@@ -4386,9 +4386,14 @@ static int GetSignature(DecodedCert* cert);
43864386static word32 SetAlgoIDImpl(int algoOID, byte* output, int type, int curveSz, byte absentParams);
43874387#ifndef NO_CERTS
43884388static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert);
4389+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
43894390static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert);
4391+ #endif
4392+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
43904393static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert);
4391- #ifndef IGNORE_NAME_CONSTRAINTS
4394+ #endif
4395+ #if !defined(IGNORE_NAME_CONSTRAINTS) && \
4396+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
43924397static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
43934398 word32 limit, byte* hasUnsupported, void* heap);
43944399static int DecodeNameConstraints(const byte* input, word32 sz, DecodedCert* cert);
@@ -18932,6 +18937,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
1893218937 }
1893318938 }
1893418939#ifndef IGNORE_NAME_CONSTRAINTS
18940+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_DIR)
1893518941 /* GeneralName choice: directoryName */
1893618942 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_DIR_TYPE)) {
1893718943 int strLen;
@@ -18950,6 +18956,8 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
1895018956 idx += (word32)len;
1895118957 }
1895218958 }
18959+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_DIR */
18960+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_EMAIL)
1895318961 /* GeneralName choice: rfc822Name */
1895418962 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RFC822_TYPE)) {
1895518963 ret = DecodeGeneralNameCheckChars(input + idx, len);
@@ -18962,6 +18970,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
1896218970 idx += (word32)len;
1896318971 }
1896418972 }
18973+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_EMAIL */
1896518974 /* GeneralName choice: uniformResourceIdentifier */
1896618975 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_URI_TYPE)) {
1896718976 ret = DecodeGeneralNameCheckChars(input + idx, len);
@@ -19039,13 +19048,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
1903919048 * surface the raw octets as OCTET_STRING already (see the
1904019049 * ASN_IP_TYPE case under WOLFSSL_GEN_IPADD in src/x509.c).
1904119050 */
19051+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_IP)
1904219052 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
1904319053 ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
1904419054 ASN_IP_TYPE, &cert->altNames);
1904519055 if (ret == 0) {
1904619056 idx += (word32)len;
1904719057 }
1904819058 }
19059+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_IP */
1904919060 /* GeneralName choice: registeredID
1905019061 *
1905119062 * Always parse registeredID into cert->altNames so
@@ -19071,13 +19082,15 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
1907119082 * - X509_print_name_entry: emits "Registered ID:<unavailable>"
1907219083 * when ridString is not generated, instead of failing the
1907319084 * whole print operation. */
19085+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SAN_RID)
1907419086 else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
1907519087 ret = SetDNSEntry(cert->heap, (const char*)(input + idx), len,
1907619088 ASN_RID_TYPE, &cert->altNames);
1907719089 if (ret == 0) {
1907819090 idx += (word32)len;
1907919091 }
1908019092 }
19093+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SAN_RID */
1908119094#endif /* IGNORE_NAME_CONSTRAINTS */
1908219095#ifndef IGNORE_NAME_CONSTRAINTS
1908319096 /* GeneralName choice: otherName.
@@ -19366,6 +19379,7 @@ static int DecodeBasicCaConstraintInternal(const byte* input, int sz,
1936619379}
1936719380
1936819381
19382+ #ifndef WOLFSSL_X509_TINY
1936919383static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
1937019384{
1937119385 word32 idx = 0;
@@ -19419,6 +19433,7 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
1941919433
1942019434 return 0;
1942119435}
19436+ #endif /* !WOLFSSL_X509_TINY */
1942219437
1942319438
1942419439/* Context-Specific value for: DistributionPoint.distributionPoint
@@ -19431,7 +19446,8 @@ static int DecodePolicyConstraints(const byte* input, int sz, DecodedCert* cert)
1943119446 * From RFC3280 SS4.2.1.7, GeneralName */
1943219447#define GENERALNAME_URI (ASN_CONTEXT_SPECIFIC | 6)
1943319448
19434- #ifdef WOLFSSL_ASN_TEMPLATE
19449+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
19450+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP))
1943519451/* ASN.1 template for CRL distribution points.
