Skip to content

Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823

Open
aidangarske wants to merge 3 commits into
wolfSSL:masterfrom
aidangarske:feature/x509-tiny
Open

Add WOLFSSL_X509_TINY minimal-extension profile + WOLFSSL_X509_VERIFY_ONLY#10823
aidangarske wants to merge 3 commits into
wolfSSL:masterfrom
aidangarske:feature/x509-tiny

Conversation

@aidangarske

@aidangarske aidangarske commented Jul 1, 2026

Copy link
Copy Markdown
Member

Two opt-in, macro-driven profiles for the template X.509 parser. WOLFSSL_X509_TINY strips optional extension/SAN decoding (with per-feature WOLFSSL_X509_TINY_* add-backs); WOLFSSL_X509_VERIFY_ONLY drives a verify-only footprint. Fail-closed on critical/nameConstraints, revocation locators forced when OCSP/CRL enabled. Default build byte-identical; includes a TINY cert test.

Saves ~3.4 KB off the reachable P-256 cert parser (asn.c __TEXT 59,673 -> 56,221 bytes, -Os; ~5.8%). with other size option we can get to aprox 18% down with WOLFSSL_X509_TINY, WOLFSSL_X509_VERIFY_ONLY, IGNORE_NAME_CONSTRAINTS, WOLFSSL_NO_ASN_STRICT

This comment was marked as resolved.

@aidangarske aidangarske marked this pull request as ready for review July 1, 2026 00:46
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

retest this please

…SSL_X509_VERIFY_ONLY + fail-closed cert test
SparkiDev
SparkiDev previously approved these changes Jul 2, 2026
@aidangarske aidangarske assigned wolfSSL-Bot and unassigned dgarske and aidangarske Jul 2, 2026

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 5 total — 2 posted, 3 skipped
2 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Info] Stale/misleading #endif comment on the reworked NAME_CONS_OID guardwolfcrypt/src/asn.c:21278
  • [Info] Inconsistent preprocessor-directive indentation in reworked extension guardswolfcrypt/src/asn.c:21252-21310

Skipped findings

  • [Medium] WOLFSSL_X509_VERIFY_ONLY silently undefines an explicit user WOLFSSL_KEY_GEN/WOLFSSL_CERT_GEN
  • [Medium] TINY hard-rejects any certificate carrying nameConstraints, including trusted CA certs
  • [Low] Test coverage: cert_x509_tiny_test does not exercise VERIFY_ONLY or SAN-stripping/add-back paths

Review generated by Skoll

Comment thread wolfcrypt/src/asn.c Outdated
Comment thread wolfcrypt/src/asn.c Outdated

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Config __TEXT bytes vs baseline
baseline (neither macro) 56,535 -
WOLFSSL_X509_VERIFY_ONLY 53,747 -2,788 (-4.9%)
WOLFSSL_X509_TINY 53,767 -2,768 (-4.9%)
both 50,979 -5,556 (-9.8%)

Comment thread wolfcrypt/src/asn.c
Comment thread wolfssl/wolfcrypt/settings.h
Comment thread wolfcrypt/src/asn.c
…osed on critical stripped extensions under TINY
@aidangarske aidangarske requested a review from dgarske July 2, 2026 21:19
@aidangarske aidangarske assigned dgarske and unassigned aidangarske Jul 2, 2026
@aidangarske

Copy link
Copy Markdown
Member Author

jenkins retest this please

@dgarske dgarske assigned SparkiDev and unassigned dgarske Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants