Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823
Open
aidangarske wants to merge 3 commits into
Open
Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823aidangarske wants to merge 3 commits into
aidangarske wants to merge 3 commits into
Conversation
|
retest this please |
…SSL_X509_VERIFY_ONLY + fail-closed cert test
372c75a to
a7aaa51
Compare
|
SparkiDev
previously approved these changes
Jul 2, 2026
dgarske
reviewed
Jul 2, 2026
dgarske
left a comment
Member
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 5 total — 2 posted, 3 skipped
2 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Info] Stale/misleading #endif comment on the reworked NAME_CONS_OID guard —
wolfcrypt/src/asn.c:21278 - [Info] Inconsistent preprocessor-directive indentation in reworked extension guards —
wolfcrypt/src/asn.c:21252-21310
Skipped findings
- [Medium]
WOLFSSL_X509_VERIFY_ONLY silently undefines an explicit user WOLFSSL_KEY_GEN/WOLFSSL_CERT_GEN - [Medium]
TINY hard-rejects any certificate carrying nameConstraints, including trusted CA certs - [Low]
Test coverage: cert_x509_tiny_test does not exercise VERIFY_ONLY or SAN-stripping/add-back paths
Review generated by Skoll
dgarske
requested changes
Jul 2, 2026
dgarske
left a comment
Member
There was a problem hiding this comment.
| Config | __TEXT bytes |
vs baseline |
|---|---|---|
| baseline (neither macro) | 56,535 | - |
WOLFSSL_X509_VERIFY_ONLY |
53,747 | -2,788 (-4.9%) |
WOLFSSL_X509_TINY |
53,767 | -2,768 (-4.9%) |
| both | 50,979 | -5,556 (-9.8%) |
…osed on critical stripped extensions under TINY
92c94ae to
c970a81
Compare
Member
Author
|
jenkins retest this please |
dgarske
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two opt-in, macro-driven profiles for the template X.509 parser. WOLFSSL_X509_TINY strips optional extension/SAN decoding (with per-feature WOLFSSL_X509_TINY_* add-backs); WOLFSSL_X509_VERIFY_ONLY drives a verify-only footprint. Fail-closed on critical/nameConstraints, revocation locators forced when OCSP/CRL enabled. Default build byte-identical; includes a TINY cert test.
Saves ~3.4 KB off the reachable P-256 cert parser (asn.c __TEXT 59,673 -> 56,221 bytes, -Os; ~5.8%). with other size option we can get to aprox 18% down with
WOLFSSL_X509_TINY, WOLFSSL_X509_VERIFY_ONLY, IGNORE_NAME_CONSTRAINTS, WOLFSSL_NO_ASN_STRICT