1943619452 * X.509: RFC 5280, 4.2.1.13 - CRL Distribution Points.
1943719453 */
@@ -19482,6 +19498,7 @@ enum {
1948219498 * @return BUFFER_E when data in buffer is too small.
1948319499 */
1948419500#ifdef WOLFSSL_ASN_TEMPLATE
19501+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
1948519502static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
1948619503{
1948719504 DECL_ASNGETDATA(dataASN, crlDistASN_Length);
@@ -19539,8 +19556,10 @@ static int DecodeCrlDist(const byte* input, word32 sz, DecodedCert* cert)
1953919556 FREE_ASNGETDATA(dataASN, cert->heap);
1954019557 return ret;
1954119558}
19559+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */
1954219560#endif /* WOLFSSL_ASN_TEMPLATE */
19543- #ifdef WOLFSSL_ASN_TEMPLATE
19561+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
19562+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA))
1954419563/* ASN.1 template for the access description.
1954519564 * X.509: RFC 5280, 4.2.2.1 - Authority Information Access.
1954619565 */
@@ -19577,6 +19596,7 @@ enum {
1957719596 * @return ASN_UNKNOWN_OID_E when the OID cannot be verified.
1957819597 */
1957919598#ifdef WOLFSSL_ASN_TEMPLATE
19599+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
1958019600static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
1958119601{
1958219602 word32 idx = 0;
@@ -19645,6 +19665,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
1964519665
1964619666 return ret;
1964719667}
19668+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */
1964819669#endif /* WOLFSSL_ASN_TEMPLATE */
1964919670
1965019671#ifdef WOLFSSL_ASN_TEMPLATE
@@ -19785,6 +19806,7 @@ int DecodeAuthKeyId(const byte* input, word32 sz, const byte **extAuthKeyId,
1978519806 * is invalid.
1978619807 * @return BUFFER_E when data in buffer is too small.
1978719808 */
19809+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
1978819810static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,
1978919811 DecodedCert* cert)
1979019812{
@@ -19842,6 +19864,7 @@ static int DecodeAuthKeyIdInternal(const byte* input, word32 sz,
1984219864
1984319865 return ret;
1984419866}
19867+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */
1984519868
1984619869/* Decode subject key id extension.
1984719870 *
@@ -19886,6 +19909,7 @@ int DecodeSubjKeyId(const byte* input, word32 sz, const byte **extSubjKeyId,
1988619909 * invalid.
1988719910 * @return MEMORY_E on dynamic memory allocation failure.
1988819911 */
19912+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
1988919913static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,
1989019914 DecodedCert* cert)
1989119915{
@@ -19909,6 +19933,7 @@ static int DecodeSubjKeyIdInternal(const byte* input, word32 sz,
1990919933
1991019934 return ret;
1991119935}
19936+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */
1991219937
1991319938#ifdef WOLFSSL_ASN_TEMPLATE
1991419939/* ASN.1 template for KeyUsage.
@@ -20181,6 +20206,7 @@ static int DecodeExtKeyUsageInternal(const byte* input, word32 sz,
2018120206
2018220207#ifndef IGNORE_NETSCAPE_CERT_TYPE
2018320208
20209+ #ifndef WOLFSSL_X509_TINY
2018420210static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
2018520211{
2018620212 word32 idx = 0;
@@ -20200,11 +20226,13 @@ static int DecodeNsCertType(const byte* input, int sz, DecodedCert* cert)
2020020226
2020120227 return 0;
2020220228}
20229+ #endif /* !WOLFSSL_X509_TINY (DecodeNsCertType) */
2020320230#endif
2020420231
2020520232
2020620233#ifndef IGNORE_NAME_CONSTRAINTS
20207- #ifdef WOLFSSL_ASN_TEMPLATE
20234+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
20235+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
2020820236/* ASN.1 template for GeneralSubtree.
2020920237 * X.509: RFC 5280, 4.2.1.10 - Name Constraints.
2021020238 */
@@ -20228,7 +20256,8 @@ enum {
2022820256#define subTreeASN_Length (sizeof(subTreeASN) / sizeof(ASNItem))
2022920257#endif
2023020258
20231- #ifdef WOLFSSL_ASN_TEMPLATE
20259+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
20260+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
2023220261/* Decode the Subtree's GeneralName.
2023320262 *
2023420263 * @param [in] input Buffer holding data.
@@ -20316,7 +20345,8 @@ static int DecodeSubtreeGeneralName(const byte* input, word32 sz, byte tag,
2031620345 * @return MEMORY_E when dynamic memory allocation fails.
2031720346 * @return ASN_PARSE_E when SEQUENCE is not found as expected.
2031820347 */
20319- #ifdef WOLFSSL_ASN_TEMPLATE
20348+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
20349+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
2032020350/* Decode a sub-tree of name constraints.
2032120351 *
2032220352 * @param [out] hasUnsupported Set to 1 when an entry with a GeneralName
@@ -20396,7 +20426,8 @@ static int DecodeSubtree(const byte* input, word32 sz, Base_entry** head,
2039620426 return ret;
2039720427}
2039820428#endif /* WOLFSSL_ASN_TEMPLATE */
20399- #ifdef WOLFSSL_ASN_TEMPLATE
20429+ #if defined(WOLFSSL_ASN_TEMPLATE) && \
20430+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
2040020431/* ASN.1 template for NameConstraints.
2040120432 * X.509: RFC 5280, 4.2.1.10 - Name Constraints.
2040220433 */
@@ -20430,6 +20461,7 @@ enum {
2043020461 * @return MEMORY_E on dynamic memory allocation failure.
2043120462 */
2043220463#ifdef WOLFSSL_ASN_TEMPLATE
20464+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS)
2043320465static int DecodeNameConstraints(const byte* input, word32 sz,
2043420466 DecodedCert* cert)
2043520467{
@@ -20474,6 +20506,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
2047420506
2047520507 return ret;
2047620508}
20509+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_NAME_CONSTRAINTS */
2047720510#endif /* WOLFSSL_ASN_TEMPLATE */
2047820511#endif /* IGNORE_NAME_CONSTRAINTS */
2047920512
@@ -21043,6 +21076,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2104321076 int ret = 0;
2104421077 word32 idx = 0;
2104521078
21079+ (void)idx; /* unused when optional extension cases are gated out (X509_TINY) */
2104621080 if (isUnknownExt != NULL)
2104721081 *isUnknownExt = 0;
2104821082
@@ -21056,6 +21090,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2105621090 }
2105721091 break;
2105821092
21093+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_CRL_DP)
2105921094 /* CRL Distribution point. */
2106021095 case CRL_DIST_OID:
2106121096 VERIFY_AND_SET_OID(cert->extCRLdistSet);
@@ -21064,7 +21099,9 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2106421099 ret = ASN_PARSE_E;
2106521100 }
2106621101 break;
21102+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_CRL_DP */
2106721103
21104+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AIA)
2106821105 /* Authority information access. */
2106921106 case AUTH_INFO_OID:
2107021107 VERIFY_AND_SET_OID(cert->extAuthInfoSet);
@@ -21085,6 +21122,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2108521122 ret = ASN_PARSE_E;
2108621123 }
2108721124 break;
21125+ #elif defined(WOLFSSL_X509_TINY)
21126+ /* Stripped: reject critical even under ALLOW_CRIT_AIA - can't honor an
21127+ * undecoded extension (RFC 5280 4.2.2.1). No SET_OID, bit means decoded. */
21128+ case AUTH_INFO_OID:
21129+ if (critical) {
21130+ ret = ASN_CRIT_EXT_E;
21131+ }
21132+ break;
21133+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AIA */
