1 #ifndef _IPXE_OCSP_H
2 #define _IPXE_OCSP_H
3 
4 /** @file
5  *
6  * Online Certificate Status Protocol
7  *
8  */
9 
10 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
11 FILE_SECBOOT ( PERMITTED );
12 
13 #include <stdarg.h>
14 #include <time.h>
15 #include <ipxe/asn1.h>
16 #include <ipxe/x509.h>
17 #include <ipxe/refcnt.h>
18 #include <config/crypto.h>
19 
/* Allow OCSP to be disabled completely
 *
 * OCSP_CHECK is presumably supplied (or not) by <config/crypto.h>,
 * included above.  When it is undefined OCSP_ENABLED is 0 and
 * ocsp_required() below always answers 0, i.e. certificate
 * revocation status is never queried at all.
 */
#ifdef OCSP_CHECK
#define OCSP_ENABLED 1
#else
#define OCSP_ENABLED 0
#endif
26 
/** OCSP algorithm identifier
 *
 * Expands to the DER bytes of an AlgorithmIdentifier with a NULL
 * parameter: the OID tag, a length (VA_ARG_COUNT presumably yields
 * the number of arguments supplied), the argument bytes themselves,
 * then a NULL tag with a zero length.  The arguments are therefore
 * expected to be the encoded OID content bytes, one per argument,
 * so that the length is computed correctly.  Presumably used inside
 * a byte-array initialiser.
 */
#define OCSP_ALGORITHM_IDENTIFIER( ... ) \
	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__, \
	ASN1_NULL, 0x00
31 
/* OCSP response statuses
 *
 * Values of the OCSPResponseStatus enumeration (RFC 6960 section
 * 4.2.1).  Value 0x04 is absent on purpose: it is unassigned in the
 * RFC, not an omission here.  Only OCSP_STATUS_SUCCESSFUL carries a
 * usable response body; every other value means no status
 * information was returned.
 */
#define OCSP_STATUS_SUCCESSFUL 0x00
#define OCSP_STATUS_MALFORMED_REQUEST 0x01
#define OCSP_STATUS_INTERNAL_ERROR 0x02
#define OCSP_STATUS_TRY_LATER 0x03
#define OCSP_STATUS_SIG_REQUIRED 0x05
#define OCSP_STATUS_UNAUTHORIZED 0x06
39 
40 struct ocsp_check;
41 
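/** An OCSP request */
struct ocsp_request {
	/** Request builder
	 *
	 * ASN.1 object builder; presumably holds the DER-encoded
	 * request as it is assembled.
	 */
	struct asn1_builder builder;
	/** Certificate ID (excluding hashAlgorithm)
	 *
	 * Cursor covering the CertID fields after hashAlgorithm.
	 * Presumably kept so that the CertID in the response can be
	 * matched against the one that was requested; confirm in
	 * ocsp.c.
	 */
	struct asn1_cursor cert_id_tail;
};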
49 
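/** An OCSP responder */
struct ocsp_responder {
	/**
	 * Check if certificate is the responder's certificate
	 *
	 * @v ocsp		OCSP check
	 * @v cert		Certificate
	 * @ret difference	Difference as returned by memcmp()
	 *
	 * A zero result means @c cert is the certificate identified
	 * by the responder (and so the one whose key must verify the
	 * response signature).  Presumably selected according to the
	 * ResponderID form used in the response.
	 */
	int ( * compare ) ( struct ocsp_check *ocsp,
			    struct x509_certificate *cert );
	/** Responder ID
	 *
	 * Cursor covering the ResponderID value that @c compare
	 * matches certificates against.
	 */
	struct asn1_cursor id;
};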
64 
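/** An OCSP response */
struct ocsp_response {
	/** Raw response
	 *
	 * NOTE(review): ownership of this buffer (who allocates and
	 * frees it, and whether the cursors below point into it) is
	 * not visible in this header — see ocsp.c.
	 */
	void *data;
	/** Raw tbsResponseData
	 *
	 * The signed portion of the response; per RFC 6960 the
	 * signature is computed over tbsResponseData, so this is the
	 * range @c signature must be verified against.
	 */
	struct asn1_cursor tbs;
	/** Responder */
	struct ocsp_responder responder;
	/** Time at which status is known to be correct */
	time_t this_update;
	/** Time at which newer status information will be available */
	time_t next_update;
	/** Signature algorithm */
	struct asn1_algorithm *algorithm;
	/** Signature value */
	struct asn1_cursor signature;
	/** Signing certificate
	 *
	 * The certificate whose public key is used to verify
	 * @c signature; presumably located via responder.compare.
	 */
	struct x509_certificate *signer;
};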
84 
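/** An OCSP check */
struct ocsp_check {
	/** Reference count
	 *
	 * Manipulated via ocsp_get() / ocsp_put() below.
	 */
	struct refcnt refcnt;
	/** Certificate being checked */
	struct x509_certificate *cert;
	/** Issuing certificate
	 *
	 * NOTE(review): whether @c cert and @c issuer hold their own
	 * references for the lifetime of the check is not visible
	 * here — confirm in ocsp.c.
	 */
	struct x509_certificate *issuer;
	/** URI string
	 *
	 * OCSP responder URI as a NUL-terminated string, presumably
	 * derived from the certificate's authority information access
	 * extension (the same field ocsp_required() consults).
	 */
	char *uri_string;
	/** Request */
	struct ocsp_request request;
	/** Response */
	struct ocsp_response response;
};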
100 
/**
 * Get reference to OCSP check
 *
 * Takes one additional reference on the check and hands back the
 * same pointer, so the call can be used inline wherever the check
 * is stored elsewhere.
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check (same pointer, one more reference held)
 */
static inline __attribute__ (( always_inline )) struct ocsp_check *
ocsp_get ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_get ( refcnt );
	return ocsp;
}
112 
/**
 * Drop reference to OCSP check
 *
 * Releases one reference taken by ocsp_get() (or by whoever created
 * the check).  The pointer must not be used afterwards unless the
 * caller still holds another reference.
 *
 * @v ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) void
ocsp_put ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_put ( refcnt );
}
122 
/**
 * Check if X.509 certificate requires an OCSP check
 *
 * A check is required only when OCSP support is compiled in
 * (OCSP_ENABLED), the certificate carries an OCSP responder URI in
 * its authority information access extension, and that certificate's
 * OCSP status has not already been recorded as good.
 *
 * With OCSP_CHECK undefined in the crypto configuration this always
 * returns 0, so revocation status is never consulted for any
 * certificate.
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {

	/* Nothing is ever required when OCSP support is compiled out */
	if ( ! OCSP_ENABLED )
		return 0;

	/* Without a responder URI there is nobody to ask */
	if ( ! cert->extensions.auth_info.ocsp.uri.len )
		return 0;

	/* A URI exists: a check is needed unless the status is
	 * already known to be good.
	 */
	return ( ! cert->extensions.auth_info.ocsp.good );
}
141 
/**
 * Create OCSP check
 *
 * @v cert		Certificate being checked
 * @v issuer		Issuing certificate
 * @ret ocsp		OCSP check
 * @ret rc		Return status code
 */
extern int ocsp_check ( struct x509_certificate *cert,
			struct x509_certificate *issuer,
			struct ocsp_check **ocsp );
/**
 * Receive OCSP response
 *
 * @v ocsp		OCSP check
 * @v data		Raw response data (untrusted network input)
 * @v len		Length of raw response data
 * @ret rc		Return status code
 */
extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
			   size_t len );
/**
 * Validate OCSP response
 *
 * @v check		OCSP check
 * @v time		Time against which the response is judged
 *			(presumably the current time, so an incorrect
 *			clock affects the validity window check)
 * @ret rc		Return status code
 */
extern int ocsp_validate ( struct ocsp_check *check, time_t time );
148 
149 #endif /* _IPXE_OCSP_H */