iPXE
certstore.c
Go to the documentation of this file.
1/*
2 * Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
24FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25FILE_SECBOOT ( PERMITTED );
26
27#include <string.h>
28#include <stdlib.h>
29#include <ipxe/init.h>
30#include <ipxe/dhcp.h>
31#include <ipxe/settings.h>
32#include <ipxe/malloc.h>
33#include <ipxe/crypto.h>
34#include <ipxe/asn1.h>
35#include <ipxe/x509.h>
36#include <ipxe/certstore.h>
37
38/** @file
39 *
40 * Certificate store
41 *
42 */
43
44/** Raw certificate data for all permanent stored certificates */
45#undef CERT
46#define CERT( _index, _path ) \
47 extern char stored_cert_ ## _index ## _data[]; \
48 extern size_t ABS_SYMBOL ( stored_cert_ ## _index ## _len ); \
49 __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t" \
50 "\nstored_cert_" #_index "_data:\n\t" \
51 ".incbin \"" _path "\"\n\t" \
52 "\nstored_cert_" #_index "_end:\n\t" \
53 ".equ stored_cert_" #_index "_len, " \
54 "( stored_cert_" #_index "_end - " \
55 " stored_cert_" #_index "_data )\n\t" \
56 ".previous\n\t" );
57CERT_ALL
58
59/** Raw certificate cursors for all permanent stored certificates */
60#undef CERT
61#define CERT( _index, _path ) { \
62 .data = stored_cert_ ## _index ## _data, \
63 .len = ABS_VALUE_INIT ( stored_cert_ ## _index ## _len ), \
64},
65static struct asn1_cursor certstore_raw[] = {
66 CERT_ALL
67};
68
69/** X.509 certificate structures for all permanent stored certificates */
70static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
71 sizeof ( certstore_raw[0] ) ];
72
73/**
74 * Mark stored certificate as most recently used
75 *
76 * @v store Certificate store
77 * @v cert X.509 certificate
78 */
79static void certstore_found ( struct x509_chain *store,
80 struct x509_certificate *cert ) {
81
82 /* Mark as most recently used */
83 list_del ( &cert->store.list );
84 list_add ( &cert->store.list, &store->links );
85 DBGC2 ( store, "CERTSTORE found certificate %s\n",
86 x509_name ( cert ) );
87}
88
89/** Certificate store */
90struct x509_chain certstore = {
91 .refcnt = REF_INIT ( ref_no_free ),
92 .links = LIST_HEAD_INIT ( certstore.links ),
93 .found = certstore_found,
94};
95
96/**
97 * Add certificate to store
98 *
99 * @v cert X.509 certificate
100 */
101void certstore_add ( struct x509_certificate *cert ) {
102
103 /* Add certificate to store */
104 cert->store.cert = cert;
105 x509_get ( cert );
106 list_add ( &cert->store.list, &certstore.links );
107 DBGC ( &certstore, "CERTSTORE added certificate %s\n",
108 x509_name ( cert ) );
109}
110
111/**
112 * Remove certificate from store
113 *
114 * @v cert X.509 certificate
115 */
116void certstore_del ( struct x509_certificate *cert ) {
117
118 /* Ignore attempts to remove permanent certificates */
119 if ( cert->flags & X509_FL_PERMANENT )
120 return;
121
122 /* Remove certificate from store */
123 DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
124 x509_name ( cert ) );
125 list_del ( &cert->store.list );
126 x509_put ( cert );
127}
128
129/**
130 * Discard a stored certificate
131 *
132 * @ret discarded Number of cached items discarded
133 */
134static unsigned int certstore_discard ( void ) {
135 struct x509_certificate *cert;
136
137 /* Discard the least recently used certificate for which the
138 * only reference is held by the store itself.
139 */
140 list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
141
142 /* Skip certificates for which another reference is held */
143 if ( cert->refcnt.count > 0 )
144 continue;
145
146 /* Skip certificates that were added at build time or
147 * added explicitly at run time.
148 */
149 if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
150 continue;
151
152 /* Discard certificate */
153 certstore_del ( cert );
154 return 1;
155 }
156
157 return 0;
158}
159
160/** Certificate store cache discarder */
161struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={
162 .discard = certstore_discard,
163};
164
165/**
166 * Construct permanent certificate store
167 *
168 */
169static void certstore_init ( void ) {
170 struct asn1_cursor *raw;
171 struct x509_certificate *cert;
172 int i;
173 int rc;
174
175 /* Skip if we have no permanent stored certificates */
176 if ( ! sizeof ( certstore_raw ) )
177 return;
178
179 /* Add certificates */
180 for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
181 sizeof ( certstore_raw[0] ) ) ; i++ ) {
182
183 /* Skip if certificate already present in store */
184 raw = &certstore_raw[i];
185 if ( ( cert = x509_find ( &certstore, raw ) ) != NULL ) {
186 DBGC ( &certstore, "CERTSTORE permanent certificate %d "
187 "is a duplicate of %s\n", i, x509_name ( cert ));
188 continue;
189 }
190
191 /* Parse certificate */
192 cert = &certstore_certs[i];
193 ref_init ( &cert->refcnt, ref_no_free );
194 if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
195 DBGC ( &certstore, "CERTSTORE could not parse "
196 "permanent certificate %d: %s\n",
197 i, strerror ( rc ) );
198 continue;
199 }
200
201 /* Add certificate to store. Certificate will never
202 * be discarded from the store, since we retain a
203 * permanent reference to it.
204 */
205 certstore_add ( cert );
206 cert->flags |= X509_FL_PERMANENT;
207 DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
208 i, x509_name ( cert ) );
209 }
210}
211
212/** Certificate store initialisation function */
213struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {
214 .name = "certstore",
215 .initialise = certstore_init,
216};
217
218/** Additional certificate setting */
219static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {
220 .name = "cert",
221 .description = "Certificate",
222 .tag = DHCP_EB_CERT,
223 .type = &setting_type_hex,
224};
225
226/**
227 * Apply certificate store configuration settings
228 *
229 * @ret rc Return status code
230 */
231static int certstore_apply_settings ( void ) {
232 static struct x509_certificate *cert = NULL;
233 struct x509_certificate *old_cert;
234 void *cert_data;
235 int len;
236 int rc;
237
238 /* Record any existing additional certificate */
239 old_cert = cert;
240 cert = NULL;
241
242 /* Add additional certificate, if any */
243 if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
244 &cert_data ) ) >= 0 ) {
245 if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
246 DBGC ( &certstore, "CERTSTORE added additional "
247 "certificate %s\n", x509_name ( cert ) );
248 } else {
249 DBGC ( &certstore, "CERTSTORE could not parse "
250 "additional certificate: %s\n",
251 strerror ( rc ) );
252 /* Do not fail; leave as an unusable certificate */
253 }
254 free ( cert_data );
255 }
256
257 /* Free old additional certificiate. Do this after reparsing
258 * the additional certificate; in the common case that the
259 * certificate has not changed, this will allow the stored
260 * certificate to be reused.
261 */
262 x509_put ( old_cert );
263
264 return 0;
265}
266
267/** Certificate store settings applicator */
268struct settings_applicator certstore_applicator __settings_applicator = {
269 .apply = certstore_apply_settings,
270};
271
272/* Drag in objects via certificate store */
273REQUIRING_SYMBOL ( certstore );
274
275/* Drag in alternative certificate sources */
276REQUIRE_OBJECT ( config_certs );
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
raw
__be32 raw[7]
Definition CIB_PRM.h:0
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
asn1.h
ASN.1 encoding.
certstore_init
static void certstore_init(void)
Construct permanent certificate store.
Definition certstore.c:169
certstore_del
void certstore_del(struct x509_certificate *cert)
Remove certificate from store.
Definition certstore.c:116
certstore_discard
static unsigned int certstore_discard(void)
Discard a stored certificate.
Definition certstore.c:134
certstore_apply_settings
static int certstore_apply_settings(void)
Apply certificate store configuration settings.
Definition certstore.c:231
certstore_found
static void certstore_found(struct x509_chain *store, struct x509_certificate *cert)
Mark stored certificate as most recently used.
Definition certstore.c:79
certstore_add
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition certstore.c:101
certstore_raw
static struct asn1_cursor certstore_raw[]
Definition certstore.c:65
certstore
struct x509_chain certstore
Certificate store.
Definition certstore.c:90
certstore_certs
static struct x509_certificate certstore_certs[sizeof(certstore_raw)/sizeof(certstore_raw[0])]
X.509 certificate structures for all permanent stored certificates.
Definition certstore.c:70
certstore.h
Certificate store.
len
ring len
Length.
Definition dwmac.h:226
CACHE_NORMAL
#define CACHE_NORMAL
Items with a normal replacement cost.
Definition malloc.h:114
DBGC2
#define DBGC2(...)
Definition compiler.h:522
DBGC
#define DBGC(...)
Definition compiler.h:505
DHCP_EB_CERT
#define DHCP_EB_CERT
Client certficate.
Definition dhcp.h:420
INIT_LATE
#define INIT_LATE
Late initialisation.
Definition init.h:33
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
REQUIRE_OBJECT
#define REQUIRE_OBJECT(object)
Require an object.
Definition compiler.h:202
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
SETTING_CRYPTO
#define SETTING_CRYPTO
Cryptography settings.
Definition settings.h:80
REQUIRING_SYMBOL
#define REQUIRING_SYMBOL(symbol)
Specify the file's requiring symbol.
Definition compiler.h:140
crypto.h
Cryptographic API.
dhcp.h
Dynamic Host Configuration Protocol.
settings.h
Configuration settings.
__setting
#define __setting(setting_order, name)
Declare a configuration setting.
Definition settings.h:57
__settings_applicator
#define __settings_applicator
Declare a settings applicator.
Definition settings.h:265
string.h
String functions.
__init_fn
#define __init_fn(init_order)
Declare an initialisation functon.
Definition init.h:24
LIST_HEAD_INIT
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition list.h:31
list_del
#define list_del(list)
Delete an entry from a list.
Definition list.h:120
list_for_each_entry_reverse
#define list_for_each_entry_reverse(pos, head, member)
Iterate over entries in a list in reverse order.
Definition list.h:445
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition list.h:70
malloc.h
Dynamic memory allocation.
__cache_discarder
#define __cache_discarder(cost)
Declare a cache discarder.
Definition malloc.h:106
ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition refcnt.c:102
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
REF_INIT
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition refcnt.h:78
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition refcnt.h:65
fetch_raw_setting_copy
int fetch_raw_setting_copy(struct settings *settings, const struct setting *setting, void **data)
Fetch value of setting.
Definition settings.c:822
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
cache_discarder
A cache discarder.
Definition malloc.h:93
init_fn
An initialisation function.
Definition init.h:15
refcnt::count
int count
Current reference count.
Definition refcnt.h:33
setting
A setting.
Definition settings.h:24
settings_applicator
A settings applicator.
Definition settings.h:252
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_certificate::flags
unsigned int flags
Flags.
Definition x509.h:224
x509_certificate::refcnt
struct refcnt refcnt
Reference count.
Definition x509.h:218
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition x509.h:221
x509_chain
An X.509 certificate chain.
Definition x509.h:201
x509_link::list
struct list_head list
List of links.
Definition x509.h:173
x509_link::cert
struct x509_certificate * cert
Certificate.
Definition x509.h:175
x509_parse
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition x509.c:1008
x509_find
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
Definition x509.c:1746
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147
x509.h
X.509 certificates.
x509_get
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition x509.h:267
x509_put
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition x509.h:278
X509_FL_EXPLICIT
@ X509_FL_EXPLICIT
Certificate was added explicitly at run time.
Definition x509.h:257
X509_FL_PERMANENT
@ X509_FL_PERMANENT
Certificate was added at build time.
Definition x509.h:255
Generated by doxygen 1.14.0