2108821134
2108921135 /* Subject alternative name. */
2109021136 case ALT_NAMES_OID:
@@ -21093,6 +21139,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2109321139 ret = DecodeAltNames(input, length, cert);
2109421140 break;
2109521141
21142+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_AKI)
2109621143 /* Authority Key Identifier. */
2109721144 case AUTH_KEY_OID:
2109821145 VERIFY_AND_SET_OID(cert->extAuthKeyIdSet);
@@ -21113,7 +21160,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2111321160 ret = ASN_PARSE_E;
2111421161 }
2111521162 break;
21163+ #elif defined(WOLFSSL_X509_TINY)
21164+ /* Stripped: reject critical even under ALLOW_CRIT_AKID - can't honor an
21165+ * undecoded extension (RFC 5280 4.2.1.1). No SET_OID, bit means decoded. */
21166+ case AUTH_KEY_OID:
21167+ if (critical) {
21168+ ret = ASN_CRIT_EXT_E;
21169+ }
21170+ break;
21171+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_AKI */
2111621172
21173+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_SKI)
2111721174 /* Subject Key Identifier. */
2111821175 case SUBJ_KEY_OID:
2111921176 VERIFY_AND_SET_OID(cert->extSubjKeyIdSet);
@@ -21135,7 +21192,17 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2113521192 ret = ASN_PARSE_E;
2113621193 }
2113721194 break;
21195+ #elif defined(WOLFSSL_X509_TINY)
21196+ /* Stripped: reject critical even under ALLOW_CRIT_SKID - can't honor an
21197+ * undecoded extension (RFC 5280 4.2.1.2). No SET_OID, bit means decoded. */
21198+ case SUBJ_KEY_OID:
21199+ if (critical) {
21200+ ret = ASN_CRIT_EXT_E;
21201+ }
21202+ break;
21203+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_SKI */
2113821204
21205+ #if !defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_POLICIES)
2113921206 /* Certificate policies. */
2114021207 case CERT_POLICY_OID:
2114121208 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
@@ -21162,6 +21229,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2116221229 #endif
2116321230 #endif
2116421231 break;
21232+ #endif /* !WOLFSSL_X509_TINY || WOLFSSL_X509_TINY_POLICIES */
2116521233
2116621234 /* Key usage. */
2116721235 case KEY_USAGE_OID:
@@ -21181,7 +21249,8 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2118121249 }
2118221250 break;
2118321251
21184- #ifndef IGNORE_NAME_CONSTRAINTS
21252+ #if !defined(IGNORE_NAME_CONSTRAINTS) && \
21253+ (!defined(WOLFSSL_X509_TINY) || defined(WOLFSSL_X509_TINY_NAME_CONSTRAINTS))
2118521254 /* Name constraints. */
2118621255 case NAME_CONS_OID:
2118721256 #ifndef WOLFSSL_NO_ASN_STRICT
@@ -21200,8 +21269,15 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2120021269 ret = ASN_PARSE_E;
2120121270 }
2120221271 break;
21272+ #elif !defined(IGNORE_NAME_CONSTRAINTS)
21273+ /* TINY can't enforce name constraints; fail closed rather than ignore. */
21274+ case NAME_CONS_OID:
21275+ WOLFSSL_ERROR_VERBOSE(ASN_NAME_INVALID_E);
21276+ ret = ASN_NAME_INVALID_E;
21277+ break;
2120321278 #endif /* IGNORE_NAME_CONSTRAINTS */
2120421279
21280+ #ifndef WOLFSSL_X509_TINY
2120521281 /* Inhibit anyPolicy. */
2120621282 case INHIBIT_ANY_OID:
2120721283 VERIFY_AND_SET_OID(cert->inhibitAnyOidSet);
@@ -21231,6 +21307,7 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length,
2123121307 if (DecodePolicyConstraints(&input[idx], (int)length, cert) < 0)
2123221308 return ASN_PARSE_E;
2123321309 break;
21310+ #endif /* !WOLFSSL_X509_TINY (inhibitAny/netscape/ocsp-nocheck/policyConstraints) */
2123421311 #ifdef WOLFSSL_SUBJ_DIR_ATTR
2123521312 case SUBJ_DIR_ATTR_OID:
2123621313 VERIFY_AND_SET_OID(cert->extSubjDirAttrSet);