TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 17f4a6a609af0eb3ad2c580e11d1bdb28d201eb9^! / .
commit17f4a6a609af0eb3ad2c580e11d1bdb28d201eb9[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Thu Jun 29 11:57:01 2017 +0200
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Tue Aug 08 11:06:50 2017 +0200
treee546a6b5c7520d0615a3b98329ea0840ff3285dc
parentc61e5c930484140f4c6961cd68bfe55d64f5d77e [diff]
Take shortcut for directly trusted EE cert

This is a slight change of behaviour in that the previous condition was:
- same subject
- signature matches
while the new condition is:
- exact same certificate

However the documentation for mbedtls_x509_crt_verify() (note on trust_ca)
mentions the new condition, so code that respected the documentation will keep
working.

In addition, this is a bit faster as it doesn't check the self-signature
(which never needs to be checked for certs in the trusted list).

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 332c02d..be5a87e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c

@@ -1924,7 +1924,6 @@
 {
     int ret;
     uint32_t ca_flags = 0;
-    int check_path_cnt;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
     const mbedtls_md_info_t *md_info;
     mbedtls_x509_crt *future_past_ca = NULL;
@@ -1950,6 +1949,14 @@
     if( trust_ca == NULL )
         goto callback;
 
+    /* Special case #2: child == trust_ca: trust and that's it */
+    if( child->raw.len == trust_ca->raw.len &&
+        memcmp( child->raw.p, trust_ca->raw.p, child->raw.len ) == 0 )
+    {
+        *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+        goto callback;
+    }
+
     md_info = mbedtls_md_info_from_type( child->sig_md );
     if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
     {
@@ -1963,22 +1970,9 @@
         if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
             continue;
 
-        check_path_cnt = path_cnt + 1;
-
-        /*
-         * Reduce check_path_cnt to check against if top of the chain is
-         * the same as the trusted CA
-         */
-        if( child->subject_raw.len == trust_ca->subject_raw.len &&
-            memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                            child->issuer_raw.len ) == 0 )
-        {
-            check_path_cnt--;
-        }
-
         /* Self signed certificates do not count towards the limit */
         if( trust_ca->max_pathlen > 0 &&
-            trust_ca->max_pathlen < check_path_cnt - self_cnt )
+            trust_ca->max_pathlen < 1 + path_cnt - self_cnt )
         {
             continue;
         }
@@ -2018,10 +2012,7 @@
      * to the callback for any issues with validity and CRL presence for the
      * trusted CA certificate.
      */
-    if( trust_ca != NULL &&
-        ( child->subject_raw.len != trust_ca->subject_raw.len ||
-          memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                            child->issuer_raw.len ) != 0 ) )
+    if( trust_ca != NULL )
     {
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
         /* Check trusted CA's CRL for the chain's top crt */