Skip to content

Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823

Merged
dgarske merged 3 commits into
wolfSSL:masterfrom
aidangarske:feature/x509-tiny
Jul 10, 2026
Merged

Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823
dgarske merged 3 commits into
wolfSSL:masterfrom
aidangarske:feature/x509-tiny

Conversation

@aidangarske

@aidangarske aidangarske commented Jul 1, 2026

Copy link
Copy Markdown
Member

Two opt-in, macro-driven profiles for the template X.509 parser. WOLFSSL_X509_TINY strips optional extension/SAN decoding (with per-feature WOLFSSL_X509_TINY_* add-backs); WOLFSSL_X509_VERIFY_ONLY drives a verify-only footprint. Fail-closed on critical/nameConstraints, revocation locators forced when OCSP/CRL enabled. Default build byte-identical; includes a TINY cert test.

Saves ~3.4 KB off the reachable P-256 cert parser (asn.c __TEXT 59,673 -> 56,221 bytes, -Os; ~5.8%). with other size option we can get to aprox 18% down with WOLFSSL_X509_TINY, WOLFSSL_X509_VERIFY_ONLY, IGNORE_NAME_CONSTRAINTS, WOLFSSL_NO_ASN_STRICT

This comment was marked as resolved.

@aidangarske aidangarske marked this pull request as ready for review July 1, 2026 00:46
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

retest this please

SparkiDev
SparkiDev previously approved these changes Jul 2, 2026
@aidangarske aidangarske assigned wolfSSL-Bot and unassigned dgarske and aidangarske Jul 2, 2026

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 5 total — 2 posted, 3 skipped
2 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Info] Stale/misleading #endif comment on the reworked NAME_CONS_OID guardwolfcrypt/src/asn.c:21278
  • [Info] Inconsistent preprocessor-directive indentation in reworked extension guardswolfcrypt/src/asn.c:21252-21310

Skipped findings

  • [Medium] WOLFSSL_X509_VERIFY_ONLY silently undefines an explicit user WOLFSSL_KEY_GEN/WOLFSSL_CERT_GEN
  • [Medium] TINY hard-rejects any certificate carrying nameConstraints, including trusted CA certs
  • [Low] Test coverage: cert_x509_tiny_test does not exercise VERIFY_ONLY or SAN-stripping/add-back paths

Review generated by Skoll

Comment thread wolfcrypt/src/asn.c Outdated
Comment thread wolfcrypt/src/asn.c Outdated

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Config __TEXT bytes vs baseline
baseline (neither macro) 56,535 -
WOLFSSL_X509_VERIFY_ONLY 53,747 -2,788 (-4.9%)
WOLFSSL_X509_TINY 53,767 -2,768 (-4.9%)
both 50,979 -5,556 (-9.8%)

Comment thread wolfcrypt/src/asn.c
Comment thread wolfssl/wolfcrypt/settings.h
Comment thread wolfcrypt/src/asn.c
@aidangarske

Copy link
Copy Markdown
Member Author

jenkins retest this please

dgarske
dgarske previously approved these changes Jul 6, 2026
@dgarske dgarske removed their assignment Jul 6, 2026
@dgarske

dgarske commented Jul 9, 2026

Copy link
Copy Markdown
Member

Jenkins retest this please

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unrecognized macros used:
WOLFSSL_X509_CERT_GEN
WOLFSSL_X509_KEY_GEN
WOLFSSL_X509_PEM
WOLFSSL_X509_TINY
WOLFSSL_X509_TINY_AKI
WOLFSSL_X509_TINY_NAME_CONSTRAINTS
WOLFSSL_X509_TINY_POLICIES
WOLFSSL_X509_TINY_SKI
WOLFSSL_X509_VERIFY_ONLY
add well-formed but unknown macros to .wolfssl_known_macro_extras at top of source tree.

SparkiDev
SparkiDev previously approved these changes Jul 9, 2026

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please resolve merge conflicts and check the CI failures. Thanks @aidangarske

@dgarske dgarske assigned aidangarske and unassigned SparkiDev and dgarske Jul 10, 2026
@aidangarske aidangarske requested a review from dgarske July 10, 2026 17:18
@dgarske dgarske merged commit b08b393 into wolfSSL:master Jul 10, 2026
338 of 339 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants