NCS 2.9.1: Proper way of enabling x509 expiration verification when CONFIG_NRF_SECURITY is enabled

Dear DevZone,

While reviewing the implementation of x509_crt_verify_chain() in
C:\ncs\v2.9.1\modules\crypto\mbedtls\library\x509_crt.c, I noticed that certificate expiration (i.e., the valid_from and valid_to fields) is only verified when the MBEDTLS_HAVE_TIME_DATE macro is defined. However, in our current setup, this macro is not defined.

The only method I’ve found to enable it is by uncommenting its definition in
C:\ncs\v2.9.1\nrf\subsys\nrf_security\configs\legacy_crypto_config.h.template (line 149). A similar situation applies to the MBEDTLS_HAVE_TIME macro, which is also required.

Modifying the SDK directly is not an ideal solution. I’m aware of Kconfig options like CONFIG_MBEDTLS_USER_CONFIG_ENABLE and CONFIG_MBEDTLS_USER_CONFIG_FILE, which should allow the use of a custom header for macro definitions. Unfortunately, these options don’t seem to work in our case, likely because they require CONFIG_MBEDTLS_BUILTIN=y, whereas we are using CONFIG_NRF_SECURITY=y.

Is there a recommended way to enable these macros without modifying the SDK directly, particularly when using CONFIG_NRF_SECURITY?

Thank you for your support.

Best regards,
Ladivin
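To make concrete what is lost when MBEDTLS_HAVE_TIME_DATE is left undefined, here is a small stand-alone model of the validity-period check that x509_crt_verify_chain() performs only under that macro. This is an added example, not code from mbedTLS, the nRF Connect SDK or the question above; it mirrors the shape of mbedTLS's broken-down time struct and its expired/future comparisons, and it assumes the mbedTLS flag values MBEDTLS_X509_BADCERT_EXPIRED (0x01) and MBEDTLS_X509_BADCERT_FUTURE (0x0200) are unchanged in the NCS 2.9.1 copy. The `have_time_date` parameter stands in for the preprocessor condition: with it cleared, an already-expired certificate produces no verification flags at all, which is the behaviour the question is trying to avoid.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for mbedtls_x509_time: same fields, stored as an array so the
 * comparison can walk them most-significant first. */
typedef struct {
    int f[6];   /* year, mon, day, hour, min, sec */
} x509_time_t;

/* Flag values as defined in mbedTLS x509.h (assumption: unchanged in NCS 2.9.1). */
#define BADCERT_EXPIRED 0x01u
#define BADCERT_FUTURE  0x0200u

static x509_time_t make_time(int year, int mon, int day, int hour, int min, int sec)
{
    x509_time_t t = { { year, mon, day, hour, min, sec } };
    return t;
}

/* Lexicographic compare of two broken-down UTC times: <0, 0 or >0 like strcmp. */
static int time_cmp(const x509_time_t *a, const x509_time_t *b)
{
    for (int i = 0; i < 6; i++) {
        if (a->f[i] != b->f[i]) {
            return a->f[i] < b->f[i] ? -1 : 1;
        }
    }
    return 0;
}

/* Models the validity-period part of chain verification.
 * have_time_date == 0 models a build without MBEDTLS_HAVE_TIME_DATE:
 * the comparisons are compiled out and no flag is ever raised. */
uint32_t check_validity(int have_time_date, const x509_time_t *now,
                        const x509_time_t *valid_from, const x509_time_t *valid_to)
{
    uint32_t flags = 0;

    if (!have_time_date) {
        return 0;   /* no clock available to the library: check skipped entirely */
    }
    if (time_cmp(now, valid_to) > 0) {      /* now is after notAfter */
        flags |= BADCERT_EXPIRED;
    }
    if (time_cmp(now, valid_from) < 0) {    /* now is before notBefore */
        flags |= BADCERT_FUTURE;
    }
    return flags;
}

int main(void)
{
    /* Constructed sample values: a certificate valid through 2024 and a
     * device clock reading 2025-06-01 12:00:00 UTC. */
    x509_time_t now  = make_time(2025, 6, 1, 12, 0, 0);
    x509_time_t from = make_time(2024, 1, 1, 0, 0, 0);
    x509_time_t to   = make_time(2024, 12, 31, 23, 59, 59);

    printf("with MBEDTLS_HAVE_TIME_DATE    : flags=0x%04x\n",
           (unsigned)check_validity(1, &now, &from, &to));   /* 0x0001 expired */
    printf("without MBEDTLS_HAVE_TIME_DATE : flags=0x%04x\n",
           (unsigned)check_validity(0, &now, &from, &to));   /* 0x0000 accepted */
    return 0;
}
```

The same idea gives a cheap on-target regression check once the macro is enabled through whatever mechanism Nordic recommends: call mbedtls_x509_crt_verify() against a certificate whose notAfter is already in the past and confirm that the returned flags include MBEDTLS_X509_BADCERT_EXPIRED; if the flags come back clear, the date check is still compiled out.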
