pem: do not parse ASN1 data after decryption (removes ASN1 dependency)

Now that we have padding verification after decryption and since this can be used to validate the password as well there is no need to parse ASN1 content any more, so we can simplify/remove that dependency. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-08-01 10:06:53 +03:00 · 2024-02-16 14:40:42 +01:00
parent 8aff4ef274
commit 4cc6522a85
6 changed files with 8 additions and 42 deletions
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@ -8,7 +8,7 @@
 #include "common.h"

 #if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
-    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) || defined(MBEDTLS_PEM_PARSE_C)
+    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)

 #include "mbedtls/asn1.h"
 #include "mbedtls/platform_util.h"
@ -74,8 +74,7 @@ int mbedtls_asn1_get_tag(unsigned char **p,

    return mbedtls_asn1_get_len(p, end, len);
 }
-#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C ||
-          MBEDTLS_PSA_UTIL_HAVE_ECDSA || MBEDTLS_PEM_PARSE_C */
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */

 #if defined(MBEDTLS_ASN1_PARSE_C)
 int mbedtls_asn1_get_bool(unsigned char **p,
--- a/library/pem.c
+++ b/library/pem.c
@ -17,7 +17,6 @@
 #include "mbedtls/cipher.h"
 #include "mbedtls/platform_util.h"
 #include "mbedtls/error.h"
-#include "mbedtls/asn1.h"

 #include <string.h>

@ -466,28 +465,6 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
            mbedtls_zeroize_and_free(buf, len);
            return ret;
        }
-
-        /*
-         * In RFC1421 PEM is used as container for DER (ASN.1) content so we
-         * can use ASN.1 functions to parse the main SEQUENCE tag and to get its
-         * length.
-         */
-        unsigned char *p = buf;
-        size_t sequence_len;
-        ret = mbedtls_asn1_get_tag(&p, buf + len, &sequence_len,
-                                   MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED);
-        if (ret != 0) {
-            mbedtls_free(buf);
-            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PEM_INVALID_DATA, ret);
-        }
-        /* Add also the sequence block (tag + len) to the total amount of valid data. */
-        sequence_len += (p - buf);
-
-        /* Ensure that the reported SEQUENCE length matches the data len (i.e. no
-         * trailing garbage data). */
-        if (len != sequence_len) {
-            return MBEDTLS_ERR_PEM_BAD_INPUT_DATA;
-        }
 #else
        mbedtls_zeroize_and_free(buf, len);
        return MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE;