Merge pull request #605 from ARMmbed/x509_ondemand_remove_unneeded_fields

[Baremetal] Allow removal of unneeded fields in X.509 CRT structures
This commit is contained in:
Manuel Pégourié-Gonnard 2019-07-29 11:58:58 +02:00 committed by GitHub
commit 7c575d29dc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 145 additions and 2 deletions

View file

@ -122,6 +122,8 @@
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_CRT_REMOVE_TIME
#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
#define MBEDTLS_X509_ON_DEMAND_PARSING
#define MBEDTLS_X509_ALWAYS_FLUSH
#define MBEDTLS_ASN1_PARSE_C

View file

@ -793,6 +793,11 @@
#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \
defined(MBEDTLS_HAVE_TIME_DATE)
#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */

View file

@ -1942,6 +1942,29 @@
*/
//#define MBEDTLS_X509_REMOVE_INFO
/**
* \def MBEDTLS_X509_CRT_REMOVE_TIME
*
* Don't store time validity fields in X.509 certificate structures.
*
* Uncomment this to save some code and RAM on constrained systems which
* don't have time and where there's no use of the time validity fields
* in a certificate.
*
* Requires: !MBEDTLS_HAVE_TIME_DATE
*/
//#define MBEDTLS_X509_CRT_REMOVE_TIME
/**
* \def MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
*
* Don't store subject and issuer ID in X.509 certificate structures.
*
* Uncomment this to save some code and RAM on constrained systems which
* don't need to inspect issuer and subject ID fields in certificates.
*/
//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*

View file

@ -70,8 +70,10 @@ typedef struct mbedtls_x509_crt_frame
uint32_t ext_types; /**< Bitfield indicating which extensions are present.
* See the values in x509.h. */
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
mbedtls_x509_time valid_from; /**< The start time of certificate validity. */
mbedtls_x509_time valid_to; /**< The end time of certificate validity. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
mbedtls_x509_buf_raw raw; /**< The raw certificate data in DER. */
mbedtls_x509_buf_raw tbs; /**< The part of the CRT that is [T]o [B]e [S]igned. */
@ -80,10 +82,12 @@ typedef struct mbedtls_x509_crt_frame
mbedtls_x509_buf_raw pubkey_raw; /**< The raw public key data (DER). */
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
mbedtls_x509_buf_raw issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw sig; /**< Signature: hash of the tbs part signed with the private key. */
@ -123,14 +127,18 @@ typedef struct mbedtls_x509_crt
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
mbedtls_x509_buf pk_raw;
mbedtls_pk_context pk; /**< Container for the public key context. */
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */

View file

@ -564,6 +564,12 @@ static const char *features[] = {
#if defined(MBEDTLS_X509_REMOVE_INFO)
"MBEDTLS_X509_REMOVE_INFO",
#endif /* MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME)
"MBEDTLS_X509_CRT_REMOVE_TIME",
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
"MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID",
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */

View file

@ -223,16 +223,22 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
frame->version = crt->version;
frame->sig_md = crt->sig_md;
frame->sig_pk = crt->sig_pk;
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
frame->valid_from = crt->valid_from;
frame->valid_to = crt->valid_to;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
x509_buf_to_buf_raw( &frame->raw, &crt->raw );
x509_buf_to_buf_raw( &frame->tbs, &crt->tbs );
x509_buf_to_buf_raw( &frame->serial, &crt->serial );
x509_buf_to_buf_raw( &frame->pubkey_raw, &crt->pk_raw );
x509_buf_to_buf_raw( &frame->issuer_raw, &crt->issuer_raw );
x509_buf_to_buf_raw( &frame->subject_raw, &crt->subject_raw );
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
x509_buf_to_buf_raw( &frame->subject_id, &crt->subject_id );
x509_buf_to_buf_raw( &frame->issuer_id, &crt->issuer_id );
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
x509_buf_to_buf_raw( &frame->sig, &crt->sig );
x509_buf_to_buf_raw( &frame->v3_ext, &crt->v3_ext );
@ -694,6 +700,7 @@ static int x509_get_version( unsigned char **p,
return( 0 );
}
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
/*
* Validity ::= SEQUENCE {
* notBefore Time,
@ -725,7 +732,28 @@ static int x509_get_dates( unsigned char **p,
return( 0 );
}
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
static int x509_skip_dates( unsigned char **p,
const unsigned char *end )
{
int ret;
size_t len;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
end = *p + len;
if( *p != end )
return( MBEDTLS_ERR_X509_INVALID_DATE +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
/*
* X.509 v2/v3 unique identifier (not parsed)
*/
@ -752,6 +780,30 @@ static int x509_get_uid( unsigned char **p,
return( 0 );
}
#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
static int x509_skip_uid( unsigned char **p,
const unsigned char *end,
int n )
{
int ret;
size_t len;
if( *p == end )
return( 0 );
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
{
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
return( 0 );
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
}
*p += len;
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
static int x509_get_basic_constraints( unsigned char **p,
const unsigned char *end,
@ -1293,9 +1345,15 @@ static int x509_crt_parse_frame( unsigned char *start,
/*
* Validity ::= SEQUENCE { ...
*/
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to );
if( ret != 0 )
return( ret );
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
ret = x509_skip_dates( &p, end );
if( ret != 0 )
return( ret );
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
/*
* subject Name
@ -1334,6 +1392,7 @@ static int x509_crt_parse_frame( unsigned char *start,
if( frame->version != 1 )
{
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
/*
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
* -- If present, version shall be v2 or v3
@ -1349,6 +1408,14 @@ static int x509_crt_parse_frame( unsigned char *start,
ret = x509_get_uid( &p, end, &frame->subject_id, 2 /* implicit tag */ );
if( ret != 0 )
return( ret );
#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
ret = x509_skip_uid( &p, end, 1 /* implicit tag */ );
if( ret != 0 )
return( ret );
ret = x509_skip_uid( &p, end, 2 /* implicit tag */ );
if( ret != 0 )
return( ret );
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
}
/*
@ -1531,13 +1598,19 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
x509_buf_raw_to_buf( &crt->serial, &frame->serial );
x509_buf_raw_to_buf( &crt->issuer_raw, &frame->issuer_raw );
x509_buf_raw_to_buf( &crt->subject_raw, &frame->subject_raw );
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
x509_buf_raw_to_buf( &crt->issuer_id, &frame->issuer_id );
x509_buf_raw_to_buf( &crt->subject_id, &frame->subject_id );
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
x509_buf_raw_to_buf( &crt->sig, &frame->sig );
x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
crt->valid_from = frame->valid_from;
crt->valid_to = frame->valid_to;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
crt->version = frame->version;
crt->ca_istrue = frame->ca_istrue;
crt->max_pathlen = frame->max_pathlen;
@ -2270,6 +2343,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
ret = mbedtls_x509_dn_gets( p, n, subject );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
frame.valid_from.year, frame.valid_from.mon,
@ -2283,6 +2357,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
frame.valid_to.day, frame.valid_to.hour,
frame.valid_to.min, frame.valid_to.sec );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
@ -2897,11 +2972,13 @@ check_signature:
if( ret != 0 )
return( MBEDTLS_ERR_X509_FATAL_ERROR );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
!mbedtls_x509_time_is_future( &parent->valid_from ) )
{
parent_valid = 1;
}
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
/* basic parenting skills (name, CA bit, key usage) */
if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
@ -3198,11 +3275,13 @@ find_parent:
if( ret != 0 )
return( MBEDTLS_ERR_X509_FATAL_ERROR );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
/* Check time-validity (all certificates) */
if( mbedtls_x509_time_is_past( &child->valid_to ) )
*flags |= MBEDTLS_X509_BADCERT_EXPIRED;
if( mbedtls_x509_time_is_future( &child->valid_from ) )
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
/* Stop here for trusted roots (but not for trusted EE certs) */
if( child_is_trusted )

View file

@ -1546,6 +1546,22 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME)
if( strcmp( "MBEDTLS_X509_CRT_REMOVE_TIME", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_TIME );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
if( strcmp( "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
{

View file

@ -39,6 +39,8 @@
# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
# - this could be enabled if the respective tests were adapted
# MBEDTLS_X509_REMOVE_INFO
# MBEDTLS_X509_CRT_REMOVE_TIME
# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# and any symbol beginning _ALT
@ -102,6 +104,8 @@ MBEDTLS_SSL_NO_SESSION_RESUMPTION
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_X509_REMOVE_INFO
MBEDTLS_X509_CRT_REMOVE_TIME
MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION