diff --git a/configs/baremetal.h b/configs/baremetal.h index aadbd09d5..9929d5657 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -122,6 +122,8 @@ #define MBEDTLS_X509_CHECK_KEY_USAGE #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE #define MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_CRT_REMOVE_TIME +#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID #define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ALWAYS_FLUSH #define MBEDTLS_ASN1_PARSE_C diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 576349fbb..29e61db84 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -793,6 +793,11 @@ #error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \ + defined(MBEDTLS_HAVE_TIME_DATE) +#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously" +#endif + #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64) #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously" #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */ diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index fb0f26ea9..643641169 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1942,6 +1942,29 @@ */ //#define MBEDTLS_X509_REMOVE_INFO +/** + * \def MBEDTLS_X509_CRT_REMOVE_TIME + * + * Don't store time validity fields in X.509 certificate structures. + * + * Uncomment this to save some code and RAM on constrained systems which + * don't have time and where there's no use of the time validity fields + * in a certificate. + * + * Requires: !MBEDTLS_HAVE_TIME_DATE + */ +//#define MBEDTLS_X509_CRT_REMOVE_TIME + +/** + * \def MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID + * + * Don't store subject and issuer ID in X.509 certificate structures. + * + * Uncomment this to save some code and RAM on constrained systems which + * don't need to inspect issuer and subject ID fields in certificates. + */ +//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID + /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 5212e6795..c8f488c5c 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -70,8 +70,10 @@ typedef struct mbedtls_x509_crt_frame uint32_t ext_types; /**< Bitfield indicating which extensions are present. * See the values in x509.h. */ +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) mbedtls_x509_time valid_from; /**< The start time of certificate validity. */ mbedtls_x509_time valid_to; /**< The end time of certificate validity. */ +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ mbedtls_x509_buf_raw raw; /**< The raw certificate data in DER. */ mbedtls_x509_buf_raw tbs; /**< The part of the CRT that is [T]o [B]e [S]igned. */ @@ -80,10 +82,12 @@ typedef struct mbedtls_x509_crt_frame mbedtls_x509_buf_raw pubkey_raw; /**< The raw public key data (DER). */ +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) mbedtls_x509_buf_raw issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ - mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ - mbedtls_x509_buf_raw subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ +#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ + + mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ mbedtls_x509_buf_raw subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ mbedtls_x509_buf_raw sig; /**< Signature: hash of the tbs part signed with the private key. */ @@ -123,14 +127,18 @@ typedef struct mbedtls_x509_crt mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ mbedtls_x509_time valid_to; /**< End time of certificate validity. */ +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ mbedtls_x509_buf pk_raw; mbedtls_pk_context pk; /**< Container for the public key context. */ +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ +#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ diff --git a/library/version_features.c b/library/version_features.c index 3753864d0..51ce7801d 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -564,6 +564,12 @@ static const char *features[] = { #if defined(MBEDTLS_X509_REMOVE_INFO) "MBEDTLS_X509_REMOVE_INFO", #endif /* MBEDTLS_X509_REMOVE_INFO */ +#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) + "MBEDTLS_X509_CRT_REMOVE_TIME", +#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */ +#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) + "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", +#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) "MBEDTLS_X509_RSASSA_PSS_SUPPORT", #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/x509_crt.c b/library/x509_crt.c index 24ef0e655..4e5ff43bd 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -223,16 +223,22 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt ) frame->version = crt->version; frame->sig_md = crt->sig_md; frame->sig_pk = crt->sig_pk; + +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) frame->valid_from = crt->valid_from; frame->valid_to = crt->valid_to; +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ + x509_buf_to_buf_raw( &frame->raw, &crt->raw ); x509_buf_to_buf_raw( &frame->tbs, &crt->tbs ); x509_buf_to_buf_raw( &frame->serial, &crt->serial ); x509_buf_to_buf_raw( &frame->pubkey_raw, &crt->pk_raw ); x509_buf_to_buf_raw( &frame->issuer_raw, &crt->issuer_raw ); x509_buf_to_buf_raw( &frame->subject_raw, &crt->subject_raw ); +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) x509_buf_to_buf_raw( &frame->subject_id, &crt->subject_id ); x509_buf_to_buf_raw( &frame->issuer_id, &crt->issuer_id ); +#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ x509_buf_to_buf_raw( &frame->sig, &crt->sig ); x509_buf_to_buf_raw( &frame->v3_ext, &crt->v3_ext ); @@ -694,6 +700,7 @@ static int x509_get_version( unsigned char **p, return( 0 ); } +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) /* * Validity ::= SEQUENCE { * notBefore Time, @@ -725,7 +732,28 @@ static int x509_get_dates( unsigned char **p, return( 0 ); } +#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */ +static int x509_skip_dates( unsigned char **p, + const unsigned char *end ) +{ + int ret; + size_t len; + if( ( ret = mbedtls_asn1_get_tag( p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) + return( MBEDTLS_ERR_X509_INVALID_DATE + ret ); + + end = *p + len; + + if( *p != end ) + return( MBEDTLS_ERR_X509_INVALID_DATE + + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); + + return( 0 ); +} +#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */ + +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) /* * X.509 v2/v3 unique identifier (not parsed) */ @@ -752,6 +780,30 @@ static int x509_get_uid( unsigned char **p, return( 0 ); } +#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ +static int x509_skip_uid( unsigned char **p, + const unsigned char *end, + int n ) +{ + int ret; + size_t len; + + if( *p == end ) + return( 0 ); + + if( ( ret = mbedtls_asn1_get_tag( p, end, &len, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) + return( 0 ); + + return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); + } + + *p += len; + return( 0 ); +} +#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ static int x509_get_basic_constraints( unsigned char **p, const unsigned char *end, @@ -1293,9 +1345,15 @@ static int x509_crt_parse_frame( unsigned char *start, /* * Validity ::= SEQUENCE { ... */ +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to ); if( ret != 0 ) return( ret ); +#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */ + ret = x509_skip_dates( &p, end ); + if( ret != 0 ) + return( ret ); +#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */ /* * subject Name @@ -1334,6 +1392,7 @@ static int x509_crt_parse_frame( unsigned char *start, if( frame->version != 1 ) { +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) /* * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, * -- If present, version shall be v2 or v3 @@ -1349,6 +1408,14 @@ static int x509_crt_parse_frame( unsigned char *start, ret = x509_get_uid( &p, end, &frame->subject_id, 2 /* implicit tag */ ); if( ret != 0 ) return( ret ); +#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ + ret = x509_skip_uid( &p, end, 1 /* implicit tag */ ); + if( ret != 0 ) + return( ret ); + ret = x509_skip_uid( &p, end, 2 /* implicit tag */ ); + if( ret != 0 ) + return( ret ); +#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ } /* @@ -1531,13 +1598,19 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, x509_buf_raw_to_buf( &crt->serial, &frame->serial ); x509_buf_raw_to_buf( &crt->issuer_raw, &frame->issuer_raw ); x509_buf_raw_to_buf( &crt->subject_raw, &frame->subject_raw ); +#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) x509_buf_raw_to_buf( &crt->issuer_id, &frame->issuer_id ); x509_buf_raw_to_buf( &crt->subject_id, &frame->subject_id ); +#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw ); x509_buf_raw_to_buf( &crt->sig, &frame->sig ); x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext ); + +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) crt->valid_from = frame->valid_from; crt->valid_to = frame->valid_to; +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ + crt->version = frame->version; crt->ca_istrue = frame->ca_istrue; crt->max_pathlen = frame->max_pathlen; @@ -2270,6 +2343,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, ret = mbedtls_x509_dn_gets( p, n, subject ); MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP; +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) ret = mbedtls_snprintf( p, n, "\n%sissued on : " \ "%04d-%02d-%02d %02d:%02d:%02d", prefix, frame.valid_from.year, frame.valid_from.mon, @@ -2283,6 +2357,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, frame.valid_to.day, frame.valid_to.hour, frame.valid_to.min, frame.valid_to.sec ); MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP; +#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */ ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP; @@ -2897,11 +2972,13 @@ check_signature: if( ret != 0 ) return( MBEDTLS_ERR_X509_FATAL_ERROR ); +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) if( !mbedtls_x509_time_is_past( &parent->valid_to ) && !mbedtls_x509_time_is_future( &parent->valid_from ) ) { parent_valid = 1; } +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ /* basic parenting skills (name, CA bit, key usage) */ if( x509_crt_check_parent( child_sig, parent, top ) == 0 ) @@ -3198,11 +3275,13 @@ find_parent: if( ret != 0 ) return( MBEDTLS_ERR_X509_FATAL_ERROR ); +#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) /* Check time-validity (all certificates) */ if( mbedtls_x509_time_is_past( &child->valid_to ) ) *flags |= MBEDTLS_X509_BADCERT_EXPIRED; if( mbedtls_x509_time_is_future( &child->valid_from ) ) *flags |= MBEDTLS_X509_BADCERT_FUTURE; +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ /* Stop here for trusted roots (but not for trusted EE certs) */ if( child_is_trusted ) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 6766314a8..0f7251d45 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1546,6 +1546,22 @@ int query_config( const char *config ) } #endif /* MBEDTLS_X509_REMOVE_INFO */ +#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) + if( strcmp( "MBEDTLS_X509_CRT_REMOVE_TIME", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_TIME ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */ + +#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) + if( strcmp( "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID ); + return( 0 ); + } +#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) { diff --git a/scripts/config.pl b/scripts/config.pl index 1c7c736c6..e4648de52 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -39,6 +39,8 @@ # MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION # - this could be enabled if the respective tests were adapted # MBEDTLS_X509_REMOVE_INFO +# MBEDTLS_X509_CRT_REMOVE_TIME +# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID # MBEDTLS_ZLIB_SUPPORT # MBEDTLS_PKCS11_C # and any symbol beginning _ALT @@ -102,6 +104,8 @@ MBEDTLS_SSL_NO_SESSION_RESUMPTION MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_REMOVE_INFO +MBEDTLS_X509_CRT_REMOVE_TIME +MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C MBEDTLS_NO_UDBL_DIVISION