Introduce MBEDTLS_X509_CRT_REMOVE_TIME removing time fields from CRT

This commit is contained in:
Hanno Becker 2019-06-25 09:39:21 +01:00
parent 6f61b7bb5c
commit 843b71a1df
6 changed files with 66 additions and 0 deletions

View file

@ -104,6 +104,7 @@
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_CRT_REMOVE_TIME
#define MBEDTLS_X509_ON_DEMAND_PARSING
#define MBEDTLS_X509_ALWAYS_FLUSH
#define MBEDTLS_ASN1_PARSE_C

View file

@ -750,6 +750,11 @@
#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \
defined(MBEDTLS_HAVE_TIME_DATE)
#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */

View file

@ -1942,6 +1942,19 @@
*/
//#define MBEDTLS_X509_REMOVE_INFO
/**
* \def MBEDTLS_X509_CRT_REMOVE_TIME
*
* Don't store time validity fields in X.509 certificate structures.
*
* Uncomment this to save some code and RAM on constrained systems which
* don't have time and where there's no use of the time validity fields
* in a certificate.
*
* Requires: !MBEDTLS_HAVE_TIME_DATE
*/
//#define MBEDTLS_X509_CRT_REMOVE_TIME
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*

View file

@ -70,8 +70,10 @@ typedef struct mbedtls_x509_crt_frame
uint32_t ext_types; /**< Bitfield indicating which extensions are present.
* See the values in x509.h. */
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
mbedtls_x509_time valid_from; /**< The start time of certificate validity. */
mbedtls_x509_time valid_to; /**< The end time of certificate validity. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
mbedtls_x509_buf_raw raw; /**< The raw certificate data in DER. */
mbedtls_x509_buf_raw tbs; /**< The part of the CRT that is [T]o [B]e [S]igned. */
@ -123,8 +125,10 @@ typedef struct mbedtls_x509_crt
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
mbedtls_x509_buf pk_raw;
mbedtls_pk_context pk; /**< Container for the public key context. */

View file

@ -223,8 +223,12 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
frame->version = crt->version;
frame->sig_md = crt->sig_md;
frame->sig_pk = crt->sig_pk;
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
frame->valid_from = crt->valid_from;
frame->valid_to = crt->valid_to;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
x509_buf_to_buf_raw( &frame->raw, &crt->raw );
x509_buf_to_buf_raw( &frame->tbs, &crt->tbs );
x509_buf_to_buf_raw( &frame->serial, &crt->serial );
@ -694,6 +698,7 @@ static int x509_get_version( unsigned char **p,
return( 0 );
}
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
/*
* Validity ::= SEQUENCE {
* notBefore Time,
@ -725,6 +730,26 @@ static int x509_get_dates( unsigned char **p,
return( 0 );
}
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
static int x509_skip_dates( unsigned char **p,
const unsigned char *end )
{
int ret;
size_t len;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
end = *p + len;
if( *p != end )
return( MBEDTLS_ERR_X509_INVALID_DATE +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
/*
* X.509 v2/v3 unique identifier (not parsed)
@ -1293,9 +1318,15 @@ static int x509_crt_parse_frame( unsigned char *start,
/*
* Validity ::= SEQUENCE { ...
*/
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to );
if( ret != 0 )
return( ret );
#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
ret = x509_skip_dates( &p, end );
if( ret != 0 )
return( ret );
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
/*
* subject Name
@ -1536,8 +1567,12 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
x509_buf_raw_to_buf( &crt->sig, &frame->sig );
x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
crt->valid_from = frame->valid_from;
crt->valid_to = frame->valid_to;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
crt->version = frame->version;
crt->ca_istrue = frame->ca_istrue;
crt->max_pathlen = frame->max_pathlen;
@ -2270,6 +2305,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
ret = mbedtls_x509_dn_gets( p, n, subject );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
ret = mbedtls_snprintf( p, n, "\n%sissued on : " \
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
frame.valid_from.year, frame.valid_from.mon,
@ -2283,6 +2319,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
frame.valid_to.day, frame.valid_to.hour,
frame.valid_to.min, frame.valid_to.sec );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
@ -2897,11 +2934,13 @@ check_signature:
if( ret != 0 )
return( MBEDTLS_ERR_X509_FATAL_ERROR );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
!mbedtls_x509_time_is_future( &parent->valid_from ) )
{
parent_valid = 1;
}
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
/* basic parenting skills (name, CA bit, key usage) */
if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
@ -3198,11 +3237,13 @@ find_parent:
if( ret != 0 )
return( MBEDTLS_ERR_X509_FATAL_ERROR );
#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
/* Check time-validity (all certificates) */
if( mbedtls_x509_time_is_past( &child->valid_to ) )
*flags |= MBEDTLS_X509_BADCERT_EXPIRED;
if( mbedtls_x509_time_is_future( &child->valid_from ) )
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
/* Stop here for trusted roots (but not for trusted EE certs) */
if( child_is_trusted )

View file

@ -39,6 +39,7 @@
# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
# - this could be enabled if the respective tests were adapted
# MBEDTLS_X509_REMOVE_INFO
# MBEDTLS_X509_CRT_REMOVE_TIME
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# and any symbol beginning _ALT
@ -102,6 +103,7 @@ MBEDTLS_SSL_NO_SESSION_RESUMPTION
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_X509_REMOVE_INFO
MBEDTLS_X509_CRT_REMOVE_TIME
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION