Conversation

Carglglz
Contributor
This enables date/time certificate validation for UNIX, STM32* and MIMXRT* ports.

I'm not sure if the STM32 or MIMXRT ports work (I have not tested them since I do not have the required hardware), but if that is not the case it should be close (I hope).

The problem with these two ports is that they do not include <time.h>, which is required for MBEDTLS_HAVE_TIME_DATE to work. From mbedtls config.h:

```c
/**
 * \def MBEDTLS_HAVE_TIME_DATE
 *
 * System has time.h, time(), and an implementation for
 * mbedtls_platform_gmtime_r() (see below).
 * The time needs to be correct (not necessarily very accurate, but at least
 * the date should be correct). This is used to verify the validity period of
 * X.509 certificates.
 *
 * Comment if your system does not have a correct clock.
 *
 * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
 * behaves similarly to the gmtime_r() function from the C standard. Refer to
 * the documentation for mbedtls_platform_gmtime_r() for more information.
 *
 * \note It is possible to configure an implementation for
 * mbedtls_platform_gmtime_r() at compile-time by using the macro
 * MBEDTLS_PLATFORM_GMTIME_R_ALT.
 */
```

The solution is to use this macro, MBEDTLS_PLATFORM_GMTIME_R_ALT:

```c
/**
 * Uncomment the macro to let Mbed TLS use your alternate implementation of
 * mbedtls_platform_gmtime_r(). This replaces the default implementation in
 * platform_util.c.
 *
 * gmtime() is not a thread-safe function as defined in the C standard. The
 * library will try to use safer implementations of this function, such as
 * gmtime_r() when available. However, if Mbed TLS cannot identify the target
 * system, the implementation of mbedtls_platform_gmtime_r() will default to
 * using the standard gmtime(). In this case, calls from the library to
 * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
 * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
 * library are also guarded with this mutex to avoid race conditions. However,
 * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
 * unconditionally use the implementation for mbedtls_platform_gmtime_r()
 * supplied at compile time.
 */
//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
```

So I tried to implement this function in both ports following modutime.c, but I'm not sure if it would work as expected. If anyone with the required hardware could do a test, it would be nice. 👍🏼

For the ESP32 port I have a working solution in #8968, but it cannot be implemented yet, I guess.
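The following is an added, self-contained illustration of the kind of alternate `mbedtls_platform_gmtime_r()` that MBEDTLS_PLATFORM_GMTIME_R_ALT asks for; it is not code from this pull request or from MicroPython's modutime.c. It assumes the port has no <time.h> gmtime()/gmtime_r() and that `mbedtls_time_t` is the default `time_t` (seconds since 1970-01-01 UTC, as delivered by the board's RTC); the calendar conversion is a standard proleptic-Gregorian days-to-civil routine, and the `clock_is_plausible()` floor date and the `gmtime_matches()` helper are hypothetical names added here for the check a port author would want: if the RTC still reads its reset value, every real certificate's notBefore lies in the future and the handshake fails, so the port should detect that case rather than blame the certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Days since 1970-01-01 -> (year, month, day), proleptic Gregorian.
 * Algorithm after Hinnant's "civil_from_days"; valid for any 64-bit day count. */
static void days_to_civil(int64_t z, int *y, unsigned *m, unsigned *d) {
    z += 719468;                                   /* shift epoch to 0000-03-01 */
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);                     /* [0, 146096] */
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365; /* [0, 399] */
    int64_t yy = (int64_t)yoe + era * 400;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);          /* [0, 365] */
    unsigned mp = (5 * doy + 2) / 153;                               /* [0, 11] */
    *d = doy - (153 * mp + 2) / 5 + 1;                               /* [1, 31] */
    *m = mp < 10 ? mp + 3 : mp - 9;                                  /* [1, 12] */
    *y = (int)(yy + (*m <= 2));
}

/* Alternate implementation compiled in when MBEDTLS_PLATFORM_GMTIME_R_ALT is
 * defined. Same contract as gmtime_r(): fills *tm_buf in UTC and returns it,
 * or NULL on error. mbedtls_time_t defaults to time_t, used directly here. */
struct tm *mbedtls_platform_gmtime_r(const time_t *tt, struct tm *tm_buf) {
    static const unsigned short cum_days[12] =
        {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
    if (tt == NULL || tm_buf == NULL) {
        return NULL;
    }
    int64_t t = (int64_t)*tt;
    int64_t days = t / 86400;
    int64_t rem = t % 86400;
    if (rem < 0) {                 /* floor division for pre-1970 values */
        rem += 86400;
        days -= 1;
    }
    int y;
    unsigned m, d;
    days_to_civil(days, &y, &m, &d);
    int leap = (y % 4 == 0) && (y % 100 != 0 || y % 400 == 0);
    tm_buf->tm_year = y - 1900;
    tm_buf->tm_mon = (int)m - 1;
    tm_buf->tm_mday = (int)d;
    tm_buf->tm_hour = (int)(rem / 3600);
    tm_buf->tm_min = (int)(rem % 3600 / 60);
    tm_buf->tm_sec = (int)(rem % 60);
    tm_buf->tm_wday = (int)(((days % 7) + 7 + 4) % 7);  /* 1970-01-01 was a Thursday */
    tm_buf->tm_yday = (int)(cum_days[m - 1] + d - 1 + (leap && m > 2 ? 1 : 0));
    tm_buf->tm_isdst = 0;
    return tm_buf;
}

/* Hypothetical sanity check for the caveat above: an RTC that still reads its
 * reset value (e.g. 0 or 2000-01-01) cannot validate any current certificate.
 * The floor, 2024-01-01T00:00:00Z, is an assumption a port would pin at build time. */
int clock_is_plausible(time_t now) {
    return now >= (time_t)1704067200 ? 1 : 0;
}

/* Helper for checking the converter against known UTC calendar values. */
int gmtime_matches(time_t t, int year, int mon, int mday,
                   int hour, int min, int sec, int wday, int yday) {
    struct tm tmb;
    if (mbedtls_platform_gmtime_r(&t, &tmb) != &tmb) {
        return 0;
    }
    return tmb.tm_year == year - 1900 && tmb.tm_mon == mon - 1 && tmb.tm_mday == mday &&
           tmb.tm_hour == hour && tmb.tm_min == min && tmb.tm_sec == sec &&
           tmb.tm_wday == wday && tmb.tm_yday == yday;
}

int main(void) {
    time_t t = (time_t)1704067200;   /* constructed sample: 2024-01-01 00:00:00 UTC */
    struct tm tmb;
    mbedtls_platform_gmtime_r(&t, &tmb);
    printf("%04d-%02d-%02d %02d:%02d:%02d wday=%d yday=%d plausible=%d\n",
           tmb.tm_year + 1900, tmb.tm_mon + 1, tmb.tm_mday, tmb.tm_hour, tmb.tm_min,
           tmb.tm_sec, tmb.tm_wday, tmb.tm_yday, clock_is_plausible(t));
    return 0;
}
```

Only the date fields matter to Mbed TLS's X.509 validity check, but a wrong weekday or leap-day handling is the usual sign that a hand-rolled converter is off by one somewhere, so the helper compares every field against known vectors (2024-01-01 Monday, 2000-02-29 Tuesday, and the 1970 epoch Thursday).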

@Carglglz Carglglz marked this pull request as ready for review August 23, 2022 19:57
@dpgeorge dpgeorge added the extmod Relates to extmod/ directory in source label Aug 25, 2022
@Carglglz Carglglz closed this Jun 30, 2023
@Carglglz Carglglz deleted the ssl-cert-time-verify branch January 21, 2024 17:30