in build_chain() works.
