#ifndef _IPXE_OCSP_H
#define _IPXE_OCSP_H

/** @file
 *
 * Online Certificate Status Protocol
 *
 * Revocation-status checking of X.509 certificates via OCSP
 * (RFC 6960).  Whether any check is performed at all is a
 * build-time decision: OCSP_ENABLED is derived from OCSP_CHECK in
 * config/crypto.h, and the inline helpers below treat a disabled
 * build as "no check ever required".
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <stdarg.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <config/crypto.h>

/* Allow OCSP to be disabled completely
 *
 * OCSP_ENABLED is a compile-time constant (1 or 0) so that the
 * OCSP code paths can be optimised away entirely when OCSP_CHECK is
 * not defined in config/crypto.h.
 */
#ifdef OCSP_CHECK
#define OCSP_ENABLED 1
#else
#define OCSP_ENABLED 0
#endif

/** OCSP algorithm identifier
 *
 * Expands to the byte list of an ASN.1 AlgorithmIdentifier: an OID
 * whose contents are the variadic arguments (length supplied by
 * VA_ARG_COUNT), followed by an explicit NULL parameters field.
 */
#define OCSP_ALGORITHM_IDENTIFIER( ... )				\
	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\
	ASN1_NULL, 0x00

/* OCSP response statuses
 *
 * Values of the OCSPResponseStatus enumeration (RFC 6960 section
 * 4.2.1).  Value 0x04 is unassigned by the protocol and is
 * deliberately absent here.
 */
#define OCSP_STATUS_SUCCESSFUL 0x00
#define OCSP_STATUS_MALFORMED_REQUEST 0x01
#define OCSP_STATUS_INTERNAL_ERROR 0x02
#define OCSP_STATUS_TRY_LATER 0x03
#define OCSP_STATUS_SIG_REQUIRED 0x05
#define OCSP_STATUS_UNAUTHORIZED 0x06

/* Forward declaration: struct ocsp_check is defined below, but the
 * responder's compare() callback refers to it first.
 */
struct ocsp_check;
40 
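/** An OCSP request */
struct ocsp_request {
	/** Request builder
	 *
	 * ASN.1 builder holding the encoded request as it is assembled.
	 */
	struct asn1_builder builder;
	/** Certificate ID (excluding hashAlgorithm)
	 *
	 * Cursor over the CertID contents that follow the
	 * hashAlgorithm field; the hashAlgorithm itself is not part of
	 * this span.
	 */
	struct asn1_cursor cert_id_tail;
};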
48 
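/** An OCSP responder */
struct ocsp_responder {
	/**
	 * Check if certificate is the responder's certificate
	 *
	 * @v ocsp		OCSP check
	 * @v cert		Certificate
	 * @ret difference	Difference as returned by memcmp()
	 *
	 * Returns zero when @c cert is the responder's certificate,
	 * following the memcmp() convention.
	 */
	int ( * compare ) ( struct ocsp_check *ocsp,
			    struct x509_certificate *cert );
	/** Responder ID
	 *
	 * Cursor over the ResponderID as found in the response.
	 */
	struct asn1_cursor id;
};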
63 
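/** An OCSP response */
struct ocsp_response {
	/** Raw response
	 *
	 * NOTE(review): ownership (who frees this buffer) is not
	 * visible from this header; confirm against ocsp.c.
	 */
	void *data;
	/** Raw tbsResponseData
	 *
	 * Cursor over the to-be-signed portion of the response, i.e.
	 * the bytes that the signature below covers.
	 */
	struct asn1_cursor tbs;
	/** Responder */
	struct ocsp_responder responder;
	/** Time at which status is known to be correct */
	time_t this_update;
	/** Time at which newer status information will be available */
	time_t next_update;
	/** Signature algorithm */
	struct asn1_algorithm *algorithm;
	/** Signature value */
	struct asn1_bit_string signature;
	/** Signing certificate
	 *
	 * NOTE(review): presumably NULL until the signer has been
	 * identified during validation; confirm in ocsp.c.
	 */
	struct x509_certificate *signer;
};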
83 
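/** An OCSP check
 *
 * Reference-counted state for a single revocation check of one
 * certificate against its issuer.  Obtain and release references
 * with ocsp_get() and ocsp_put().
 */
struct ocsp_check {
	/** Reference count */
	struct refcnt refcnt;
	/** Certificate being checked */
	struct x509_certificate *cert;
	/** Issuing certificate */
	struct x509_certificate *issuer;
	/** URI string
	 *
	 * NOTE(review): presumably the responder URI derived from the
	 * certificate's authority information access extension;
	 * confirm in ocsp.c.
	 */
	char *uri_string;
	/** Request */
	struct ocsp_request request;
	/** Response */
	struct ocsp_response response;
};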
99 
/**
 * Get reference to OCSP check
 *
 * Increments the reference count and hands back the same check so
 * the call can be used inline in an assignment.
 *
 * @v ocsp		OCSP check
 * @ret ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) struct ocsp_check *
ocsp_get ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_get ( refcnt );
	return ocsp;
}
111 
/**
 * Drop reference to OCSP check
 *
 * Decrements the reference count; the check is freed by the
 * reference-counting machinery once the last reference is dropped.
 *
 * @v ocsp		OCSP check
 */
static inline __attribute__ (( always_inline )) void
ocsp_put ( struct ocsp_check *ocsp ) {
	struct refcnt *refcnt = &ocsp->refcnt;

	ref_put ( refcnt );
}
121 
/**
 * Check if X.509 certificate requires an OCSP check
 *
 * A check is required only when the certificate names an OCSP
 * responder URI and its OCSP status has not already been marked
 * good.  In a build without OCSP_CHECK this always returns 0, i.e.
 * no revocation status is ever consulted.
 *
 * @v cert		X.509 certificate
 * @ret ocsp_required	An OCSP check is required
 */
static inline int ocsp_required ( struct x509_certificate *cert ) {

	/* Nothing is ever required when OCSP is compiled out */
	if ( ! OCSP_ENABLED )
		return 0;

	/* Without a responder URI there is nothing to check against */
	if ( ! cert->extensions.auth_info.ocsp.uri.len )
		return 0;

	/* Required unless the status is already known to be good */
	return ( ! cert->extensions.auth_info.ocsp.good );
}
140 
/**
 * Create OCSP check
 *
 * @v cert		Certificate being checked
 * @v issuer		Issuing certificate
 * @v ocsp		Location to receive the new OCSP check
 * @ret rc		Return status code
 *
 * NOTE(review): the reference handed back via @c ocsp is presumably
 * owned by the caller and released with ocsp_put(); confirm in ocsp.c.
 */
extern int ocsp_check ( struct x509_certificate *cert,
			struct x509_certificate *issuer,
			struct ocsp_check **ocsp );
/**
 * Receive OCSP response
 *
 * @v ocsp		OCSP check
 * @v data		Raw response data
 * @v len		Length of raw response data
 * @ret rc		Return status code
 */
extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
			   size_t len );
/**
 * Validate OCSP response
 *
 * @v check		OCSP check
 * @v time		Time against which the response is validated
 * @ret rc		Return status code
 */
extern int ocsp_validate ( struct ocsp_check *check, time_t time );
147 
148 #endif /* _IPXE_OCSP_H */