certstore.c File Reference

Certificate store. More...

#include <string.h>
#include <stdlib.h>
#include <ipxe/init.h>
#include <ipxe/dhcp.h>
#include <ipxe/settings.h>
#include <ipxe/malloc.h>
#include <ipxe/crypto.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/certstore.h>


Defines

#define CERT(_index, _path)
 Raw certificate data for all permanent stored certificates.
#define CERT(_index, _path)
 Raw certificate data for all permanent stored certificates.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
static struct x509_certificate * certstore_found (struct x509_certificate *cert)
 Mark stored certificate as most recently used.
struct x509_certificate * certstore_find (struct asn1_cursor *raw)
 Find certificate in store.
struct x509_certificate * certstore_find_key (struct asn1_cursor *key)
 Find certificate in store corresponding to a private key.
void certstore_add (struct x509_certificate *cert)
 Add certificate to store.
void certstore_del (struct x509_certificate *cert)
 Remove certificate from store.
static unsigned int certstore_discard (void)
 Discard a stored certificate.
struct cache_discarder certstore_discarder __cache_discarder (CACHE_NORMAL)
 Certificate store cache discarder.
static void certstore_init (void)
 Construct permanent certificate store.
struct init_fn certstore_init_fn __init_fn (INIT_LATE)
 Certificate store initialisation function.
static struct setting cert_setting __setting (SETTING_CRYPTO, cert)
 Additional certificate setting.
static int certstore_apply_settings (void)
 Apply certificate store configuration settings.

Variables

static struct asn1_cursor certstore_raw []
static struct x509_certificate certstore_certs [sizeof(certstore_raw)/sizeof(certstore_raw[0])]
 X.509 certificate structures for all permanent stored certificates.
struct x509_chain certstore
 Certificate store.
struct settings_applicator certstore_applicator __settings_applicator
 Certificate store settings applicator.

Detailed Description

Certificate store.

Definition in file certstore.c.


Define Documentation

#define CERT (   _index,
  _path 
)
Value:
extern char stored_cert_ ## _index ## _data[];                  \
        extern char stored_cert_ ## _index ## _len[];                   \
        __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t"       \
                  "\nstored_cert_" #_index "_data:\n\t"                 \
                  ".incbin \"" _path "\"\n\t"                           \
                  "\nstored_cert_" #_index "_end:\n\t"                  \
                  ".equ stored_cert_" #_index "_len, "                  \
                        "( stored_cert_" #_index "_end - "              \
                        "  stored_cert_" #_index "_data )\n\t"          \
                  ".previous\n\t" );

Raw certificate data for all permanent stored certificates.

Raw certificate cursors for all permanent stored certificates.

Definition at line 60 of file certstore.c.

#define CERT (   _index,
  _path 
)
Value:
{                                               \
        .data = stored_cert_ ## _index ## _data,                        \
        .len = ( size_t ) stored_cert_ ## _index ## _len,               \
},

Raw certificate data for all permanent stored certificates.

Raw certificate cursors for all permanent stored certificates.

Definition at line 60 of file certstore.c.


Function Documentation

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )
static struct x509_certificate * certstore_found ( struct x509_certificate *cert ) [static, read]

Mark stored certificate as most recently used.

Parameters:
    cert    X.509 certificate
Return values:
    cert    X.509 certificate

Definition at line 85 of file certstore.c.

References DBGC2, x509_chain::links, x509_link::list, list_add, list_del, x509_certificate::store, and x509_name().

Referenced by certstore_find(), and certstore_find_key().

                                                  {
        struct list_head *link = &cert->store.list;

        /* Move the certificate to the head of the store list so that
         * it becomes the most recently used entry.  certstore_discard()
         * walks the list from the tail, so this also makes it the
         * last candidate for eviction.
         */
        list_del ( link );
        list_add ( link, &certstore.links );
        DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",
                x509_name ( cert ) );

        return cert;
}
struct x509_certificate * certstore_find ( struct asn1_cursor *raw ) [read]

Find certificate in store.

Parameters:
    raw     Raw certificate data
Return values:
    cert    X.509 certificate, or NULL if not found

Definition at line 102 of file certstore.c.

References asn1_compare(), certstore_found(), x509_chain::links, x509_link::list, list_for_each_entry, NULL, x509_certificate::raw, and x509_certificate::store.

Referenced by certstore_init(), and x509_certificate().

                                                                     {
        struct x509_certificate *stored;

        /* Linear scan of the store, most recently used first.  The
         * first certificate whose raw data compares equal to the
         * supplied data is promoted to most recently used and returned.
         */
        list_for_each_entry ( stored, &certstore.links, store.list ) {
                if ( asn1_compare ( raw, &stored->raw ) != 0 )
                        continue;
                return certstore_found ( stored );
        }

        /* No matching certificate in store */
        return NULL;
}
struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ) [read]

Find certificate in store corresponding to a private key.

Parameters:
    key     Private key
Return values:
    cert    X.509 certificate, or NULL if not found

Definition at line 119 of file certstore.c.

References certstore_found(), asn1_cursor::data, asn1_cursor::len, x509_chain::links, x509_link::list, list_for_each_entry, NULL, asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, and x509_certificate::subject.

Referenced by tls_new_certificate_request().

                                                                         {
        struct x509_certificate *stored;
        struct asn1_cursor *pub;

        /* Scan the store for a certificate whose subject public key
         * corresponds to the supplied private key, using the public
         * key algorithm named by the certificate's own signature
         * algorithm.  NOTE(review): a match only identifies the
         * certificate belonging to the key; it says nothing about
         * whether that certificate is trusted, which is presumably
         * decided by chain validation elsewhere.
         */
        list_for_each_entry ( stored, &certstore.links, store.list ) {
                pub = &stored->subject.public_key.raw;
                if ( pubkey_match ( stored->signature_algorithm->pubkey,
                                    key->data, key->len,
                                    pub->data, pub->len ) != 0 )
                        continue;
                return certstore_found ( stored );
        }

        /* No certificate in store matches this key */
        return NULL;
}
void certstore_add ( struct x509_certificate *cert )

Add certificate to store.

Parameters:
    cert    X.509 certificate

Definition at line 138 of file certstore.c.

References x509_link::cert, DBGC, x509_chain::links, x509_link::list, list_add, x509_certificate::store, x509_get(), and x509_name().

Referenced by certstore_init(), and x509_certificate().

                                                     {
        struct x509_link *link = &cert->store;

        /* Point the embedded link back at its certificate, then take
         * the reference that the store owns.  That reference is
         * released only by certstore_del(), so the caller keeps its
         * own reference.
         */
        link->cert = cert;
        x509_get ( cert );

        /* Newly added certificates enter at the head, i.e. as most
         * recently used.
         */
        list_add ( &link->list, &certstore.links );
        DBGC ( &certstore, "CERTSTORE added certificate %s\n",
               x509_name ( cert ) );
}
void certstore_del ( struct x509_certificate *cert )

Remove certificate from store.

Parameters:
    cert    X.509 certificate

Definition at line 153 of file certstore.c.

References DBGC, x509_certificate::flags, x509_link::list, list_del, x509_certificate::store, X509_FL_PERMANENT, x509_name(), and x509_put().

Referenced by certfree_payload(), and certstore_discard().

                                                     {
        int permanent = ( cert->flags & X509_FL_PERMANENT );

        /* Certificates marked permanent (those built into the image
         * by certstore_init()) are never removed; the request is
         * silently ignored.
         */
        if ( ! permanent ) {
                /* Log before dropping the store's reference: the
                 * x509_put() below may presumably be the last
                 * reference, after which cert must not be touched.
                 */
                DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
                       x509_name ( cert ) );
                list_del ( &cert->store.list );
                x509_put ( cert );
        }
}
static unsigned int certstore_discard ( void  ) [static]

Discard a stored certificate.

Return values:
    discarded    Number of cached items discarded

Definition at line 171 of file certstore.c.

References certstore_del(), refcnt::count, x509_certificate::flags, x509_chain::links, x509_link::list, list_for_each_entry_reverse, x509_certificate::refcnt, x509_certificate::store, X509_FL_EXPLICIT, and X509_FL_PERMANENT.

                                               {
        struct x509_certificate *cert;
        int pinned;

        /* Walk from the tail (least recently used) towards the head.
         * The first certificate that nothing outside the store
         * references, and that was neither built in at build time
         * (X509_FL_PERMANENT) nor added explicitly at run time
         * (X509_FL_EXPLICIT), is removed.  At most one certificate is
         * discarded per call.
         */
        list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
                pinned = ( cert->flags &
                           ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) );
                if ( ( cert->refcnt.count > 0 ) || pinned )
                        continue;

                /* Returning immediately keeps the list walk safe
                 * after certstore_del() unlinks the entry.
                 */
                certstore_del ( cert );
                return 1;
        }

        /* Nothing eligible for discard */
        return 0;
}
struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL  ) [read]

Certificate store cache discarder.

static void certstore_init ( void  ) [static]

Construct permanent certificate store.

Definition at line 206 of file certstore.c.

References certstore_add(), certstore_certs, certstore_find(), DBGC, x509_certificate::flags, NULL, raw, rc, ref_init, ref_no_free(), x509_certificate::refcnt, strerror(), X509_FL_PERMANENT, x509_name(), and x509_parse().

                                    {
        struct asn1_cursor *raw;
        struct x509_certificate *cert;
        int i;
        int rc;

        /* Skip if we have no permanent stored certificates */
        if ( ! sizeof ( certstore_raw ) )
                return;

        /* Add certificates.  certstore_raw[] and certstore_certs[]
         * are parallel static arrays, so entry i of one corresponds
         * to entry i of the other.
         */
        for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
                                    sizeof ( certstore_raw[0] ) ) ; i++ ) {

                /* Skip if certificate already present in store */
                raw = &certstore_raw[i];
                if ( ( cert = certstore_find ( raw ) ) != NULL ) {
                        DBGC ( &certstore, "CERTSTORE permanent certificate %d "
                               "is a duplicate of %s\n", i, x509_name ( cert ));
                        continue;
                }

                /* Parse certificate.  The structure lives in the
                 * static certstore_certs[] array, so its refcount is
                 * initialised with ref_no_free: dropping the last
                 * reference must never attempt to free it.
                 */
                cert = &certstore_certs[i];
                ref_init ( &cert->refcnt, ref_no_free );
                if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
                        /* A malformed built-in certificate is logged
                         * and skipped; the remaining entries are still
                         * processed.
                         */
                        DBGC ( &certstore, "CERTSTORE could not parse "
                               "permanent certificate %d: %s\n",
                               i, strerror ( rc ) );
                        continue;
                }

                /* Add certificate to store.  Certificate will never
                 * be discarded from the store, since we retain a
                 * permanent reference to it.  X509_FL_PERMANENT is
                 * set after the add so that certstore_del() (and
                 * hence certstore_discard()) will refuse to remove it.
                 */
                certstore_add ( cert );
                cert->flags |= X509_FL_PERMANENT;
                DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
                       i, x509_name ( cert ) );
        }
}
struct init_fn certstore_init_fn __init_fn ( INIT_LATE  ) [read]

Certificate store initialisation function.

static struct setting cert_setting __setting ( SETTING_CRYPTO  ,
cert   
) [static, read]

Additional certificate setting.

static int certstore_apply_settings ( void  ) [static]

Apply certificate store configuration settings.

Return values:
    rc    Return status code

Definition at line 267 of file certstore.c.

References DBGC, fetch_raw_setting_copy(), free, len, NULL, rc, strerror(), x509_name(), and x509_put().

                                             {
        /* The additional certificate currently held (if any).  It
         * persists across calls so that a reconfiguration can release
         * the previous one.
         */
        static struct x509_certificate *cert = NULL;
        struct x509_certificate *old_cert;
        void *cert_data;
        int len;
        int rc;

        /* Record any existing additional certificate */
        old_cert = cert;
        cert = NULL;

        /* Add additional certificate, if any.  NOTE(review): the
         * NULL settings block presumably means the "cert" setting is
         * fetched from whichever configured settings source supplies
         * it, so cert_data may be externally supplied; x509_certificate()
         * is what parses it.  Confirm against the settings code.
         */
        if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
                                              &cert_data ) ) >= 0 ) {
                if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
                        DBGC ( &certstore, "CERTSTORE added additional "
                               "certificate %s\n", x509_name ( cert ) );
                } else {
                        DBGC ( &certstore, "CERTSTORE could not parse "
                               "additional certificate: %s\n",
                               strerror ( rc ) );
                        /* Do not fail; leave as an unusable certificate */
                }
                /* The copy returned by fetch_raw_setting_copy() is
                 * owned by this function.
                 */
                free ( cert_data );
        }

        /* Free old additional certificate.  Do this after reparsing
         * the additional certificate; in the common case that the
         * certificate has not changed, this will allow the stored
         * certificate to be reused.
         */
        x509_put ( old_cert );

        /* Always succeeds: a bad certificate setting is logged, not
         * treated as a configuration error.
         */
        return 0;
}

Variable Documentation

struct asn1_cursor certstore_raw[] [static]
Initial value:
 {
        CERT_ALL
}

Definition at line 64 of file certstore.c.

struct x509_certificate certstore_certs[sizeof(certstore_raw)/sizeof(certstore_raw[0])] [static]

X.509 certificate structures for all permanent stored certificates.

Definition at line 69 of file certstore.c.

Referenced by certstore_init().

struct x509_chain certstore
Initial value:
 {
        .refcnt = REF_INIT ( ref_no_free ),
        .links = LIST_HEAD_INIT ( certstore.links ),
}

Certificate store.

Definition at line 73 of file certstore.c.

Referenced by cert_exec(), and x509_validate_chain().

struct settings_applicator certstore_applicator __settings_applicator
Initial value:
 {
        .apply = certstore_apply_settings,
}

Certificate store settings applicator.

Definition at line 304 of file certstore.c.