NCS 2.9.1: Proper way of enabling x509 expiration verification when CONFIG_NRF_SECURITY is enabled

Dear DevZone,

While reviewing the implementation of x509_crt_verify_chain() in
C:\ncs\v2.9.1\modules\crypto\mbedtls\library\x509_crt.c, I noticed that certificate expiration (i.e., the valid_from and valid_to fields) is only verified when the MBEDTLS_HAVE_TIME_DATE macro is defined. However, in our current setup, this macro is not defined.

The only method I’ve found to enable it is by uncommenting its definition in
C:\ncs\v2.9.1\nrf\subsys\nrf_security\configs\legacy_crypto_config.h.template (line 149). A similar situation applies to the MBEDTLS_HAVE_TIME macro, which is also required.

Modifying the SDK directly is not an ideal solution. I’m aware of Kconfig options like CONFIG_MBEDTLS_USER_CONFIG_ENABLE and CONFIG_MBEDTLS_USER_CONFIG_FILE, which should allow the use of a custom header for macro definitions. Unfortunately, these options don’t seem to work in our case, likely because they require CONFIG_MBEDTLS_BUILTIN=y, whereas we are using CONFIG_NRF_SECURITY=y.

Is there a recommended way to enable these macros without modifying the SDK directly, particularly when using CONFIG_NRF_SECURITY?

Thank you for your support.

Best regards,
Ladivin
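
The following is an added example and is not part of the original post, the nRF Connect SDK, or mbedTLS itself. It mirrors the shape of the timestamp check inside x509_crt_verify_chain() as the question describes it: the comparison of valid_from/valid_to against the current time is compiled in only when MBEDTLS_HAVE_TIME_DATE is defined, so without that macro an expired or not-yet-valid certificate receives no time-related verification flag. The MBEDTLS_X509_BADCERT_EXPIRED and MBEDTLS_X509_BADCERT_FUTURE values are the ones from mbedTLS x509.h; the x509_time/x509_cert structs, the function names, and the fixed "now" are simplified stand-ins (assumptions) so the program runs offline without mbedTLS or a wall clock.

```c
#include <stdio.h>

/* Added example, not code from the DevZone thread, the nRF Connect SDK, or mbedTLS.
 * Flag values are copied from mbedTLS x509.h; the structs and functions below are
 * simplified stand-ins for the real mbedtls_x509_crt / mbedtls_x509_time types. */
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01   /* same value as mbedTLS x509.h */
#define MBEDTLS_X509_BADCERT_FUTURE  0x0200 /* same value as mbedTLS x509.h */

/* Broken-down time, in the spirit of mbedtls_x509_time (stand-in). */
typedef struct {
    int year, mon, day, hour, min, sec;
} x509_time;

/* Minimal certificate stand-in: only the validity window matters here. */
typedef struct {
    const char *subject;      /* constructed label, for printing only */
    x509_time valid_from;
    x509_time valid_to;
} x509_cert;

/* Constructed, fixed "current time" so the result does not depend on the host clock. */
static const x509_time NOW = { 2025, 1, 15, 12, 0, 0 };

/* Field-by-field compare: <0 if a is before b, 0 if equal, >0 if a is after b. */
static int x509_time_cmp(const x509_time *a, const x509_time *b)
{
    int da[6] = { a->year, a->mon, a->day, a->hour, a->min, a->sec };
    int db[6] = { b->year, b->mon, b->day, b->hour, b->min, b->sec };
    for (int i = 0; i < 6; i++) {
        if (da[i] != db[i]) return da[i] < db[i] ? -1 : 1;
    }
    return 0;
}

/* The validity-window check itself, always compiled so it can be exercised. */
unsigned int check_validity_window(const x509_cert *crt, const x509_time *now)
{
    unsigned int flags = 0;
    if (x509_time_cmp(&crt->valid_to, now) < 0)    /* valid_to already passed */
        flags |= MBEDTLS_X509_BADCERT_EXPIRED;
    if (x509_time_cmp(&crt->valid_from, now) > 0)  /* valid_from still ahead */
        flags |= MBEDTLS_X509_BADCERT_FUTURE;
    return flags;
}

/* Mirrors the guarded block in x509_crt_verify_chain(): without
 * MBEDTLS_HAVE_TIME_DATE the check compiles away and an expired or
 * not-yet-valid certificate gets no time-related flag at all. */
unsigned int verify_chain_time_flags(const x509_cert *crt, const x509_time *now)
{
    unsigned int flags = 0;
#if defined(MBEDTLS_HAVE_TIME_DATE)
    flags |= check_validity_window(crt, now);
#else
    (void)crt; (void)now;   /* time check silently skipped */
#endif
    return flags;
}

/* Constructed certificate valid from from_year-01-01 through to_year-12-31. */
x509_cert make_cert(int from_year, int to_year)
{
    x509_cert c;
    c.subject    = "constructed-sample-cert";
    c.valid_from = (x509_time){ from_year, 1, 1, 0, 0, 0 };
    c.valid_to   = (x509_time){ to_year, 12, 31, 23, 59, 59 };
    return c;
}

/* Flags the unconditional check reports for a window, against the fixed NOW. */
unsigned int window_flags(int from_year, int to_year)
{
    x509_cert c = make_cert(from_year, to_year);
    return check_validity_window(&c, &NOW);
}

/* Flags the macro-guarded path reports for the same window. */
unsigned int guarded_flags(int from_year, int to_year)
{
    x509_cert c = make_cert(from_year, to_year);
    return verify_chain_time_flags(&c, &NOW);
}

int main(void)
{
    /* Expired at end of 2023, checked against NOW = 2025-01-15. */
    printf("expired cert: window check = 0x%04x, guarded path = 0x%04x\n",
           window_flags(2022, 2023), guarded_flags(2022, 2023));
#if !defined(MBEDTLS_HAVE_TIME_DATE)
    printf("MBEDTLS_HAVE_TIME_DATE not defined: expired cert passes the time check\n");
#endif
    return 0;
}
```

Building this once as-is and once with `-DMBEDTLS_HAVE_TIME_DATE` shows the difference the question is about: the guarded path reports 0x0000 for the expired certificate in the first build and 0x0001 (MBEDTLS_X509_BADCERT_EXPIRED) in the second. The same comparison is a quick way to confirm, on a target build, whether the macro actually reached the compiler.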

Hi Amanda,

Thank you for sharing the link. The post is indeed very similar to the issue I'm encountering. From what I can see, it’s currently not possible to enable the certificate expiration check without modifying the SDK.

It looks like the PR mentioned in the post was closed due to inactivity. Do you know if there are any plans to revisit this or include it in an upcoming release?

Best regards,

Ladivin
