Replace MBEDTLS_OID_C by function-specific dependencies

For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.

This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 4328f71..22ddaa8 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -287,14 +287,12 @@
 #endif
 
 #if defined(MBEDTLS_X509_USE_C) && \
-    (!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||   \
-    !defined(MBEDTLS_PK_PARSE_C))
+    (!defined(MBEDTLS_ASN1_PARSE_C) || !defined(MBEDTLS_PK_PARSE_C))
 #error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_X509_CREATE_C) && \
-    (!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||      \
-    !defined(MBEDTLS_PK_PARSE_C))
+    (!defined(MBEDTLS_ASN1_WRITE_C) || !defined(MBEDTLS_PK_PARSE_C))
 #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
 #endif
 
@@ -389,7 +387,7 @@
 #endif
 
 #if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \
-    ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \
+    ( !defined(MBEDTLS_PK_PARSE_C) ) || \
     ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) || \
     ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || \
     ( !defined(MBEDTLS_MD_C) ) )
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index d5a4883..ddab7d0 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1100,7 +1100,7 @@
  *
  * Module:  library/pkcs7.c
  *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_PK_PARSE_C,
  *           MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
  *           MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
  *
@@ -1115,7 +1115,7 @@
  *
  * Module:  library/x509_create.c
  *
- * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C,
  *
  * \warning You must call psa_crypto_init() before doing any X.509 operation.
  *
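Review bot: The `Requires:` line for `library/x509_create.c` still ends in a dangling comma after `MBEDTLS_OID_C` is dropped, and it omits `MBEDTLS_ASN1_WRITE_C`, which the `check_config.h` hunk in this same commit enforces for `MBEDTLS_X509_CREATE_C`. Suggest ` * Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C` so the documented prerequisites match what the build checks. The doc comment starts and ends outside the hunk, so the option it belongs to is inferred from the module path.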
@@ -1247,7 +1247,7 @@
  *          library/x509_crt.c
  *          library/x509_csr.c
  *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C
  *
  * \warning You must call psa_crypto_init() before doing any X.509 operation.
  *
diff --git a/library/x509_oid.c b/library/x509_oid.c
index 06a9e92..80c8873 100644
--- a/library/x509_oid.c
+++ b/library/x509_oid.c
@@ -9,7 +9,10 @@
 
 #include "x509_internal.h"
 
-#if defined(MBEDTLS_OID_C)
+/* Each group of tables and functions has its own dependencies, but
+ * don't even bother to define helper macros if X.509 is completely
+ * disabled. */
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
 
 #include "mbedtls/oid.h"
 #include "x509_oid.h"
@@ -145,6 +148,7 @@
 /*
  * For X520 attribute types
  */
+#if defined(MBEDTLS_X509_USE_C)
 typedef struct {
     mbedtls_x509_oid_descriptor_t    descriptor;
     const char          *short_name;
@@ -259,10 +263,12 @@
                  x520_attr,
                  const char *,
                  short_name)
+#endif /* MBEDTLS_X509_USE_C */
 
 /*
  * For X509 extensions
  */
+#if defined(MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE)
 typedef struct {
     mbedtls_x509_oid_descriptor_t    descriptor;
     int                 ext_type;
@@ -324,8 +330,9 @@
 
 FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
 FN_OID_GET_ATTR1(mbedtls_x509_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */
 
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
 static const mbedtls_x509_oid_descriptor_t oid_ext_key_usage[] =
 {
     OID_DESCRIPTOR(MBEDTLS_OID_SERVER_AUTH,
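Review bot: The closing comment `#endif /* MBEDTLS_X509_CRT_PARSE_C || MBEDTLS_X509_CSR_PARSE_C */` does not name the condition that opens the block, which is `#if defined(MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE)` in the previous hunk. The two are equivalent only because of how `x509_oid.h` currently defines the macro, so the comment goes stale as soon as that definition changes. `#endif /* MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE */` would match the style used in the header. The same mismatch is in the last hunk of this file, where the `MBEDTLS_X509_OID_HAVE_GET_MD_ALG` block closes with `#endif /* (MBEDTLS_X509_USE_C && MBEDTLS_X509_RSASSA_PSS_SUPPORT) || MBEDTLS_PKCS7_C */`.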
@@ -364,11 +371,13 @@
                  certificate_policies,
                  const char *,
                  description)
-#endif /* MBEDTLS_X509_REMOVE_INFO */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */
 
 /*
  * For SignatureAlgorithmIdentifier
  */
+#if defined(MBEDTLS_X509_USE_C) || \
+    defined(MBEDTLS_X509_CRT_WRITE_C) || defined(MBEDTLS_X509_CSR_WRITE_C)
 typedef struct {
     mbedtls_x509_oid_descriptor_t    descriptor;
     mbedtls_md_type_t           md_alg;
@@ -471,14 +480,15 @@
 
 FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
 
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if defined(MBEDTLS_X509_USE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
 FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_x509_oid_get_sig_alg_desc,
                             oid_sig_alg_t,
                             sig_alg,
                             const char *,
                             description)
-#endif
+#endif /* MBEDTLS_X509_USE_C && !MBEDTLS_X509_REMOVE_INFO */
 
+#if defined(MBEDTLS_X509_USE_C)
 FN_OID_GET_ATTR2(mbedtls_x509_oid_get_sig_alg,
                  oid_sig_alg_t,
                  sig_alg,
@@ -486,6 +496,8 @@
                  md_alg,
                  mbedtls_pk_type_t,
                  pk_alg)
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C) || defined(MBEDTLS_X509_CSR_WRITE_C)
 FN_OID_GET_OID_BY_ATTR2(mbedtls_x509_oid_get_oid_by_sig_alg,
                         oid_sig_alg_t,
                         oid_sig_alg,
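Review bot: The guards around `mbedtls_x509_oid_get_sig_alg` and `mbedtls_x509_oid_get_oid_by_sig_alg` repeat the raw conditions (`MBEDTLS_X509_USE_C`, and `MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C`) that `x509_oid.h` also spells out around the declarations, so definition and declaration can drift apart on a later edit. This commit already introduces `MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE` and `MBEDTLS_X509_OID_HAVE_GET_MD_ALG` to avoid that. Defining a matching `MBEDTLS_X509_OID_HAVE_*` macro in the header for each remaining group, including the X520 attribute block guarded by `MBEDTLS_X509_USE_C` earlier in the file, would leave a single source of truth. The macro invocations continue outside the hunk.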
@@ -493,10 +505,17 @@
                         pk_alg,
                         mbedtls_md_type_t,
                         md_alg)
+#endif /* MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C */
 
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C */
+
+#if defined(MBEDTLS_X509_OID_HAVE_GET_MD_ALG)
 /*
  * For digestAlgorithm
  */
+/* The table of digest OIDs is duplicated in TF-PSA-Crypto (which uses it to
+ * look up the OID for a hash algorithm in RSA PKCS#1v1.5 signature and
+ * verification). */
 typedef struct {
     mbedtls_x509_oid_descriptor_t    descriptor;
     mbedtls_md_type_t           md_alg;
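Review bot: The added comment records that the digest OID table has a second copy in TF-PSA-Crypto but does not say that the two copies must agree. A hash present in one table and missing from the other would make OID parsing here and RSA PKCS#1 v1.5 handling there disagree about which digests are recognised. Suggest extending the comment with a sentence such as `Keep both tables in sync when adding or removing a hash algorithm.` Whether anything enforces that today is not visible in this diff.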
@@ -579,4 +598,6 @@
 FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
 FN_OID_GET_ATTR1(mbedtls_x509_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
 
-#endif /* MBEDTLS_OID_C */
+#endif /* (MBEDTLS_X509_USE_C && MBEDTLS_X509_RSASSA_PSS_SUPPORT) || MBEDTLS_PKCS7_C */
+
+#endif /* some X.509 is enabled */
diff --git a/library/x509_oid.h b/library/x509_oid.h
index f3646f8..c2fe8dc 100644
--- a/library/x509_oid.h
+++ b/library/x509_oid.h
@@ -40,6 +40,8 @@
 #endif
 } mbedtls_x509_oid_descriptor_t;
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(MBEDTLS_X509_CSR_PARSE_C)
+#define MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE
 /**
  * \brief          Translate an X.509 extension OID into local values
  *
@@ -49,7 +51,9 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_x509_ext_type(const mbedtls_asn1_buf *oid, int *ext_type);
+#endif /* MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE */
 
+#if defined(MBEDTLS_X509_USE_C)
 /**
  * \brief          Translate an X.509 attribute type OID into the short name
  *                 (e.g. the OID for an X520 Common Name into "CN")
@@ -60,7 +64,9 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char **short_name);
+#endif /* MBEDTLS_X509_USE_C */
 
+#if defined(MBEDTLS_X509_USE_C)
 /**
  * \brief          Translate SignatureAlgorithm OID into md_type and pk_type
  *
@@ -73,6 +79,7 @@
 int mbedtls_x509_oid_get_sig_alg(const mbedtls_asn1_buf *oid,
                                  mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg);
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Translate SignatureAlgorithm OID into description
  *
@@ -82,7 +89,10 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char **desc);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
+#endif /* MBEDTLS_X509_USE_C */
 
+#if defined(MBEDTLS_X509_CRT_WRITE_C) || defined(MBEDTLS_X509_CSR_WRITE_C)
 /**
  * \brief          Translate md_type and pk_type into SignatureAlgorithm OID
  *
@@ -95,7 +105,11 @@
  */
 int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
                                         const char **oid, size_t *olen);
+#endif /* MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C */
 
+#if (defined(MBEDTLS_X509_USE_C) && defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)) || \
+    defined(MBEDTLS_PKCS7_C)
+#define MBEDTLS_X509_OID_HAVE_GET_MD_ALG
 /**
  * \brief          Translate hash algorithm OID into md_type
  *
@@ -105,8 +119,9 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
+#endif /* MBEDTLS_X509_OID_HAVE_GET_MD_ALG */
 
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Translate Extended Key Usage OID into description
  *
@@ -116,7 +131,6 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
-#endif
 
 /**
  * \brief          Translate certificate policies OID into description
@@ -127,6 +141,7 @@
  * \return         0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID
  */
 int mbedtls_x509_oid_get_certificate_policies(const mbedtls_asn1_buf *oid, const char **desc);
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */
 
 #ifdef __cplusplus
 }
diff --git a/tests/suites/test_suite_x509_oid.function b/tests/suites/test_suite_x509_oid.function
index f10c68d..b988aa0 100644
--- a/tests/suites/test_suite_x509_oid.function
+++ b/tests/suites/test_suite_x509_oid.function
@@ -5,12 +5,7 @@
 #include "string.h"
 /* END_HEADER */
 
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_OID_C:!MBEDTLS_X509_REMOVE_INFO
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
 void oid_get_certificate_policies(data_t *oid, char *result_str)
 {
     mbedtls_asn1_buf asn1_buf = { 0, 0, NULL };
@@ -31,7 +26,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
 void oid_get_extended_key_usage(data_t *oid, char *result_str)
 {
     mbedtls_asn1_buf asn1_buf = { 0, 0, NULL };
@@ -52,7 +47,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE */
 void oid_get_x509_extension(data_t *oid, int exp_type)
 {
     mbedtls_asn1_buf ext_oid = { 0, 0, NULL };
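Review bot: `depends_on:MBEDTLS_X509_OID_HAVE_GET_X509_EXT_TYPE` keys this case on a macro that only `library/x509_oid.h` defines, not on a configuration option, and the same holds for `MBEDTLS_X509_OID_HAVE_GET_MD_ALG` on `oid_get_md_alg_id` in the next hunk. If that header is not included before the dependency is evaluated, the macro is simply undefined and both cases would presumably be skipped rather than fail, hiding a loss of coverage of the OID lookup code. The suite's header section lies outside the hunk, so this is probably fine today. A comment there such as `/* x509_oid.h defines the MBEDTLS_X509_OID_HAVE_xxx macros used in depends_on below */` would protect the include from being removed later.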
@@ -73,7 +68,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_OID_HAVE_GET_MD_ALG */
 void oid_get_md_alg_id(data_t *oid, int exp_md_id)
 {
     mbedtls_asn1_buf md_oid = { 0, 0, NULL };
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index d03884f..9ee693e 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -1504,7 +1504,7 @@
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C:!MBEDTLS_X509_REMOVE_INFO */
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_INFO */
 void x509_oid_desc(data_t *buf, char *ref_desc)
 {
     mbedtls_x509_buf oid;