iPXE
Macros | Functions | Variables
certstore.c File Reference

Certificate store. More...

#include <string.h>
#include <stdlib.h>
#include <ipxe/init.h>
#include <ipxe/dhcp.h>
#include <ipxe/settings.h>
#include <ipxe/malloc.h>
#include <ipxe/crypto.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/certstore.h>

Go to the source code of this file.

Macros

#define CERT(_index, _path)
 Raw certificate data for all permanent stored certificates. More...
 
#define CERT(_index, _path)
 Raw certificate data for all permanent stored certificates. More...
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static struct x509_certificatecertstore_found (struct x509_certificate *cert)
 Mark stored certificate as most recently used. More...
 
struct x509_certificatecertstore_find (struct asn1_cursor *raw)
 Find certificate in store. More...
 
struct x509_certificatecertstore_find_key (struct private_key *key)
 Find certificate in store corresponding to a private key. More...
 
void certstore_add (struct x509_certificate *cert)
 Add certificate to store. More...
 
void certstore_del (struct x509_certificate *cert)
 Remove certificate from store. More...
 
static unsigned int certstore_discard (void)
 Discard a stored certificate. More...
 
struct cache_discarder certstore_discarder __cache_discarder (CACHE_NORMAL)
 Certificate store cache discarder. More...
 
static void certstore_init (void)
 Construct permanent certificate store. More...
 
struct init_fn certstore_init_fn __init_fn (INIT_LATE)
 Certificate store initialisation function. More...
 
static struct setting cert_setting __setting (SETTING_CRYPTO, cert)
 Additional certificate setting. More...
 
static int certstore_apply_settings (void)
 Apply certificate store configuration settings. More...
 

Variables

static struct asn1_cursor certstore_raw []
 
static struct x509_certificate certstore_certs [sizeof(certstore_raw)/sizeof(certstore_raw[0])]
 X.509 certificate structures for all permanent stored certificates. More...
 
struct x509_chain certstore
 Certificate store. More...
 
struct settings_applicator certstore_applicator __settings_applicator
 Certificate store settings applicator. More...
 

Detailed Description

Certificate store.

Definition in file certstore.c.

Macro Definition Documentation

◆ CERT [1/2]

#define CERT (   _index,
  _path 
)
Value:
extern char stored_cert_ ## _index ## _data[]; \
extern char stored_cert_ ## _index ## _len[]; \
__asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t" \
"\nstored_cert_" #_index "_data:\n\t" \
".incbin \"" _path "\"\n\t" \
"\nstored_cert_" #_index "_end:\n\t" \
".equ stored_cert_" #_index "_len, " \
"( stored_cert_" #_index "_end - " \
" stored_cert_" #_index "_data )\n\t" \
".previous\n\t" );
PROGBITS
#define PROGBITS
Definition: compiler.h:61

Raw certificate data for all permanent stored certificates.

Raw certificate cursors for all permanent stored certificates.

Definition at line 60 of file certstore.c.

◆ CERT [2/2]

#define CERT (   _index,
  _path 
)
Value:
{ \
.data = stored_cert_ ## _index ## _data, \
.len = ( size_t ) stored_cert_ ## _index ## _len, \
},
size_t
__SIZE_TYPE__ size_t
Definition: stdint.h:6

Raw certificate data for all permanent stored certificates.

Raw certificate cursors for all permanent stored certificates.

Definition at line 60 of file certstore.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ certstore_found()

static struct x509_certificate* certstore_found ( struct x509_certificate cert)
static

Mark stored certificate as most recently used.

Parameters
certX.509 certificate
Return values
certX.509 certificate

Definition at line 85 of file certstore.c.

85  {
86 
87  /* Mark as most recently used */
88  list_del ( &cert->store.list );
89  list_add ( &cert->store.list, &certstore.links );
90  DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",
91  x509_name ( cert ) );
92 
93  return cert;
94 }
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190

References certstore, DBGC2, x509_chain::links, x509_link::list, list_add, list_del, x509_certificate::store, and x509_name().

Referenced by certstore_find(), and certstore_find_key().

◆ certstore_find()

struct x509_certificate* certstore_find ( struct asn1_cursor raw)

Find certificate in store.

Parameters
rawRaw certificate data
Return values
certX.509 certificate, or NULL if not found

Definition at line 102 of file certstore.c.

102  {
103  struct x509_certificate *cert;
104 
105  /* Search for certificate within store */
106  list_for_each_entry ( cert, &certstore.links, store.list ) {
107  if ( asn1_compare ( raw, &cert->raw ) == 0 )
108  return certstore_found ( cert );
109  }
110  return NULL;
111 }
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
x509_certificate
An X.509 certificate.
Definition: x509.h:185
certstore_found
static struct x509_certificate * certstore_found(struct x509_certificate *cert)
Mark stored certificate as most recently used.
Definition: certstore.c:85
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
x509_certificate::raw
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:200
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), certstore, certstore_found(), x509_chain::links, x509_link::list, list_for_each_entry, NULL, raw, x509_certificate::raw, and x509_certificate::store.

Referenced by certstore_init(), and x509_certificate().

◆ certstore_find_key()

struct x509_certificate* certstore_find_key ( struct private_key key)

Find certificate in store corresponding to a private key.

Parameters
keyPrivate key
Return values
certX.509 certificate, or NULL if not found

Definition at line 119 of file certstore.c.

119  {
120  struct x509_certificate *cert;
121 
122  /* Search for certificate within store */
123  list_for_each_entry ( cert, &certstore.links, store.list ) {
124  if ( pubkey_match ( cert->signature_algorithm->pubkey,
125  key->builder.data, key->builder.len,
126  cert->subject.public_key.raw.data,
127  cert->subject.public_key.raw.len ) == 0 )
128  return certstore_found ( cert );
129  }
130  return NULL;
131 }
x509_public_key::raw
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:50
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
pubkey_match
static int pubkey_match(struct pubkey_algorithm *pubkey, const void *private_key, size_t private_key_len, const void *public_key, size_t public_key_len)
Definition: crypto.h:297
x509_certificate::signature_algorithm
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:208
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
asn1_algorithm::pubkey
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:312
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
x509_certificate
An X.509 certificate.
Definition: x509.h:185
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:214
certstore_found
static struct x509_certificate * certstore_found(struct x509_certificate *cert)
Mark stored certificate as most recently used.
Definition: certstore.c:85
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
key
union @382 key
Sense key.
Definition: scsi.h:18

References certstore, certstore_found(), asn1_cursor::data, key, asn1_cursor::len, x509_chain::links, x509_link::list, list_for_each_entry, NULL, asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, and x509_certificate::subject.

Referenced by tls_new_certificate_request().

◆ certstore_add()

void certstore_add ( struct x509_certificate cert)

Add certificate to store.

Parameters
certX.509 certificate

Definition at line 138 of file certstore.c.

138  {
139 
140  /* Add certificate to store */
141  cert->store.cert = cert;
142  x509_get ( cert );
143  list_add ( &cert->store.list, &certstore.links );
144  DBGC ( &certstore, "CERTSTORE added certificate %s\n",
145  x509_name ( cert ) );
146 }
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_link::cert
struct x509_certificate * cert
Certificate.
Definition: x509.h:173
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190

References x509_link::cert, certstore, DBGC, x509_chain::links, x509_link::list, list_add, x509_certificate::store, x509_get(), and x509_name().

Referenced by certstore_init(), and x509_certificate().

◆ certstore_del()

void certstore_del ( struct x509_certificate cert)

Remove certificate from store.

Parameters
certX.509 certificate

Definition at line 153 of file certstore.c.

153  {
154 
155  /* Ignore attempts to remove permanent certificates */
156  if ( cert->flags & X509_FL_PERMANENT )
157  return;
158 
159  /* Remove certificate from store */
160  DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
161  x509_name ( cert ) );
162  list_del ( &cert->store.list );
163  x509_put ( cert );
164 }
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_certificate::flags
unsigned int flags
Flags.
Definition: x509.h:193
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
X509_FL_PERMANENT
Certificate was added at build time.
Definition: x509.h:224
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190

References certstore, DBGC, x509_certificate::flags, x509_link::list, list_del, x509_certificate::store, X509_FL_PERMANENT, x509_name(), and x509_put().

Referenced by certfree_payload(), and certstore_discard().

◆ certstore_discard()

static unsigned int certstore_discard ( void  )
static

Discard a stored certificate.

Return values
discardedNumber of cached items discarded

Definition at line 171 of file certstore.c.

171  {
172  struct x509_certificate *cert;
173 
174  /* Discard the least recently used certificate for which the
175  * only reference is held by the store itself.
176  */
177  list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
178 
179  /* Skip certificates for which another reference is held */
180  if ( cert->refcnt.count > 0 )
181  continue;
182 
183  /* Skip certificates that were added at build time or
184  * added explicitly at run time.
185  */
186  if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
187  continue;
188 
189  /* Discard certificate */
190  certstore_del ( cert );
191  return 1;
192  }
193 
194  return 0;
195 }
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_certificate::refcnt
struct refcnt refcnt
Reference count.
Definition: x509.h:187
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
x509_link::list
struct list_head list
List of links.
Definition: x509.h:171
certstore_del
void certstore_del(struct x509_certificate *cert)
Remove certificate from store.
Definition: certstore.c:153
x509_certificate::flags
unsigned int flags
Flags.
Definition: x509.h:193
refcnt::count
int count
Current reference count.
Definition: refcnt.h:32
list_for_each_entry_reverse
#define list_for_each_entry_reverse(pos, head, member)
Iterate over entries in a list in reverse order.
Definition: list.h:433
x509_certificate
An X.509 certificate.
Definition: x509.h:185
X509_FL_PERMANENT
Certificate was added at build time.
Definition: x509.h:224
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:190
X509_FL_EXPLICIT
Certificate was added explicitly at run time.
Definition: x509.h:226

References certstore, certstore_del(), refcnt::count, x509_certificate::flags, x509_chain::links, x509_link::list, list_for_each_entry_reverse, x509_certificate::refcnt, x509_certificate::store, X509_FL_EXPLICIT, and X509_FL_PERMANENT.

◆ __cache_discarder()

struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL  )

Certificate store cache discarder.

◆ certstore_init()

static void certstore_init ( void  )
static

Construct permanent certificate store.

Definition at line 206 of file certstore.c.

206  {
207  struct asn1_cursor *raw;
208  struct x509_certificate *cert;
209  int i;
210  int rc;
211 
212  /* Skip if we have no permanent stored certificates */
213  if ( ! sizeof ( certstore_raw ) )
214  return;
215 
216  /* Add certificates */
217  for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
218  sizeof ( certstore_raw[0] ) ) ; i++ ) {
219 
220  /* Skip if certificate already present in store */
221  raw = &certstore_raw[i];
222  if ( ( cert = certstore_find ( raw ) ) != NULL ) {
223  DBGC ( &certstore, "CERTSTORE permanent certificate %d "
224  "is a duplicate of %s\n", i, x509_name ( cert ));
225  continue;
226  }
227 
228  /* Parse certificate */
229  cert = &certstore_certs[i];
230  ref_init ( &cert->refcnt, ref_no_free );
231  if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
232  DBGC ( &certstore, "CERTSTORE could not parse "
233  "permanent certificate %d: %s\n",
234  i, strerror ( rc ) );
235  continue;
236  }
237 
238  /* Add certificate to store. Certificate will never
239  * be discarded from the store, since we retain a
240  * permanent reference to it.
241  */
242  certstore_add ( cert );
243  cert->flags |= X509_FL_PERMANENT;
244  DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
245  i, x509_name ( cert ) );
246  }
247 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_certificate::refcnt
struct refcnt refcnt
Reference count.
Definition: x509.h:187
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
certstore_raw
static struct asn1_cursor certstore_raw[]
Definition: certstore.c:64
DBGC
#define DBGC(...)
Definition: compiler.h:505
certstore_add
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:138
x509_certificate::flags
unsigned int flags
Flags.
Definition: x509.h:193
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:185
certstore_find
struct x509_certificate * certstore_find(struct asn1_cursor *raw)
Find certificate in store.
Definition: certstore.c:102
X509_FL_PERMANENT
Certificate was added at build time.
Definition: x509.h:224
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
certstore_certs
static struct x509_certificate certstore_certs[sizeof(certstore_raw)/sizeof(certstore_raw[0])]
X.509 certificate structures for all permanent stored certificates.
Definition: certstore.c:69
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition: refcnt.c:101
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_parse
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1003

References certstore, certstore_add(), certstore_certs, certstore_find(), certstore_raw, DBGC, x509_certificate::flags, NULL, raw, rc, ref_init, ref_no_free(), x509_certificate::refcnt, strerror(), X509_FL_PERMANENT, x509_name(), and x509_parse().

◆ __init_fn()

struct init_fn certstore_init_fn __init_fn ( INIT_LATE  )

Certificate store initialisation function.

◆ __setting()

static struct setting cert_setting __setting ( SETTING_CRYPTO  ,
cert   
)
static

Additional certificate setting.

◆ certstore_apply_settings()

static int certstore_apply_settings ( void  )
static

Apply certificate store configuration settings.

Return values
rcReturn status code

Definition at line 267 of file certstore.c.

267  {
268  static struct x509_certificate *cert = NULL;
269  struct x509_certificate *old_cert;
270  void *cert_data;
271  int len;
272  int rc;
273 
274  /* Record any existing additional certificate */
275  old_cert = cert;
276  cert = NULL;
277 
278  /* Add additional certificate, if any */
279  if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
280  &cert_data ) ) >= 0 ) {
281  if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
282  DBGC ( &certstore, "CERTSTORE added additional "
283  "certificate %s\n", x509_name ( cert ) );
284  } else {
285  DBGC ( &certstore, "CERTSTORE could not parse "
286  "additional certificate: %s\n",
287  strerror ( rc ) );
288  /* Do not fail; leave as an unusable certificate */
289  }
290  free ( cert_data );
291  }
292 
293  /* Free old additional certificiate. Do this after reparsing
294  * the additional certificate; in the common case that the
295  * certificate has not changed, this will allow the stored
296  * certificate to be reused.
297  */
298  x509_put ( old_cert );
299 
300  return 0;
301 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
fetch_raw_setting_copy
int fetch_raw_setting_copy(struct settings *settings, const struct setting *setting, void **data)
Fetch value of setting.
Definition: settings.c:821
DBGC
#define DBGC(...)
Definition: compiler.h:505
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:185
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
len
uint32_t len
Length.
Definition: ena.h:14
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References certstore, DBGC, fetch_raw_setting_copy(), free, len, NULL, rc, strerror(), x509_name(), and x509_put().

Variable Documentation

◆ certstore_raw

struct asn1_cursor certstore_raw[]
static
Initial value:
= {
CERT_ALL
}

Definition at line 64 of file certstore.c.

Referenced by certstore_init().

◆ certstore_certs

struct x509_certificate certstore_certs[sizeof(certstore_raw)/ sizeof(certstore_raw[0])]
static

X.509 certificate structures for all permanent stored certificates.

Definition at line 69 of file certstore.c.

Referenced by certstore_init().

◆ certstore

struct x509_chain certstore
Initial value:
= {
.refcnt = REF_INIT ( ref_no_free ),
.links = LIST_HEAD_INIT ( certstore.links ),
}
certstore
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:181
REF_INIT
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition: refcnt.h:77
LIST_HEAD_INIT
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition: list.h:30
ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition: refcnt.c:101

Certificate store.

Definition at line 73 of file certstore.c.

Referenced by certstore_add(), certstore_apply_settings(), certstore_del(), certstore_discard(), certstore_find(), certstore_find_key(), certstore_found(), certstore_init(), tls_new_certificate_request(), and x509_validate_chain().

◆ __settings_applicator

struct settings_applicator certstore_applicator __settings_applicator
Initial value:
= {
.apply = certstore_apply_settings,
}
certstore_apply_settings
static int certstore_apply_settings(void)
Apply certificate store configuration settings.
Definition: certstore.c:267

Certificate store settings applicator.

Definition at line 304 of file certstore.c.

Generated by   doxygen 1.8.15