Merge pull request #3777 from hanno-arm/x509-info-optimization_rebased

Reduce ROM usage due to X.509 info
2025-07-29 11:41:15 +03:00 · 2021-04-28 17:31:55 +01:00
parent e67665ca20 fa1f904990
commit c86f330aed
37 changed files with 493 additions and 239 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -2143,6 +2143,17 @@
 */
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

+/**
+ * \def MBEDTLS_X509_REMOVE_INFO
+ *
+ * Disable mbedtls_x509_*_info() and related APIs.
+ *
+ * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
+ * and other functions/constants only used by these functions, thus reducing
+ * the code footprint by several KB.
+ */
+//#define MBEDTLS_X509_REMOVE_INFO
+
 /**
 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
 *
--- a/include/mbedtls/debug.h
+++ b/include/mbedtls/debug.h
@ -59,9 +59,13 @@
 #endif

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 #define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )                \
    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
-#endif
+#else
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */

 #if defined(MBEDTLS_ECDH_C)
 #define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
@ -248,7 +252,7 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
                      const char *text, const mbedtls_ecp_point *X );
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
 * \brief   Print a X.509 certificate structure to the debug output. This
 *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@ -441,8 +441,10 @@ typedef struct mbedtls_oid_descriptor_t
 {
    const char *asn1;               /*!< OID ASN.1 representation       */
    size_t asn1_len;                /*!< length of asn1                 */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
    const char *name;               /*!< official name (e.g. from RFC)  */
    const char *description;        /*!< human friendly description     */
+#endif
 } mbedtls_oid_descriptor_t;

 /**
@ -582,6 +584,7 @@ int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_a
 int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
 #endif /* MBEDTLS_MD_C */

+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
 * \brief          Translate Extended Key Usage OID into description
 *
@ -591,6 +594,7 @@ int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_
 * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
 */
 int mbedtls_oid_get_extended_key_usage( const mbedtls_asn1_buf *oid, const char **desc );
+#endif

 /**
 * \brief          Translate certificate policies OID into description
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@ -316,9 +316,11 @@ int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
                     mbedtls_x509_buf *serial );
 int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
                  mbedtls_x509_buf *ext, int tag );
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
                       const void *sig_opts );
+#endif
 int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
 int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
 int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@ -134,6 +134,7 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
 #endif /* MBEDTLS_FS_IO */

+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
 * \brief          Returns an informational string about the CRL.
 *
@ -147,6 +148,7 @@ int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
 */
 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
                   const mbedtls_x509_crl *crl );
+#endif /* !MBEDTLS_X509_REMOVE_INFO */

 /**
 * \brief          Initialize a CRL (chain)
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -176,6 +176,74 @@ mbedtls_x509_crt_profile;
 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
 #endif

+/* This macro unfolds to the concatenation of macro invocations
+ * X509_CRT_ERROR_INFO( error code,
+ *                             error code as string,
+ *                             human readable description )
+ * where X509_CRT_ERROR_INFO is defined by the user.
+ * See x509_crt.c for an example of how to use this. */
+#define MBEDTLS_X509_CRT_ERROR_INFO_LIST                                  \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXPIRED,            \
+                         "MBEDTLS_X509_BADCERT_EXPIRED",          \
+                         "The certificate validity has expired" ) \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_REVOKED,            \
+                         "MBEDTLS_X509_BADCERT_REVOKED",          \
+                         "The certificate has been revoked (is on a CRL)" ) \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_CN_MISMATCH,                  \
+                         "MBEDTLS_X509_BADCERT_CN_MISMATCH",                \
+                         "The certificate Common Name (CN) does not match with the expected CN" ) \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NOT_TRUSTED,                             \
+                         "MBEDTLS_X509_BADCERT_NOT_TRUSTED",                           \
+                         "The certificate is not correctly signed by the trusted CA" ) \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_NOT_TRUSTED,                      \
+                         "MBEDTLS_X509_BADCRL_NOT_TRUSTED",                    \
+                         "The CRL is not correctly signed by the trusted CA" ) \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_EXPIRED,    \
+                         "MBEDTLS_X509_BADCRL_EXPIRED",  \
+                         "The CRL is expired" )          \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_MISSING,   \
+                         "MBEDTLS_X509_BADCERT_MISSING", \
+                         "Certificate was missing" )     \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_SKIP_VERIFY,         \
+                         "MBEDTLS_X509_BADCERT_SKIP_VERIFY",       \
+                         "Certificate verification was skipped" )  \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_OTHER,                          \
+                         "MBEDTLS_X509_BADCERT_OTHER",                        \
+                         "Other reason (can be used by verify callback)" )    \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_FUTURE,                         \
+                         "MBEDTLS_X509_BADCERT_FUTURE",                       \
+                         "The certificate validity starts in the future" )    \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_FUTURE,     \
+                         "MBEDTLS_X509_BADCRL_FUTURE",   \
+                         "The CRL is from the future" )  \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_KEY_USAGE,                      \
+                         "MBEDTLS_X509_BADCERT_KEY_USAGE",                    \
+                         "Usage does not match the keyUsage extension" )      \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXT_KEY_USAGE,                       \
+                         "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE",                     \
+                         "Usage does not match the extendedKeyUsage extension" )   \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NS_CERT_TYPE,                        \
+                         "MBEDTLS_X509_BADCERT_NS_CERT_TYPE",                      \
+                         "Usage does not match the nsCertType extension" )         \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_MD,                              \
+                         "MBEDTLS_X509_BADCERT_BAD_MD",                            \
+                         "The certificate is signed with an unacceptable hash." )  \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_PK,                                                  \
+                         "MBEDTLS_X509_BADCERT_BAD_PK",                                                \
+                         "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." )  \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_KEY,                                                            \
+                         "MBEDTLS_X509_BADCERT_BAD_KEY",                                                          \
+                         "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." )    \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_MD,                          \
+                         "MBEDTLS_X509_BADCRL_BAD_MD",                        \
+                         "The CRL is signed with an unacceptable hash." )     \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_PK,                                            \
+                         "MBEDTLS_X509_BADCRL_BAD_PK",                                          \
+                         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." )   \
+    X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_KEY,                                                    \
+                         "MBEDTLS_X509_BADCRL_BAD_KEY",                                                  \
+                         "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." )
+
 /**
 * Container for writing a certificate (CRT)
 */
@ -509,6 +577,8 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
 */
 int mbedtls_x509_parse_subject_alt_name( const mbedtls_x509_buf *san_buf,
                                         mbedtls_x509_subject_alternative_name *san );
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
 * \brief          Returns an informational string about the
 *                 certificate.
@ -538,6 +608,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
 */
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
                          uint32_t flags );
+#endif /* !MBEDTLS_X509_REMOVE_INFO */

 /**
 * \brief          Verify a chain of certificates.
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@ -121,6 +121,7 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz
 int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
 #endif /* MBEDTLS_FS_IO */

+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
 * \brief          Returns an informational string about the
 *                 CSR.
@ -135,6 +136,7 @@ int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
 */
 int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
                   const mbedtls_x509_csr *csr );
+#endif /* !MBEDTLS_X509_REMOVE_INFO */

 /**
 * \brief          Initialize a CSR