iPXE
ocsp.h
Go to the documentation of this file.
1#ifndef _IPXE_OCSP_H
2#define _IPXE_OCSP_H
3
4/** @file
5 *
6 * Online Certificate Status Protocol
7 *
8 */
9
10FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
11FILE_SECBOOT ( PERMITTED );
12
13#include <stdarg.h>
14#include <time.h>
15#include <ipxe/asn1.h>
16#include <ipxe/x509.h>
17#include <ipxe/refcnt.h>
18#include <config/crypto.h>
19
20/* Allow OCSP to be disabled completely */
21#ifdef OCSP_CHECK
22#define OCSP_ENABLED 1
23#else
24#define OCSP_ENABLED 0
25#endif
26
27/** OCSP algorithm identifier */
28#define OCSP_ALGORITHM_IDENTIFIER( ... ) \
29 ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__, \
30 ASN1_NULL, 0x00
31
32/* OCSP response statuses */
33#define OCSP_STATUS_SUCCESSFUL 0x00
34#define OCSP_STATUS_MALFORMED_REQUEST 0x01
35#define OCSP_STATUS_INTERNAL_ERROR 0x02
36#define OCSP_STATUS_TRY_LATER 0x03
37#define OCSP_STATUS_SIG_REQUIRED 0x05
38#define OCSP_STATUS_UNAUTHORIZED 0x06
39
40struct ocsp_check;
41
42/** An OCSP request */
43struct ocsp_request {
44 /** Request builder */
45 struct asn1_builder builder;
46 /** Certificate ID (excluding hashAlgorithm) */
47 struct asn1_cursor cert_id_tail;
48};
49
50/** An OCSP responder */
51struct ocsp_responder {
52 /**
53 * Check if certificate is the responder's certificate
54 *
55 * @v ocsp OCSP check
56 * @v cert Certificate
57 * @ret difference Difference as returned by memcmp()
58 */
59 int ( * compare ) ( struct ocsp_check *ocsp,
60 struct x509_certificate *cert );
61 /** Responder ID */
62 struct asn1_cursor id;
63};
64
65/** An OCSP response */
66struct ocsp_response {
67 /** Raw response */
68 void *data;
69 /** Raw tbsResponseData */
70 struct asn1_cursor tbs;
71 /** Responder */
72 struct ocsp_responder responder;
73 /** Time at which status is known to be correct */
74 time_t this_update;
75 /** Time at which newer status information will be available */
76 time_t next_update;
77 /** Signature algorithm */
78 struct asn1_algorithm *algorithm;
79 /** Signature value */
80 struct asn1_cursor signature;
81 /** Signing certificate */
82 struct x509_certificate *signer;
83};
84
85/** An OCSP check */
86struct ocsp_check {
87 /** Reference count */
88 struct refcnt refcnt;
89 /** Certificate being checked */
90 struct x509_certificate *cert;
91 /** Issuing certificate */
92 struct x509_certificate *issuer;
93 /** URI string */
94 char *uri_string;
95 /** Request */
96 struct ocsp_request request;
97 /** Response */
98 struct ocsp_response response;
99};
100
101/**
102 * Get reference to OCSP check
103 *
104 * @v ocsp OCSP check
105 * @ret ocsp OCSP check
106 */
107static inline __attribute__ (( always_inline )) struct ocsp_check *
108ocsp_get ( struct ocsp_check *ocsp ) {
109 ref_get ( &ocsp->refcnt );
110 return ocsp;
111}
112
113/**
114 * Drop reference to OCSP check
115 *
116 * @v ocsp OCSP check
117 */
118static inline __attribute__ (( always_inline )) void
119ocsp_put ( struct ocsp_check *ocsp ) {
120 ref_put ( &ocsp->refcnt );
121}
122
123/**
124 * Check if X.509 certificate requires an OCSP check
125 *
126 * @v cert X.509 certificate
127 * @ret ocsp_required An OCSP check is required
128 */
129static inline int ocsp_required ( struct x509_certificate *cert ) {
130
131 /* An OCSP check is never required if OCSP checks are disabled */
132 if ( ! OCSP_ENABLED )
133 return 0;
134
135 /* An OCSP check is required if an OCSP URI exists but the
136 * OCSP status is not (yet) good.
137 */
138 return ( cert->extensions.auth_info.ocsp.uri.len &&
139 ( ! cert->extensions.auth_info.ocsp.good ) );
140}
141
142extern int ocsp_check ( struct x509_certificate *cert,
143 struct x509_certificate *issuer,
144 struct ocsp_check **ocsp );
145extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
146 size_t len );
147extern int ocsp_validate ( struct ocsp_check *check, time_t time );
148
149#endif /* _IPXE_OCSP_H */
asn1.h
ASN.1 encoding.
crypto.h
Cryptographic configuration.
len
ring len
Length.
Definition dwmac.h:226
data
uint8_t data[48]
Additional event data.
Definition ena.h:11
FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
__attribute__
#define __attribute__(x)
Definition compiler.h:10
time.h
Time source.
time_t
int64_t time_t
Seconds since the Epoch.
Definition time.h:19
ocsp_required
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition ocsp.h:129
ocsp_check
int ocsp_check(struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp)
Create OCSP check.
Definition ocsp.c:280
ocsp_validate
int ocsp_validate(struct ocsp_check *check, time_t time)
Validate OCSP response.
Definition ocsp.c:880
ocsp_get
static struct ocsp_check * ocsp_get(struct ocsp_check *ocsp)
Get reference to OCSP check.
Definition ocsp.h:108
ocsp_put
static void ocsp_put(struct ocsp_check *ocsp)
Drop reference to OCSP check.
Definition ocsp.h:119
OCSP_ENABLED
#define OCSP_ENABLED
Definition ocsp.h:24
ocsp_response
int ocsp_response(struct ocsp_check *ocsp, const void *data, size_t len)
Receive OCSP response.
Definition ocsp.c:814
refcnt.h
Reference counting.
ref_get
#define ref_get(refcnt)
Get additional reference to object.
Definition refcnt.h:93
ref_put
#define ref_put(refcnt)
Drop reference to object.
Definition refcnt.h:107
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition asn1.h:408
asn1_builder
An ASN.1 object builder.
Definition asn1.h:29
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25
ocsp_check
An OCSP check.
Definition ocsp.h:86
ocsp_check::uri_string
char * uri_string
URI string.
Definition ocsp.h:94
ocsp_check::refcnt
struct refcnt refcnt
Reference count.
Definition ocsp.h:88
ocsp_check::response
struct ocsp_response response
Response.
Definition ocsp.h:98
ocsp_check::request
struct ocsp_request request
Request.
Definition ocsp.h:96
ocsp_check::issuer
struct x509_certificate * issuer
Issuing certificate.
Definition ocsp.h:92
ocsp_check::cert
struct x509_certificate * cert
Certificate being checked.
Definition ocsp.h:90
ocsp_request
An OCSP request.
Definition ocsp.h:43
ocsp_request::cert_id_tail
struct asn1_cursor cert_id_tail
Certificate ID (excluding hashAlgorithm)
Definition ocsp.h:47
ocsp_request::builder
struct asn1_builder builder
Request builder.
Definition ocsp.h:45
ocsp_responder
An OCSP responder.
Definition ocsp.h:51
ocsp_responder::id
struct asn1_cursor id
Responder ID.
Definition ocsp.h:62
ocsp_responder::compare
int(* compare)(struct ocsp_check *ocsp, struct x509_certificate *cert)
Check if certificate is the responder's certificate.
Definition ocsp.h:59
ocsp_response
An OCSP response.
Definition ocsp.h:66
ocsp_response::algorithm
struct asn1_algorithm * algorithm
Signature algorithm.
Definition ocsp.h:78
ocsp_response::signer
struct x509_certificate * signer
Signing certificate.
Definition ocsp.h:82
ocsp_response::data
void * data
Raw response.
Definition ocsp.h:68
ocsp_response::next_update
time_t next_update
Time at which newer status information will be available.
Definition ocsp.h:76
ocsp_response::this_update
time_t this_update
Time at which status is known to be correct.
Definition ocsp.h:74
ocsp_response::tbs
struct asn1_cursor tbs
Raw tbsResponseData.
Definition ocsp.h:70
ocsp_response::responder
struct ocsp_responder responder
Responder.
Definition ocsp.h:72
ocsp_response::signature
struct asn1_cursor signature
Signature value.
Definition ocsp.h:80
x509_authority_info_access::ocsp
struct x509_ocsp_responder ocsp
OCSP responder.
Definition x509.h:140
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition x509.h:249
x509_extensions::auth_info
struct x509_authority_info_access auth_info
Authority information access.
Definition x509.h:165
x509_ocsp_responder::good
int good
OCSP status is good.
Definition x509.h:134
x509_ocsp_responder::uri
struct asn1_cursor uri
URI.
Definition x509.h:132
x509.h
X.509 certificates.
Generated by doxygen 1.14.0