ocsp.h File Reference

Online Certificate Status Protocol. More...

#include <stdarg.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <config/crypto.h>


Data Structures

struct  ocsp_request
 An OCSP request. More...
 
struct  ocsp_responder
 An OCSP responder. More...
 
struct  ocsp_response
 An OCSP response. More...
 
struct  ocsp_check
 An OCSP check. More...
 

Macros

#define OCSP_ENABLED   0
 
#define OCSP_ALGORITHM_IDENTIFIER(...)
 OCSP algorithm identifier. More...
 
/* OCSP response status codes
 *
 * Plain integer values of the status field of an OCSP response.  No
 * constant is defined for 0x04.
 *
 * NOTE(review): these line up with the OCSPResponseStatus enumeration
 * of RFC 6960 §4.2.1 (where 4 is unused) — confirm against the parser.
 * Any value other than OCSP_STATUS_SUCCESSFUL means the responder gave
 * no answer about the certificate and must be treated as "status
 * unknown", never as "not revoked".
 */
#define OCSP_STATUS_SUCCESSFUL   0x00
#define OCSP_STATUS_MALFORMED_REQUEST   0x01
#define OCSP_STATUS_INTERNAL_ERROR   0x02
#define OCSP_STATUS_TRY_LATER   0x03
#define OCSP_STATUS_SIG_REQUIRED   0x05
#define OCSP_STATUS_UNAUTHORIZED   0x06
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static struct ocsp_check * ocsp_get (struct ocsp_check *ocsp)
 Get reference to OCSP check. More...
 
static void ocsp_put (struct ocsp_check *ocsp)
 Drop reference to OCSP check. More...
 
static int ocsp_required (struct x509_certificate *cert)
 Check if X.509 certificate requires an OCSP check. More...
 
int ocsp_check (struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp)
 Create OCSP check. More...
 
int ocsp_response (struct ocsp_check *ocsp, const void *data, size_t len)
 Receive OCSP response. More...
 
int ocsp_validate (struct ocsp_check *check, time_t time)
 Validate OCSP response. More...
 

Detailed Description

Online Certificate Status Protocol.

Definition in file ocsp.h.

Macro Definition Documentation

◆ OCSP_ENABLED

/**
 * Enable OCSP checks
 *
 * With the value 0 shown here, ocsp_required() reports that no
 * certificate ever needs an OCSP check, so revocation status is
 * neither fetched nor validated in this configuration.
 *
 * NOTE(review): only the value 0 is visible on this page; the real
 * definition may be conditional on an option from config/crypto.h
 * (included above) — check the header source before relying on OCSP
 * for revocation in a given build.
 */
#define OCSP_ENABLED   0

Definition at line 23 of file ocsp.h.

◆ OCSP_ALGORITHM_IDENTIFIER

/**
 * OCSP algorithm identifier
 *
 * Expands to the byte list for the OID element and the explicit NULL
 * parameter of an AlgorithmIdentifier: an OID tag, the number of OID
 * bytes supplied as arguments, those bytes, then ASN1_NULL with a
 * zero length.  The enclosing SEQUENCE is not part of the expansion.
 */
#define OCSP_ALGORITHM_IDENTIFIER(...)					\
	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\
	ASN1_NULL, 0x00

OCSP algorithm identifier.

Definition at line 27 of file ocsp.h.

◆ OCSP_STATUS_SUCCESSFUL

#define OCSP_STATUS_SUCCESSFUL   0x00

Definition at line 32 of file ocsp.h.

◆ OCSP_STATUS_MALFORMED_REQUEST

#define OCSP_STATUS_MALFORMED_REQUEST   0x01

Definition at line 33 of file ocsp.h.

◆ OCSP_STATUS_INTERNAL_ERROR

#define OCSP_STATUS_INTERNAL_ERROR   0x02

Definition at line 34 of file ocsp.h.

◆ OCSP_STATUS_TRY_LATER

#define OCSP_STATUS_TRY_LATER   0x03

Definition at line 35 of file ocsp.h.

◆ OCSP_STATUS_SIG_REQUIRED

#define OCSP_STATUS_SIG_REQUIRED   0x05

Definition at line 36 of file ocsp.h.

◆ OCSP_STATUS_UNAUTHORIZED

#define OCSP_STATUS_UNAUTHORIZED   0x06

Definition at line 37 of file ocsp.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ ocsp_get()

static struct ocsp_check* ocsp_get ( struct ocsp_check *ocsp )
inlinestatic

Get reference to OCSP check.

Parameters
ocspOCSP check
Return values
ocspOCSP check

Definition at line 107 of file ocsp.h.

/**
 * Get reference to OCSP check
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check
 *
 * Takes one additional reference on the embedded counter and returns
 * the same pointer, so the call can be used inline wherever an owned
 * pointer is stored.  Balance it with ocsp_put().
 */
static inline struct ocsp_check * ocsp_get ( struct ocsp_check *ocsp ) {
	struct refcnt *count = &ocsp->refcnt;

	ref_get ( count );
	return ocsp;
}

References ref_get, and ocsp_check::refcnt.

◆ ocsp_put()

static void ocsp_put ( struct ocsp_check *ocsp )
inlinestatic

Drop reference to OCSP check.

Parameters
ocspOCSP check

Definition at line 118 of file ocsp.h.

/**
 * Drop reference to OCSP check
 *
 * @v ocsp		OCSP check
 *
 * Releases one reference taken by ocsp_check() or ocsp_get().  The
 * counter was initialised with ocsp_free() as its release routine (see
 * ocsp_check()), so the check is torn down once the last reference is
 * dropped and @c ocsp must not be used afterwards.
 */
static inline void ocsp_put ( struct ocsp_check *ocsp ) {
	struct refcnt *count = &ocsp->refcnt;

	ref_put ( count );
}

References ref_put, and ocsp_check::refcnt.

Referenced by ocsp_check(), ocsp_test_exec(), validator_free(), and validator_ocsp_validate().

◆ ocsp_required()

static int ocsp_required ( struct x509_certificate *cert )
inlinestatic

Check if X.509 certificate requires an OCSP check.

Parameters
certX.509 certificate
Return values
ocsp_requiredAn OCSP check is required

Definition at line 128 of file ocsp.h.

/**
 * Check if X.509 certificate requires an OCSP check
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required
 *
 * With OCSP_ENABLED at 0 this always reports that no check is needed,
 * i.e. revocation status is never consulted.  Otherwise a check is
 * needed whenever the certificate advertises an OCSP responder URI in
 * its Authority Information Access extension and has not yet been
 * marked good by ocsp_validate().
 *
 * NOTE(review): nothing in this header clears the @c good flag once
 * it is set, so a certificate object that passed OCSP once is not
 * rechecked for as long as that object lives — confirm that callers
 * which cache certificates across the response's nextUpdate time
 * re-parse or otherwise refresh them.
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {
	struct x509_ocsp_responder *responder;

	/* Disabled at build time: nothing is ever required */
	if ( ! OCSP_ENABLED )
		return 0;

	/* No responder URI: there is nobody to ask */
	responder = &cert->extensions.auth_info.ocsp;
	if ( ! responder->uri.len )
		return 0;

	/* Required until a response has been validated as good */
	return ( ! responder->good );
}

References x509_extensions::auth_info, ocsp_check::cert, x509_certificate::extensions, x509_ocsp_responder::good, asn1_cursor::len, x509_authority_info_access::ocsp, OCSP_ENABLED, and x509_ocsp_responder::uri.

Referenced by validator_step(), and x509_validate().

◆ ocsp_check()

int ocsp_check ( struct x509_certificate *cert,
struct x509_certificate *issuer,
struct ocsp_check **  ocsp 
)

Create OCSP check.

Parameters
certCertificate to check
issuerIssuing certificate
Return values
ocspOCSP check
rcReturn status code

Definition at line 279 of file ocsp.c.

/**
 * Create OCSP check
 *
 * @v cert		Certificate to check
 * @v issuer		Issuing certificate (must already be validated)
 * @ret ocsp		OCSP check, or NULL on failure
 * @ret rc		Return status code
 *
 * Allocates a check holding a reference to both certificates, then
 * builds the OCSP request and the responder URI string.  On success
 * the caller owns one reference to @c *ocsp and releases it with
 * ocsp_put(); on any failure @c *ocsp is NULL.
 *
 * The precondition that @c issuer is valid is enforced only by
 * assert(), i.e. not at all in a build without assertions.  Callers
 * must guarantee it, since ocsp_validate() anchors trust in the
 * response on @c issuer.
 */
int ocsp_check ( struct x509_certificate *cert,
		 struct x509_certificate *issuer,
		 struct ocsp_check **ocsp ) {
	struct ocsp_check *check;
	int rc;

	/* Preconditions */
	assert ( cert != NULL );
	assert ( issuer != NULL );
	assert ( x509_is_valid ( issuer ) );

	/* Allocate zeroed check and take references to both certificates */
	check = zalloc ( sizeof ( *check ) );
	*ocsp = check;
	if ( ! check )
		return -ENOMEM;
	ref_init ( &check->refcnt, ocsp_free );
	check->cert = x509_get ( cert );
	check->issuer = x509_get ( issuer );

	/* Build the request, then the URI used to submit it.  Either
	 * failure tears the whole check down via its release routine.
	 */
	rc = ocsp_request ( check );
	if ( rc == 0 )
		rc = ocsp_uri_string ( check );
	if ( rc != 0 ) {
		ocsp_put ( check );
		*ocsp = NULL;
	}

	return rc;
}

References assert(), ENOMEM, NULL, ocsp_free(), ocsp_put(), ocsp_uri_string(), rc, ref_init, x509_get(), x509_is_valid(), and zalloc().

◆ ocsp_response()

int ocsp_response ( struct ocsp_check *ocsp,
const void *  data,
size_t  len 
)

Receive OCSP response.

Parameters
ocspOCSP check
dataResponse data
lenLength of response data
Return values
rcReturn status code

Definition at line 812 of file ocsp.c.

/**
 * Receive OCSP response
 *
 * @v ocsp		OCSP check
 * @v data		Response data
 * @v len		Length of response data
 * @ret rc		Return status code
 *
 * Discards any signer certificate and raw data left over from an
 * earlier response, takes a private copy of the new bytes (presumably
 * because the parsed result refers into the buffer) and parses it.
 *
 * On a parse failure the copied bytes stay attached to the check, and
 * ocsp_validate() only asserts that raw data is present — so a caller
 * must not proceed to validation after a non-zero return here.
 */
int ocsp_response ( struct ocsp_check *ocsp, const void *data, size_t len ) {
	struct ocsp_response *response = &ocsp->response;
	struct asn1_cursor cursor;
	void *copy;

	/* Release state from any previous response before replacing it */
	x509_put ( response->signer );
	response->signer = NULL;
	free ( response->data );

	/* Duplicate the incoming bytes */
	copy = malloc ( len );
	response->data = copy;
	if ( ! copy )
		return -ENOMEM;
	memcpy ( copy, data, len );

	/* Parse the private copy */
	cursor.data = copy;
	cursor.len = len;
	return ocsp_parse_response ( ocsp, &cursor );
}

References data, asn1_cursor::data, ocsp_response::data, ENOMEM, free, len, asn1_cursor::len, malloc(), memcpy(), NULL, ocsp_parse_response(), rc, ocsp_check::response, ocsp_response::signer, and x509_put().

◆ ocsp_validate()

int ocsp_validate ( struct ocsp_check *ocsp,
time_t  time 
)

Validate OCSP response.

Parameters
ocspOCSP check
timeTime at which to validate response
Return values
rcReturn status code

Definition at line 904 of file ocsp.c.

/**
 * Validate a delegated OCSP signing certificate
 *
 * @v ocsp		OCSP check
 * @v signer		Certificate carried in the response (not the issuer)
 * @v time		Time at which to validate
 * @ret rc		Return status code
 *
 * The signer's cached validity is discarded first and it is then
 * chained directly to @c ocsp->issuer against the dummy OCSP root
 * store, so a responder certificate issued by any other CA (e.g. a
 * sub-CA's own OCSP certificate) cannot answer for this issuer.  The
 * signer must additionally carry the id-kp-OCSPSigning extended key
 * usage.
 */
static int ocsp_validate_delegated_signer ( struct ocsp_check *ocsp,
					    struct x509_certificate *signer,
					    time_t time ) {
	int rc;

	/* Drop any prior validity so that the chain check below is the
	 * only thing that can vouch for this signer.
	 */
	x509_invalidate ( signer );
	rc = x509_validate ( signer, ocsp->issuer, time, &ocsp_root );
	if ( rc != 0 ) {
		DBGC ( ocsp, "OCSP %p \"%s\" could not validate ",
		       ocsp, x509_name ( ocsp->cert ) );
		DBGC ( ocsp, "signer \"%s\": %s\n",
		       x509_name ( signer ), strerror ( rc ) );
		return rc;
	}

	/* Being issued by the issuer is not enough: the certificate
	 * must be explicitly authorised for OCSP signing.
	 */
	if ( ! ( signer->extensions.ext_usage.bits & X509_OCSP_SIGNING ) ) {
		DBGC ( ocsp, "OCSP %p \"%s\" ",
		       ocsp, x509_name ( ocsp->cert ) );
		DBGC ( ocsp, "signer \"%s\" is not an OCSP-signing "
		       "certificate\n", x509_name ( signer ) );
		return -EACCES_NON_OCSP_SIGNING;
	}

	return 0;
}

/**
 * Check that an OCSP response is current
 *
 * @v ocsp		OCSP check
 * @v time		Time at which to validate
 * @ret rc		Return status code
 *
 * Accepts the response when @c time lies within
 * [thisUpdate - TIMESTAMP_ERROR_MARGIN, nextUpdate + TIMESTAMP_ERROR_MARGIN].
 *
 * NOTE(review): this relies on ocsp_parse_response() having populated
 * @c next_update; if a responder omits nextUpdate and the parser leaves
 * the field at zero, the response is rejected as stale — confirm that
 * is the intended policy.
 */
static int ocsp_check_validity_window ( struct ocsp_check *ocsp,
					time_t time ) {
	struct ocsp_response *response = &ocsp->response;
	time_t earliest = ( time - TIMESTAMP_ERROR_MARGIN );
	time_t latest = ( time + TIMESTAMP_ERROR_MARGIN );

	if ( response->this_update > latest ) {
		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
		       "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
		return -EACCES_STALE;
	}
	if ( response->next_update < earliest ) {
		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
		       "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
		return -EACCES_STALE;
	}
	DBGC2 ( ocsp, "OCSP %p \"%s\" response is valid (at time %lld)\n",
		ocsp, x509_name ( ocsp->cert ), time );

	return 0;
}

/**
 * Validate OCSP response
 *
 * @v ocsp		OCSP check
 * @v time		Time at which to validate response
 * @ret rc		Return status code
 *
 * Establishes who signed the response (the issuer itself, or a
 * delegated signer that must chain directly to the issuer and be
 * marked for OCSP signing), checks the response signature, checks the
 * thisUpdate/nextUpdate window, marks the certificate as OCSP-good and
 * finally validates the certificate against its issuer.
 *
 * Security notes (what this function does NOT do):
 *  - It does not itself compare the response's CertID or certStatus
 *    against @c ocsp->cert; that must happen in ocsp_parse_response()
 *    (not shown here) — confirm before trusting the "good" result.
 *  - Freshness is judged solely by the time window above; no request
 *    nonce is checked here, so absent a nonce check elsewhere a
 *    captured response stays acceptable until nextUpdate.
 *  - When the signer is the issuer itself, no further check of the
 *    issuer is made here; ocsp_check() only asserted its validity.
 *  - The @c good flag is set before the final x509_validate() call
 *    (presumably so that x509_validate() sees it via ocsp_required())
 *    and is not cleared again if that call then fails.
 */
int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
	struct ocsp_response *response = &ocsp->response;
	struct x509_certificate *signer = ocsp->issuer;
	int rc;

	/* A response must have been received */
	assert ( response->data != NULL );

	/* Without an embedded signer certificate, the response must
	 * have been signed directly by the issuer.
	 */
	if ( response->signer )
		signer = response->signer;

	/* A delegated signer is trusted only if it chains directly to
	 * our issuer and is authorised for OCSP signing.
	 */
	if ( signer != ocsp->issuer ) {
		rc = ocsp_validate_delegated_signer ( ocsp, signer, time );
		if ( rc != 0 )
			return rc;
	}

	/* Response signature */
	if ( ( rc = ocsp_check_signature ( ocsp, signer ) ) != 0 )
		return rc;

	/* Response freshness */
	if ( ( rc = ocsp_check_validity_window ( ocsp, time ) ) != 0 )
		return rc;

	/* Record that the certificate passed OCSP, then validate it
	 * against its issuer.
	 */
	ocsp->cert->extensions.auth_info.ocsp.good = 1;
	rc = x509_validate ( ocsp->cert, ocsp->issuer, time, &ocsp_root );
	if ( rc != 0 ) {
		DBGC ( ocsp, "OCSP %p \"%s\" could not validate certificate: "
		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
		return rc;
	}
	DBGC ( ocsp, "OCSP %p \"%s\" successfully validated ",
	       ocsp, x509_name ( ocsp->cert ) );
	DBGC ( ocsp, "using \"%s\"\n", x509_name ( signer ) );

	return 0;
}

References assert(), x509_extensions::auth_info, x509_extended_key_usage::bits, ocsp_check::cert, ocsp_response::data, DBGC, DBGC2, EACCES_NON_OCSP_SIGNING, EACCES_STALE, x509_extensions::ext_usage, x509_certificate::extensions, x509_ocsp_responder::good, ocsp_check::issuer, ocsp_response::next_update, NULL, x509_authority_info_access::ocsp, ocsp_check_signature(), ocsp_root, rc, ocsp_check::response, ocsp_response::signer, strerror(), ocsp_response::this_update, time, TIMESTAMP_ERROR_MARGIN, x509_invalidate(), x509_name(), X509_OCSP_SIGNING, and x509_validate().

Referenced by validator_ocsp_validate().