From a706a5295d705e8ac77a1d467dc443da1053e0bb Mon Sep 17 00:00:00 2001
From: Arkadiusz Balys
Date: Tue, 25 Nov 2025 11:18:45 +0100
Subject: [PATCH 1/2] [nrf toup][crypto] Add define to enable x509 usage

In some cases, we do not want to use x509 for Matter purposes, but it can be used for different use cases. In order to allow doing that and reducing the Matter footprint added the chip_crypto_use_x509 define that can control when the X509-related functions are added to the compilation.

Signed-off-by: Arkadiusz Balys
---
 src/crypto/BUILD.gn | 1 +
 src/crypto/CHIPCryptoPALmbedTLS.cpp | 4 +-
 src/crypto/CHIPCryptoPALmbedTLSCert.cpp | 58 ++++++++++++-------------
 src/crypto/crypto.gni | 5 +++
 4 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
index d862c7d142..0e7a2df4d5 100644
--- a/src/crypto/BUILD.gn
+++ b/src/crypto/BUILD.gn
@@ -75,6 +75,7 @@ buildconfig_header("crypto_buildconfig") {
 "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
 "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
 "CHIP_CRYPTO_TRUSTY_OS=${chip_with_trusty_os}",
+"CHIP_CRYPTO_USE_X509=${chip_crypto_use_x509}",
 ]
 }
diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp
index b2726424ab..ad0c60626e 100644
--- a/src/crypto/CHIPCryptoPALmbedTLS.cpp
+++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp
@@ -784,7 +784,7 @@ P256Keypair::~P256Keypair()
 CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
 {
-#if defined(MBEDTLS_X509_CSR_WRITE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 int result = 0;
 size_t out_length;
@@ -835,7 +835,7 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t &
 #else
 ChipLogError(Crypto, "MBEDTLS_X509_CSR_WRITE_C is not enabled. CSR cannot be created");
 return CHIP_ERROR_UNSUPPORTED_CHIP_FEATURE;
-#endif
+#endif // CHIP_CRYPTO_USE_X509
 }
 typedef struct Spake2p_Context
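Review bot: Replacing `#if defined(MBEDTLS_X509_CSR_WRITE_C)` with `#if CHIP_CRYPTO_USE_X509` in the first CHIPCryptoPALmbedTLS.cpp hunk drops the check that the mbedTLS build actually provides CSR writing, so a configuration with `chip_crypto_use_x509 = true` (the GN default) and an mbedTLS config without `MBEDTLS_X509_CSR_WRITE_C` now fails to compile instead of taking the graceful `#else` path. Keeping both conditions, `#if CHIP_CRYPTO_USE_X509 && defined(MBEDTLS_X509_CSR_WRITE_C)`, preserves the old fallback. The `#else` branch in the second hunk still logs `MBEDTLS_X509_CSR_WRITE_C is not enabled. CSR cannot be created`, which is misleading when the feature was turned off through the GN arg; something like `X.509 support is not enabled (CHIP_CRYPTO_USE_X509). CSR cannot be created` would match the new guard. Note also that an undefined macro evaluates to 0 under `#if`, so if this translation unit ever misses the generated buildconfig header the whole CSR path silently disappears, whereas a `#if !defined(CHIP_CRYPTO_USE_X509) #error ...` guard would surface that. NewCertificateSigningRequest's body continues outside both hunks.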
diff --git a/src/crypto/CHIPCryptoPALmbedTLSCert.cpp b/src/crypto/CHIPCryptoPALmbedTLSCert.cpp
index 00053ee5b7..63947daeba 100644
--- a/src/crypto/CHIPCryptoPALmbedTLSCert.cpp
+++ b/src/crypto/CHIPCryptoPALmbedTLSCert.cpp
@@ -33,16 +33,16 @@
 #include
 #include
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 #include
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 namespace chip {
 namespace Crypto {
 CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_length, P256PublicKey & pubkey)
 {
-#if defined(MBEDTLS_X509_CSR_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 ReturnErrorOnFailure(VerifyCertificateSigningRequestFormat(csr_buf, csr_length));
 // TODO: For some embedded targets, mbedTLS library doesn't have mbedtls_x509_csr_parse_der, and mbedtls_x509_csr_parse_free.
@@ -103,7 +103,7 @@ CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_l
 namespace {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 bool IsTimeGreaterThanEqual(const mbedtls_x509_time * const timeA, const mbedtls_x509_time * const timeB)
 {
@@ -181,13 +181,13 @@ constexpr uint8_t sOID_Extension_CRLDistributionPoint[] = { 0x55, 0x1D, 0x1F }
 (sizeof(oid) == (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) && \
 (memcmp((oid), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(p), (oidBuf).CHIP_CRYPTO_PAL_PRIVATE_X509(len)) == 0))
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 } // anonymous namespace
 CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, AttestationCertType certType)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 int result = 0;
 mbedtls_x509_crt mbed_cert;
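Review bot: The include block in the first hunk, and every gated function in the rest of this file (all hunks down to the `#endif` of `ReplaceCertIfResignedCertFound`), now compile the mbedTLS X.509 code whenever `CHIP_CRYPTO_USE_X509` is set, regardless of whether `MBEDTLS_X509_CRT_PARSE_C` / `MBEDTLS_X509_CSR_PARSE_C` are defined in the mbedTLS configuration; with the GN default `chip_crypto_use_x509 = true`, a target whose mbedTLS lacks X.509 parsing, which previously fell through to `CHIP_ERROR_NOT_IMPLEMENTED`, now fails at the now-enabled `#include` instead. Keeping the library capability in the condition, `#if CHIP_CRYPTO_USE_X509 && defined(MBEDTLS_X509_CRT_PARSE_C)` (and `MBEDTLS_X509_CSR_PARSE_C` for `VerifyCertificateSigningRequest`), preserves that fallback; the nrfconnect Kconfig default in the second patch only covers one platform. If the intent is instead that enabling the option must imply a capable mbedTLS, a single `#if CHIP_CRYPTO_USE_X509 && !defined(MBEDTLS_X509_CRT_PARSE_C)` / `#error` near the includes gives a clear diagnostic rather than a missing-header error. Most of the affected functions start or end outside their hunks.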
@@ -349,7 +349,7 @@ CHIP_ERROR VerifyAttestationCertificateFormat(const ByteSpan & cert, Attestation
 (void) cert;
 (void) certType;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
@@ -358,7 +358,7 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
 size_t caCertificateLen, const uint8_t * leafCertificate, size_t leafCertificateLen,
 CertificateChainValidationResult & result)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 mbedtls_x509_crt certChain;
 mbedtls_x509_crt rootCert;
@@ -425,14 +425,14 @@ CHIP_ERROR ValidateCertificateChain(const uint8_t * rootCertificate, size_t root
 (void) leafCertificateLen;
 (void) result;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & candidateCertificate, const ByteSpan & issuerCertificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 mbedtls_x509_crt mbedCandidateCertificate;
 mbedtls_x509_crt mbedIssuerCertificate;
@@ -463,14 +463,14 @@ CHIP_ERROR IsCertificateValidAtIssuance(const ByteSpan & candidateCertificate, c
 (void) candidateCertificate;
 (void) issuerCertificate;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR IsCertificateValidAtCurrentTime(const ByteSpan & certificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 mbedtls_x509_crt mbedCertificate;
 int result;
@@ -497,14 +497,14 @@ CHIP_ERROR IsCertificateValidAtCurrentTime(const ByteSpan & certificate)
 #else
 (void) certificate;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256PublicKey & pubkey)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 mbedtls_x509_crt mbed_cert;
 mbedtls_ecp_keypair * keypair = nullptr;
@@ -536,7 +536,7 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
 (void) certificate;
 (void) pubkey;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
@@ -545,7 +545,7 @@ namespace {
 CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate, MutableByteSpan & kid)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
 mbedtls_x509_crt mbed_cert;
 unsigned char * p = nullptr;
@@ -622,7 +622,7 @@ CHIP_ERROR ExtractKIDFromX509Cert(bool extractSKID, const ByteSpan & certificate
 (void) certificate;
 (void) kid;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
@@ -641,7 +641,7 @@ CHIP_ERROR ExtractAKIDFromX509Cert(const ByteSpan & certificate, MutableByteSpan
 CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certificate, MutableCharSpan & cdpurl)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
 mbedtls_x509_crt mbed_cert;
 unsigned char * p = nullptr;
@@ -761,14 +761,14 @@ CHIP_ERROR ExtractCRLDistributionPointURIFromX509Cert(const ByteSpan & certifica
 (void) certificate;
 (void) cdpurl;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR ExtractCDPExtensionCRLIssuerFromX509Cert(const ByteSpan & certificate, MutableByteSpan & crlIssuer)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_ERROR_NOT_FOUND;
 mbedtls_x509_crt mbed_cert;
 unsigned char * p = nullptr;
@@ -877,14 +877,14 @@ CHIP_ERROR ExtractCDPExtensionCRLIssuerFromX509Cert(const ByteSpan & certificate
 (void) certificate;
 (void) crlIssuer;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, MutableByteSpan & serialNumber)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 int result = 0;
 uint8_t * p = nullptr;
@@ -911,14 +911,14 @@ CHIP_ERROR ExtractSerialNumberFromX509Cert(const ByteSpan & certificate, Mutable
 (void) certificate;
 (void) serialNumber;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
 CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCertVidPid & vidpid)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 mbedtls_x509_crt mbed_cert;
 mbedtls_asn1_named_data * dnIterator = nullptr;
@@ -967,7 +967,7 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe
 (void) certificate;
 (void) vidpid;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
@@ -975,7 +975,7 @@ CHIP_ERROR ExtractVIDPIDFromX509Cert(const ByteSpan & certificate, AttestationCe
 namespace {
 CHIP_ERROR ExtractRawDNFromX509Cert(bool extractSubject, const ByteSpan & certificate, MutableByteSpan & dn)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 CHIP_ERROR error = CHIP_NO_ERROR;
 int result = 0;
 uint8_t * p = nullptr;
@@ -1011,7 +1011,7 @@ CHIP_ERROR ExtractRawDNFromX509Cert(bool extractSubject, const ByteSpan & certif
 (void) certificate;
 (void) dn;
 CHIP_ERROR error = CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 return error;
 }
@@ -1030,7 +1030,7 @@ CHIP_ERROR ExtractIssuerFromX509Cert(const ByteSpan & certificate, MutableByteSp
 CHIP_ERROR ReplaceCertIfResignedCertFound(const ByteSpan & referenceCertificate, const ByteSpan * candidateCertificates,
 size_t candidateCertificatesCount, ByteSpan & outCertificate)
 {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if CHIP_CRYPTO_USE_X509
 uint8_t referenceSubjectBuf[kMaxCertificateDistinguishedNameLength];
 uint8_t referenceSKIDBuf[kSubjectKeyIdentifierLength];
 MutableByteSpan referenceSubject(referenceSubjectBuf);
@@ -1068,7 +1068,7 @@ CHIP_ERROR ReplaceCertIfResignedCertFound(const ByteSpan & referenceCertificate,
 (void) candidateCertificatesCount;
 (void) outCertificate;
 return CHIP_ERROR_NOT_IMPLEMENTED;
-#endif // defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif // CHIP_CRYPTO_USE_X509
 }
 } // namespace Crypto
diff --git a/src/crypto/crypto.gni b/src/crypto/crypto.gni
index a77ec430a2..6fb462b909 100644
--- a/src/crypto/crypto.gni
+++ b/src/crypto/crypto.gni
@@ -35,6 +35,11 @@ declare_args() {
 # Trusty TEE, please refer the website listed below:
 # https://source.android.com/docs/security/features/trusty
 chip_with_trusty_os = false
+ # Enable support for x509 certificates. # Disable this argument to reduce the code footprint if your device does not # need to manage the x509 certificates.
+ chip_crypto_use_x509 = true
 }
 assert(
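Review bot: The new `chip_crypto_use_x509` description in the crypto.gni hunk only mentions code footprint, but with the argument false the functions gated in CHIPCryptoPALmbedTLSCert.cpp (`VerifyAttestationCertificateFormat`, `ValidateCertificateChain`, `IsCertificateValidAtIssuance`, `ExtractPubkeyFromX509Cert` and the extractors) return `CHIP_ERROR_NOT_IMPLEMENTED`, so whatever relies on them — presumably device attestation and operational certificate handling — fails at runtime rather than at build time. The comment should state that, e.g. `# When false, the X.509 parsing and chain-validation helpers in CHIPCryptoPALmbedTLSCert.cpp return CHIP_ERROR_NOT_IMPLEMENTED; only disable on builds that never validate certificates.` The comment also spells the feature `x509` while the generated define uses `X509` and the Kconfig help in the second patch says `X.509`; one spelling throughout makes the option easier to find.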
From 73307ce6d0af3a21585f4d0cc11f8fc2331ebaca Mon Sep 17 00:00:00 2001
From: Arkadiusz Balys
Date: Tue, 25 Nov 2025 11:25:15 +0100
Subject: [PATCH 2/2] [nrf toup][nrfconnect] Add kconfig to control X509 usage

Added the CHIP_CRYPTO_USE_X509 kconfig option to enable or disable the x509 certificate processing for nrfconnect devices.

Signed-off-by: Arkadiusz Balys
---
 config/nrfconnect/chip-module/CMakeLists.txt | 1 +
 config/nrfconnect/chip-module/Kconfig | 7 +++++++
 src/test_driver/nrfconnect/prj.conf | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt
index 76497c0b7a..ac94b4e355 100644
--- a/config/nrfconnect/chip-module/CMakeLists.txt
+++ b/config/nrfconnect/chip-module/CMakeLists.txt
@@ -161,6 +161,7 @@ matter_add_gn_arg_bool ("chip_enable_read_client" CONFIG_CHIP_EN
 matter_add_gn_arg_bool ("chip_mdns_minimal" CONFIG_WIFI_NRF70)
 matter_add_gn_arg_bool ("chip_mdns_platform" CONFIG_OPENTHREAD)
 matter_add_gn_arg_bool ("enable_im_pretty_print" CONFIG_CHIP_IM_PRETTY_PRINT)
+matter_add_gn_arg_bool ("chip_crypto_use_x509" CONFIG_CHIP_CRYPTO_USE_X509)
 matter_add_gn_arg_bool ("chip_system_config_use_sockets" NOT CONFIG_CHIP_USE_OPENTHREAD_ENDPOINT)
 matter_add_gn_arg_bool ("chip_system_config_use_openthread_inet_endpoints" CONFIG_CHIP_USE_OPENTHREAD_ENDPOINT)
diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig
index b4fc8fdb06..5eff392202 100644
--- a/config/nrfconnect/chip-module/Kconfig
+++ b/config/nrfconnect/chip-module/Kconfig
@@ -493,4 +493,11 @@ config CHIP_IM_PRETTY_PRINT
 Request). This option helps in debugging and development of message exchanges within the Matter protocol.
+config CHIP_CRYPTO_USE_X509
+ bool "X.509 certificate support"
+ default n if CHIP_CRYPTO_PSA
+ default y if MBEDTLS_X509_LIBRARY # We still need it to be enabled if we use mbedTLS as the crypto backend
+ help
+ Enables X.509 certificate support for Matter.
+
 endif # CHIP
diff --git a/src/test_driver/nrfconnect/prj.conf b/src/test_driver/nrfconnect/prj.conf
index 16aeaa1c04..0f0414c40d 100644
--- a/src/test_driver/nrfconnect/prj.conf
+++ b/src/test_driver/nrfconnect/prj.conf
@@ -94,3 +94,6 @@ CONFIG_CHIP_FACTORY_RESET_ERASE_SETTINGS=n
 # Use default ICD poll intervals to keep compatibility with tests
 CONFIG_CHIP_ICD_SLOW_POLL_INTERVAL=5000
 CONFIG_CHIP_ICD_FAST_POLLING_INTERVAL=200
+
+# Enable X.509 certificate support
+CONFIG_CHIP_CRYPTO_USE_X509=y
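Review bot: `default y if MBEDTLS_X509_LIBRARY` only chooses a default; a project that sets `CONFIG_CHIP_CRYPTO_USE_X509=y` explicitly (as src/test_driver/nrfconnect/prj.conf does in the next hunk) on a configuration without `MBEDTLS_X509_LIBRARY` still passes `chip_crypto_use_x509=true` to GN and, after the first patch, builds the mbedTLS X.509 code unconditionally. Tying the symbol to the backend capability, e.g. `depends on MBEDTLS_X509_LIBRARY || CHIP_CRYPTO_PSA`, makes that combination unrepresentable instead of a late build failure. Since the first matching `default` wins, a PSA build that also has `MBEDTLS_X509_LIBRARY` resolves to n; if that is intended, a short comment on the `default n` line would save the next reader from wondering. The help text could also state what disabling costs, e.g. `When disabled, certificate parsing and chain validation return CHIP_ERROR_NOT_IMPLEMENTED.`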