iPXE
ocsp.h File Reference

Online Certificate Status Protocol. More...

#include <stdarg.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <config/crypto.h>


Data Structures

struct  ocsp_request
 An OCSP request. More...
 
struct  ocsp_responder
 An OCSP responder. More...
 
struct  ocsp_response
 An OCSP response. More...
 
struct  ocsp_check
 An OCSP check. More...
 

Macros

#define OCSP_ENABLED   0
 
#define OCSP_ALGORITHM_IDENTIFIER(...)
 OCSP algorithm identifier. More...
 
#define OCSP_STATUS_SUCCESSFUL   0x00
 
#define OCSP_STATUS_MALFORMED_REQUEST   0x01
 
#define OCSP_STATUS_INTERNAL_ERROR   0x02
 
#define OCSP_STATUS_TRY_LATER   0x03
 
#define OCSP_STATUS_SIG_REQUIRED   0x05
 
#define OCSP_STATUS_UNAUTHORIZED   0x06
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static struct ocsp_check * ocsp_get (struct ocsp_check *ocsp)
 Get reference to OCSP check. More...
 
static void ocsp_put (struct ocsp_check *ocsp)
 Drop reference to OCSP check. More...
 
static int ocsp_required (struct x509_certificate *cert)
 Check if X.509 certificate requires an OCSP check. More...
 
int ocsp_check (struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp)
 Create OCSP check. More...
 
int ocsp_response (struct ocsp_check *ocsp, const void *data, size_t len)
 Receive OCSP response. More...
 
int ocsp_validate (struct ocsp_check *check, time_t time)
 Validate OCSP response. More...
 

Detailed Description

Online Certificate Status Protocol: builds an OCSP request for an X.509 certificate, receives the responder's reply, and validates that reply (signer, signature and validity window) before the certificate is marked as passing OCSP.

Definition in file ocsp.h.

Macro Definition Documentation

◆ OCSP_ENABLED

#define OCSP_ENABLED   0

Definition at line 23 of file ocsp.h. Note that this page renders OCSP_ENABLED as 0, i.e. a configuration in which ocsp_required() never asks for an OCSP check and revocation status is never consulted; the value presumably follows the build options pulled in through config/crypto.h, so confirm the actual setting for a given build.

◆ OCSP_ALGORITHM_IDENTIFIER

#define OCSP_ALGORITHM_IDENTIFIER (   ...)
Value:
ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__, \
ASN1_NULL, 0x00
#define VA_ARG_COUNT(...)
Definition: stdarg.h:27
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:73

OCSP algorithm identifier.

Definition at line 27 of file ocsp.h.

◆ OCSP_STATUS_SUCCESSFUL

#define OCSP_STATUS_SUCCESSFUL   0x00

Definition at line 32 of file ocsp.h.

◆ OCSP_STATUS_MALFORMED_REQUEST

#define OCSP_STATUS_MALFORMED_REQUEST   0x01

Definition at line 33 of file ocsp.h.

◆ OCSP_STATUS_INTERNAL_ERROR

#define OCSP_STATUS_INTERNAL_ERROR   0x02

Definition at line 34 of file ocsp.h.

◆ OCSP_STATUS_TRY_LATER

#define OCSP_STATUS_TRY_LATER   0x03

Definition at line 35 of file ocsp.h.

◆ OCSP_STATUS_SIG_REQUIRED

#define OCSP_STATUS_SIG_REQUIRED   0x05

Definition at line 36 of file ocsp.h.

◆ OCSP_STATUS_UNAUTHORIZED

#define OCSP_STATUS_UNAUTHORIZED   0x06

Definition at line 37 of file ocsp.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ ocsp_get()

static struct ocsp_check * ocsp_get ( struct ocsp_check *ocsp )
inline, static

Get reference to OCSP check.

Parameters
ocsp — OCSP check
Return values
ocsp — the same OCSP check pointer, with one additional reference taken

Definition at line 107 of file ocsp.h.

/**
 * Get reference to OCSP check
 *
 * Takes one additional reference on the check's embedded reference
 * counter and returns the same pointer, so the call can be used
 * inline wherever the pointer is stored.  Every reference taken here
 * must be balanced by an ocsp_put().
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check (same pointer, one extra reference)
 */
static inline struct ocsp_check * ocsp_get ( struct ocsp_check *ocsp ) {
	struct refcnt *counter = &ocsp->refcnt;

	ref_get ( counter );
	return ocsp;
}
struct refcnt refcnt
Reference count.
Definition: ocsp.h:87
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92

References ref_get, and ocsp_check::refcnt.

◆ ocsp_put()

static void ocsp_put ( struct ocsp_check *ocsp )
inline, static

Drop reference to OCSP check.

Parameters
ocsp — OCSP check

Definition at line 118 of file ocsp.h.

/**
 * Drop reference to OCSP check
 *
 * Releases one reference on the check's embedded reference counter.
 * The counter's free method is ocsp_free(), installed by ocsp_check()
 * via ref_init(); it is presumably invoked once the last reference is
 * dropped, so the pointer must not be used after a put that may be
 * the last one.
 *
 * @v ocsp		OCSP check
 */
static inline void ocsp_put ( struct ocsp_check *ocsp ) {
	struct refcnt *counter = &ocsp->refcnt;

	ref_put ( counter );
}
struct refcnt refcnt
Reference count.
Definition: ocsp.h:87
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106

References ref_put, and ocsp_check::refcnt.

Referenced by ocsp_check(), ocsp_test_exec(), validator_free(), and validator_ocsp_validate().

◆ ocsp_required()

static int ocsp_required ( struct x509_certificate *cert )
inline, static

Check if X.509 certificate requires an OCSP check.

Parameters
cert — X.509 certificate
Return values
ocsp_required — non-zero if an OCSP check is required for this certificate

Definition at line 128 of file ocsp.h.

/**
 * Check if X.509 certificate requires an OCSP check
 *
 * As rendered on this page OCSP_ENABLED is 0, in which case this
 * always answers "no": the certificate is then accepted on chain
 * validation alone and its revocation status is never consulted.
 * When OCSP is enabled, a check is required only for a certificate
 * that advertises an OCSP responder URI in its authority information
 * access extension and whose cached OCSP status has not yet been
 * marked good (ocsp_validate() sets that flag once a response has
 * been authenticated and found current).
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required (non-zero)
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {

	/* Nothing is ever required when OCSP support is compiled out */
	if ( ! OCSP_ENABLED )
		return 0;

	/* No responder URI means there is nowhere to ask */
	if ( ! cert->extensions.auth_info.ocsp.uri.len )
		return 0;

	/* A URI exists; a check is needed unless status is already good */
	return ( cert->extensions.auth_info.ocsp.good ? 0 : 1 );
}
int good
OCSP status is good.
Definition: x509.h:132
#define OCSP_ENABLED
Definition: ocsp.h:23
size_t len
Length of data.
Definition: asn1.h:23
struct x509_authority_info_access auth_info
Authority information access.
Definition: x509.h:163
struct asn1_cursor uri
URI.
Definition: x509.h:130
struct x509_ocsp_responder ocsp
OCSP responder.
Definition: x509.h:138
struct x509_extensions extensions
Extensions.
Definition: x509.h:216

References x509_extensions::auth_info, ocsp_check::cert, x509_certificate::extensions, x509_ocsp_responder::good, asn1_cursor::len, x509_authority_info_access::ocsp, OCSP_ENABLED, and x509_ocsp_responder::uri.

Referenced by validator_step(), and x509_validate().

◆ ocsp_check()

int ocsp_check ( struct x509_certificate *cert,
struct x509_certificate *issuer,
struct ocsp_check **ocsp
)

Create OCSP check.

Parameters
cert — Certificate to check
issuer — Issuing certificate (must already be valid)
Return values
ocsp — Newly created OCSP check (NULL on failure)
rc — Return status code

Definition at line 279 of file ocsp.c.

/**
 * Create OCSP check
 *
 * Allocates a check object, takes references to both certificates,
 * builds the OCSP request body and the responder URI string.  Only
 * the request is prepared here; fetching the response and feeding it
 * to ocsp_response()/ocsp_validate() is done elsewhere.  The URI is
 * taken from the certificate's own authority information access
 * extension, so it is as trustworthy as the (not yet validated)
 * certificate; the reply fetched from it is only trusted after
 * ocsp_validate() has verified its signature.
 *
 * On success the caller owns one reference to the returned check and
 * must release it with ocsp_put().  On failure @c *ocsp is set to
 * NULL and nothing is leaked.
 *
 * @v cert		Certificate to check
 * @v issuer		Issuing certificate (must already be valid)
 * @ret ocsp		OCSP check, or NULL on failure
 * @ret rc		Return status code
 */
int ocsp_check ( struct x509_certificate *cert,
		 struct x509_certificate *issuer,
		 struct ocsp_check **ocsp ) {
	struct ocsp_check *check;
	int rc;

	/* Sanity checks (debug builds only) */
	assert ( cert != NULL );
	assert ( issuer != NULL );
	assert ( x509_is_valid ( issuer ) );

	/* Allocate zeroed check and take ownership of the certificates */
	check = zalloc ( sizeof ( *check ) );
	if ( ! check ) {
		*ocsp = NULL;
		return -ENOMEM;
	}
	ref_init ( &check->refcnt, ocsp_free );
	check->cert = x509_get ( cert );
	check->issuer = x509_get ( issuer );

	/* Build request body, then the URI string it will be sent to;
	 * dropping our only reference on failure releases everything
	 * acquired above.
	 */
	if ( ( ( rc = ocsp_request ( check ) ) != 0 ) ||
	     ( ( rc = ocsp_uri_string ( check ) ) != 0 ) ) {
		ocsp_put ( check );
		*ocsp = NULL;
		return rc;
	}

	*ocsp = check;
	return 0;
}
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
An OCSP request.
Definition: ocsp.h:42
static int ocsp_uri_string(struct ocsp_check *ocsp)
Build OCSP URI string.
Definition: ocsp.c:211
#define ENOMEM
Not enough space.
Definition: errno.h:534
static int x509_is_valid(struct x509_certificate *cert)
Check if X.509 certificate is valid.
Definition: x509.h:391
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
static void ocsp_put(struct ocsp_check *ocsp)
Drop reference to OCSP check.
Definition: ocsp.h:118
static void ocsp_free(struct refcnt *refcnt)
Free OCSP check.
Definition: ocsp.c:126
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362

References assert(), ENOMEM, NULL, ocsp_free(), ocsp_put(), ocsp_uri_string(), rc, ref_init, x509_get(), x509_is_valid(), and zalloc().

◆ ocsp_response()

int ocsp_response ( struct ocsp_check *ocsp,
const void *data,
size_t len
)

Receive OCSP response.

Parameters
ocsp — OCSP check
data — Raw response data (copied; the caller's buffer may be released afterwards)
len — Length of response data
Return values
rc — Return status code

Definition at line 802 of file ocsp.c.

/**
 * Receive OCSP response
 *
 * Takes a private copy of the raw response and parses it.  Any
 * previously received response data and signer certificate are
 * discarded first, so the function may be called again with a fresh
 * response.  Parsing establishes nothing about trust: the response is
 * still unauthenticated until ocsp_validate() has checked the signer
 * and the signature, and the certificate must not be treated as good
 * before that has succeeded.
 *
 * @v ocsp		OCSP check
 * @v data		Response data
 * @v len		Length of response data
 * @ret rc		Return status code
 */
int ocsp_response ( struct ocsp_check *ocsp, const void *data, size_t len ) {
	struct ocsp_response *response = &ocsp->response;
	struct asn1_cursor raw;
	void *copy;

	/* Forget any earlier response and its signer */
	x509_put ( response->signer );
	response->signer = NULL;
	free ( response->data );
	response->data = NULL;

	/* Keep our own copy; the parsed cursors will point into it */
	copy = malloc ( len );
	if ( ! copy )
		return -ENOMEM;
	memcpy ( copy, data, len );
	response->data = copy;

	/* Parse (structure only; no signature check happens here) */
	raw.data = copy;
	raw.len = len;
	return ocsp_parse_response ( ocsp, &raw );
}
struct x509_certificate * signer
Signing certificate.
Definition: ocsp.h:81
struct ocsp_response response
Response.
Definition: ocsp.h:97
#define ENOMEM
Not enough space.
Definition: errno.h:534
void * memcpy(void *dest, const void *src, size_t len) __nonnull
static int ocsp_parse_response(struct ocsp_check *ocsp, const struct asn1_cursor *raw)
Parse OCSP response.
Definition: ocsp.c:773
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
void * data
Raw response.
Definition: ocsp.h:67
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:583
An OCSP response.
Definition: ocsp.h:65
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
An ASN.1 object cursor.
Definition: asn1.h:19

References data, asn1_cursor::data, ocsp_response::data, ENOMEM, free, len, asn1_cursor::len, malloc(), memcpy(), NULL, ocsp_parse_response(), rc, ocsp_check::response, ocsp_response::signer, and x509_put().

◆ ocsp_validate()

int ocsp_validate ( struct ocsp_check *ocsp,
time_t time
)

Validate OCSP response.

Parameters
ocsp — OCSP check, which must already hold a response parsed by ocsp_response()
time — Time at which to validate the response
Return values
rc — Return status code (0 only if the signer, the signature and the validity window all check out)

Definition at line 894 of file ocsp.c.

/**
 * Validate OCSP response
 *
 * Authenticates a previously parsed response and, if it is current,
 * marks the certificate as passing OCSP.  The order of checks matters
 * and should not be rearranged:
 *
 *  1. decide who signed the response: an embedded signer certificate,
 *     otherwise the issuer itself;
 *  2. a delegated signer must validate *directly* against this issuer
 *     (it is forcibly invalidated first so that no earlier validation
 *     against some other issuer is reused) and must carry the
 *     id-kp-OCSPSigning extended key usage;
 *  3. the response signature must verify under that signer;
 *  4. the response must be current at @c time, within
 *     TIMESTAMP_ERROR_MARGIN of the thisUpdate/nextUpdate window;
 *  5. only then is the certificate marked good and validated against
 *     the issuer.
 *
 * Both x509_validate() calls use ocsp_root, described in ocsp.c as a
 * dummy root certificate store, so the signer is anchored to the
 * issuer rather than to a trusted root.  Whether the response's
 * certID matches the request and whether certStatus is actually
 * "good" is not checked here; presumably ocsp_parse_response()
 * enforces both — confirm there, as nothing below would reject a
 * well-signed response for a different certificate.
 *
 * @v ocsp		OCSP check (must hold a parsed response)
 * @v time		Time at which to validate response
 * @ret rc		Return status code
 */
894  {
895  struct ocsp_response *response = &ocsp->response;
896  struct x509_certificate *signer;
897  int rc;
898 
899  /* Sanity checks */
 /* ocsp_response() must have stored (and parsed) a response first */
900  assert ( response->data != NULL );
901 
902  /* The response may include a signer certificate; if this is
903  * not present then the response must have been signed
904  * directly by the issuer.
905  */
 /* NOTE(review): this is pointer identity, not content equality.  A
  * response that embeds its own copy of the issuer certificate is
  * treated as a delegated signer below and so must also pass the
  * direct-issuance and OCSPSigning checks — unless the parser maps
  * it back onto the cached issuer object, which is not visible here.
  */
906  signer = ( response->signer ? response->signer : ocsp->issuer );
907 
908  /* Validate signer, if applicable. If the signer is not the
909  * issuer, then it must be signed directly by the issuer.
910  */
911  if ( signer != ocsp->issuer ) {
912  /* Forcibly invalidate the signer, since we need to
913  * ensure that it was signed by our issuer (and not
914  * some other issuer). This prevents a sub-CA's OCSP
915  * certificate from fraudulently signing OCSP
916  * responses from the parent CA.
917  */
918  x509_invalidate ( signer );
919  if ( ( rc = x509_validate ( signer, ocsp->issuer, time,
920  &ocsp_root ) ) != 0 ) {
921  DBGC ( ocsp, "OCSP %p \"%s\" could not validate ",
922  ocsp, x509_name ( ocsp->cert ) );
923  DBGC ( ocsp, "signer \"%s\": %s\n",
924  x509_name ( signer ), strerror ( rc ) );
925  return rc;
926  }
927 
928  /* If signer is not the issuer, then it must have the
929  * extendedKeyUsage id-kp-OCSPSigning.
930  */
 /* Without this, any end-entity certificate issued by the same CA
  * could sign OCSP responses for its siblings.
  */
931  if ( ! ( signer->extensions.ext_usage.bits &
932  X509_OCSP_SIGNING ) ) {
933  DBGC ( ocsp, "OCSP %p \"%s\" ",
934  ocsp, x509_name ( ocsp->cert ) );
935  DBGC ( ocsp, "signer \"%s\" is not an OCSP-signing "
936  "certificate\n", x509_name ( signer ) );
937  return -EACCES_NON_OCSP_SIGNING;
938  }
939  }
940 
941  /* Check OCSP response signature */
 /* Binds the response bytes to the signer established above; nothing
  * parsed from the response is trusted until this has succeeded.
  */
942  if ( ( rc = ocsp_check_signature ( ocsp, signer ) ) != 0 )
943  return rc;
944 
945  /* Check OCSP response is valid at the specified time
946  * (allowing for some margin of error).
947  */
 /* Rejects responses dated in the future and responses past their
  * nextUpdate.  Within that window an older (replayed) response is
  * accepted; whether a request nonce is matched is decided in the
  * parser, not here.  NOTE(review): nextUpdate is optional in OCSP
  * responses — what ocsp_parse_response() stores in next_update when
  * it is absent decides whether such responses are always stale here;
  * confirm in ocsp.c.
  */
948  if ( response->this_update > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
949  DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
950  "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
951  return -EACCES_STALE;
952  }
953  if ( response->next_update < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
954  DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
955  "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
956  return -EACCES_STALE;
957  }
958  DBGC2 ( ocsp, "OCSP %p \"%s\" response is valid (at time %lld)\n",
959  ocsp, x509_name ( ocsp->cert ), time );
960 
961  /* Mark certificate as passing OCSP verification */
 /* NOTE(review): the flag is set before the chain validation below
  * and is not cleared if that validation fails, so ocsp_required()
  * will report "not required" for this certificate object from now
  * on.  Presumably harmless, since a certificate that fails
  * x509_validate() is unusable anyway — confirm this is intended.
  */
962  ocsp->cert->extensions.auth_info.ocsp.good = 1;
963 
964  /* Validate certificate against issuer */
965  if ( ( rc = x509_validate ( ocsp->cert, ocsp->issuer, time,
966  &ocsp_root ) ) != 0 ) {
967  DBGC ( ocsp, "OCSP %p \"%s\" could not validate certificate: "
968  "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
969  return rc;
970  }
971  DBGC ( ocsp, "OCSP %p \"%s\" successfully validated ",
972  ocsp, x509_name ( ocsp->cert ) );
973  DBGC ( ocsp, "using \"%s\"\n", x509_name ( signer ) );
974 
975  return 0;
976 }
struct x509_extended_key_usage ext_usage
Extended key usage.
Definition: x509.h:161
int good
OCSP status is good.
Definition: x509.h:132
unsigned int bits
Usage bits.
Definition: x509.h:114
time_t next_update
Time at which newer status information will be available.
Definition: ocsp.h:75
struct x509_certificate * signer
Signing certificate.
Definition: ocsp.h:81
struct ocsp_response response
Response.
Definition: ocsp.h:97
struct x509_certificate * cert
Certificate being checked.
Definition: ocsp.h:89
#define DBGC(...)
Definition: compiler.h:505
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition: x509.c:1313
#define EACCES_NON_OCSP_SIGNING
Definition: ocsp.c:52
struct x509_authority_info_access auth_info
Authority information access.
Definition: x509.h:163
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 certificate.
Definition: x509.h:185
struct x509_certificate * issuer
Issuing certificate.
Definition: ocsp.h:91
time_t this_update
Time at which status is known to be correct.
Definition: ocsp.h:73
void * data
Raw response.
Definition: ocsp.h:67
An OCSP response.
Definition: ocsp.h:65
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:131
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
Definition: crypto.h:51
#define DBGC2(...)
Definition: compiler.h:522
#define EACCES_STALE
Definition: ocsp.c:57
static struct x509_root ocsp_root
OCSP dummy root certificate store.
Definition: ocsp.c:831
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
struct x509_ocsp_responder ocsp
OCSP responder.
Definition: x509.h:138
static int ocsp_check_signature(struct ocsp_check *ocsp, struct x509_certificate *signer)
Check OCSP response signature.
Definition: ocsp.c:844
struct x509_extensions extensions
Extensions.
Definition: x509.h:216
static void x509_invalidate(struct x509_certificate *cert)
Invalidate X.509 certificate.
Definition: x509.h:400

References assert(), x509_extensions::auth_info, x509_extended_key_usage::bits, ocsp_check::cert, ocsp_response::data, DBGC, DBGC2, EACCES_NON_OCSP_SIGNING, EACCES_STALE, x509_extensions::ext_usage, x509_certificate::extensions, x509_ocsp_responder::good, ocsp_check::issuer, ocsp_response::next_update, NULL, x509_authority_info_access::ocsp, ocsp_check_signature(), ocsp_root, rc, ocsp_check::response, ocsp_response::signer, strerror(), ocsp_response::this_update, time, TIMESTAMP_ERROR_MARGIN, x509_invalidate(), x509_name(), X509_OCSP_SIGNING, and x509_validate().

Referenced by validator_ocsp_validate().