iPXE
Macros | Functions | Variables
x509.c File Reference

X.509 certificates. More...

#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <errno.h>
#include <assert.h>
#include <ipxe/list.h>
#include <ipxe/base16.h>
#include <ipxe/asn1.h>
#include <ipxe/crypto.h>
#include <ipxe/md5.h>
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/rsa.h>
#include <ipxe/rootcert.h>
#include <ipxe/certstore.h>
#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>

Go to the source code of this file.

Macros

#define ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )
 
#define EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )
 
#define ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )
 
#define EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )
 
#define EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )
 
#define EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )
 
#define EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )
 
#define EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )
 
#define EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )
 
#define EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )
 
#define EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )
 
#define EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )
 
#define EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )
 
#define EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )
 
#define EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )
 
#define EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )
 
#define EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )
 
#define EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )
 
#define EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )
 
#define EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )
 
#define EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )
 
#define EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
 
#define EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )
 
#define EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
 
#define EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )
 
#define EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )
 
#define EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )
 
#define EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
 
#define EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
 
#define EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
 
#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )
 
#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
 
#define EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )
 
#define EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static void x509_free (struct refcnt *refcnt)
 Free X.509 certificate. More...
 
const char * x509_name (struct x509_certificate *cert)
 Get X.509 certificate display name. More...
 
static int x509_parse_version (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate version. More...
 
static int x509_parse_serial (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate serial number. More...
 
static int x509_parse_issuer (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate issuer. More...
 
static int x509_parse_validity (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate validity. More...
 
static int x509_parse_common_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate common name. More...
 
static int x509_parse_subject (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject. More...
 
static int x509_parse_public_key (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate public key information. More...
 
static int x509_parse_basic_constraints (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate basic constraints. More...
 
static int x509_parse_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key usage. More...
 
static int x509_parse_key_purpose (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate key purpose identifier. More...
 
static int x509_parse_extended_key_usage (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extended key usage. More...
 
static int x509_parse_ocsp (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate OCSP access method. More...
 
static struct x509_access_methodx509_find_access_method (const struct asn1_cursor *oid)
 Identify X.509 access method by OID. More...
 
static int x509_parse_access_description (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate access description. More...
 
static int x509_parse_authority_info_access (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate authority information access. More...
 
static int x509_parse_subject_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate subject alternative name. More...
 
static struct x509_extensionx509_find_extension (const struct asn1_cursor *oid)
 Identify X.509 extension by OID. More...
 
static int x509_parse_extension (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extension. More...
 
static int x509_parse_extensions (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate extensions, if present. More...
 
static int x509_parse_tbscertificate (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate tbsCertificate. More...
 
int x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate from ASN.1 data. More...
 
int x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
 Create X.509 certificate. More...
 
static int x509_check_signature (struct x509_certificate *cert, struct x509_public_key *public_key)
 Check X.509 certificate signature. More...
 
int x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
 Check X.509 certificate against issuer certificate. More...
 
void x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
 Calculate X.509 certificate fingerprint. More...
 
int x509_check_root (struct x509_certificate *cert, struct x509_root *root)
 Check X.509 root certificate. More...
 
int x509_check_time (struct x509_certificate *cert, time_t time)
 Check X.509 certificate validity period. More...
 
int x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
 Check if X.509 certificate is valid. More...
 
static void x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
 Set X.509 certificate as validated. More...
 
int x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
 Validate X.509 certificate. More...
 
static int x509_check_dnsname (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative dNSName. More...
 
static int x509_check_ipaddress (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative iPAddress. More...
 
static int x509_check_alt_name (struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
 Check X.509 certificate alternative name. More...
 
int x509_check_name (struct x509_certificate *cert, const char *name)
 Check X.509 certificate name. More...
 
static void x509_free_chain (struct refcnt *refcnt)
 Free X.509 certificate chain. More...
 
struct x509_chainx509_alloc_chain (void)
 Allocate X.509 certificate chain. More...
 
int x509_append (struct x509_chain *chain, struct x509_certificate *cert)
 Append X.509 certificate to X.509 certificate chain. More...
 
int x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
 Append X.509 certificate to X.509 certificate chain. More...
 
void x509_truncate (struct x509_chain *chain, struct x509_link *link)
 Truncate X.509 certificate chain. More...
 
static struct x509_certificatex509_find_subject (struct x509_chain *certs, const struct asn1_cursor *subject)
 Identify X.509 certificate by subject. More...
 
int x509_auto_append (struct x509_chain *chain, struct x509_chain *certs)
 Append X.509 certificates to X.509 certificate chain. More...
 
int x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
 Validate X.509 certificate chain. More...
 
int image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
 Extract X.509 certificate object from image. More...
 
 REQUIRING_SYMBOL (x509_validate)
 
 REQUIRE_OBJECT (certstore)
 
 REQUIRE_OBJECT (config_crypto)
 

Variables

static uint8_t oid_common_name [] = { ASN1_OID_COMMON_NAME }
 "commonName" object identifier More...
 
static struct asn1_cursor oid_common_name_cursor
 "commonName" object identifier cursor More...
 
static uint8_t oid_code_signing [] = { ASN1_OID_CODESIGNING }
 "id-kp-codeSigning" object identifier More...
 
static uint8_t oid_ocsp_signing [] = { ASN1_OID_OCSPSIGNING }
 "id-kp-OCSPSigning" object identifier More...
 
static struct x509_key_purpose x509_key_purposes []
 Supported key purposes. More...
 
static uint8_t oid_ad_ocsp [] = { ASN1_OID_OCSP }
 "id-ad-ocsp" object identifier More...
 
static struct x509_access_method x509_access_methods []
 Supported access methods. More...
 
static uint8_t oid_ce_basic_constraints []
 "id-ce-basicConstraints" object identifier More...
 
static uint8_t oid_ce_key_usage []
 "id-ce-keyUsage" object identifier More...
 
static uint8_t oid_ce_ext_key_usage []
 "id-ce-extKeyUsage" object identifier More...
 
static uint8_t oid_pe_authority_info_access []
 "id-pe-authorityInfoAccess" object identifier More...
 
static uint8_t oid_ce_subject_alt_name []
 "id-ce-subjectAltName" object identifier More...
 
static struct x509_extension x509_extensions []
 Supported certificate extensions. More...
 

Detailed Description

X.509 certificates.

The structure of X.509v3 certificates is documented in RFC 5280 section 4.1.

Definition in file x509.c.

Macro Definition Documentation

◆ ENOTSUP_ALGORITHM

#define ENOTSUP_ALGORITHM   __einfo_error ( EINFO_ENOTSUP_ALGORITHM )

Definition at line 57 of file x509.c.

◆ EINFO_ENOTSUP_ALGORITHM

#define EINFO_ENOTSUP_ALGORITHM   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )

Definition at line 59 of file x509.c.

◆ ENOTSUP_EXTENSION

#define ENOTSUP_EXTENSION   __einfo_error ( EINFO_ENOTSUP_EXTENSION )

Definition at line 61 of file x509.c.

◆ EINFO_ENOTSUP_EXTENSION

#define EINFO_ENOTSUP_EXTENSION   __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )

Definition at line 63 of file x509.c.

◆ EINVAL_ALGORITHM

#define EINVAL_ALGORITHM   __einfo_error ( EINFO_EINVAL_ALGORITHM )

Definition at line 65 of file x509.c.

◆ EINFO_EINVAL_ALGORITHM

#define EINFO_EINVAL_ALGORITHM   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )

Definition at line 67 of file x509.c.

◆ EINVAL_ALGORITHM_MISMATCH

#define EINVAL_ALGORITHM_MISMATCH   __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )

Definition at line 69 of file x509.c.

◆ EINFO_EINVAL_ALGORITHM_MISMATCH

#define EINFO_EINVAL_ALGORITHM_MISMATCH   __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )

Definition at line 71 of file x509.c.

◆ EINVAL_PATH_LEN

#define EINVAL_PATH_LEN   __einfo_error ( EINFO_EINVAL_PATH_LEN )

Definition at line 73 of file x509.c.

◆ EINFO_EINVAL_PATH_LEN

#define EINFO_EINVAL_PATH_LEN   __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )

Definition at line 75 of file x509.c.

◆ EINVAL_VERSION

#define EINVAL_VERSION   __einfo_error ( EINFO_EINVAL_VERSION )

Definition at line 77 of file x509.c.

◆ EINFO_EINVAL_VERSION

#define EINFO_EINVAL_VERSION   __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )

Definition at line 79 of file x509.c.

◆ EACCES_WRONG_ISSUER

#define EACCES_WRONG_ISSUER   __einfo_error ( EINFO_EACCES_WRONG_ISSUER )

Definition at line 81 of file x509.c.

◆ EINFO_EACCES_WRONG_ISSUER

#define EINFO_EACCES_WRONG_ISSUER   __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )

Definition at line 83 of file x509.c.

◆ EACCES_NOT_CA

#define EACCES_NOT_CA   __einfo_error ( EINFO_EACCES_NOT_CA )

Definition at line 85 of file x509.c.

◆ EINFO_EACCES_NOT_CA

#define EINFO_EACCES_NOT_CA   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )

Definition at line 87 of file x509.c.

◆ EACCES_KEY_USAGE

#define EACCES_KEY_USAGE   __einfo_error ( EINFO_EACCES_KEY_USAGE )

Definition at line 89 of file x509.c.

◆ EINFO_EACCES_KEY_USAGE

#define EINFO_EACCES_KEY_USAGE   __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )

Definition at line 91 of file x509.c.

◆ EACCES_EXPIRED

#define EACCES_EXPIRED   __einfo_error ( EINFO_EACCES_EXPIRED )

Definition at line 93 of file x509.c.

◆ EINFO_EACCES_EXPIRED

#define EINFO_EACCES_EXPIRED   __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )

Definition at line 95 of file x509.c.

◆ EACCES_PATH_LEN

#define EACCES_PATH_LEN   __einfo_error ( EINFO_EACCES_PATH_LEN )

Definition at line 97 of file x509.c.

◆ EINFO_EACCES_PATH_LEN

#define EINFO_EACCES_PATH_LEN   __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )

Definition at line 99 of file x509.c.

◆ EACCES_UNTRUSTED

#define EACCES_UNTRUSTED   __einfo_error ( EINFO_EACCES_UNTRUSTED )

Definition at line 101 of file x509.c.

◆ EINFO_EACCES_UNTRUSTED

#define EINFO_EACCES_UNTRUSTED   __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )

Definition at line 103 of file x509.c.

◆ EACCES_OUT_OF_ORDER

#define EACCES_OUT_OF_ORDER   __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )

Definition at line 105 of file x509.c.

◆ EINFO_EACCES_OUT_OF_ORDER

#define EINFO_EACCES_OUT_OF_ORDER   __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )

Definition at line 107 of file x509.c.

◆ EACCES_EMPTY

#define EACCES_EMPTY   __einfo_error ( EINFO_EACCES_EMPTY )

Definition at line 109 of file x509.c.

◆ EINFO_EACCES_EMPTY

#define EINFO_EACCES_EMPTY   __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )

Definition at line 111 of file x509.c.

◆ EACCES_OCSP_REQUIRED

#define EACCES_OCSP_REQUIRED   __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )

Definition at line 113 of file x509.c.

◆ EINFO_EACCES_OCSP_REQUIRED

#define EINFO_EACCES_OCSP_REQUIRED   __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )

Definition at line 115 of file x509.c.

◆ EACCES_WRONG_NAME

#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )

Definition at line 117 of file x509.c.

◆ EINFO_EACCES_WRONG_NAME

#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )

Definition at line 119 of file x509.c.

◆ EACCES_USELESS

#define EACCES_USELESS   __einfo_error ( EINFO_EACCES_USELESS )

Definition at line 121 of file x509.c.

◆ EINFO_EACCES_USELESS

#define EINFO_EACCES_USELESS   __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )

Definition at line 123 of file x509.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ x509_free()

static void x509_free ( struct refcnt refcnt)
static

Free X.509 certificate.

Parameters
refcntReference count

Definition at line 131 of file x509.c.

131  {
132  struct x509_certificate *cert =
133  container_of ( refcnt, struct x509_certificate, refcnt );
134 
135  x509_root_put ( cert->root );
136  free ( cert );
137 }
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:395
refcnt
A reference counter.
Definition: refcnt.h:26
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
x509_certificate::root
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:217
x509_certificate
An X.509 certificate.
Definition: x509.h:207
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54

References container_of, free, x509_certificate::root, and x509_root_put().

Referenced by x509_certificate().

◆ x509_name()

const char* x509_name ( struct x509_certificate cert)

Get X.509 certificate display name.

Parameters
certX.509 certificate
Return values
nameDisplay name

Definition at line 145 of file x509.c.

145  {
146  struct asn1_cursor *common_name = &cert->subject.common_name;
147  struct digest_algorithm *digest = &sha1_algorithm;
148  static char buf[64];
149  uint8_t fingerprint[ digest->digestsize ];
150  size_t len;
151 
152  len = common_name->len;
153  if ( len ) {
154  /* Certificate has a commonName: use that */
155  if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
156  len = ( sizeof ( buf ) - 1 /* NUL */ );
157  memcpy ( buf, common_name->data, len );
158  buf[len] = '\0';
159  } else {
160  /* Certificate has no commonName: use SHA-1 fingerprint */
161  x509_fingerprint ( cert, digest, fingerprint );
162  base16_encode ( fingerprint, sizeof ( fingerprint ),
163  buf, sizeof ( buf ) );
164  }
165  return buf;
166 }
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
x509_fingerprint
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1242
x509_subject::common_name
struct asn1_cursor common_name
Common name.
Definition: x509.h:62
len
uint32_t len
Length.
Definition: ena.h:14
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:25
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
sha1_algorithm
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257

References x509_subject::common_name, asn1_cursor::data, digest, digest_algorithm::digestsize, len, asn1_cursor::len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

◆ x509_parse_version()

static int x509_parse_version ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate version.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 182 of file x509.c.

183  {
184  struct asn1_cursor cursor;
185  int version;
186  int rc;
187 
188  /* Enter version */
189  memcpy ( &cursor, raw, sizeof ( cursor ) );
190  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
191 
192  /* Parse integer */
193  if ( ( rc = asn1_integer ( &cursor, &version ) ) != 0 ) {
194  DBGC ( cert, "X509 %p cannot parse version: %s\n",
195  cert, strerror ( rc ) );
196  DBGC_HDA ( cert, 0, raw->data, raw->len );
197  return rc;
198  }
199 
200  /* Sanity check */
201  if ( version < 0 ) {
202  DBGC ( cert, "X509 %p invalid version %d\n", cert, version );
203  DBGC_HDA ( cert, 0, raw->data, raw->len );
204  return -EINVAL_VERSION;
205  }
206 
207  /* Record version */
208  cert->version = version;
209  DBGC2 ( cert, "X509 %p is a version %d certificate\n",
210  cert, ( cert->version + 1 ) );
211 
212  return 0;
213 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
EINVAL_VERSION
#define EINVAL_VERSION
Definition: x509.c:77
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
version
u32 version
Driver version.
Definition: ath9k_hw.c:1983
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_certificate::version
unsigned int version
Version.
Definition: x509.h:224
asn1_integer
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
Definition: asn1.c:320
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_integer(), DBGC, DBGC2, DBGC_HDA, EINVAL_VERSION, memcpy(), raw, rc, strerror(), x509_certificate::version, and version.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_serial()

static int x509_parse_serial ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate serial number.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 222 of file x509.c.

223  {
224  struct x509_serial *serial = &cert->serial;
225  int rc;
226 
227  /* Record raw serial number */
228  memcpy ( &serial->raw, raw, sizeof ( serial->raw ) );
229  if ( ( rc = asn1_shrink ( &serial->raw, ASN1_INTEGER ) ) != 0 ) {
230  DBGC ( cert, "X509 %p cannot shrink serialNumber: %s\n",
231  cert, strerror ( rc ) );
232  return rc;
233  }
234  DBGC2 ( cert, "X509 %p issuer is:\n", cert );
235  DBGC2_HDA ( cert, 0, serial->raw.data, serial->raw.len );
236 
237  return 0;
238 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_shrink
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition: asn1.c:240
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate::serial
struct x509_serial serial
Serial number.
Definition: x509.h:226
serial
uint64_t serial
Serial number.
Definition: edd.h:30
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
x509_serial
An X.509 serial number.
Definition: x509.h:22
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References ASN1_INTEGER, asn1_shrink(), DBGC, DBGC2, DBGC2_HDA, memcpy(), raw, rc, serial, x509_certificate::serial, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_issuer()

static int x509_parse_issuer ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate issuer.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 247 of file x509.c.

248  {
249  struct x509_issuer *issuer = &cert->issuer;
250  int rc;
251 
252  /* Record raw issuer */
253  memcpy ( &issuer->raw, raw, sizeof ( issuer->raw ) );
254  if ( ( rc = asn1_shrink ( &issuer->raw, ASN1_SEQUENCE ) ) != 0 ) {
255  DBGC ( cert, "X509 %p cannot shrink issuer: %s\n",
256  cert, strerror ( rc ) );
257  return rc;
258  }
259  DBGC2 ( cert, "X509 %p issuer is:\n", cert );
260  DBGC2_HDA ( cert, 0, issuer->raw.data, issuer->raw.len );
261 
262  return 0;
263 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_issuer::raw
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
asn1_shrink
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition: asn1.c:240
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_issuer
An X.509 issuer.
Definition: x509.h:28
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References ASN1_SEQUENCE, asn1_shrink(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, x509_certificate::issuer, asn1_cursor::len, memcpy(), raw, x509_issuer::raw, rc, and strerror().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_validity()

static int x509_parse_validity ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate validity.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 272 of file x509.c.

273  {
274  struct x509_validity *validity = &cert->validity;
275  struct x509_time *not_before = &validity->not_before;
276  struct x509_time *not_after = &validity->not_after;
277  struct asn1_cursor cursor;
278  int rc;
279 
280  /* Enter validity */
281  memcpy ( &cursor, raw, sizeof ( cursor ) );
282  asn1_enter ( &cursor, ASN1_SEQUENCE );
283 
284  /* Parse notBefore */
285  if ( ( rc = asn1_generalized_time ( &cursor,
286  &not_before->time ) ) != 0 ) {
287  DBGC ( cert, "X509 %p cannot parse notBefore: %s\n",
288  cert, strerror ( rc ) );
289  return rc;
290  }
291  DBGC2 ( cert, "X509 %p valid from time %lld\n",
292  cert, not_before->time );
293  asn1_skip_any ( &cursor );
294 
295  /* Parse notAfter */
296  if ( ( rc = asn1_generalized_time ( &cursor,
297  &not_after->time ) ) != 0 ) {
298  DBGC ( cert, "X509 %p cannot parse notAfter: %s\n",
299  cert, strerror ( rc ) );
300  return rc;
301  }
302  DBGC2 ( cert, "X509 %p valid until time %lld\n",
303  cert, not_after->time );
304 
305  return 0;
306 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
asn1_generalized_time
int asn1_generalized_time(const struct asn1_cursor *cursor, time_t *time)
Parse ASN.1 GeneralizedTime.
Definition: asn1.c:629
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_time::time
time_t time
Seconds since the Epoch.
Definition: x509.h:36
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
x509_validity::not_before
struct x509_time not_before
Not valid before.
Definition: x509.h:42
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_validity
An X.509 certificate validity period.
Definition: x509.h:40
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
x509_certificate::validity
struct x509_validity validity
Validity.
Definition: x509.h:234
x509_time
An X.509 time.
Definition: x509.h:34
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_validity::not_after
struct x509_time not_after
Not valid after.
Definition: x509.h:44
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), asn1_generalized_time(), ASN1_SEQUENCE, asn1_skip_any(), DBGC, DBGC2, memcpy(), x509_validity::not_after, x509_validity::not_before, raw, rc, strerror(), x509_time::time, and x509_certificate::validity.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_common_name()

static int x509_parse_common_name ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate common name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 315 of file x509.c.

316  {
317  struct asn1_cursor cursor;
318  struct asn1_cursor oid_cursor;
319  struct asn1_cursor name_cursor;
320  int rc;
321 
322  /* Enter name */
323  memcpy ( &cursor, raw, sizeof ( cursor ) );
324  asn1_enter ( &cursor, ASN1_SEQUENCE );
325 
326  /* Scan through name list */
327  for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {
328 
329  /* Check for "commonName" OID */
330  memcpy ( &oid_cursor, &cursor, sizeof ( oid_cursor ) );
331  asn1_enter ( &oid_cursor, ASN1_SET );
332  asn1_enter ( &oid_cursor, ASN1_SEQUENCE );
333  memcpy ( &name_cursor, &oid_cursor, sizeof ( name_cursor ) );
334  asn1_enter ( &oid_cursor, ASN1_OID );
335  if ( asn1_compare ( &oid_common_name_cursor, &oid_cursor ) != 0)
336  continue;
337  asn1_skip_any ( &name_cursor );
338  if ( ( rc = asn1_enter_any ( &name_cursor ) ) != 0 ) {
339  DBGC ( cert, "X509 %p cannot locate name:\n", cert );
340  DBGC_HDA ( cert, 0, raw->data, raw->len );
341  return rc;
342  }
343 
344  /* Record common name */
345  memcpy ( &cert->subject.common_name, &name_cursor,
346  sizeof ( cert->subject.common_name ) );
347 
348  return 0;
349  }
350 
351  /* Certificates may not have a commonName */
352  DBGC2 ( cert, "X509 %p no commonName found:\n", cert );
353  return 0;
354 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
ASN1_SET
#define ASN1_SET
ASN.1 set.
Definition: asn1.h:92
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
oid_common_name_cursor
static struct asn1_cursor oid_common_name_cursor
"commonName" object identifier cursor
Definition: x509.c:172
asn1_enter_any
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
Definition: asn1.c:266
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
x509_subject::common_name
struct asn1_cursor common_name
Common name.
Definition: x509.h:62
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_compare(), asn1_enter(), asn1_enter_any(), ASN1_OID, ASN1_SEQUENCE, ASN1_SET, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, DBGC_HDA, asn1_cursor::len, memcpy(), oid_common_name_cursor, raw, rc, and x509_certificate::subject.

Referenced by x509_parse_subject().

◆ x509_parse_subject()

static int x509_parse_subject ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate subject.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 363 of file x509.c.

364  {
365  struct x509_subject *subject = &cert->subject;
366  int rc;
367 
368  /* Record raw subject */
369  memcpy ( &subject->raw, raw, sizeof ( subject->raw ) );
370  asn1_shrink_any ( &subject->raw );
371  DBGC2 ( cert, "X509 %p subject is:\n", cert );
372  DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );
373 
374  /* Parse common name */
375  if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
376  return rc;
377  DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
378  x509_name ( cert ) );
379 
380  return 0;
381 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
x509_parse_common_name
static int x509_parse_common_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate common name.
Definition: x509.c:315
x509_subject::raw
struct asn1_cursor raw
Raw subject.
Definition: x509.h:60
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_subject
An X.509 certificate subject.
Definition: x509.h:58
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References asn1_shrink_any(), asn1_cursor::data, DBGC2, DBGC2_HDA, asn1_cursor::len, memcpy(), raw, x509_subject::raw, rc, x509_certificate::subject, x509_name(), and x509_parse_common_name().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_public_key()

static int x509_parse_public_key ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate public key information.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 390 of file x509.c.

391  {
392  struct x509_public_key *public_key = &cert->subject.public_key;
393  struct asn1_algorithm **algorithm = &public_key->algorithm;
394  struct asn1_bit_string *raw_bits = &public_key->raw_bits;
395  struct asn1_cursor cursor;
396  int rc;
397 
398  /* Record raw subjectPublicKeyInfo */
399  memcpy ( &cursor, raw, sizeof ( cursor ) );
400  asn1_shrink_any ( &cursor );
401  memcpy ( &public_key->raw, &cursor, sizeof ( public_key->raw ) );
402  DBGC2 ( cert, "X509 %p public key is:\n", cert );
403  DBGC2_HDA ( cert, 0, public_key->raw.data, public_key->raw.len );
404 
405  /* Enter subjectPublicKeyInfo */
406  asn1_enter ( &cursor, ASN1_SEQUENCE );
407 
408  /* Parse algorithm */
409  if ( ( rc = asn1_pubkey_algorithm ( &cursor, algorithm ) ) != 0 ) {
410  DBGC ( cert, "X509 %p could not parse public key algorithm: "
411  "%s\n", cert, strerror ( rc ) );
412  return rc;
413  }
414  DBGC2 ( cert, "X509 %p public key algorithm is %s\n",
415  cert, (*algorithm)->name );
416  asn1_skip_any ( &cursor );
417 
418  /* Parse bit string */
419  if ( ( rc = asn1_bit_string ( &cursor, raw_bits ) ) != 0 ) {
420  DBGC ( cert, "X509 %p could not parse public key bits: %s\n",
421  cert, strerror ( rc ) );
422  return rc;
423  }
424 
425  return 0;
426 }
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
public_key
static const void size_t const void * public_key
Definition: crypto.h:327
x509_public_key
An X.509 certificate public key.
Definition: x509.h:48
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
asn1_pubkey_algorithm
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
Definition: asn1.c:513
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
asn1_bit_string
An ASN.1 bit string.
Definition: asn1.h:354

References algorithm, asn1_enter(), asn1_pubkey_algorithm(), ASN1_SEQUENCE, asn1_shrink_any(), asn1_skip_any(), DBGC, DBGC2, DBGC2_HDA, memcpy(), x509_subject::public_key, public_key, raw, rc, strerror(), and x509_certificate::subject.

Referenced by x509_parse_tbscertificate().

◆ x509_parse_basic_constraints()

static int x509_parse_basic_constraints ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate basic constraints.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 435 of file x509.c.

436  {
437  struct x509_basic_constraints *basic = &cert->extensions.basic;
438  struct asn1_cursor cursor;
439  int ca = 0;
440  int path_len;
441  int rc;
442 
443  /* Enter basicConstraints */
444  memcpy ( &cursor, raw, sizeof ( cursor ) );
445  asn1_enter ( &cursor, ASN1_SEQUENCE );
446 
447  /* Parse "cA", if present */
448  if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
449  ca = asn1_boolean ( &cursor );
450  if ( ca < 0 ) {
451  rc = ca;
452  DBGC ( cert, "X509 %p cannot parse cA: %s\n",
453  cert, strerror ( rc ) );
454  DBGC_HDA ( cert, 0, raw->data, raw->len );
455  return rc;
456  }
457  asn1_skip_any ( &cursor );
458  }
459  basic->ca = ca;
460  DBGC2 ( cert, "X509 %p is %sa CA certificate\n",
461  cert, ( basic->ca ? "" : "not " ) );
462 
463  /* Ignore everything else unless "cA" is true */
464  if ( ! ca )
465  return 0;
466 
467  /* Parse "pathLenConstraint", if present and applicable */
468  basic->path_len = X509_PATH_LEN_UNLIMITED;
469  if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
470  if ( ( rc = asn1_integer ( &cursor, &path_len ) ) != 0 ) {
471  DBGC ( cert, "X509 %p cannot parse pathLenConstraint: "
472  "%s\n", cert, strerror ( rc ) );
473  DBGC_HDA ( cert, 0, raw->data, raw->len );
474  return rc;
475  }
476  if ( path_len < 0 ) {
477  DBGC ( cert, "X509 %p invalid pathLenConstraint %d\n",
478  cert, path_len );
479  DBGC_HDA ( cert, 0, raw->data, raw->len );
480  return -EINVAL;
481  }
482  basic->path_len = path_len;
483  DBGC2 ( cert, "X509 %p path length constraint is %d\n",
484  cert, basic->path_len );
485  }
486 
487  return 0;
488 }
EINVAL
#define EINVAL
Invalid argument.
Definition: errno.h:428
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_basic_constraints::path_len
unsigned int path_len
Path length.
Definition: x509.h:80
x509_basic_constraints
An X.509 certificate basic constraints set.
Definition: x509.h:76
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
ASN1_BOOLEAN
#define ASN1_BOOLEAN
ASN.1 boolean.
Definition: asn1.h:59
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_type
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:380
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
asn1_boolean
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
Definition: asn1.c:296
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_basic_constraints::ca
int ca
Subject is a CA.
Definition: x509.h:78
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
asn1_integer
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
Definition: asn1.c:320
X509_PATH_LEN_UNLIMITED
#define X509_PATH_LEN_UNLIMITED
Unlimited path length.
Definition: x509.h:88
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_extensions::basic
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:157
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_INTEGER, asn1_integer(), ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), x509_extensions::basic, x509_basic_constraints::ca, DBGC, DBGC2, DBGC_HDA, EINVAL, x509_certificate::extensions, memcpy(), x509_basic_constraints::path_len, raw, rc, strerror(), and X509_PATH_LEN_UNLIMITED.

◆ x509_parse_key_usage()

static int x509_parse_key_usage ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 497 of file x509.c.

498  {
499  struct x509_key_usage *usage = &cert->extensions.usage;
500  struct asn1_bit_string bit_string;
501  const uint8_t *bytes;
502  size_t len;
503  unsigned int i;
504  int rc;
505 
506  /* Mark extension as present */
507  usage->present = 1;
508 
509  /* Parse bit string */
510  if ( ( rc = asn1_bit_string ( raw, &bit_string ) ) != 0 ) {
511  DBGC ( cert, "X509 %p could not parse key usage: %s\n",
512  cert, strerror ( rc ) );
513  return rc;
514  }
515 
516  /* Parse key usage bits */
517  bytes = bit_string.data;
518  len = bit_string.len;
519  if ( len > sizeof ( usage->bits ) )
520  len = sizeof ( usage->bits );
521  for ( i = 0 ; i < len ; i++ ) {
522  usage->bits |= ( *(bytes++) << ( 8 * i ) );
523  }
524  DBGC2 ( cert, "X509 %p key usage is %08x\n", cert, usage->bits );
525 
526  return 0;
527 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_key_usage::present
int present
Key usage extension is present.
Definition: x509.h:93
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
x509_key_usage
An X.509 certificate key usage.
Definition: x509.h:91
len
uint32_t len
Length.
Definition: ena.h:14
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_key_usage::bits
unsigned int bits
Usage bits.
Definition: x509.h:95
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
x509_extensions::usage
struct x509_key_usage usage
Key usage.
Definition: x509.h:159
bytes
uint8_t bytes[64]
Definition: ib_mad.h:16
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240
asn1_bit_string
An ASN.1 bit string.
Definition: asn1.h:354

References x509_key_usage::bits, bytes, asn1_bit_string::data, DBGC, DBGC2, x509_certificate::extensions, len, asn1_bit_string::len, x509_key_usage::present, raw, rc, strerror(), and x509_extensions::usage.

◆ x509_parse_key_purpose()

static int x509_parse_key_purpose ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate key purpose identifier.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 556 of file x509.c.

557  {
558  struct x509_extended_key_usage *ext_usage = &cert->extensions.ext_usage;
559  struct x509_key_purpose *purpose;
560  struct asn1_cursor cursor;
561  unsigned int i;
562  int rc;
563 
564  /* Enter keyPurposeId */
565  memcpy ( &cursor, raw, sizeof ( cursor ) );
566  if ( ( rc = asn1_enter ( &cursor, ASN1_OID ) ) != 0 ) {
567  DBGC ( cert, "X509 %p invalid keyPurposeId:\n", cert );
568  DBGC_HDA ( cert, 0, raw->data, raw->len );
569  return rc;
570  }
571 
572  /* Identify key purpose */
573  for ( i = 0 ; i < ( sizeof ( x509_key_purposes ) /
574  sizeof ( x509_key_purposes[0] ) ) ; i++ ) {
575  purpose = &x509_key_purposes[i];
576  if ( asn1_compare ( &cursor, &purpose->oid ) == 0 ) {
577  DBGC2 ( cert, "X509 %p has key purpose %s\n",
578  cert, purpose->name );
579  ext_usage->bits |= purpose->bits;
580  return 0;
581  }
582  }
583 
584  /* Ignore unrecognised key purposes */
585  return 0;
586 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_extensions::ext_usage
struct x509_extended_key_usage ext_usage
Extended key usage.
Definition: x509.h:161
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
x509_extended_key_usage::bits
unsigned int bits
Usage bits.
Definition: x509.h:114
x509_key_purpose::name
const char * name
Name.
Definition: x509.h:342
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_key_purpose::oid
struct asn1_cursor oid
Object identifier.
Definition: x509.h:344
x509_key_purpose
An X.509 key purpose.
Definition: x509.h:340
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x509_key_purposes
static struct x509_key_purpose x509_key_purposes[]
Supported key purposes.
Definition: x509.c:536
x509_key_purpose::bits
unsigned int bits
Extended key usage bits.
Definition: x509.h:346
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
x509_extended_key_usage
An X.509 certificate extended key usage.
Definition: x509.h:112
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References asn1_compare(), asn1_enter(), ASN1_OID, x509_extended_key_usage::bits, x509_key_purpose::bits, DBGC, DBGC2, DBGC_HDA, x509_extensions::ext_usage, x509_certificate::extensions, memcpy(), x509_key_purpose::name, x509_key_purpose::oid, raw, rc, and x509_key_purposes.

Referenced by x509_parse_extended_key_usage().

◆ x509_parse_extended_key_usage()

static int x509_parse_extended_key_usage ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extended key usage.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 595 of file x509.c.

596  {
597  struct asn1_cursor cursor;
598  int rc;
599 
600  /* Enter extKeyUsage */
601  memcpy ( &cursor, raw, sizeof ( cursor ) );
602  asn1_enter ( &cursor, ASN1_SEQUENCE );
603 
604  /* Parse each extended key usage in turn */
605  while ( cursor.len ) {
606  if ( ( rc = x509_parse_key_purpose ( cert, &cursor ) ) != 0 )
607  return rc;
608  asn1_skip_any ( &cursor );
609  }
610 
611  return 0;
612 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
x509_parse_key_purpose
static int x509_parse_key_purpose(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key purpose identifier.
Definition: x509.c:556
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_key_purpose().

◆ x509_parse_ocsp()

static int x509_parse_ocsp ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate OCSP access method.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 621 of file x509.c.

622  {
623  struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
624  struct asn1_cursor *uri = &ocsp->uri;
625  int rc;
626 
627  /* Enter accessLocation */
628  memcpy ( uri, raw, sizeof ( *uri ) );
629  if ( ( rc = asn1_enter ( uri, X509_GENERAL_NAME_URI ) ) != 0 ) {
630  DBGC ( cert, "X509 %p OCSP does not contain "
631  "uniformResourceIdentifier:\n", cert );
632  DBGC_HDA ( cert, 0, raw->data, raw->len );
633  return rc;
634  }
635  DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
636  DBGC2_HDA ( cert, 0, uri->data, uri->len );
637 
638  return 0;
639 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_ocsp_responder
X.509 certificate OCSP responder.
Definition: x509.h:128
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x509_extensions::auth_info
struct x509_authority_info_access auth_info
Authority information access.
Definition: x509.h:163
x509_ocsp_responder::uri
struct asn1_cursor uri
URI.
Definition: x509.h:130
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
uri
A Uniform Resource Identifier.
Definition: uri.h:64
x509_authority_info_access::ocsp
struct x509_ocsp_responder ocsp
OCSP responder.
Definition: x509.h:138
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References asn1_enter(), x509_extensions::auth_info, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, memcpy(), x509_authority_info_access::ocsp, raw, rc, x509_ocsp_responder::uri, and X509_GENERAL_NAME_URI.

◆ x509_find_access_method()

static struct x509_access_method* x509_find_access_method ( const struct asn1_cursor oid)
static

Identify X.509 access method by OID.

Parameters
oidOID
Return values
methodAccess method, or NULL

Definition at line 660 of file x509.c.

660  {
661  struct x509_access_method *method;
662  unsigned int i;
663 
664  for ( i = 0 ; i < ( sizeof ( x509_access_methods ) /
665  sizeof ( x509_access_methods[0] ) ) ; i++ ) {
666  method = &x509_access_methods[i];
667  if ( asn1_compare ( &method->oid, oid ) == 0 )
668  return method;
669  }
670 
671  return NULL;
672 }
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
method
uint8_t method
Definition: ib_mad.h:14
x509_access_methods
static struct x509_access_method x509_access_methods[]
Supported access methods.
Definition: x509.c:645
x509_access_method::oid
struct asn1_cursor oid
Object identifier.
Definition: x509.h:354
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_access_method
An X.509 access method.
Definition: x509.h:350

References asn1_compare(), method, NULL, x509_access_method::oid, and x509_access_methods.

Referenced by x509_parse_access_description().

◆ x509_parse_access_description()

static int x509_parse_access_description ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate access description.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 681 of file x509.c.

682  {
683  struct asn1_cursor cursor;
684  struct asn1_cursor subcursor;
685  struct x509_access_method *method;
686  int rc;
687 
688  /* Enter keyPurposeId */
689  memcpy ( &cursor, raw, sizeof ( cursor ) );
690  asn1_enter ( &cursor, ASN1_SEQUENCE );
691 
692  /* Try to identify access method */
693  memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
694  asn1_enter ( &subcursor, ASN1_OID );
695  method = x509_find_access_method ( &subcursor );
696  asn1_skip_any ( &cursor );
697  DBGC2 ( cert, "X509 %p found access method %s\n",
698  cert, ( method ? method->name : "<unknown>" ) );
699 
700  /* Parse access location, if applicable */
701  if ( method && ( ( rc = method->parse ( cert, &cursor ) ) != 0 ) )
702  return rc;
703 
704  return 0;
705 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
method
uint8_t method
Definition: ib_mad.h:14
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_find_access_method
static struct x509_access_method * x509_find_access_method(const struct asn1_cursor *oid)
Identify X.509 access method by OID.
Definition: x509.c:660
x509_access_method
An X.509 access method.
Definition: x509.h:350

References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), DBGC2, memcpy(), method, raw, rc, and x509_find_access_method().

Referenced by x509_parse_authority_info_access().

◆ x509_parse_authority_info_access()

static int x509_parse_authority_info_access ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate authority information access.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 714 of file x509.c.

715  {
716  struct asn1_cursor cursor;
717  int rc;
718 
719  /* Enter authorityInfoAccess */
720  memcpy ( &cursor, raw, sizeof ( cursor ) );
721  asn1_enter ( &cursor, ASN1_SEQUENCE );
722 
723  /* Parse each access description in turn */
724  while ( cursor.len ) {
725  if ( ( rc = x509_parse_access_description ( cert,
726  &cursor ) ) != 0 )
727  return rc;
728  asn1_skip_any ( &cursor );
729  }
730 
731  return 0;
732 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
x509_parse_access_description
static int x509_parse_access_description(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate access description.
Definition: x509.c:681
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_access_description().

◆ x509_parse_subject_alt_name()

static int x509_parse_subject_alt_name ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate subject alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 741 of file x509.c.

742  {
743  struct x509_subject_alt_name *alt_name = &cert->extensions.alt_name;
744  struct asn1_cursor *names = &alt_name->names;
745  int rc;
746 
747  /* Enter subjectAltName */
748  memcpy ( names, raw, sizeof ( *names ) );
749  if ( ( rc = asn1_enter ( names, ASN1_SEQUENCE ) ) != 0 ) {
750  DBGC ( cert, "X509 %p invalid subjectAltName: %s\n",
751  cert, strerror ( rc ) );
752  DBGC_HDA ( cert, 0, raw->data, raw->len );
753  return rc;
754  }
755  DBGC2 ( cert, "X509 %p has subjectAltName:\n", cert );
756  DBGC2_HDA ( cert, 0, names->data, names->len );
757 
758  return 0;
759 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_subject_alt_name::names
struct asn1_cursor names
Names.
Definition: x509.h:144
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
x509_extensions::alt_name
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition: x509.h:165
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_subject_alt_name
X.509 certificate subject alternative name.
Definition: x509.h:142
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References x509_extensions::alt_name, asn1_enter(), ASN1_SEQUENCE, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, DBGC_HDA, x509_certificate::extensions, asn1_cursor::len, memcpy(), x509_subject_alt_name::names, raw, rc, and strerror().

◆ x509_find_extension()

static struct x509_extension* x509_find_extension ( const struct asn1_cursor oid)
static

Identify X.509 extension by OID.

Parameters
oidOID
Return values
extensionExtension, or NULL

Definition at line 817 of file x509.c.

817  {
818  struct x509_extension *extension;
819  unsigned int i;
820 
821  for ( i = 0 ; i < ( sizeof ( x509_extensions ) /
822  sizeof ( x509_extensions[0] ) ) ; i++ ) {
823  extension = &x509_extensions[i];
824  if ( asn1_compare ( &extension->oid, oid ) == 0 )
825  return extension;
826  }
827 
828  return NULL;
829 }
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
x509_extension::oid
struct asn1_cursor oid
Object identifier.
Definition: x509.h:328
x509_extensions
static struct x509_extension x509_extensions[]
Supported certificate extensions.
Definition: x509.c:782
x509_extensions
An X.509 certificate extensions set.
Definition: x509.h:155
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_extension
An X.509 extension.
Definition: x509.h:324

References asn1_compare(), NULL, x509_extension::oid, and x509_extensions.

Referenced by x509_parse_extension().

◆ x509_parse_extension()

static int x509_parse_extension ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extension.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 838 of file x509.c.

839  {
840  struct asn1_cursor cursor;
841  struct asn1_cursor subcursor;
842  struct x509_extension *extension;
843  int is_critical = 0;
844  int rc;
845 
846  /* Enter extension */
847  memcpy ( &cursor, raw, sizeof ( cursor ) );
848  asn1_enter ( &cursor, ASN1_SEQUENCE );
849 
850  /* Try to identify extension */
851  memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
852  asn1_enter ( &subcursor, ASN1_OID );
853  extension = x509_find_extension ( &subcursor );
854  asn1_skip_any ( &cursor );
855  DBGC2 ( cert, "X509 %p found extension %s\n",
856  cert, ( extension ? extension->name : "<unknown>" ) );
857 
858  /* Identify criticality */
859  if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
860  is_critical = asn1_boolean ( &cursor );
861  if ( is_critical < 0 ) {
862  rc = is_critical;
863  DBGC ( cert, "X509 %p cannot parse extension "
864  "criticality: %s\n", cert, strerror ( rc ) );
865  DBGC_HDA ( cert, 0, raw->data, raw->len );
866  return rc;
867  }
868  asn1_skip_any ( &cursor );
869  }
870 
871  /* Handle unknown extensions */
872  if ( ! extension ) {
873  if ( is_critical ) {
874  /* Fail if we cannot handle a critical extension */
875  DBGC ( cert, "X509 %p cannot handle critical "
876  "extension:\n", cert );
877  DBGC_HDA ( cert, 0, raw->data, raw->len );
878  return -ENOTSUP_EXTENSION;
879  } else {
880  /* Ignore unknown non-critical extensions */
881  return 0;
882  }
883  };
884 
885  /* Extract extnValue */
886  if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
887  DBGC ( cert, "X509 %p extension missing extnValue:\n", cert );
888  DBGC_HDA ( cert, 0, raw->data, raw->len );
889  return rc;
890  }
891 
892  /* Parse extension */
893  if ( ( rc = extension->parse ( cert, &cursor ) ) != 0 )
894  return rc;
895 
896  return 0;
897 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
ASN1_BOOLEAN
#define ASN1_BOOLEAN
ASN.1 boolean.
Definition: asn1.h:59
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_type
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:380
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
asn1_boolean
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
Definition: asn1.c:296
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
x509_extension::name
const char * name
Name.
Definition: x509.h:326
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
ENOTSUP_EXTENSION
#define ENOTSUP_EXTENSION
Definition: x509.c:61
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
x509_find_extension
static struct x509_extension * x509_find_extension(const struct asn1_cursor *oid)
Identify X.509 extension by OID.
Definition: x509.c:817
ASN1_OCTET_STRING
#define ASN1_OCTET_STRING
ASN.1 octet string.
Definition: asn1.h:68
x509_extension::parse
int(* parse)(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse extension.
Definition: x509.h:335
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_extension
An X.509 extension.
Definition: x509.h:324

References ASN1_BOOLEAN, asn1_boolean(), asn1_enter(), ASN1_OCTET_STRING, ASN1_OID, ASN1_SEQUENCE, asn1_skip_any(), asn1_type(), DBGC, DBGC2, DBGC_HDA, ENOTSUP_EXTENSION, memcpy(), x509_extension::name, x509_extension::parse, raw, rc, strerror(), and x509_find_extension().

Referenced by x509_parse_extensions().

◆ x509_parse_extensions()

static int x509_parse_extensions ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate extensions, if present.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 906 of file x509.c.

907  {
908  struct asn1_cursor cursor;
909  int rc;
910 
911  /* Enter extensions, if present */
912  memcpy ( &cursor, raw, sizeof ( cursor ) );
913  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 3 ) );
914  asn1_enter ( &cursor, ASN1_SEQUENCE );
915 
916  /* Parse each extension in turn */
917  while ( cursor.len ) {
918  if ( ( rc = x509_parse_extension ( cert, &cursor ) ) != 0 )
919  return rc;
920  asn1_skip_any ( &cursor );
921  }
922 
923  return 0;
924 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
x509_parse_extension
static int x509_parse_extension(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extension.
Definition: x509.c:838
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), asn1_cursor::len, memcpy(), raw, rc, and x509_parse_extension().

Referenced by x509_parse_tbscertificate().

◆ x509_parse_tbscertificate()

static int x509_parse_tbscertificate ( struct x509_certificate cert,
const struct asn1_cursor raw 
)
static

Parse X.509 certificate tbsCertificate.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 933 of file x509.c.

934  {
935  struct asn1_algorithm **algorithm = &cert->signature_algorithm;
936  struct asn1_cursor cursor;
937  int rc;
938 
939  /* Record raw tbsCertificate */
940  memcpy ( &cursor, raw, sizeof ( cursor ) );
941  asn1_shrink_any ( &cursor );
942  memcpy ( &cert->tbs, &cursor, sizeof ( cert->tbs ) );
943 
944  /* Enter tbsCertificate */
945  asn1_enter ( &cursor, ASN1_SEQUENCE );
946 
947  /* Parse version, if present */
948  if ( asn1_type ( &cursor ) == ASN1_EXPLICIT_TAG ( 0 ) ) {
949  if ( ( rc = x509_parse_version ( cert, &cursor ) ) != 0 )
950  return rc;
951  asn1_skip_any ( &cursor );
952  }
953 
954  /* Parse serialNumber */
955  if ( ( rc = x509_parse_serial ( cert, &cursor ) ) != 0 )
956  return rc;
957  asn1_skip_any ( &cursor );
958 
959  /* Parse signature */
960  if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
961  DBGC ( cert, "X509 %p could not parse signature algorithm: "
962  "%s\n", cert, strerror ( rc ) );
963  return rc;
964  }
965  DBGC2 ( cert, "X509 %p tbsCertificate signature algorithm is %s\n",
966  cert, (*algorithm)->name );
967  asn1_skip_any ( &cursor );
968 
969  /* Parse issuer */
970  if ( ( rc = x509_parse_issuer ( cert, &cursor ) ) != 0 )
971  return rc;
972  asn1_skip_any ( &cursor );
973 
974  /* Parse validity */
975  if ( ( rc = x509_parse_validity ( cert, &cursor ) ) != 0 )
976  return rc;
977  asn1_skip_any ( &cursor );
978 
979  /* Parse subject */
980  if ( ( rc = x509_parse_subject ( cert, &cursor ) ) != 0 )
981  return rc;
982  asn1_skip_any ( &cursor );
983 
984  /* Parse subjectPublicKeyInfo */
985  if ( ( rc = x509_parse_public_key ( cert, &cursor ) ) != 0 )
986  return rc;
987  asn1_skip_any ( &cursor );
988 
989  /* Parse extensions, if present */
990  if ( ( rc = x509_parse_extensions ( cert, &cursor ) ) != 0 )
991  return rc;
992 
993  return 0;
994 }
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:230
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_parse_issuer
static int x509_parse_issuer(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate issuer.
Definition: x509.c:247
asn1_type
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:380
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
asn1_signature_algorithm
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition: asn1.c:565
x509_parse_serial
static int x509_parse_serial(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate serial number.
Definition: x509.c:222
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
x509_parse_version
static int x509_parse_version(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate version.
Definition: x509.c:182
x509_parse_validity
static int x509_parse_validity(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate validity.
Definition: x509.c:272
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
x509_parse_subject
static int x509_parse_subject(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject.
Definition: x509.c:363
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_certificate::tbs
struct asn1_cursor tbs
Raw tbsCertificate.
Definition: x509.h:228
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
x509_parse_extensions
static int x509_parse_extensions(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extensions, if present.
Definition: x509.c:906
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_parse_public_key
static int x509_parse_public_key(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate public key information.
Definition: x509.c:390

References algorithm, asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_shrink_any(), asn1_signature_algorithm(), asn1_skip_any(), asn1_type(), DBGC, DBGC2, memcpy(), raw, rc, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, x509_parse_extensions(), x509_parse_issuer(), x509_parse_public_key(), x509_parse_serial(), x509_parse_subject(), x509_parse_validity(), and x509_parse_version().

Referenced by x509_parse().

◆ x509_parse()

int x509_parse ( struct x509_certificate cert,
const struct asn1_cursor raw 
)

Parse X.509 certificate from ASN.1 data.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 1003 of file x509.c.

1004  {
1005  struct x509_signature *signature = &cert->signature;
1006  struct asn1_algorithm **signature_algorithm = &signature->algorithm;
1007  struct asn1_bit_string *signature_value = &signature->value;
1008  struct asn1_cursor cursor;
1009  int rc;
1010 
1011  /* Record raw certificate */
1012  memcpy ( &cursor, raw, sizeof ( cursor ) );
1013  memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
1014 
1015  /* Enter certificate */
1016  asn1_enter ( &cursor, ASN1_SEQUENCE );
1017 
1018  /* Parse tbsCertificate */
1019  if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
1020  return rc;
1021  asn1_skip_any ( &cursor );
1022 
1023  /* Parse signatureAlgorithm */
1024  if ( ( rc = asn1_signature_algorithm ( &cursor,
1025  signature_algorithm ) ) != 0 ) {
1026  DBGC ( cert, "X509 %p could not parse signature algorithm: "
1027  "%s\n", cert, strerror ( rc ) );
1028  return rc;
1029  }
1030  DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
1031  cert, (*signature_algorithm)->name );
1032  asn1_skip_any ( &cursor );
1033 
1034  /* Parse signatureValue */
1035  if ( ( rc = asn1_integral_bit_string ( &cursor,
1036  signature_value ) ) != 0 ) {
1037  DBGC ( cert, "X509 %p could not parse signature value: %s\n",
1038  cert, strerror ( rc ) );
1039  return rc;
1040  }
1041  DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
1042  DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
1043 
1044  /* Check that algorithm in tbsCertificate matches algorithm in
1045  * signature
1046  */
1047  if ( signature->algorithm != (*signature_algorithm) ) {
1048  DBGC ( cert, "X509 %p signature algorithm %s does not match "
1049  "signatureAlgorithm %s\n",
1050  cert, signature->algorithm->name,
1051  (*signature_algorithm)->name );
1052  return -EINVAL_ALGORITHM_MISMATCH;
1053  }
1054 
1055  return 0;
1056 }
asn1_bit_string::data
const void * data
Data.
Definition: asn1.h:356
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
asn1_signature_algorithm
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition: asn1.c:565
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
x509_certificate::signature
struct x509_signature signature
Signature.
Definition: x509.h:238
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
asn1_integral_bit_string
int asn1_integral_bit_string(const struct asn1_cursor *cursor, struct asn1_bit_string *bits)
Parse ASN.1 bit string that must be an integral number of bytes.
Definition: asn1.c:414
x509_parse_tbscertificate
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Definition: x509.c:933
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
asn1_bit_string::len
size_t len
Length.
Definition: asn1.h:358
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
EINVAL_ALGORITHM_MISMATCH
#define EINVAL_ALGORITHM_MISMATCH
Definition: x509.c:69
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:222
signature
u8 signature
Signature.
Definition: CIB_PRM.h:35
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
asn1_bit_string
An ASN.1 bit string.
Definition: asn1.h:354
x509_signature
An X.509 certificate signature.
Definition: x509.h:68

References asn1_enter(), asn1_integral_bit_string(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_bit_string::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_bit_string::len, memcpy(), raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

◆ x509_certificate()

int x509_certificate ( const void *  data,
size_t  len,
struct x509_certificate **  cert 
)

Create X.509 certificate.

Parameters
dataRaw certificate data
lenLength of raw data
Return values
certX.509 certificate
rcReturn status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1069 of file x509.c.

1070  {
1071  struct asn1_cursor cursor;
1072  void *raw;
1073  int rc;
1074 
1075  /* Initialise cursor */
1076  cursor.data = data;
1077  cursor.len = len;
1078  asn1_shrink_any ( &cursor );
1079 
1080  /* Return stored certificate, if present */
1081  if ( ( *cert = certstore_find ( &cursor ) ) != NULL ) {
1082 
1083  /* Add caller's reference */
1084  x509_get ( *cert );
1085  return 0;
1086  }
1087 
1088  /* Allocate and initialise certificate */
1089  *cert = zalloc ( sizeof ( **cert ) + cursor.len );
1090  if ( ! *cert )
1091  return -ENOMEM;
1092  ref_init ( &(*cert)->refcnt, x509_free );
1093  raw = ( *cert + 1 );
1094 
1095  /* Copy raw data */
1096  memcpy ( raw, cursor.data, cursor.len );
1097  cursor.data = raw;
1098 
1099  /* Parse certificate */
1100  if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
1101  x509_put ( *cert );
1102  *cert = NULL;
1103  return rc;
1104  }
1105 
1106  /* Add certificate to store */
1107  certstore_add ( *cert );
1108 
1109  return 0;
1110 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:258
x509_free
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
Definition: x509.c:131
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
certstore_add
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:138
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
certstore_find
struct x509_certificate * certstore_find(struct asn1_cursor *raw)
Find certificate in store.
Definition: certstore.c:102
len
uint32_t len
Length.
Definition: ena.h:14
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
arbelprm_rc_send_wqe::data
struct arbelprm_wqe_segment_data_ptr data[ARBEL_MAX_GATHER]
Definition: arbel.h:237
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_parse
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1003

References asn1_shrink_any(), certstore_add(), certstore_find(), data, asn1_cursor::data, ENOMEM, len, asn1_cursor::len, memcpy(), NULL, raw, rc, ref_init, x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

◆ x509_check_signature()

static int x509_check_signature ( struct x509_certificate cert,
struct x509_public_key public_key 
)
static

Check X.509 certificate signature.

Parameters
certX.509 certificate
public_keyX.509 public key
Return values
rcReturn status code

Definition at line 1119 of file x509.c.

1120  {
1121  struct x509_signature *signature = &cert->signature;
1122  struct asn1_algorithm *algorithm = signature->algorithm;
1123  struct digest_algorithm *digest = algorithm->digest;
1124  struct pubkey_algorithm *pubkey = algorithm->pubkey;
1125  uint8_t digest_ctx[ digest->ctxsize ];
1126  uint8_t digest_out[ digest->digestsize ];
1127  uint8_t pubkey_ctx[ pubkey->ctxsize ];
1128  int rc;
1129 
1130  /* Sanity check */
1131  assert ( cert->signature_algorithm == cert->signature.algorithm );
1132 
1133  /* Calculate certificate digest */
1134  digest_init ( digest, digest_ctx );
1135  digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
1136  digest_final ( digest, digest_ctx, digest_out );
1137  DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
1138  DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );
1139 
1140  /* Check that signature public key algorithm matches signer */
1141  if ( public_key->algorithm->pubkey != pubkey ) {
1142  DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
1143  "match signer's algorithm %s\n",
1144  cert, x509_name ( cert ), algorithm->name,
1145  public_key->algorithm->name );
1146  rc = -EINVAL_ALGORITHM_MISMATCH;
1147  goto err_mismatch;
1148  }
1149 
1150  /* Verify signature using signer's public key */
1151  if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
1152  public_key->raw.len ) ) != 0 ) {
1153  DBGC ( cert, "X509 %p \"%s\" cannot initialise public key: "
1154  "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1155  goto err_pubkey_init;
1156  }
1157  if ( ( rc = pubkey_verify ( pubkey, pubkey_ctx, digest, digest_out,
1158  signature->value.data,
1159  signature->value.len ) ) != 0 ) {
1160  DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
1161  "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
1162  goto err_pubkey_verify;
1163  }
1164 
1165  /* Success */
1166  rc = 0;
1167 
1168  err_pubkey_verify:
1169  pubkey_final ( pubkey, pubkey_ctx );
1170  err_pubkey_init:
1171  err_mismatch:
1172  return rc;
1173 }
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:230
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_signature::algorithm
struct asn1_algorithm * algorithm
Signature algorithm.
Definition: x509.h:70
pubkey_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:124
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
public_key
static const void size_t const void * public_key
Definition: crypto.h:327
x509_certificate::signature
struct x509_signature signature
Signature.
Definition: x509.h:238
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:21
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:25
x509_certificate::tbs
struct asn1_cursor tbs
Raw tbsCertificate.
Definition: x509.h:228
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
EINVAL_ALGORITHM_MISMATCH
#define EINVAL_ALGORITHM_MISMATCH
Definition: x509.c:69
signature
u8 signature
Signature.
Definition: CIB_PRM.h:35
pubkey_algorithm
A public key algorithm.
Definition: crypto.h:120
x509_signature
An X.509 certificate signature.
Definition: x509.h:68

References x509_signature::algorithm, algorithm, assert(), digest_algorithm::ctxsize, pubkey_algorithm::ctxsize, asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, digest, digest_algorithm::digestsize, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, public_key, rc, signature, x509_certificate::signature, x509_certificate::signature_algorithm, strerror(), x509_certificate::tbs, and x509_name().

Referenced by x509_check_issuer().

◆ x509_check_issuer()

int x509_check_issuer ( struct x509_certificate cert,
struct x509_certificate issuer 
)

Check X.509 certificate against issuer certificate.

Parameters
certX.509 certificate
issuerX.509 issuer certificate
Return values
rcReturn status code

Definition at line 1182 of file x509.c.

1183  {
1184  struct x509_public_key *public_key = &issuer->subject.public_key;
1185  int rc;
1186 
1187  /* Check issuer. In theory, this should be a full X.500 DN
1188  * comparison, which would require support for a plethora of
1189  * abominations such as TeletexString (which allows the
1190  * character set to be changed mid-string using escape codes).
1191  * In practice, we assume that anyone who deliberately changes
1192  * the encoding of the issuer DN is probably a masochist who
1193  * will rather enjoy the process of figuring out exactly why
1194  * their certificate doesn't work.
1195  *
1196  * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
1197  * for some enjoyable ranting on this subject.
1198  */
1199  if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
1200  DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
1201  cert, x509_name ( cert ) );
1202  DBGC ( cert, "X509 %p \"%s\" subject\n",
1203  issuer, x509_name ( issuer ) );
1204  DBGC_HDA ( cert, 0, cert->issuer.raw.data,
1205  cert->issuer.raw.len );
1206  DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
1207  issuer->subject.raw.len );
1208  return -EACCES_WRONG_ISSUER;
1209  }
1210 
1211  /* Check that issuer is allowed to sign certificates */
1212  if ( ! issuer->extensions.basic.ca ) {
1213  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1214  issuer, x509_name ( issuer ) );
1215  DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
1216  cert, x509_name ( cert ) );
1217  return -EACCES_NOT_CA;
1218  }
1219  if ( issuer->extensions.usage.present &&
1220  ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
1221  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1222  issuer, x509_name ( issuer ) );
1223  DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
1224  cert, x509_name ( cert ) );
1225  return -EACCES_KEY_USAGE;
1226  }
1227 
1228  /* Check signature */
1229  if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
1230  return rc;
1231 
1232  return 0;
1233 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_issuer::raw
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_key_usage::present
int present
Key usage extension is present.
Definition: x509.h:93
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
public_key
static const void size_t const void * public_key
Definition: crypto.h:327
EACCES_KEY_USAGE
#define EACCES_KEY_USAGE
Definition: x509.c:89
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x509_public_key
An X.509 certificate public key.
Definition: x509.h:48
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
x509_basic_constraints::ca
int ca
Subject is a CA.
Definition: x509.h:78
EACCES_NOT_CA
#define EACCES_NOT_CA
Definition: x509.c:85
x509_subject::raw
struct asn1_cursor raw
Raw subject.
Definition: x509.h:60
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
x509_check_signature
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
Definition: x509.c:1119
x509_key_usage::bits
unsigned int bits
Usage bits.
Definition: x509.h:95
x509_extensions::usage
struct x509_key_usage usage
Key usage.
Definition: x509.h:159
EACCES_WRONG_ISSUER
#define EACCES_WRONG_ISSUER
Definition: x509.c:81
x509_extensions::basic
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:157
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, public_key, x509_subject::raw, x509_issuer::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

◆ x509_fingerprint()

void x509_fingerprint ( struct x509_certificate cert,
struct digest_algorithm digest,
void *  fingerprint 
)

Calculate X.509 certificate fingerprint.

Parameters
certX.509 certificate
digestDigest algorithm
fingerprintFingerprint buffer

Definition at line 1242 of file x509.c.

1244  {
1245  uint8_t ctx[ digest->ctxsize ];
1246 
1247  /* Calculate fingerprint */
1248  digest_init ( digest, ctx );
1249  digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
1250  digest_final ( digest, ctx, fingerprint );
1251 }
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:21
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:222

References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest, asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

◆ x509_check_root()

int x509_check_root ( struct x509_certificate cert,
struct x509_root root 
)

Check X.509 root certificate.

Parameters
certX.509 certificate
rootX.509 root certificate list
Return values
rcReturn status code

Definition at line 1260 of file x509.c.

1260  {
1261  struct digest_algorithm *digest = root->digest;
1262  uint8_t fingerprint[ digest->digestsize ];
1263  const uint8_t *root_fingerprint = root->fingerprints;
1264  unsigned int i;
1265 
1266  /* Calculate certificate fingerprint */
1267  x509_fingerprint ( cert, digest, fingerprint );
1268 
1269  /* Check fingerprint against all root certificates */
1270  for ( i = 0 ; i < root->count ; i++ ) {
1271  if ( memcmp ( fingerprint, root_fingerprint,
1272  sizeof ( fingerprint ) ) == 0 ) {
1273  DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
1274  cert, x509_name ( cert ) );
1275  return 0;
1276  }
1277  root_fingerprint += sizeof ( fingerprint );
1278  }
1279 
1280  DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
1281  cert, x509_name ( cert ) );
1282  return -ENOENT;
1283 }
root
struct stp_switch root
Root switch.
Definition: stp.h:26
DBGC
#define DBGC(...)
Definition: compiler.h:505
ENOENT
#define ENOENT
No such file or directory.
Definition: errno.h:514
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
x509_fingerprint
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1242
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:25
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114

References DBGC, DBGC2, digest, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

◆ x509_check_time()

int x509_check_time ( struct x509_certificate cert,
time_t  time 
)

Check X.509 certificate validity period.

Parameters
certX.509 certificate
timeTime at which to check certificate
Return values
rcReturn status code

Definition at line 1292 of file x509.c.

1292  {
1293  struct x509_validity *validity = &cert->validity;
1294 
1295  /* Check validity period */
1296  if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
1297  DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1298  cert, x509_name ( cert ), time );
1299  return -EACCES_EXPIRED;
1300  }
1301  if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
1302  DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1303  cert, x509_name ( cert ), time );
1304  return -EACCES_EXPIRED;
1305  }
1306 
1307  DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
1308  cert, x509_name ( cert ), time );
1309  return 0;
1310 }
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_time::time
time_t time
Seconds since the Epoch.
Definition: x509.h:36
x509_validity::not_before
struct x509_time not_before
Not valid before.
Definition: x509.h:42
EACCES_EXPIRED
#define EACCES_EXPIRED
Definition: x509.c:93
x509_validity
An X.509 certificate validity period.
Definition: x509.h:40
x509_certificate::validity
struct x509_validity validity
Validity.
Definition: x509.h:234
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
TIMESTAMP_ERROR_MARGIN
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
Definition: crypto.h:69
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_validity::not_after
struct x509_time not_after
Not valid after.
Definition: x509.h:44
time
uint64_t time
Current time.
Definition: ntlm.h:20

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, time, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

◆ x509_is_valid()

int x509_is_valid ( struct x509_certificate cert,
struct x509_root root 
)

Check if X.509 certificate is valid.

Parameters
certX.509 certificate
rootRoot certificate list, or NULL to use default

Definition at line 1318 of file x509.c.

1318  {
1319 
1320  /* Use default root certificate store if none specified */
1321  if ( ! root )
1322  root = &root_certificates;
1323 
1324  return ( cert->root == root );
1325 }
root
struct stp_switch root
Root switch.
Definition: stp.h:26
root_certificates
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
x509_certificate::root
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:217

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

◆ x509_set_valid()

static void x509_set_valid ( struct x509_certificate cert,
struct x509_certificate issuer,
struct x509_root root 
)
static

Set X.509 certificate as validated.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
rootRoot certificate list

Definition at line 1334 of file x509.c.

1336  {
1337  unsigned int max_path_remaining;
1338 
1339  /* Sanity checks */
1340  assert ( root != NULL );
1341  assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );
1342 
1343  /* Record validation root */
1344  x509_root_put ( cert->root );
1345  cert->root = x509_root_get ( root );
1346 
1347  /* Calculate effective path length */
1348  cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
1349  if ( issuer ) {
1350  max_path_remaining = ( issuer->path_remaining - 1 );
1351  if ( cert->path_remaining > max_path_remaining )
1352  cert->path_remaining = max_path_remaining;
1353  }
1354 }
x509_certificate::path_remaining
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:219
x509_basic_constraints::path_len
unsigned int path_len
Path length.
Definition: x509.h:80
root
struct stp_switch root
Root switch.
Definition: stp.h:26
x509_root_put
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:395
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
x509_certificate::root
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:217
x509_root_get
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition: x509.h:384
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_extensions::basic
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:157
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References assert(), x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().

Referenced by x509_validate().

◆ x509_validate()

int x509_validate ( struct x509_certificate cert,
struct x509_certificate issuer,
time_t  time,
struct x509_root root 
)

Validate X.509 certificate.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
timeTime at which to validate certificate
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

The issuing certificate must have already been validated.

Validation results are cached: if a certificate has already been successfully validated then issuer, time, and root will be ignored.

Definition at line 1371 of file x509.c.

1373  {
1374  int rc;
1375 
1376  /* Use default root certificate store if none specified */
1377  if ( ! root )
1378  root = &root_certificates;
1379 
1380  /* Return success if certificate has already been validated */
1381  if ( x509_is_valid ( cert, root ) )
1382  return 0;
1383 
1384  /* Fail if certificate is invalid at specified time */
1385  if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
1386  return rc;
1387 
1388  /* Succeed if certificate is a trusted root certificate */
1389  if ( x509_check_root ( cert, root ) == 0 ) {
1390  x509_set_valid ( cert, NULL, root );
1391  return 0;
1392  }
1393 
1394  /* Fail unless we have an issuer */
1395  if ( ! issuer ) {
1396  DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
1397  cert, x509_name ( cert ) );
1398  return -EACCES_UNTRUSTED;
1399  }
1400 
1401  /* Fail unless issuer has already been validated */
1402  if ( ! x509_is_valid ( issuer, root ) ) {
1403  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1404  DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1405  issuer, x509_name ( issuer ) );
1406  return -EACCES_OUT_OF_ORDER;
1407  }
1408 
1409  /* Fail if issuing certificate cannot validate this certificate */
1410  if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
1411  return rc;
1412 
1413  /* Fail if path length constraint is violated */
1414  if ( issuer->path_remaining == 0 ) {
1415  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1416  DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1417  issuer, x509_name ( issuer ) );
1418  return -EACCES_PATH_LEN;
1419  }
1420 
1421  /* Fail if OCSP is required */
1422  if ( ocsp_required ( cert ) ) {
1423  DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1424  cert, x509_name ( cert ) );
1425  return -EACCES_OCSP_REQUIRED;
1426  }
1427 
1428  /* Mark certificate as valid */
1429  x509_set_valid ( cert, issuer, root );
1430 
1431  DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1432  cert, x509_name ( cert ) );
1433  DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1434  return 0;
1435 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_certificate::path_remaining
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:219
root
struct stp_switch root
Root switch.
Definition: stp.h:26
x509_set_valid
static void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition: x509.c:1334
root_certificates
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_is_valid
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
Definition: x509.c:1318
ocsp_required
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition: ocsp.h:128
EACCES_OCSP_REQUIRED
#define EACCES_OCSP_REQUIRED
Definition: x509.c:113
EACCES_OUT_OF_ORDER
#define EACCES_OUT_OF_ORDER
Definition: x509.c:105
EACCES_PATH_LEN
#define EACCES_PATH_LEN
Definition: x509.c:97
x509_check_root
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
Definition: x509.c:1260
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_check_issuer
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
Definition: x509.c:1182
EACCES_UNTRUSTED
#define EACCES_UNTRUSTED
Definition: x509.c:101
time
uint64_t time
Current time.
Definition: ntlm.h:20
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_check_time
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
Definition: x509.c:1292

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, time, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), and x509_validate_chain().

◆ x509_check_dnsname()

static int x509_check_dnsname ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative dNSName.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1445 of file x509.c.

1447  {
1448  const char *fullname = name;
1449  const char *dnsname = raw->data;
1450  size_t len = raw->len;
1451 
1452  /* Check for wildcards */
1453  if ( ( len >= 2 ) && ( dnsname[0] == '*' ) && ( dnsname[1] == '.' ) ) {
1454 
1455  /* Skip initial "*." */
1456  dnsname += 2;
1457  len -= 2;
1458 
1459  /* Skip initial portion of name to be tested */
1460  name = strchr ( name, '.' );
1461  if ( ! name )
1462  return -ENOENT;
1463  name++;
1464  }
1465 
1466  /* Compare names */
1467  if ( ! ( ( strlen ( name ) == len ) &&
1468  ( strncasecmp ( name, dnsname, len ) == 0 ) ) )
1469  return -ENOENT;
1470 
1471  if ( name != fullname ) {
1472  DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
1473  "\"*.%s\"\n", cert, x509_name ( cert ), name );
1474  }
1475  return 0;
1476 }
name
const char * name
Definition: ath9k_hw.c:1984
ENOENT
#define ENOENT
No such file or directory.
Definition: errno.h:514
strncasecmp
int strncasecmp(const char *first, const char *second, size_t max)
Compare case-insensitive strings.
Definition: string.c:221
strchr
char * strchr(const char *src, int character)
Find character within a string.
Definition: string.c:271
strlen
size_t strlen(const char *src)
Get length of string.
Definition: string.c:243
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
len
uint32_t len
Length.
Definition: ena.h:14
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References DBGC2, ENOENT, len, name, raw, strchr(), strlen(), strncasecmp(), and x509_name().

Referenced by x509_check_alt_name(), and x509_check_name().

◆ x509_check_ipaddress()

static int x509_check_ipaddress ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative iPAddress.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1486 of file x509.c.

1488  {
1489  struct sockaddr sa;
1490  sa_family_t family;
1491  const void *address;
1492  int rc;
1493 
1494  /* Determine address family */
1495  if ( raw->len == sizeof ( struct in_addr ) ) {
1496  struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
1497  family = AF_INET;
1498  address = &sin->sin_addr;
1499  } else if ( raw->len == sizeof ( struct in6_addr ) ) {
1500  struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
1501  family = AF_INET6;
1502  address = &sin6->sin6_addr;
1503  } else {
1504  DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
1505  "length %zd\n", cert, x509_name ( cert ), raw->len );
1506  DBGC_HDA ( cert, 0, raw->data, raw->len );
1507  return -EINVAL;
1508  }
1509 
1510  /* Attempt to convert name to a socket address */
1511  if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
1512  DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
1513  "iPAddress: %s\n", cert, x509_name ( cert ), name,
1514  strerror ( rc ) );
1515  return rc;
1516  }
1517  if ( sa.sa_family != family )
1518  return -ENOENT;
1519 
1520  /* Compare addresses */
1521  if ( memcmp ( address, raw->data, raw->len ) != 0 )
1522  return -ENOENT;
1523 
1524  DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
1525  cert, x509_name ( cert ), sock_ntoa ( &sa ) );
1526  return 0;
1527 }
EINVAL
#define EINVAL
Invalid argument.
Definition: errno.h:428
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
name
const char * name
Definition: ath9k_hw.c:1984
AF_INET6
#define AF_INET6
IPv6 Internet addresses.
Definition: socket.h:64
address
uint64_t address
Base address.
Definition: ena.h:24
sockaddr::sa_family
sa_family_t sa_family
Socket address family.
Definition: socket.h:101
DBGC
#define DBGC(...)
Definition: compiler.h:505
sin6
struct sockaddr_in6 sin6
Definition: syslog.c:58
ENOENT
#define ENOENT
No such file or directory.
Definition: errno.h:514
sockaddr_in
IPv4 socket address.
Definition: in.h:82
sock_aton
int sock_aton(const char *string, struct sockaddr *sa)
Parse socket address.
Definition: socket.c:59
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
sa_family_t
uint16_t sa_family_t
A socket address family.
Definition: socket.h:85
sa
struct sockaddr sa
Definition: syslog.c:55
in6_addr
IP6 address structure.
Definition: in.h:48
sockaddr
Generalized socket address structure.
Definition: socket.h:96
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
in_addr
IP address structure.
Definition: in.h:39
sockaddr_in::sin_addr
struct in_addr sin_addr
IPv4 address.
Definition: in.h:98
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
sock_ntoa
const char * sock_ntoa(struct sockaddr *sa)
Transcribe socket address.
Definition: socket.c:42
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
sockaddr_in6
IPv6 socket address.
Definition: in.h:115
sin
struct sockaddr_in sin
Definition: syslog.c:57
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
AF_INET
#define AF_INET
IPv4 Internet addresses.
Definition: socket.h:63
sockaddr_in6::sin6_addr
struct in6_addr sin6_addr
IPv6 address.
Definition: in.h:132

References address, AF_INET, AF_INET6, DBGC, DBGC2, DBGC_HDA, EINVAL, ENOENT, memcmp(), name, raw, rc, sa, sockaddr::sa_family, sin, sin6, sockaddr_in6::sin6_addr, sockaddr_in::sin_addr, sock_aton(), sock_ntoa(), strerror(), and x509_name().

Referenced by x509_check_alt_name().

◆ x509_check_alt_name()

static int x509_check_alt_name ( struct x509_certificate cert,
const struct asn1_cursor raw,
const char *  name 
)
static

Check X.509 certificate alternative name.

Parameters
certX.509 certificate
rawASN.1 cursor
nameName
Return values
rcReturn status code

Definition at line 1537 of file x509.c.

1539  {
1540  struct asn1_cursor alt_name;
1541  unsigned int type;
1542 
1543  /* Enter generalName */
1544  memcpy ( &alt_name, raw, sizeof ( alt_name ) );
1545  type = asn1_type ( &alt_name );
1546  asn1_enter_any ( &alt_name );
1547 
1548  /* Check this name */
1549  switch ( type ) {
1550  case X509_GENERAL_NAME_DNS :
1551  return x509_check_dnsname ( cert, &alt_name, name );
1552  case X509_GENERAL_NAME_IP :
1553  return x509_check_ipaddress ( cert, &alt_name, name );
1554  default:
1555  DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
1556  cert, x509_name ( cert ), type );
1557  DBGC2_HDA ( cert, 0, alt_name.data, alt_name.len );
1558  return -ENOTSUP;
1559  }
1560 }
name
const char * name
Definition: ath9k_hw.c:1984
asn1_type
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
Definition: asn1.h:380
ENOTSUP
#define ENOTSUP
Operation not supported.
Definition: errno.h:589
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
x509_check_dnsname
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition: x509.c:1445
DBGC2_HDA
#define DBGC2_HDA(...)
Definition: compiler.h:523
asn1_enter_any
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
Definition: asn1.c:266
x509_check_ipaddress
static int x509_check_ipaddress(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative iPAddress.
Definition: x509.c:1486
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
type
uint32_t type
Operating system type.
Definition: ena.h:12
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter_any(), asn1_type(), asn1_cursor::data, DBGC2, DBGC2_HDA, ENOTSUP, asn1_cursor::len, memcpy(), name, raw, type, x509_check_dnsname(), x509_check_ipaddress(), X509_GENERAL_NAME_DNS, X509_GENERAL_NAME_IP, and x509_name().

Referenced by x509_check_name().

◆ x509_check_name()

int x509_check_name ( struct x509_certificate cert,
const char *  name 
)

Check X.509 certificate name.

Parameters
certX.509 certificate
nameName
Return values
rcReturn status code

Definition at line 1569 of file x509.c.

1569  {
1570  struct asn1_cursor *common_name = &cert->subject.common_name;
1571  struct asn1_cursor alt_name;
1572  int rc;
1573 
1574  /* Check commonName */
1575  if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
1576  DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
1577  cert, x509_name ( cert ), name );
1578  return 0;
1579  }
1580 
1581  /* Check any subjectAlternativeNames */
1582  memcpy ( &alt_name, &cert->extensions.alt_name.names,
1583  sizeof ( alt_name ) );
1584  for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
1585  if ( ( rc = x509_check_alt_name ( cert, &alt_name,
1586  name ) ) == 0 ) {
1587  DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
1588  "\"%s\"\n", cert, x509_name ( cert ), name );
1589  return 0;
1590  }
1591  }
1592 
1593  DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
1594  cert, x509_name ( cert ), name );
1595  return -EACCES_WRONG_NAME;
1596 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
name
const char * name
Definition: ath9k_hw.c:1984
x509_subject_alt_name::names
struct asn1_cursor names
Names.
Definition: x509.h:144
x509_check_alt_name
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
Definition: x509.c:1537
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
EACCES_WRONG_NAME
#define EACCES_WRONG_NAME
Definition: x509.c:117
x509_check_dnsname
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition: x509.c:1445
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
x509_subject::common_name
struct asn1_cursor common_name
Common name.
Definition: x509.h:62
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
x509_extensions::alt_name
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition: x509.h:165
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

◆ x509_free_chain()

static void x509_free_chain ( struct refcnt refcnt)
static

Free X.509 certificate chain.

Parameters
refcntReference count

Definition at line 1603 of file x509.c.

1603  {
1604  struct x509_chain *chain =
1605  container_of ( refcnt, struct x509_chain, refcnt );
1606 
1607  DBGC2 ( chain, "X509 chain %p freed\n", chain );
1608 
1609  /* Free chain */
1610  x509_truncate ( chain, NULL );
1611  assert ( list_empty ( &chain->links ) );
1612  free ( chain );
1613 }
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
x509_truncate
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition: x509.c:1698
refcnt
A reference counter.
Definition: refcnt.h:26
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
x509_chain
An X.509 certificate chain.
Definition: x509.h:199
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References assert(), container_of, DBGC2, free, x509_chain::links, list_empty, NULL, and x509_truncate().

Referenced by x509_alloc_chain().

◆ x509_alloc_chain()

struct x509_chain* x509_alloc_chain ( void  )

Allocate X.509 certificate chain.

Return values
chainX.509 certificate chain, or NULL

Definition at line 1620 of file x509.c.

1620  {
1621  struct x509_chain *chain;
1622 
1623  /* Allocate chain */
1624  chain = zalloc ( sizeof ( *chain ) );
1625  if ( ! chain )
1626  return NULL;
1627 
1628  /* Initialise chain */
1629  ref_init ( &chain->refcnt, x509_free_chain );
1630  INIT_LIST_HEAD ( &chain->links );
1631 
1632  DBGC2 ( chain, "X509 chain %p allocated\n", chain );
1633  return chain;
1634 }
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
x509_free_chain
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
Definition: x509.c:1603
x509_chain
An X.509 certificate chain.
Definition: x509.h:199
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_chain::refcnt
struct refcnt refcnt
Reference count.
Definition: x509.h:201

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse(), cms_signature(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

◆ x509_append()

int x509_append ( struct x509_chain chain,
struct x509_certificate cert 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certX.509 certificate
Return values
rcReturn status code

Definition at line 1643 of file x509.c.

1643  {
1644  struct x509_link *link;
1645 
1646  /* Allocate link */
1647  link = zalloc ( sizeof ( *link ) );
1648  if ( ! link )
1649  return -ENOMEM;
1650 
1651  /* Add link to chain */
1652  link->cert = x509_get ( cert );
1653  list_add_tail ( &link->list, &chain->links );
1654  DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
1655  chain, cert, x509_name ( cert ) );
1656 
1657  return 0;
1658 }
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:258
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_link::cert
struct x509_certificate * cert
Certificate.
Definition: x509.h:173
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
list_add_tail
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, x509_get(), x509_name(), and zalloc().

Referenced by cms_parse_signer_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

◆ x509_append_raw()

int x509_append_raw ( struct x509_chain chain,
const void *  data,
size_t  len 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
dataRaw certificate data
lenLength of raw data
Return values
rcReturn status code

Definition at line 1668 of file x509.c.

1669  {
1670  struct x509_certificate *cert;
1671  int rc;
1672 
1673  /* Parse certificate */
1674  if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
1675  goto err_parse;
1676 
1677  /* Append certificate to chain */
1678  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1679  goto err_append;
1680 
1681  /* Drop reference to certificate */
1682  x509_put ( cert );
1683 
1684  return 0;
1685 
1686  err_append:
1687  x509_put ( cert );
1688  err_parse:
1689  return rc;
1690 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1643
x509_certificate
An X.509 certificate.
Definition: x509.h:207
len
uint32_t len
Length.
Definition: ena.h:14
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), tls_parse_chain(), and validator_append().

◆ x509_truncate()

void x509_truncate ( struct x509_chain chain,
struct x509_link link 
)

Truncate X.509 certificate chain.

Parameters
chainX.509 certificate chain
linkLink after which to truncate chain, or NULL

Definition at line 1698 of file x509.c.

1698  {
1699  struct x509_link *tmp;
1700 
1701  /* Truncate entire chain if no link is specified */
1702  if ( ! link )
1703  link = list_entry ( &chain->links, struct x509_link, list );
1704 
1705  /* Free each link in the chain */
1706  list_for_each_entry_safe_continue ( link, tmp, &chain->links, list ) {
1707  x509_put ( link->cert );
1708  list_del ( &link->list );
1709  free ( link );
1710  }
1711 }
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
tmp
unsigned long tmp
Definition: linux_pci.h:53
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
list_for_each_entry_safe_continue
#define list_for_each_entry_safe_continue(pos, tmp, head, member)
Iterate over subsequent entries in a list, safe against deletion.
Definition: list.h:500
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
list_entry
#define list_entry(list, type, member)
Get the container of a list entry.
Definition: list.h:321

References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().

Referenced by validator_append(), x509_free_chain(), and x509_test_exec().

◆ x509_find_subject()

static struct x509_certificate* x509_find_subject ( struct x509_chain certs,
const struct asn1_cursor subject 
)
static

Identify X.509 certificate by subject.

Parameters
certsX.509 certificate list
subjectSubject
Return values
certX.509 certificate, or NULL if not found

Definition at line 1721 of file x509.c.

1722  {
1723  struct x509_link *link;
1724  struct x509_certificate *cert;
1725 
1726  /* Scan through certificate list */
1727  list_for_each_entry ( link, &certs->links, list ) {
1728 
1729  /* Check subject */
1730  cert = link->cert;
1731  if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
1732  return cert;
1733  }
1734 
1735  return NULL;
1736 }
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
x509_certificate
An X.509 certificate.
Definition: x509.h:207
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
x509_subject::raw
struct asn1_cursor raw
Raw subject.
Definition: x509.h:60
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), link, x509_chain::links, list_for_each_entry, NULL, x509_subject::raw, and x509_certificate::subject.

Referenced by x509_auto_append().

◆ x509_auto_append()

int x509_auto_append ( struct x509_chain chain,
struct x509_chain certs 
)

Append X.509 certificates to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certsX.509 certificate list
Return values
rcReturn status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1748 of file x509.c.

1748  {
1749  struct x509_certificate *cert;
1750  struct x509_certificate *previous;
1751  int rc;
1752 
1753  /* Get current certificate */
1754  cert = x509_last ( chain );
1755  if ( ! cert ) {
1756  DBGC ( chain, "X509 chain %p has no certificates\n", chain );
1757  return -EACCES_EMPTY;
1758  }
1759 
1760  /* Append certificates, in order */
1761  while ( 1 ) {
1762 
1763  /* Find issuing certificate */
1764  previous = cert;
1765  cert = x509_find_subject ( certs, &cert->issuer.raw );
1766  if ( ! cert )
1767  break;
1768  if ( cert == previous )
1769  break;
1770 
1771  /* Append certificate to chain */
1772  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1773  return rc;
1774  }
1775 
1776  return 0;
1777 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_issuer::raw
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
EACCES_EMPTY
#define EACCES_EMPTY
Definition: x509.c:109
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1643
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:316
x509_certificate
An X.509 certificate.
Definition: x509.h:207
x509_find_subject
static struct x509_certificate * x509_find_subject(struct x509_chain *certs, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
Definition: x509.c:1721

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_signer_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

◆ x509_validate_chain()

int x509_validate_chain ( struct x509_chain chain,
time_t  time,
struct x509_chain store,
struct x509_root root 
)

Validate X.509 certificate chain.

Parameters
chainX.509 certificate chain
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 1788 of file x509.c.

1789  {
1790  struct x509_certificate *issuer = NULL;
1791  struct x509_link *link;
1792  int rc;
1793 
1794  /* Use default certificate store if none specified */
1795  if ( ! store )
1796  store = &certstore;
1797 
1798  /* Append any applicable certificates from the certificate store */
1799  if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
1800  return rc;
1801 
1802  /* Find first certificate that can be validated as a
1803  * standalone (i.e. is already valid, or can be validated as
1804  * a trusted root certificate).
1805  */
1806  list_for_each_entry ( link, &chain->links, list ) {
1807 
1808  /* Try validating this certificate as a standalone */
1809  if ( ( rc = x509_validate ( link->cert, NULL, time,
1810  root ) ) != 0 )
1811  continue;
1812 
1813  /* Work back up to start of chain, performing pairwise
1814  * validation.
1815  */
1816  issuer = link->cert;
1817  list_for_each_entry_continue_reverse ( link, &chain->links,
1818  list ) {
1819 
1820  /* Validate this certificate against its issuer */
1821  if ( ( rc = x509_validate ( link->cert, issuer, time,
1822  root ) ) != 0 )
1823  return rc;
1824  issuer = link->cert;
1825  }
1826 
1827  return 0;
1828  }
1829 
1830  DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
1831  return -EACCES_USELESS;
1832 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
root
struct stp_switch root
Root switch.
Definition: stp.h:26
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:203
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
DBGC
#define DBGC(...)
Definition: compiler.h:505
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
x509_validate
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition: x509.c:1371
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
x509_certificate
An X.509 certificate.
Definition: x509.h:207
list_for_each_entry_continue_reverse
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
Definition: list.h:486
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *certs)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1748
EACCES_USELESS
#define EACCES_USELESS
Definition: x509.c:121
time
uint64_t time
Current time.
Definition: ntlm.h:20
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References certstore, DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, time, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer_info(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

◆ image_x509()

int image_x509 ( struct image image,
size_t  offset,
struct x509_certificate **  cert 
)

Extract X.509 certificate object from image.

Parameters
imageImage
offsetOffset within image
Return values
certX.509 certificate
nextOffset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1845 of file x509.c.

1846  {
1847  struct asn1_cursor *cursor;
1848  int next;
1849  int rc;
1850 
1851  /* Get ASN.1 object */
1852  next = image_asn1 ( image, offset, &cursor );
1853  if ( next < 0 ) {
1854  rc = next;
1855  goto err_asn1;
1856  }
1857 
1858  /* Parse certificate */
1859  if ( ( rc = x509_certificate ( cursor->data, cursor->len,
1860  cert ) ) != 0 )
1861  goto err_certificate;
1862 
1863  /* Free ASN.1 object */
1864  free ( cursor );
1865 
1866  return next;
1867 
1868  x509_put ( *cert );
1869  err_certificate:
1870  free ( cursor );
1871  err_asn1:
1872  return rc;
1873 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
next
uint32_t next
Next descriptor address.
Definition: myson.h:18
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
image_asn1
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition: asn1.c:880
image
An executable image.
Definition: image.h:24
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
offset
static userptr_t size_t offset
Offset of the first segment within the content.
Definition: deflate.h:259
x509_certificate
An X.509 certificate.
Definition: x509.h:207
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

◆ REQUIRING_SYMBOL()

REQUIRING_SYMBOL ( x509_validate  )

◆ REQUIRE_OBJECT() [1/2]

REQUIRE_OBJECT ( certstore  )

◆ REQUIRE_OBJECT() [2/2]

REQUIRE_OBJECT ( config_crypto  )

Variable Documentation

◆ oid_common_name

uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME }
static

"commonName" object identifier

Definition at line 169 of file x509.c.

◆ oid_common_name_cursor

struct asn1_cursor oid_common_name_cursor
static
Initial value:
=
ASN1_CURSOR ( oid_common_name )
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:305
oid_common_name
static uint8_t oid_common_name[]
"commonName" object identifier
Definition: x509.c:169

"commonName" object identifier cursor

Definition at line 172 of file x509.c.

Referenced by x509_parse_common_name().

◆ oid_code_signing

uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING }
static

"id-kp-codeSigning" object identifier

Definition at line 530 of file x509.c.

◆ oid_ocsp_signing

uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING }
static

"id-kp-OCSPSigning" object identifier

Definition at line 533 of file x509.c.

◆ x509_key_purposes

struct x509_key_purpose x509_key_purposes[]
static
Initial value:
= {
{
.name = "codeSigning",
.bits = X509_CODE_SIGNING,
.oid = ASN1_CURSOR ( oid_code_signing ),
},
{
.name = "ocspSigning",
.bits = X509_OCSP_SIGNING,
.oid = ASN1_CURSOR ( oid_ocsp_signing ),
},
}
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:305
oid_code_signing
static uint8_t oid_code_signing[]
"id-kp-codeSigning" object identifier
Definition: x509.c:530
oid_ocsp_signing
static uint8_t oid_ocsp_signing[]
"id-kp-OCSPSigning" object identifier
Definition: x509.c:533

Supported key purposes.

Definition at line 536 of file x509.c.

Referenced by x509_parse_key_purpose().

◆ oid_ad_ocsp

uint8_t oid_ad_ocsp[] = { ASN1_OID_OCSP }
static

"id-ad-ocsp" object identifier

Definition at line 642 of file x509.c.

◆ x509_access_methods

struct x509_access_method x509_access_methods[]
static
Initial value:
= {
{
.name = "OCSP",
.oid = ASN1_CURSOR ( oid_ad_ocsp ),
.parse = x509_parse_ocsp,
},
}
x509_parse_ocsp
static int x509_parse_ocsp(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate OCSP access method.
Definition: x509.c:621
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:305
oid_ad_ocsp
static uint8_t oid_ad_ocsp[]
"id-ad-ocsp" object identifier
Definition: x509.c:642

Supported access methods.

Definition at line 645 of file x509.c.

Referenced by x509_find_access_method().

◆ oid_ce_basic_constraints

uint8_t oid_ce_basic_constraints[]
static
Initial value:
=
{ ASN1_OID_BASICCONSTRAINTS }
ASN1_OID_BASICCONSTRAINTS
#define ASN1_OID_BASICCONSTRAINTS
ASN.1 OID for id-ce-basicConstraints (2.5.29.19)
Definition: asn1.h:248

"id-ce-basicConstraints" object identifier

Definition at line 762 of file x509.c.

◆ oid_ce_key_usage

uint8_t oid_ce_key_usage[]
static
Initial value:
=
{ ASN1_OID_KEYUSAGE }
ASN1_OID_KEYUSAGE
#define ASN1_OID_KEYUSAGE
ASN.1 OID for id-ce-keyUsage (2.5.29.15)
Definition: asn1.h:243

"id-ce-keyUsage" object identifier

Definition at line 766 of file x509.c.

◆ oid_ce_ext_key_usage

uint8_t oid_ce_ext_key_usage[]
static
Initial value:
=
{ ASN1_OID_EXTKEYUSAGE }
ASN1_OID_EXTKEYUSAGE
#define ASN1_OID_EXTKEYUSAGE
ASN.1 OID for id-ce-extKeyUsage (2.5.29.37)
Definition: asn1.h:253

"id-ce-extKeyUsage" object identifier

Definition at line 770 of file x509.c.

◆ oid_pe_authority_info_access

uint8_t oid_pe_authority_info_access[]
static
Initial value:
=
{ ASN1_OID_AUTHORITYINFOACCESS }
ASN1_OID_AUTHORITYINFOACCESS
#define ASN1_OID_AUTHORITYINFOACCESS
ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1)
Definition: asn1.h:271

"id-pe-authorityInfoAccess" object identifier

Definition at line 774 of file x509.c.

◆ oid_ce_subject_alt_name

uint8_t oid_ce_subject_alt_name[]
static
Initial value:
=
{ ASN1_OID_SUBJECTALTNAME }
ASN1_OID_SUBJECTALTNAME
#define ASN1_OID_SUBJECTALTNAME
ASN.1 OID for id-ce-subjectAltName (2.5.29.17)
Definition: asn1.h:300

"id-ce-subjectAltName" object identifier

Definition at line 778 of file x509.c.

◆ x509_extensions

struct x509_extension x509_extensions[]
static
Initial value:
= {
{
.name = "basicConstraints",
.oid = ASN1_CURSOR ( oid_ce_basic_constraints ),
.parse = x509_parse_basic_constraints,
},
{
.name = "keyUsage",
.oid = ASN1_CURSOR ( oid_ce_key_usage ),
.parse = x509_parse_key_usage,
},
{
.name = "extKeyUsage",
.oid = ASN1_CURSOR ( oid_ce_ext_key_usage ),
.parse = x509_parse_extended_key_usage,
},
{
.name = "authorityInfoAccess",
.oid = ASN1_CURSOR ( oid_pe_authority_info_access ),
.parse = x509_parse_authority_info_access,
},
{
.name = "subjectAltName",
.oid = ASN1_CURSOR ( oid_ce_subject_alt_name ),
.parse = x509_parse_subject_alt_name,
},
}
x509_parse_key_usage
static int x509_parse_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key usage.
Definition: x509.c:497
oid_ce_basic_constraints
static uint8_t oid_ce_basic_constraints[]
"id-ce-basicConstraints" object identifier
Definition: x509.c:762
x509_parse_basic_constraints
static int x509_parse_basic_constraints(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate basic constraints.
Definition: x509.c:435
x509_parse_extended_key_usage
static int x509_parse_extended_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extended key usage.
Definition: x509.c:595
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:305
oid_ce_subject_alt_name
static uint8_t oid_ce_subject_alt_name[]
"id-ce-subjectAltName" object identifier
Definition: x509.c:778
oid_pe_authority_info_access
static uint8_t oid_pe_authority_info_access[]
"id-pe-authorityInfoAccess" object identifier
Definition: x509.c:774
x509_parse_subject_alt_name
static int x509_parse_subject_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject alternative name.
Definition: x509.c:741
x509_parse_authority_info_access
static int x509_parse_authority_info_access(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate authority information access.
Definition: x509.c:714
oid_ce_key_usage
static uint8_t oid_ce_key_usage[]
"id-ce-keyUsage" object identifier
Definition: x509.c:766
oid_ce_ext_key_usage
static uint8_t oid_ce_ext_key_usage[]
"id-ce-extKeyUsage" object identifier
Definition: x509.c:770

Supported certificate extensions.

Definition at line 782 of file x509.c.

Referenced by x509_find_extension().

Generated by   doxygen 1.8.15