Add compile-time option to remove legacy CRT fields
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e5d5933..4b8913b 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1758,6 +1758,38 @@
#define MBEDTLS_VERSION_FEATURES
/**
+ * \def MBEDTLS_X509_ON_DEMAND_PARSING
+ *
+ * Save RAM by reducing mbedtls_x509_crt to a pointer
+ * to the raw CRT data and parsing CRTs on demand only.
+ *
+ * \warning This option changes the API by removing most of
+ * the structure fields of mbedtls_x509_crt.
+ *
+ * \warning This option and its corresponding X.509 API are currently
+ * under development and may change at any time.
+ *
+ * Regardless of whether this option is enabled or not, direct access of
+ * structure fields of `mbedtls_x509_crt` should be replaced by calls to
+ * one of the following functions:
+ * - mbedtls_x509_crt_get_frame(), to obtain a CRT frame giving
+ * access to several basic CRT fields (such as the CRT version),
+ * as well as pointers to the raw ASN.1 data of more complex fields
+ * (such as the issuer).
+ * - mbedtls_x509_crt_get_pk(), to obtain a public key context
+ * for the public key contained in the certificate.
+ * - mbedtls_x509_crt_get_issuer(), to obtain the issuer name.
+ * - mbedtls_x509_crt_get_subject(), to obtain the subject name.
+ * - mbedtls_x509_crt_get_subject_alt_names(), to obtain the
+ * alternative names from the subject alternative names extension.
+ * - mbedtls_x509_crt_get_ext_key_usage(), to obtain the state of
+ * the extended key usage extension.
+ *
+ * Uncomment this to enable on-demand CRT parsing to save RAM.
+ */
+//#define MBEDTLS_X509_ON_DEMAND_PARSING
+
+/**
* \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
*
* If set, the X509 parser will not break-off when parsing an X509 certificate
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 3f8350a..db99aab 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -122,8 +122,14 @@
typedef struct mbedtls_x509_crt
{
int own_buffer; /**< Indicates if \c raw is owned
- * by the structure or not. */
- mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
+ * by the structure or not. */
+ mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
+ mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */
+
+ struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
+
+ /* Legacy fields */
+#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
@@ -166,10 +172,7 @@
mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
-
- mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */
-
- struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
+#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
}
mbedtls_x509_crt;
@@ -746,7 +749,7 @@
#endif
}
-static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt *crt,
+static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt const *crt,
mbedtls_pk_context **pk_ptr )
{
#if defined(MBEDTLS_THREADING_C)
@@ -772,7 +775,7 @@
return( 0 );
}
-static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt *crt,
+static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt const *crt,
mbedtls_pk_context *pk )
{
((void) pk);