Certificate validator. More...

#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <ipxe/refcnt.h>
#include <ipxe/malloc.h>
#include <ipxe/interface.h>
#include <ipxe/xfer.h>
#include <ipxe/open.h>
#include <ipxe/iobuf.h>
#include <ipxe/xferbuf.h>
#include <ipxe/process.h>
#include <ipxe/x509.h>
#include <ipxe/settings.h>
#include <ipxe/dhcp.h>
#include <ipxe/base64.h>
#include <ipxe/crc32.h>
#include <ipxe/ocsp.h>
#include <ipxe/job.h>
#include <ipxe/validator.h>
#include <config/crypto.h>

Data Structures
struct	validator_action
	A certificate validator action. More...
struct	validator
	A certificate validator. More...

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
	FILE_SECBOOT (PERMITTED)
static const char *	validator_name (struct validator *validator)
	Get validator name (for debug messages)
static void	validator_free (struct refcnt *refcnt)
	Free certificate validator.
static void	validator_finished (struct validator *validator, int rc)
	Mark certificate validation as finished.
static int	validator_progress (struct validator validator, struct job_progress progress)
	Report job progress.
const struct setting crosscert_setting	__setting (SETTING_CRYPTO, crosscert)
	Cross-signed certificate source setting.
static void	validator_append (struct validator *validator, int rc)
	Append cross-signing certificates to certificate chain.
static int	validator_start_download (struct validator validator, struct x509_link link)
	Start download of cross-signing certificate.
static void	validator_ocsp_validate (struct validator *validator, int rc)
	Validate OCSP response.
static int	validator_start_ocsp (struct validator validator, struct x509_certificate cert, struct x509_certificate *issuer)
	Start OCSP check.
static void	validator_xfer_close (struct validator *validator, int rc)
	Close data transfer interface.
static int	validator_xfer_deliver (struct validator validator, struct io_buffer iobuf, struct xfer_metadata *meta)
	Receive data.
static void	validator_step (struct validator *validator)
	Certificate validation process.
int	create_validator (struct interface job, struct x509_chain chain, struct x509_root *root)
	Instantiate a certificate validator.

Variables
static struct interface_operation	validator_job_operations []
	Certificate validator job control interface operations.
static struct interface_descriptor	validator_job_desc
	Certificate validator job control interface descriptor.
static const char	crosscert_default [] = CROSSCERT
	Default cross-signed certificate source.
static const struct validator_action	validator_crosscert
	Cross-signing certificate download validator action.
static const struct validator_action	validator_ocsp
	OCSP validator action.
static struct interface_operation	validator_xfer_operations []
	Certificate validator data transfer interface operations.
static struct interface_descriptor	validator_xfer_desc
	Certificate validator data transfer interface descriptor.
static struct process_descriptor	validator_process_desc
	Certificate validator process descriptor.

Detailed Description

Certificate validator.

Definition in file validator.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ validator_name()

const char * validator_name ( struct validator * validator )

static

Get validator name (for debug messages)

Parameters

validator Certificate validator

Return values

name	Validator name

Definition at line 138 of file validator.c.

                                                                   {
        struct x509_certificate *cert;
 
        /* Use name of first certificate in chain, if present */
        cert = x509_first ( validator->chain );
        return ( cert ? x509_name ( cert ) : "<empty>" );
}

References validator::chain, x509_first(), and x509_name().

Referenced by create_validator(), validator_append(), validator_free(), validator_ocsp_validate(), validator_start_download(), validator_start_ocsp(), validator_step(), validator_xfer_close(), and validator_xfer_deliver().

◆ validator_free()

void validator_free ( struct refcnt * refcnt )

static

Free certificate validator.

Parameters

refcnt Reference count

Definition at line 151 of file validator.c.

                                                     {
        struct validator *validator =
                container_of ( refcnt, struct validator, refcnt );
 
        DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
                validator, validator_name ( validator ) );
        x509_root_put ( validator->root );
        x509_chain_put ( validator->chain );
        ocsp_put ( validator->ocsp );
        xferbuf_free ( &validator->buffer );
        free ( validator );
}

References validator::buffer, validator::chain, container_of, DBGC2, free, validator::ocsp, ocsp_put(), validator::root, validator_name(), x509_chain_put(), x509_root_put(), and xferbuf_free().

Referenced by create_validator().

◆ validator_finished()

void validator_finished	(	struct validator *	validator,
		int	rc )

static

Mark certificate validation as finished.

Parameters

validator	Certificate validator
rc	Reason for finishing

Definition at line 170 of file validator.c.

                                                                       {
 
        /* Remove process */
        process_del ( &validator->process );
 
        /* Close all interfaces */
        intf_shutdown ( &validator->xfer, rc );
        intf_shutdown ( &validator->job, rc );
}

References intf_shutdown(), validator::job, validator::process, process_del(), rc, and validator::xfer.

Referenced by create_validator(), and validator_step().

◆ validator_progress()

int validator_progress	(	struct validator *	validator,
		struct job_progress *	progress )

static

Report job progress.

Parameters

validator	Certificate validator
progress	Progress report to fill in

Return values

ongoing_rc Ongoing job status code (if known)

Definition at line 193 of file validator.c.

                                                                {
 
        /* Report current action, if applicable */
        if ( validator->action ) {
                snprintf ( progress->message, sizeof ( progress->message ),
                           "%s %s", validator->action->name,
                           x509_name ( validator->cert ) );
        }
 
        return 0;
}

References validator::action, validator::cert, job_progress::message, validator_action::name, snprintf(), and x509_name().

◆ __setting()

const struct setting crosscert_setting __setting	(	SETTING_CRYPTO	,
		crosscert	)

Cross-signed certificate source setting.

References __setting, DHCP_EB_CROSS_CERT, and SETTING_CRYPTO.

◆ validator_append()

void validator_append	(	struct validator *	validator,
		int	rc )

static

Append cross-signing certificates to certificate chain.

Parameters

validator	Certificate validator
rc	Completion status code

Return values

rc	Return status code

Definition at line 240 of file validator.c.

                                                                     {
        struct asn1_cursor cursor;
        struct x509_chain *certs;
        struct x509_certificate *cert;
        struct x509_link *link;
        struct x509_link *prev;
 
        /* Check for errors */
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not download ",
                       validator, validator_name ( validator ) );
                DBGC ( validator, "\"%s\" cross-signature: %s\n",
                       x509_name ( validator->cert ), strerror ( rc ) );
                /* If the overall validation is going to fail, then we
                 * will end up attempting multiple downloads for
                 * non-existent cross-signed certificates as we work
                 * our way up the certificate chain.  Do not record
                 * these as relevant errors, since we want to
                 * eventually report whichever much more relevant
                 * error occurred previously.
                 */
                goto err_irrelevant;
        }
        DBGC ( validator, "VALIDATOR %p \"%s\" downloaded ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" cross-signature\n",
               x509_name ( validator->cert ) );
 
        /* Allocate certificate list */
        certs = x509_alloc_chain();
        if ( ! certs ) {
                rc = -ENOMEM;
                goto err_alloc_certs;
        }
 
        /* Initialise cursor */
        cursor.data = validator->buffer.data;
        cursor.len = validator->buffer.len;
 
        /* Enter certificateSet */
        if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
                       "certificateSet: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_certificateset;
        }
 
        /* Add each certificate to list */
        while ( cursor.len ) {
 
                /* Add certificate to list */
                if ( ( rc = x509_append_raw ( certs, cursor.data,
                                              cursor.len ) ) != 0 ) {
                        DBGC ( validator, "VALIDATOR %p \"%s\" could not "
                               "append certificate: %s\n", validator,
                               validator_name ( validator ), strerror ( rc) );
                        DBGC_HDA ( validator, 0, cursor.data, cursor.len );
                        goto err_append_raw;
                }
                cert = x509_last ( certs );
                DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
                       validator, validator_name ( validator ) );
                DBGC ( validator, "%s\n", x509_name ( cert ) );
 
                /* Move to next certificate */
                asn1_skip_any ( &cursor );
        }
 
        /* Truncate existing certificate chain at current link */
        link = validator->link;
        assert ( link->flags & X509_LINK_FL_CROSSED );
        x509_truncate ( validator->chain, link );
 
        /* Append certificates to chain */
        if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
                       "certificates: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_auto_append;
        }
 
        /* Record that a cross-signed certificate download has already
         * been performed for all but the last of the appended
         * certificates.  (It may be necessary to perform a further
         * download to complete the chain, if this download did not
         * extend all the way to a root of trust.)
         */
        prev = NULL;
        list_for_each_entry_continue ( link, &validator->chain->links, list ) {
                if ( prev )
                        prev->flags |= X509_LINK_FL_CROSSED;
                prev = link;
        }
 
        /* Success */
        rc = 0;
 
 err_auto_append:
 err_append_raw:
 err_certificateset:
        x509_chain_put ( certs );
 err_alloc_certs:
        validator->rc = rc;
 err_irrelevant:
        /* Do not record irrelevant errors */
        return;
}

References asn1_enter(), ASN1_SET, asn1_skip_any(), assert, validator::buffer, validator::cert, x509_link::cert, validator::chain, asn1_cursor::data, xfer_buffer::data, DBGC, DBGC_HDA, ENOMEM, x509_link::flags, asn1_cursor::len, xfer_buffer::len, link, validator::link, x509_chain::links, x509_link::list, list_for_each_entry_continue, NULL, rc, validator::rc, strerror(), validator_name(), x509_alloc_chain(), x509_append_raw(), x509_auto_append(), x509_chain_put(), x509_last(), X509_LINK_FL_CROSSED, x509_name(), and x509_truncate().

◆ validator_start_download()

int validator_start_download	(	struct validator *	validator,
		struct x509_link *	link )

static

Start download of cross-signing certificate.

Parameters

validator	Certificate validator
link	Link in certificate chain

Return values

rc	Return status code

Definition at line 361 of file validator.c.

                                                               {
        struct x509_certificate *cert = link->cert;
        const struct asn1_cursor *issuer = &cert->issuer.raw;
        const char *crosscert;
        char *crosscert_copy;
        char *uri_string;
        size_t uri_string_len;
        uint32_t crc;
        int len;
        int rc;
 
        /* Determine cross-signed certificate source */
        fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
        crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
        if ( ! crosscert[0] ) {
                rc = -EINVAL;
                goto err_check_uri_string;
        }
 
        /* Allocate URI string */
        uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
                           + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
        uri_string = zalloc ( uri_string_len );
        if ( ! uri_string ) {
                rc = -ENOMEM;
                goto err_alloc_uri_string;
        }
 
        /* Generate CRC32 */
        crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
 
        /* Generate URI string */
        len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
                         crosscert, crc );
        base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
                        ( uri_string_len - len ) );
        DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" cross-signature from %s\n",
               x509_name ( cert ), uri_string );
 
        /* Set completion handler */
        validator->action = &validator_crosscert;
        validator->cert = cert;
        validator->link = link;
 
        /* Open URI */
        if ( ( rc = xfer_open_uri_string ( &validator->xfer,
                                           uri_string ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
                       "%s\n", validator, validator_name ( validator ),
                       uri_string, strerror ( rc ) );
                goto err_open_uri_string;
        }
 
        /* Free temporary allocations */
        free ( uri_string );
        free ( crosscert_copy );
 
        /* Success */
        return 0;
 
        intf_restart ( &validator->xfer, rc );
 err_open_uri_string:
        free ( uri_string );
 err_alloc_uri_string:
 err_check_uri_string:
        free ( crosscert_copy );
        validator->rc = rc;
        return rc;
}

References validator::action, base64_encode(), base64_encoded_len(), validator::cert, crc32_le(), crosscert_default, asn1_cursor::data, DBGC, EINVAL, ENOMEM, fetch_string_setting_copy(), free, intf_restart(), x509_certificate::issuer, asn1_cursor::len, len, link, validator::link, NULL, x509_issuer::raw, rc, validator::rc, snprintf(), strerror(), strlen(), validator_crosscert, validator_name(), x509_name(), validator::xfer, xfer_open_uri_string(), and zalloc().

Referenced by validator_step().

◆ validator_ocsp_validate()

void validator_ocsp_validate	(	struct validator *	validator,
		int	rc )

static

Validate OCSP response.

Parameters

validator	Certificate validator
rc	Completion status code

Definition at line 446 of file validator.c.

                                                                            {
        const void *data = validator->buffer.data;
        size_t len = validator->buffer.len;
        time_t now;
 
        /* Check for errors */
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not fetch OCSP "
                       "response: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_status;
        }
 
        /* Record OCSP response */
        if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
                       "response: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_response;
        }
 
        /* Validate OCSP response */
        now = time ( NULL );
        if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
                       "OCSP response: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_validate;
        }
 
        /* Success */
        DBGC ( validator, "VALIDATOR %p \"%s\" checked ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" via OCSP\n", x509_name ( validator->cert ) );
 
 err_validate:
 err_response:
 err_status:
        ocsp_put ( validator->ocsp );
        validator->ocsp = NULL;
        validator->rc = rc;
}

References validator::buffer, validator::cert, data, xfer_buffer::data, DBGC, len, xfer_buffer::len, NULL, validator::ocsp, ocsp_put(), ocsp_validate(), rc, validator::rc, strerror(), validator_name(), and x509_name().

◆ validator_start_ocsp()

int validator_start_ocsp	(	struct validator *	validator,
		struct x509_certificate *	cert,
		struct x509_certificate *	issuer )

static

Start OCSP check.

Parameters

validator	Certificate validator
cert	Certificate to check
issuer	Issuing certificate

Return values

rc	Return status code

Definition at line 503 of file validator.c.

                                                                    {
        const char *uri_string;
        int rc;
 
        /* Create OCSP check */
        assert ( validator->ocsp == NULL );
        if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
                       "check: %s\n", validator, validator_name ( validator ),
                       strerror ( rc ) );
                goto err_check;
        }
 
        /* Set completion handler */
        validator->action = &validator_ocsp;
        validator->cert = cert;
 
        /* Open URI */
        uri_string = validator->ocsp->uri_string;
        DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" via %s\n",
               x509_name ( cert ), uri_string );
        if ( ( rc = xfer_open_uri_string ( &validator->xfer,
                                           uri_string ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
                       "%s\n", validator, validator_name ( validator ),
                       uri_string, strerror ( rc ) );
                goto err_open;
        }
 
        return 0;
 
        intf_restart ( &validator->xfer, rc );
 err_open:
        ocsp_put ( validator->ocsp );
        validator->ocsp = NULL;
 err_check:
        validator->rc = rc;
        return rc;
}

References validator::action, assert, validator::cert, DBGC, intf_restart(), NULL, validator::ocsp, ocsp_put(), rc, validator::rc, strerror(), ocsp_check::uri_string, validator_name(), validator_ocsp, x509_name(), validator::xfer, and xfer_open_uri_string().

Referenced by validator_step().

◆ validator_xfer_close()

void validator_xfer_close	(	struct validator *	validator,
		int	rc )

static

Close data transfer interface.

Parameters

validator	Certificate validator
rc	Reason for close

Definition at line 559 of file validator.c.

                                                                         {
 
        /* Close data transfer interface */
        intf_restart ( &validator->xfer, rc );
        DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
                validator, validator_name ( validator ) );
 
        /* Process completed download */
        assert ( validator->action != NULL );
        validator->action->done ( validator, rc );
 
        /* Free downloaded data */
        xferbuf_free ( &validator->buffer );
 
        /* Resume validation process */
        process_add ( &validator->process );
}

References validator::action, assert, validator::buffer, DBGC2, validator_action::done, intf_restart(), NULL, validator::process, process_add(), rc, validator_name(), validator::xfer, and xferbuf_free().

Referenced by validator_xfer_deliver().

