Introduce MBEDTLS_X509_CRT_REMOVE_TIME removing time fields from CRT
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 7ff7b07..9023981 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -104,6 +104,7 @@
 #define MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_REMOVE_INFO
+#define MBEDTLS_X509_CRT_REMOVE_TIME
 #define MBEDTLS_X509_ON_DEMAND_PARSING
 #define MBEDTLS_X509_ALWAYS_FLUSH
 #define MBEDTLS_ASN1_PARSE_C
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 764fba4..43f8896 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -750,6 +750,11 @@
 #error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_X509_CRT_REMOVE_TIME) && \
+    defined(MBEDTLS_HAVE_TIME_DATE)
+#error "MBEDTLS_X509_CRT_REMOVE_TIME and MBEDTLS_HAVE_TIME_DATE cannot be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
 #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
 #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 95dd4cd..3ae1d0d 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1943,6 +1943,19 @@
 //#define MBEDTLS_X509_REMOVE_INFO
 
 /**
+ * \def MBEDTLS_X509_CRT_REMOVE_TIME
+ *
+ * Don't store time validity fields in X.509 certificate structures.
+ *
+ * Uncomment this to save some code and RAM on constrained systems which
+ * don't have time and where there's no use of the time validity fields
+ * in a certificate.
+ *
+ * Requires: !MBEDTLS_HAVE_TIME_DATE
+ */
+//#define MBEDTLS_X509_CRT_REMOVE_TIME
+
+/**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
  *
  * Enable parsing and verification of X.509 certificates, CRLs and CSRS
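Review bot: The new option's description does not say what it does to certificate verification. In this configuration the Validity field is skipped at parse time, and the verification hunk later in this commit compiles out the checks that set `MBEDTLS_X509_BADCERT_EXPIRED` and `MBEDTLS_X509_BADCERT_FUTURE`, so an expired or not-yet-valid certificate verifies without any flag. I would add to the comment: `Warning: with this option the validity period is neither stored nor checked; expired and not-yet-valid certificates are accepted.` It would also help to state that the `valid_from`/`valid_to` members disappear from the public certificate structures, since application code that reads them will no longer compile.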
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 5212e67..88e3e7b 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -70,8 +70,10 @@
     uint32_t ext_types;                     /**< Bitfield indicating which extensions are present.
                                              *   See the values in x509.h.                                      */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     mbedtls_x509_time valid_from;           /**< The start time of certificate validity.                        */
     mbedtls_x509_time valid_to;             /**< The end time of certificate validity.                          */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
     mbedtls_x509_buf_raw raw;               /**< The raw certificate data in DER.                               */
     mbedtls_x509_buf_raw tbs;               /**< The part of the CRT that is [T]o [B]e [S]igned.                */
@@ -123,8 +125,10 @@
     mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
     mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
     mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
     mbedtls_x509_buf pk_raw;
     mbedtls_pk_context pk;              /**< Container for the public key context. */
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 24ef0e6..eb746de 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -223,8 +223,12 @@
     frame->version = crt->version;
     frame->sig_md = crt->sig_md;
     frame->sig_pk = crt->sig_pk;
+
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     frame->valid_from = crt->valid_from;
     frame->valid_to = crt->valid_to;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+
     x509_buf_to_buf_raw( &frame->raw, &crt->raw );
     x509_buf_to_buf_raw( &frame->tbs, &crt->tbs );
     x509_buf_to_buf_raw( &frame->serial, &crt->serial );
@@ -694,6 +698,7 @@
     return( 0 );
 }
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
 /*
  *  Validity ::= SEQUENCE {
  *       notBefore      Time,
@@ -725,6 +730,26 @@
 
     return( 0 );
 }
+#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+static int x509_skip_dates( unsigned char **p,
+                           const unsigned char *end )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    end = *p + len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
 /*
  * X.509 v2/v3 unique identifier (not parsed)
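Review bot: `x509_skip_dates` never advances past the contents of the Validity sequence, so it rejects every real certificate. After `mbedtls_asn1_get_tag` succeeds, `*p` points at the first content byte and `end` is set to `*p + len`, so the `*p != end` test is true for any non-empty sequence and the function returns `MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH`. Replace the `end = *p + len;` assignment and the mismatch test with `*p += len;`; as far as I know `mbedtls_asn1_get_tag` already rejects a length that runs past `end`. The call added in the frame-parsing hunk that follows inherits this failure. Separately, skipping accepts a Validity whose contents are not two well-formed Time values, which the full parser would reject, and that relaxation deserves a short comment above the function.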
@@ -1293,9 +1318,15 @@
     /*
      * Validity ::= SEQUENCE { ...
      */
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     ret = x509_get_dates( &p, end, &frame->valid_from, &frame->valid_to );
     if( ret != 0 )
         return( ret );
+#else /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+    ret = x509_skip_dates( &p, end );
+    if( ret != 0 )
+        return( ret );
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
     /*
      * subject              Name
@@ -1536,8 +1567,12 @@
     x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
     x509_buf_raw_to_buf( &crt->sig, &frame->sig );
     x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
+
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     crt->valid_from = frame->valid_from;
     crt->valid_to = frame->valid_to;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
+
     crt->version      = frame->version;
     crt->ca_istrue    = frame->ca_istrue;
     crt->max_pathlen  = frame->max_pathlen;
@@ -2270,6 +2305,7 @@
     ret = mbedtls_x509_dn_gets( p, n, subject );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
     ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
                    "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                    frame.valid_from.year, frame.valid_from.mon,
@@ -2283,6 +2319,7 @@
                    frame.valid_to.day,  frame.valid_to.hour,
                    frame.valid_to.min,  frame.valid_to.sec );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
+#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
 
     ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
     MBEDTLS_X509_SAFE_SNPRINTF_WITH_CLEANUP;
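Review bot: The closing comment on the `#endif` added here reads `/* MBEDTLS_X509_CRT_REMOVE_TIME */`, but the block is opened by `#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)` in the previous hunk and has no `#else` branch. The other plain guards in this commit close with `#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */`, and this one should match so the condition can be read off the closing line. The enclosing function starts and ends outside both hunks.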
@@ -2897,11 +2934,13 @@
             if( ret != 0 )
                 return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
             if( !mbedtls_x509_time_is_past( &parent->valid_to ) &&
                 !mbedtls_x509_time_is_future( &parent->valid_from ) )
             {
                 parent_valid = 1;
             }
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
             /* basic parenting skills (name, CA bit, key usage) */
             if( x509_crt_check_parent( child_sig, parent, top ) == 0 )
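Review bot: With the option enabled, `parent_valid` is never set to 1 in this loop. A build without `MBEDTLS_HAVE_TIME_DATE` previously set it for every candidate, assuming the time predicates return 0 in that configuration, as they do upstream. The declaration and later use of `parent_valid` are outside the hunk, so the following is inferred. If the code after the parent check treats a zero value as "remember as fallback and keep searching", every candidate is demoted to fallback and the search keeps running checks on the remaining candidates instead of stopping at the first match. Adding an `#else` branch with `parent_valid = 1;` before the `#endif` would preserve the earlier behaviour.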
@@ -3198,11 +3237,13 @@
                 if( ret != 0 )
                     return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
+#if !defined(MBEDTLS_X509_CRT_REMOVE_TIME)
                 /* Check time-validity (all certificates) */
                 if( mbedtls_x509_time_is_past( &child->valid_to ) )
                     *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
                 if( mbedtls_x509_time_is_future( &child->valid_from ) )
                     *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */
 
                 /* Stop here for trusted roots (but not for trusted EE certs) */
                 if( child_is_trusted )
diff --git a/scripts/config.pl b/scripts/config.pl
index 1c7c736..308af4a 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -39,6 +39,7 @@
 #   MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 #       - this could be enabled if the respective tests were adapted
 #   MBEDTLS_X509_REMOVE_INFO
+#   MBEDTLS_X509_CRT_REMOVE_TIME
 #   MBEDTLS_ZLIB_SUPPORT
 #   MBEDTLS_PKCS11_C
 #   and any symbol beginning _ALT
@@ -102,6 +103,7 @@
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_X509_REMOVE_INFO
+MBEDTLS_X509_CRT_REMOVE_TIME
 MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
 MBEDTLS_NO_UDBL_DIVISION