Merge pull request #605 from ARMmbed/x509_ondemand_remove_unneeded_fields
[Baremetal] Allow removal of unneeded fields in X.509 CRT structures
7c575d29dc
@ -122,6 +122,8 @@
|
|||
#define MBEDTLS_X509_CHECK_KEY_USAGE
|
||||
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
|
||||
#define MBEDTLS_X509_REMOVE_INFO
|
||||
#define MBEDTLS_X509_CRT_REMOVE_TIME
|
||||
#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
|
||||
#define MBEDTLS_X509_ON_DEMAND_PARSING
|
||||
#define MBEDTLS_X509_ALWAYS_FLUSH
|
||||
#define MBEDTLS_ASN1_PARSE_C
|
||||
|
|
|
@ -793,6 +793,11 @@
|
|||
#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \
|
||||
defined(MBEDTLS_HAVE_TIME_DATE)
|
||||
#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
|
||||
#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
|
||||
#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
|
||||
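Review bot: The new `#endif` closing the MBEDTLS_X509_CRT_REMOVE_TIME / MBEDTLS_HAVE_TIME_DATE check carries no trailing comment, unlike the neighbouring `#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */` and the rest of this file; write it as `#endif /* MBEDTLS_X509_CRT_REMOVE_TIME && MBEDTLS_HAVE_TIME_DATE */`. The check itself matches the "Requires: !MBEDTLS_HAVE_TIME_DATE" line in the config.h documentation added elsewhere in this commit, so nothing further is needed here.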
|
|
|
@ -1942,6 +1942,29 @@
|
|||
*/
|
||||
//#define MBEDTLS_X509_REMOVE_INFO
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CRT_REMOVE_TIME
|
||||
*
|
||||
* Don't store time validity fields in X.509 certificate structures.
|
||||
*
|
||||
* Uncomment this to save some code and RAM on constrained systems which
|
||||
* don't have time and where there's no use of the time validity fields
|
||||
* in a certificate.
|
||||
*
|
||||
* Requires: !MBEDTLS_HAVE_TIME_DATE
|
||||
*/
|
||||
//#define MBEDTLS_X509_CRT_REMOVE_TIME
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
|
||||
*
|
||||
* Don't store subject and issuer ID in X.509 certificate structures.
|
||||
*
|
||||
* Uncomment this to save some code and RAM on constrained systems which
|
||||
* don't need to inspect issuer and subject ID fields in certificates.
|
||||
*/
|
||||
//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
*
|
||||
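Review bot: The \def MBEDTLS_X509_CRT_REMOVE_TIME documentation describes the RAM/code saving but not the verification consequence: with the option defined, the `valid_from`/`valid_to` checks in x509_crt.c are compiled out, so certificate verification can no longer set MBEDTLS_X509_BADCERT_EXPIRED or MBEDTLS_X509_BADCERT_FUTURE and an expired or not-yet-valid certificate verifies like a current one. Add that to the doc comment, e.g. `* Warning: when this is defined, certificate validity periods are neither` followed by `* stored nor checked during verification (no BADCERT_EXPIRED / BADCERT_FUTURE).` The baremetal profile hunk at the top of this page enables the option by default, so that profile's header deserves the same caveat. The same omission applies to MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID only insofar as `issuer_id`/`subject_id` disappear from the public struct, which user code referencing them will notice at compile time; a one-line mention would still help.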
|
|
|
@ -70,8 +70,10 @@ typedef struct mbedtls_x509_crt_frame
|
|||
uint32_t ext_types; /**< Bitfield indicating which extensions are present.
|
||||
* See the values in x509.h. */
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
mbedtls_x509_time valid_from; /**< The start time of certificate validity. */
|
||||
mbedtls_x509_time valid_to; /**< The end time of certificate validity. */
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
mbedtls_x509_buf_raw raw; /**< The raw certificate data in DER. */
|
||||
mbedtls_x509_buf_raw tbs; /**< The part of the CRT that is [T]o [B]e [S]igned. */
|
||||
|
@ -80,10 +82,12 @@ typedef struct mbedtls_x509_crt_frame
|
|||
|
||||
mbedtls_x509_buf_raw pubkey_raw; /**< The raw public key data (DER). */
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
mbedtls_x509_buf_raw issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
|
||||
mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
|
||||
|
||||
mbedtls_x509_buf_raw subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
|
||||
mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
|
||||
mbedtls_x509_buf_raw subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
|
||||
|
||||
mbedtls_x509_buf_raw sig; /**< Signature: hash of the tbs part signed with the private key. */
|
||||
|
@ -123,14 +127,18 @@ typedef struct mbedtls_x509_crt
|
|||
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
|
||||
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
|
||||
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
mbedtls_x509_buf pk_raw;
|
||||
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
|
||||
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
|
||||
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
|
||||
|
||||
|
|
|
@ -564,6 +564,12 @@ static const char *features[] = {
|
|||
#if defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
"MBEDTLS_X509_REMOVE_INFO",
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
"MBEDTLS_X509_CRT_REMOVE_TIME",
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
"MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID",
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
|
||||
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
|
||||
|
|
|
@ -223,16 +223,22 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
|
|||
frame->version = crt->version;
|
||||
frame->sig_md = crt->sig_md;
|
||||
frame->sig_pk = crt->sig_pk;
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
frame->valid_from = crt->valid_from;
|
||||
frame->valid_to = crt->valid_to;
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
x509_buf_to_buf_raw( &frame->raw, &crt->raw );
|
||||
x509_buf_to_buf_raw( &frame->tbs, &crt->tbs );
|
||||
x509_buf_to_buf_raw( &frame->serial, &crt->serial );
|
||||
x509_buf_to_buf_raw( &frame->pubkey_raw, &crt->pk_raw );
|
||||
x509_buf_to_buf_raw( &frame->issuer_raw, &crt->issuer_raw );
|
||||
x509_buf_to_buf_raw( &frame->subject_raw, &crt->subject_raw );
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
x509_buf_to_buf_raw( &frame->subject_id, &crt->subject_id );
|
||||
x509_buf_to_buf_raw( &frame->issuer_id, &crt->issuer_id );
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
x509_buf_to_buf_raw( &frame->sig, &crt->sig );
|
||||
x509_buf_to_buf_raw( &frame->v3_ext, &crt->v3_ext );
|
||||
|
||||
|
@ -694,6 +700,7 @@ static int x509_get_version( unsigned char **p,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
/*
|
||||
* Validity ::= SEQUENCE {
|
||||
* notBefore Time,
|
||||
|
@ -725,7 +732,28 @@ static int x509_get_dates( unsigned char **p,
|
|||
|
||||
return( 0 );
|
||||
}
|
||||
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
static int x509_skip_dates( unsigned char **p,
|
||||
const unsigned char *end )
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
|
||||
|
||||
end = *p + len;
|
||||
|
||||
if( *p != end )
|
||||
return( MBEDTLS_ERR_X509_INVALID_DATE +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
/*
|
||||
* X.509 v2/v3 unique identifier (not parsed)
|
||||
*/
|
||||
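Review bot: x509_skip_dates never advances past the Validity SEQUENCE it is meant to skip: after mbedtls_asn1_get_tag returns, `*p` points at the first content byte, so `end = *p + len;` followed by `if( *p != end )` rejects every Validity with a non-empty body with MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH, i.e. every well-formed certificate fails to parse once MBEDTLS_X509_CRT_REMOVE_TIME is defined. The sibling x509_skip_uid in the next hunk does this correctly with `*p += len;`; replace the `end` reassignment and the comparison here with the same `*p += len;` so the caller in x509_crt_parse_frame continues at the subject Name, and add a comment such as `/* Contents of Validity are not needed; skip them. */`. A test configuration that builds with the option and parses a real certificate would have caught this, and presumably the depends/config script hunks in this commit are the place to add one. Elsewhere in this file section, the find-parent hunk leaves `parent_valid` permanently 0 under the option; that looks intentional (the fallback path is outside the hunk), but a comment saying so would help the next reader.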
|
@ -752,6 +780,30 @@ static int x509_get_uid( unsigned char **p,
|
|||
|
||||
return( 0 );
|
||||
}
|
||||
#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
static int x509_skip_uid( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
int n )
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
|
||||
if( *p == end )
|
||||
return( 0 );
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
return( 0 );
|
||||
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
*p += len;
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
|
||||
static int x509_get_basic_constraints( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
|
@ -1293,9 +1345,15 @@ static int x509_crt_parse_frame( unsigned char *start,
|
|||
/*
|
||||
* Validity ::= SEQUENCE { ...
|
||||
*/
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
ret = x509_skip_dates( &p, end );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
/*
|
||||
* subject Name
|
||||
|
@ -1334,6 +1392,7 @@ static int x509_crt_parse_frame( unsigned char *start,
|
|||
|
||||
if( frame->version != 1 )
|
||||
{
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
/*
|
||||
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
||||
* -- If present, version shall be v2 or v3
|
||||
|
@ -1349,6 +1408,14 @@ static int x509_crt_parse_frame( unsigned char *start,
|
|||
ret = x509_get_uid( &p, end, &frame->subject_id, 2 /* implicit tag */ );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
ret = x509_skip_uid( &p, end, 1 /* implicit tag */ );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
ret = x509_skip_uid( &p, end, 2 /* implicit tag */ );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -1531,13 +1598,19 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
|
|||
x509_buf_raw_to_buf( &crt->serial, &frame->serial );
|
||||
x509_buf_raw_to_buf( &crt->issuer_raw, &frame->issuer_raw );
|
||||
x509_buf_raw_to_buf( &crt->subject_raw, &frame->subject_raw );
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
x509_buf_raw_to_buf( &crt->issuer_id, &frame->issuer_id );
|
||||
x509_buf_raw_to_buf( &crt->subject_id, &frame->subject_id );
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
|
||||
x509_buf_raw_to_buf( &crt->sig, &frame->sig );
|
||||
x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
crt->valid_from = frame->valid_from;
|
||||
crt->valid_to = frame->valid_to;
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
crt->version = frame->version;
|
||||
crt->ca_istrue = frame->ca_istrue;
|
||||
crt->max_pathlen = frame->max_pathlen;
|
||||
|
@ -2270,6 +2343,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
|
|||
ret = mbedtls_x509_dn_gets( p, n, subject );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
|
||||
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
|
||||
frame.valid_from.year, frame.valid_from.mon,
|
||||
|
@ -2283,6 +2357,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
|
|||
frame.valid_to.day, frame.valid_to.hour,
|
||||
frame.valid_to.min, frame.valid_to.sec );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
|
||||
|
@ -2897,11 +2972,13 @@ check_signature:
|
|||
if( ret != 0 )
|
||||
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
|
||||
!mbedtls_x509_time_is_future( &parent->valid_from ) )
|
||||
{
|
||||
parent_valid = 1;
|
||||
}
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
/* basic parenting skills (name, CA bit, key usage) */
|
||||
if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
|
||||
|
@ -3198,11 +3275,13 @@ find_parent:
|
|||
if( ret != 0 )
|
||||
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||
|
||||
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
/* Check time-validity (all certificates) */
|
||||
if( mbedtls_x509_time_is_past( &child->valid_to ) )
|
||||
*flags |= MBEDTLS_X509_BADCERT_EXPIRED;
|
||||
if( mbedtls_x509_time_is_future( &child->valid_from ) )
|
||||
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
|
||||
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
/* Stop here for trusted roots (but not for trusted EE certs) */
|
||||
if( child_is_trusted )
|
||||
|
|
|
@ -1546,6 +1546,22 @@ int query_config( const char *config )
|
|||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME)
|
||||
if( strcmp( "MBEDTLS_X509_CRT_REMOVE_TIME", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_TIME );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
|
||||
if( strcmp( "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
|
||||
{
|
||||
|
|
|
@ -39,6 +39,8 @@
|
|||
# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
# - this could be enabled if the respective tests were adapted
|
||||
# MBEDTLS_X509_REMOVE_INFO
|
||||
# MBEDTLS_X509_CRT_REMOVE_TIME
|
||||
# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
|
||||
# MBEDTLS_ZLIB_SUPPORT
|
||||
# MBEDTLS_PKCS11_C
|
||||
# and any symbol beginning _ALT
|
||||
|
@ -102,6 +104,8 @@ MBEDTLS_SSL_NO_SESSION_RESUMPTION
|
|||
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
|
||||
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
MBEDTLS_X509_REMOVE_INFO
|
||||
MBEDTLS_X509_CRT_REMOVE_TIME
|
||||
MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
|
||||
MBEDTLS_ZLIB_SUPPORT
|
||||
MBEDTLS_PKCS11_C
|
||||
MBEDTLS_NO_UDBL_DIVISION
|
||||
|
|