cms.h File Reference

Cryptographic Message Syntax (PKCS #7) More...

#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <ipxe/uaccess.h>


Data Structures

struct  cms_signer_info
 CMS signer information. More...
struct  cms_signature
 A CMS signature. More...

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
static struct cms_signature * cms_get (struct cms_signature *sig)
 Get reference to CMS signature.
static void cms_put (struct cms_signature *sig)
 Drop reference to CMS signature.
int cms_signature (const void *data, size_t len, struct cms_signature **sig)
 Create CMS signature.
int cms_verify (struct cms_signature *sig, userptr_t data, size_t len, const char *name, time_t time, struct x509_chain *store, struct x509_root *root)
 Verify CMS signature.

Detailed Description

Cryptographic Message Syntax (PKCS #7)

Definition in file cms.h.


Function Documentation

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )
/**
 * Get reference to CMS signature
 *
 * @v sig		CMS signature
 * @ret sig		CMS signature
 *
 * Takes an additional reference on the signature's reference counter
 * and hands the same pointer back, so the call can be used inline in
 * an assignment.  Each call must eventually be balanced by cms_put().
 *
 * Definition at line 55 of file cms.h.  References ref_get, and sig.
 */
static inline struct cms_signature * cms_get ( struct cms_signature *sig ) {
        /* Bump the count; the object is kept alive until cms_put() */
        ref_get ( &sig->refcnt );
        return sig;
}
/**
 * Drop reference to CMS signature
 *
 * @v sig		CMS signature
 *
 * Releases one reference previously taken by cms_get() or returned by
 * cms_signature().  The signature must not be used by the caller after
 * its last reference has been dropped.
 *
 * Definition at line 66 of file cms.h.  References ref_put.
 * Referenced by cms_signature(), cms_test_exec(), and imgverify().
 */
static inline void cms_put ( struct cms_signature *sig ) {
        /* Decrement the count; the registered free function runs when
         * it reaches zero (see ref_init() in cms_signature()).
         */
        ref_put ( &sig->refcnt );
}
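/**
 * Create CMS signature
 *
 * @v data		Raw signature data
 * @v len		Length of raw data
 * @ret sig		CMS signature
 * @ret rc		Return status code
 *
 * On success, the caller holds a reference to the CMS signature, and
 * is responsible for ultimately calling cms_put().  On failure, *sig
 * is reset to NULL so the caller is never left holding a pointer to
 * memory that has already been released.
 *
 * Definition at line 492 of file cms.c.  References asn1_shrink_any(),
 * cms_free(), cms_parse(), cms_put(), asn1_cursor::data, data, ENOMEM,
 * INIT_LIST_HEAD, asn1_cursor::len, len, rc, ref_init,
 * x509_alloc_chain(), and zalloc().
 */
int cms_signature ( const void *data, size_t len,
                    struct cms_signature **sig ) {
        struct asn1_cursor cursor;
        int rc;

        /* Allocate and initialise signature */
        *sig = zalloc ( sizeof ( **sig ) );
        if ( ! *sig ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        /* cms_free() becomes the release hook for the last cms_put() */
        ref_init ( &(*sig)->refcnt, cms_free );
        INIT_LIST_HEAD ( &(*sig)->info );

        /* Allocate certificate list */
        (*sig)->certificates = x509_alloc_chain();
        if ( ! (*sig)->certificates ) {
                rc = -ENOMEM;
                goto err_alloc_chain;
        }

        /* Initialise cursor over the untrusted raw data; the shrink
         * presumably bounds the cursor to the contained ASN.1 object
         * before parsing (see asn1.h).
         */
        cursor.data = data;
        cursor.len = len;
        asn1_shrink_any ( &cursor );

        /* Parse signature */
        if ( ( rc = cms_parse ( *sig, &cursor ) ) != 0 )
                goto err_parse;

        return 0;

 err_parse:
 err_alloc_chain:
        /* Dropping our only reference releases the partially-built
         * signature through the cms_free() hook registered above.
         */
        cms_put ( *sig );
 err_alloc:
        /* Do not hand a dangling pointer back to the caller */
        *sig = NULL;
        return rc;
}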
/**
 * Verify CMS signature
 *
 * @v sig		CMS signature
 * @v data		Signed data
 * @v len		Length of signed data
 * @v name		Required common name, or NULL to check all signatures
 * @v time		Time at which to validate certificates
 * @v store		Certificate store, or NULL to use default
 * @v root		Root certificate list, or NULL to use default
 * @ret rc		Return status code
 *
 * Every signerInfo that is considered must verify: the first failing
 * signerInfo aborts verification with its error code.  When @c name is
 * given, signerInfos whose first certificate does not carry that name
 * are skipped rather than treated as failures, so a name mismatch only
 * becomes an error (EACCES_WRONG_NAME) if no signerInfo matched at
 * all.  With @c name NULL, an empty signerInfo list yields
 * EACCES_NO_SIGNATURES.
 *
 * Definition at line 681 of file cms.c.  References
 * cms_signer_info::chain, cms_verify_signer_info(), count, DBGC,
 * EACCES_NO_SIGNATURES, EACCES_WRONG_NAME, cms_signature::info, info,
 * list_for_each_entry, rc, x509_check_name(), and x509_first().
 * Referenced by cms_verify_fail_okx(), cms_verify_okx(), and
 * imgverify().
 */
int cms_verify ( struct cms_signature *sig, userptr_t data, size_t len,
                 const char *name, time_t time, struct x509_chain *store,
                 struct x509_root *root ) {
        struct cms_signer_info *info;
        struct x509_certificate *cert;
        unsigned int verified = 0;
        int rc;

        /* Walk every signerInfo; a single failure is fatal */
        list_for_each_entry ( info, &sig->info, list ) {
                /* First certificate in the chain, presumably the
                 * signer's own certificate.
                 */
                cert = x509_first ( info->chain );

                /* With a required name, ignore non-matching signers */
                if ( name != NULL ) {
                        if ( x509_check_name ( cert, name ) != 0 )
                                continue;
                }

                rc = cms_verify_signer_info ( sig, info, data, len, time,
                                              store, root );
                if ( rc != 0 )
                        return rc;
                verified++;
        }

        /* Success requires at least one verified signerInfo */
        if ( verified )
                return 0;

        if ( name == NULL ) {
                DBGC ( sig, "CMS %p had no signatures\n", sig );
                return -EACCES_NO_SIGNATURES;
        }
        DBGC ( sig, "CMS %p had no signatures matching name "
               "%s\n", sig, name );
        return -EACCES_WRONG_NAME;
}