Introduce MBEDTLS_X509_CRT_REMOVE_TIME removing time fields from CRT

configs/baremetal.h

@@ -104,6 +104,7 @@
 #define MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_REMOVE_INFO
+#define MBEDTLS_X509_CRT_REMOVE_TIME
 #define MBEDTLS_X509_ON_DEMAND_PARSING
 #define MBEDTLS_X509_ALWAYS_FLUSH
 #define MBEDTLS_ASN1_PARSE_C

include/mbedtls/check_config.h

@@ -750,6 +750,11 @@
 #error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \
+    defined(MBEDTLS_HAVE_TIME_DATE)
+#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
 #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
 #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */

include/mbedtls/config.h

@@ -1942,6 +1942,19 @@
  */
 //#define MBEDTLS_X509_REMOVE_INFO
 
+/**
+ * \def MBEDTLS_X509_CRT_REMOVE_TIME
+ *
+ * Don't store time validity fields in X.509 certificate structures.
+ *
+ * Uncomment this to save some code and RAM on constrained systems which
+ * don't have time and where there's no use of the time validity fields
+ * in a certificate.
+ *
+ * Requires: !MBEDTLS_HAVE_TIME_DATE
+ */
+//#define MBEDTLS_X509_CRT_REMOVE_TIME
+
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
  *

include/mbedtls/x509_crt.h

@@ -70,8 +70,10 @@ typedef struct mbedtls_x509_crt_frame
     uint32_t ext_types;                     /**< Bitfield indicating which extensions are present.
                                              *   See the values in x509.h.                                      */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     mbedtls_x509_time valid_from;           /**< The start time of certificate validity.                        */
     mbedtls_x509_time valid_to;             /**< The end time of certificate validity.                          */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
     mbedtls_x509_buf_raw raw;               /**< The raw certificate data in DER.                               */
     mbedtls_x509_buf_raw tbs;               /**< The part of the CRT that is [T]o [B]e [S]igned.                */
@@ -123,8 +125,10 @@ typedef struct mbedtls_x509_crt
     mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
     mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
     mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
     mbedtls_x509_buf pk_raw;
     mbedtls_pk_context pk;              /**< Container for the public key context. */

library/x509_crt.c

@@ -223,8 +223,12 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
     frame->version = crt->version;
     frame->sig_md = crt->sig_md;
     frame->sig_pk = crt->sig_pk;
+
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     frame->valid_from = crt->valid_from;
     frame->valid_to = crt->valid_to;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+
     x509_buf_to_buf_raw( &frame->raw, &crt->raw );
     x509_buf_to_buf_raw( &frame->tbs, &crt->tbs );
     x509_buf_to_buf_raw( &frame->serial, &crt->serial );
@@ -694,6 +698,7 @@ static int x509_get_version( unsigned char **p,
     return( 0 );
 }
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
 /*
  *  Validity ::= SEQUENCE {
  *       notBefore      Time,
@@ -725,6 +730,26 @@ static int x509_get_dates( unsigned char **p,
 
     return( 0 );
 }
+#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+static int x509_skip_dates( unsigned char **p,
+                           const unsigned char *end )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    end = *p + len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
 /*
  * X.509 v2/v3 unique identifier (not parsed)
@@ -1293,9 +1318,15 @@ static int x509_crt_parse_frame( unsigned char *start,
     /*
      * Validity ::= SEQUENCE { ...
      */
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to );
     if( ret != 0 )
         return( ret );
+#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+    ret = x509_skip_dates( &p, end );
+    if( ret != 0 )
+        return( ret );
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
     /*
      * subject              Name
@@ -1536,8 +1567,12 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
     x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
     x509_buf_raw_to_buf( &crt->sig, &frame->sig );
     x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
+
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     crt->valid_from = frame->valid_from;
     crt->valid_to = frame->valid_to;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+
     crt->version      = frame->version;
     crt->ca_istrue    = frame->ca_istrue;
     crt->max_pathlen  = frame->max_pathlen;
@@ -2270,6 +2305,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
     ret = mbedtls_x509_dn_gets( p, n, subject );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
                    "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                    frame.valid_from.year, frame.valid_from.mon,
@@ -2283,6 +2319,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
                    frame.valid_to.day,  frame.valid_to.hour,
                    frame.valid_to.min,  frame.valid_to.sec );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
     ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
@@ -2897,11 +2934,13 @@ check_signature:
             if( ret != 0 )
                 return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
             if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
                 !mbedtls_x509_time_is_future( &parent->valid_from ) )
             {
                 parent_valid = 1;
             }
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
             /* basic parenting skills (name, CA bit, key usage) */
             if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
@@ -3198,11 +3237,13 @@ find_parent:
                 if( ret != 0 )
                     return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
                 /* Check time-validity (all certificates) */
                 if( mbedtls_x509_time_is_past( &child->valid_to ) )
                     *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
                 if( mbedtls_x509_time_is_future( &child->valid_from ) )
                     *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
                 /* Stop here for trusted roots (but not for trusted EE certs) */
                 if( child_is_trusted )

scripts/config.pl

@@ -39,6 +39,7 @@
 #   MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 #       - this could be enabled if the respective tests were adapted
 #   MBEDTLS_X509_REMOVE_INFO
+#   MBEDTLS_X509_CRT_REMOVE_TIME
 #   MBEDTLS_ZLIB_SUPPORT
 #   MBEDTLS_PKCS11_C
 #   and any symbol beginning _ALT
@@ -102,6 +103,7 @@ MBEDTLS_SSL_NO_SESSION_RESUMPTION
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_X509_REMOVE_INFO
+MBEDTLS_X509_CRT_REMOVE_TIME
 MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION