From d07614c529a1432c6d7ddcc6f75a0205a213fe75 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Tue, 25 Jun 2019 10:19:58 +0100
Subject: [PATCH] Introduce MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID removing
 IDs

---
 configs/baremetal.h        |  1 +
 include/mbedtls/config.h   | 10 ++++++++++
 include/mbedtls/x509_crt.h |  8 ++++++--
 library/x509_crt.c         | 38 ++++++++++++++++++++++++++++++++++++++
 scripts/config.pl          |  2 ++
 5 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/configs/baremetal.h b/configs/baremetal.h
index 902398154..ce503aa75 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -105,6 +105,7 @@
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_REMOVE_INFO
 #define MBEDTLS_X509_CRT_REMOVE_TIME
+#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
 #define MBEDTLS_X509_ON_DEMAND_PARSING
 #define MBEDTLS_X509_ALWAYS_FLUSH
 #define MBEDTLS_ASN1_PARSE_C
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 3ae1d0dfe..39b1cb195 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1955,6 +1955,16 @@
  */
 //#define MBEDTLS_X509_CRT_REMOVE_TIME
 
+/**
+ * \def MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
+ *
+ * Don't store subject and issuer ID in X.509 certificate structures.
+ *
+ * Uncomment this to save some code and RAM on constrained systems which
+ * don't need to inspect issuer and subject ID fields in certificates.
+ */
+//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
+
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
  *
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 88e3e7b47..c8f488c5c 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -82,10 +82,12 @@ typedef struct mbedtls_x509_crt_frame
 
     mbedtls_x509_buf_raw pubkey_raw;        /**< The raw public key data (DER).                                 */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
     mbedtls_x509_buf_raw issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier.                 */
-    mbedtls_x509_buf_raw issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison.          */
-
     mbedtls_x509_buf_raw subject_id;        /**< Optional X.509 v2/v3 subject unique identifier.                */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+
+    mbedtls_x509_buf_raw issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison.          */
     mbedtls_x509_buf_raw subject_raw;       /**< The raw subject data (DER). Used for quick comparison.         */
 
     mbedtls_x509_buf_raw sig;               /**< Signature: hash of the tbs part signed with the private key.   */
@@ -133,8 +135,10 @@ typedef struct mbedtls_x509_crt
     mbedtls_x509_buf pk_raw;
     mbedtls_pk_context pk;              /**< Container for the public key context. */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
     mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
     mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
     mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
     mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
 
diff --git a/library/x509_crt.c b/library/x509_crt.c
index eb746deb0..4e5ff43bd 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -235,8 +235,10 @@ int mbedtls_x509_crt_cache_provide_frame( mbedtls_x509_crt const *crt )
     x509_buf_to_buf_raw( &frame->pubkey_raw, &crt->pk_raw );
     x509_buf_to_buf_raw( &frame->issuer_raw, &crt->issuer_raw );
     x509_buf_to_buf_raw( &frame->subject_raw, &crt->subject_raw );
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
     x509_buf_to_buf_raw( &frame->subject_id, &crt->subject_id );
     x509_buf_to_buf_raw( &frame->issuer_id, &crt->issuer_id );
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
     x509_buf_to_buf_raw( &frame->sig, &crt->sig );
     x509_buf_to_buf_raw( &frame->v3_ext, &crt->v3_ext );
 
@@ -751,6 +753,7 @@ static int x509_skip_dates( unsigned char **p,
 }
 #endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
 /*
  * X.509 v2/v3 unique identifier (not parsed)
  */
@@ -777,6 +780,30 @@ static int x509_get_uid( unsigned char **p,
 
     return( 0 );
 }
+#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+static int x509_skip_uid( unsigned char **p,
+                          const unsigned char *end,
+                          int n )
+{
+    int ret;
+    size_t len;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    *p += len;
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
 
 static int x509_get_basic_constraints( unsigned char **p,
                                        const unsigned char *end,
@@ -1365,6 +1392,7 @@ static int x509_crt_parse_frame( unsigned char *start,
 
     if( frame->version != 1 )
     {
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
         /*
          *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
          *                       -- If present, version shall be v2 or v3
@@ -1380,6 +1408,14 @@ static int x509_crt_parse_frame( unsigned char *start,
         ret = x509_get_uid( &p, end, &frame->subject_id, 2 /* implicit tag */ );
         if( ret != 0 )
             return( ret );
+#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+        ret = x509_skip_uid( &p, end, 1 /* implicit tag */ );
+        if( ret != 0 )
+            return( ret );
+        ret = x509_skip_uid( &p, end, 2 /* implicit tag */ );
+        if( ret != 0 )
+            return( ret );
+#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
     }
 
     /*
@@ -1562,8 +1598,10 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
     x509_buf_raw_to_buf( &crt->serial, &frame->serial );
     x509_buf_raw_to_buf( &crt->issuer_raw, &frame->issuer_raw );
     x509_buf_raw_to_buf( &crt->subject_raw, &frame->subject_raw );
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
     x509_buf_raw_to_buf( &crt->issuer_id, &frame->issuer_id );
     x509_buf_raw_to_buf( &crt->subject_id, &frame->subject_id );
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
     x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
     x509_buf_raw_to_buf( &crt->sig, &frame->sig );
     x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
diff --git a/scripts/config.pl b/scripts/config.pl
index 308af4a16..e4648de52 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -40,6 +40,7 @@
 #       - this could be enabled if the respective tests were adapted
 #   MBEDTLS_X509_REMOVE_INFO
 #   MBEDTLS_X509_CRT_REMOVE_TIME
+#   MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
 #   MBEDTLS_ZLIB_SUPPORT
 #   MBEDTLS_PKCS11_C
 #   and any symbol beginning _ALT
@@ -104,6 +105,7 @@ MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_X509_REMOVE_INFO
 MBEDTLS_X509_CRT_REMOVE_TIME
+MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
 MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION