Introduce MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID removing IDs
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 9023981..ce503aa 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -105,6 +105,7 @@
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_CRT_REMOVE_TIME
+#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
#define MBEDTLS_X509_ON_DEMAND_PARSING
#define MBEDTLS_X509_ALWAYS_FLUSH
#define MBEDTLS_ASN1_PARSE_C
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 3ae1d0d..39b1cb1 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1956,6 +1956,16 @@
//#define MBEDTLS_X509_CRT_REMOVE_TIME
/**
+ * \def MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
+ *
+ * Don't store subject and issuer ID in X.509 certificate structures.
+ *
+ * Uncomment this to save some code and RAM on constrained systems which
+ * don't need to inspect issuer and subject ID fields in certificates.
+ */
+//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
+
+/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 88e3e7b..c8f488c 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -82,10 +82,12 @@
mbedtls_x509_buf_raw pubkey_raw; /**< The raw public key data (DER). */
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
mbedtls_x509_buf_raw issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
- mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
-
mbedtls_x509_buf_raw subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+
+ mbedtls_x509_buf_raw issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_buf_raw sig; /**< Signature: hash of the tbs part signed with the private key. */
@@ -133,8 +135,10 @@
mbedtls_x509_buf pk_raw;
mbedtls_pk_context pk; /**< Container for the public key context. */
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
diff --git a/library/x509_crt.c b/library/x509_crt.c
index eb746de..4e5ff43 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -235,8 +235,10 @@
x509_buf_to_buf_raw( &frame->pubkey_raw, &crt->pk_raw );
x509_buf_to_buf_raw( &frame->issuer_raw, &crt->issuer_raw );
x509_buf_to_buf_raw( &frame->subject_raw, &crt->subject_raw );
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
x509_buf_to_buf_raw( &frame->subject_id, &crt->subject_id );
x509_buf_to_buf_raw( &frame->issuer_id, &crt->issuer_id );
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
x509_buf_to_buf_raw( &frame->sig, &crt->sig );
x509_buf_to_buf_raw( &frame->v3_ext, &crt->v3_ext );
@@ -751,6 +753,7 @@
}
#endif /* MBEDTLS_X509_CRT_REMOVE_TIME */
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
/*
* X.509 v2/v3 unique identifier (not parsed)
*/
@@ -777,6 +780,30 @@
return( 0 );
}
+#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+static int x509_skip_uid( unsigned char **p,
+ const unsigned char *end,
+ int n )
+{
+ int ret;
+ size_t len;
+
+ if( *p == end )
+ return( 0 );
+
+ if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
+ {
+ if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+ return( 0 );
+
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ }
+
+ *p += len;
+ return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
static int x509_get_basic_constraints( unsigned char **p,
const unsigned char *end,
@@ -1365,6 +1392,7 @@
if( frame->version != 1 )
{
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
/*
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
* -- If present, version shall be v2 or v3
@@ -1380,6 +1408,14 @@
ret = x509_get_uid( &p, end, &frame->subject_id, 2 /* implicit tag */ );
if( ret != 0 )
return( ret );
+#else /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
+ ret = x509_skip_uid( &p, end, 1 /* implicit tag */ );
+ if( ret != 0 )
+ return( ret );
+ ret = x509_skip_uid( &p, end, 2 /* implicit tag */ );
+ if( ret != 0 )
+ return( ret );
+#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
}
/*
@@ -1562,8 +1598,10 @@
x509_buf_raw_to_buf( &crt->serial, &frame->serial );
x509_buf_raw_to_buf( &crt->issuer_raw, &frame->issuer_raw );
x509_buf_raw_to_buf( &crt->subject_raw, &frame->subject_raw );
+#if !defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
x509_buf_raw_to_buf( &crt->issuer_id, &frame->issuer_id );
x509_buf_raw_to_buf( &crt->subject_id, &frame->subject_id );
+#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
x509_buf_raw_to_buf( &crt->pk_raw, &frame->pubkey_raw );
x509_buf_raw_to_buf( &crt->sig, &frame->sig );
x509_buf_raw_to_buf( &crt->v3_ext, &frame->v3_ext );
diff --git a/scripts/config.pl b/scripts/config.pl
index 308af4a..e4648de 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -40,6 +40,7 @@
# - this could be enabled if the respective tests were adapted
# MBEDTLS_X509_REMOVE_INFO
# MBEDTLS_X509_CRT_REMOVE_TIME
+# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# and any symbol beginning _ALT
@@ -104,6 +105,7 @@
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_X509_REMOVE_INFO
MBEDTLS_X509_CRT_REMOVE_TIME
+MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION