iPXE
certstore.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 #include <string.h>
27 #include <stdlib.h>
28 #include <ipxe/init.h>
29 #include <ipxe/dhcp.h>
30 #include <ipxe/settings.h>
31 #include <ipxe/malloc.h>
32 #include <ipxe/crypto.h>
33 #include <ipxe/asn1.h>
34 #include <ipxe/x509.h>
35 #include <ipxe/certstore.h>
36 
37 /** @file
38  *
39  * Certificate store
40  *
41  */
42 
43 /** Raw certificate data for all permanent stored certificates */
44 #undef CERT
45 #define CERT( _index, _path ) \
46  extern char stored_cert_ ## _index ## _data[]; \
47  extern char stored_cert_ ## _index ## _len[]; \
48  __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t" \
49  "\nstored_cert_" #_index "_data:\n\t" \
50  ".incbin \"" _path "\"\n\t" \
51  "\nstored_cert_" #_index "_end:\n\t" \
52  ".equ stored_cert_" #_index "_len, " \
53  "( stored_cert_" #_index "_end - " \
54  " stored_cert_" #_index "_data )\n\t" \
55  ".previous\n\t" );
56 CERT_ALL
57 
58 /** Raw certificate cursors for all permanent stored certificates */
59 #undef CERT
60 #define CERT( _index, _path ) { \
61  .data = stored_cert_ ## _index ## _data, \
62  .len = ( size_t ) stored_cert_ ## _index ## _len, \
63 },
64 static struct asn1_cursor certstore_raw[] = {
65  CERT_ALL
66 };
67 
68 /** X.509 certificate structures for all permanent stored certificates */
69 static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
70  sizeof ( certstore_raw[0] ) ];
71 
72 /** Certificate store */
75  .links = LIST_HEAD_INIT ( certstore.links ),
76 };
77 
78 /**
79  * Mark stored certificate as most recently used
80  *
81  * @v cert X.509 certificate
82  * @ret cert X.509 certificate
83  */
84 static struct x509_certificate *
86 
87  /* Mark as most recently used */
88  list_del ( &cert->store.list );
89  list_add ( &cert->store.list, &certstore.links );
90  DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",
91  x509_name ( cert ) );
92 
93  return cert;
94 }
95 
96 /**
97  * Find certificate in store
98  *
99  * @v raw Raw certificate data
100  * @ret cert X.509 certificate, or NULL if not found
101  */
103  struct x509_certificate *cert;
104 
105  /* Search for certificate within store */
107  if ( asn1_compare ( raw, &cert->raw ) == 0 )
108  return certstore_found ( cert );
109  }
110  return NULL;
111 }
112 
113 /**
114  * Find certificate in store corresponding to a private key
115  *
116  * @v key Private key
117  * @ret cert X.509 certificate, or NULL if not found
118  */
120  struct x509_certificate *cert;
121 
122  /* Search for certificate within store */
124  if ( pubkey_match ( cert->signature_algorithm->pubkey,
125  key->builder.data, key->builder.len,
126  cert->subject.public_key.raw.data,
127  cert->subject.public_key.raw.len ) == 0 )
128  return certstore_found ( cert );
129  }
130  return NULL;
131 }
132 
133 /**
134  * Add certificate to store
135  *
136  * @v cert X.509 certificate
137  */
138 void certstore_add ( struct x509_certificate *cert ) {
139 
140  /* Add certificate to store */
141  cert->store.cert = cert;
142  x509_get ( cert );
143  list_add ( &cert->store.list, &certstore.links );
144  DBGC ( &certstore, "CERTSTORE added certificate %s\n",
145  x509_name ( cert ) );
146 }
147 
148 /**
149  * Remove certificate from store
150  *
151  * @v cert X.509 certificate
152  */
153 void certstore_del ( struct x509_certificate *cert ) {
154 
155  /* Ignore attempts to remove permanent certificates */
156  if ( cert->flags & X509_FL_PERMANENT )
157  return;
158 
159  /* Remove certificate from store */
160  DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
161  x509_name ( cert ) );
162  list_del ( &cert->store.list );
163  x509_put ( cert );
164 }
165 
166 /**
167  * Discard a stored certificate
168  *
169  * @ret discarded Number of cached items discarded
170  */
171 static unsigned int certstore_discard ( void ) {
172  struct x509_certificate *cert;
173 
174  /* Discard the least recently used certificate for which the
175  * only reference is held by the store itself.
176  */
178 
179  /* Skip certificates for which another reference is held */
180  if ( cert->refcnt.count > 0 )
181  continue;
182 
183  /* Skip certificates that were added at build time or
184  * added explicitly at run time.
185  */
186  if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
187  continue;
188 
189  /* Discard certificate */
190  certstore_del ( cert );
191  return 1;
192  }
193 
194  return 0;
195 }
196 
197 /** Certificate store cache discarder */
198 struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={
200 };
201 
202 /**
203  * Construct permanent certificate store
204  *
205  */
206 static void certstore_init ( void ) {
207  struct asn1_cursor *raw;
208  struct x509_certificate *cert;
209  int i;
210  int rc;
211 
212  /* Skip if we have no permanent stored certificates */
213  if ( ! sizeof ( certstore_raw ) )
214  return;
215 
216  /* Add certificates */
217  for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
218  sizeof ( certstore_raw[0] ) ) ; i++ ) {
219 
220  /* Skip if certificate already present in store */
221  raw = &certstore_raw[i];
222  if ( ( cert = certstore_find ( raw ) ) != NULL ) {
223  DBGC ( &certstore, "CERTSTORE permanent certificate %d "
224  "is a duplicate of %s\n", i, x509_name ( cert ));
225  continue;
226  }
227 
228  /* Parse certificate */
229  cert = &certstore_certs[i];
230  ref_init ( &cert->refcnt, ref_no_free );
231  if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
232  DBGC ( &certstore, "CERTSTORE could not parse "
233  "permanent certificate %d: %s\n",
234  i, strerror ( rc ) );
235  continue;
236  }
237 
238  /* Add certificate to store. Certificate will never
239  * be discarded from the store, since we retain a
240  * permanent reference to it.
241  */
242  certstore_add ( cert );
243  cert->flags |= X509_FL_PERMANENT;
244  DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
245  i, x509_name ( cert ) );
246  }
247 }
248 
249 /** Certificate store initialisation function */
250 struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {
252 };
253 
254 /** Additional certificate setting */
255 static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {
256  .name = "cert",
257  .description = "Certificate",
258  .tag = DHCP_EB_CERT,
259  .type = &setting_type_hex,
260 };
261 
262 /**
263  * Apply certificate store configuration settings
264  *
265  * @ret rc Return status code
266  */
267 static int certstore_apply_settings ( void ) {
268  static struct x509_certificate *cert = NULL;
269  struct x509_certificate *old_cert;
270  void *cert_data;
271  int len;
272  int rc;
273 
274  /* Record any existing additional certificate */
275  old_cert = cert;
276  cert = NULL;
277 
278  /* Add additional certificate, if any */
279  if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
280  &cert_data ) ) >= 0 ) {
281  if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
282  DBGC ( &certstore, "CERTSTORE added additional "
283  "certificate %s\n", x509_name ( cert ) );
284  } else {
285  DBGC ( &certstore, "CERTSTORE could not parse "
286  "additional certificate: %s\n",
287  strerror ( rc ) );
288  /* Do not fail; leave as an unusable certificate */
289  }
290  free ( cert_data );
291  }
292 
293  /* Free old additional certificiate. Do this after reparsing
294  * the additional certificate; in the common case that the
295  * certificate has not changed, this will allow the stored
296  * certificate to be reused.
297  */
298  x509_put ( old_cert );
299 
300  return 0;
301 }
302 
303 /** Certificate store settings applicator */
304 struct settings_applicator certstore_applicator __settings_applicator = {
306 };
struct asn1_cursor raw
Raw public key information.
Definition: x509.h:50
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
Dynamic Host Configuration Protocol.
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
struct x509_certificate * certstore_find_key(struct private_key *key)
Find certificate in store corresponding to a private key.
Definition: certstore.c:119
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
void(* initialise)(void)
Definition: init.h:15
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:258
struct refcnt refcnt
Reference count.
Definition: x509.h:209
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
int fetch_raw_setting_copy(struct settings *settings, const struct setting *setting, void **data)
Fetch value of setting.
Definition: settings.c:821
struct list_head links
List of links.
Definition: x509.h:203
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
static struct asn1_cursor certstore_raw[]
Definition: certstore.c:64
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition: x509.h:230
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:138
A settings applicator.
Definition: settings.h:251
Cryptographic API.
void certstore_del(struct x509_certificate *cert)
Remove certificate from store.
Definition: certstore.c:153
unsigned int flags
Flags.
Definition: x509.h:215
Dynamic memory allocation.
size_t len
Length of data.
Definition: asn1.h:24
const char * name
Name.
Definition: settings.h:28
struct init_fn certstore_init_fn __init_fn(INIT_LATE)
Certificate store initialisation function.
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition: asn1.h:317
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
An X.509 certificate chain.
Definition: x509.h:199
Certificate store.
int count
Current reference count.
Definition: refcnt.h:32
An initialisation function.
Definition: init.h:14
static int certstore_apply_settings(void)
Apply certificate store configuration settings.
Definition: certstore.c:267
ASN.1 encoding.
unsigned int(* discard)(void)
Discard some cached data.
Definition: malloc.h:89
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
#define list_for_each_entry_reverse(pos, head, member)
Iterate over entries in a list in reverse order.
Definition: list.h:444
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
Configuration settings.
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 certificate.
Definition: x509.h:207
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
struct x509_subject subject
Subject.
Definition: x509.h:236
A cache discarder.
Definition: malloc.h:83
X.509 certificates.
struct x509_certificate * certstore_find(struct asn1_cursor *raw)
Find certificate in store.
Definition: certstore.c:102
struct cache_discarder certstore_discarder __cache_discarder(CACHE_NORMAL)
Certificate store cache discarder.
#define CACHE_NORMAL
Items with a normal replacement cost.
Definition: malloc.h:104
A setting.
Definition: settings.h:23
Certificate was added at build time.
Definition: x509.h:246
static unsigned int certstore_discard(void)
Discard a stored certificate.
Definition: certstore.c:171
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
uint32_t len
Length.
Definition: ena.h:14
static struct x509_certificate * certstore_found(struct x509_certificate *cert)
Mark stored certificate as most recently used.
Definition: certstore.c:85
#define DBGC2(...)
Definition: compiler.h:522
#define DHCP_EB_CERT
Client certficate.
Definition: dhcp.h:417
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:269
static struct x509_certificate certstore_certs[sizeof(certstore_raw)/sizeof(certstore_raw[0])]
X.509 certificate structures for all permanent stored certificates.
Definition: certstore.c:69
struct x509_link store
Link in certificate store.
Definition: x509.h:212
A private key.
Definition: privkey.h:16
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition: refcnt.h:77
__be32 raw[7]
Definition: CIB_PRM.h:28
int(* apply)(void)
Apply updated settings.
Definition: settings.h:256
#define SETTING_CRYPTO
Cryptography settings.
Definition: settings.h:79
#define INIT_LATE
Late initialisation.
Definition: init.h:31
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:222
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition: list.h:30
struct settings_applicator certstore_applicator __settings_applicator
Certificate store settings applicator.
Definition: certstore.c:304
static void certstore_init(void)
Construct permanent certificate store.
Definition: certstore.c:206
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition: refcnt.c:101
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
Certificate was added explicitly at run time.
Definition: x509.h:248
String functions.
An ASN.1 object cursor.
Definition: asn1.h:20
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1003
union @382 key
Sense key.
Definition: crypto.h:284
struct refcnt refcnt
Reference count.
Definition: x509.h:201
static struct setting cert_setting __setting(SETTING_CRYPTO, cert)
Additional certificate setting.