◆ validator_xfer_deliver()

int validator_xfer_deliver	(	struct validator *	validator,
		struct io_buffer *	iobuf,
		struct xfer_metadata *	meta )

static

Receive data.

Parameters

validator	Certificate validator
iobuf	I/O buffer
meta	Data transfer metadata

Return values

rc	Return status code

Definition at line 585 of file validator.c.

                                                                 {
        int rc;
 
        /* Add data to buffer */
        if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
                                      meta ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
                       "data: %s\n", validator, validator_name ( validator ),
                       strerror ( rc ) );
                validator_xfer_close ( validator, rc );
                return rc;
        }
 
        return 0;
}

References validator::buffer, DBGC, iob_disown, meta, rc, strerror(), validator_name(), validator_xfer_close(), and xferbuf_deliver().

◆ validator_step()

void validator_step ( struct validator * validator )

static

Certificate validation process.

Parameters

validator Certificate validator

Definition at line 624 of file validator.c.

                                                           {
        struct x509_chain *chain = validator->chain;
        struct x509_link *link;
        struct x509_link *prev;
        struct x509_certificate *cert;
        time_t now;
        int rc;
 
        /* Try validating chain.  Try even if the chain is incomplete,
         * since certificates may already have been validated
         * previously.
         */
        now = time ( NULL );
        if ( ( rc = x509_validate_chain ( chain, now, NULL,
                                          validator->root ) ) == 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
                       validator, validator_name ( validator ) );
                validator_finished ( validator, 0 );
                return;
        }
        DBGC ( validator, "VALIDATOR %p \"%s\" not yet valid: %s\n",
               validator, validator_name ( validator ), strerror ( rc ) );
 
        /* Record as the most relevant error, if no more relevant
         * error has already been recorded.
         */
        if ( validator->rc == 0 )
                validator->rc = rc;
 
        /* Find the first valid link in the chain, if any
         *
         * There is no point in attempting OCSP or cross-signed
         * certificate downloads for certificates after the first
         * valid link in the chain, since they cannot make a
         * difference to the overall validation of the chain.
         */
        prev = NULL;
        list_for_each_entry ( link, &chain->links, list ) {
 
                /* Dump link information (for debugging) */
                DBGC ( validator, "VALIDATOR %p \"%s\" has link ",
                       validator, validator_name ( validator ) );
                DBGC ( validator, "\"%s\"%s%s%s%s%s\n",
                       x509_name ( link->cert ),
                       ( ocsp_required ( link->cert ) ? " [NEEDOCSP]" : "" ),
                       ( ( link->flags & X509_LINK_FL_OCSPED ) ?
                         " [OCSPED]" : "" ),
                       ( ( link->flags & X509_LINK_FL_CROSSED ) ?
                         " [CROSSED]" : "" ),
                       ( x509_is_self_signed ( link->cert ) ? " [SELF]" : "" ),
                       ( x509_is_valid ( link->cert, validator->root ) ?
                         " [VALID]" : "" ) );
 
                /* Stop at first valid link */
                if ( x509_is_valid ( link->cert, validator->root ) )
                        break;
                prev = link;
        }
 
        /* If this link is the issuer for a certificate that is
         * pending an OCSP check attempt, then start OCSP to validate
         * that certificate.
         *
         * If OCSP is not required for the issued certificate, or has
         * already been attempted, or if we were unable to start OCSP
         * for any reason, then proceed to attempting a cross-signed
         * certificate download (which may end up replacing this
         * issuer anyway).
         */
        if ( ( ! list_is_head_entry ( link, &chain->links, list ) ) &&
             ( ! ( link->flags & X509_LINK_FL_OCSPED ) ) &&
             ( prev != NULL ) && ocsp_required ( prev->cert ) ) {
 
                /* Mark OCSP as attempted with this issuer */
                link->flags |= X509_LINK_FL_OCSPED;
 
                /* Start OCSP */
                if ( ( rc = validator_start_ocsp ( validator, prev->cert,
                                                   link->cert ) ) == 0 ) {
                        /* Sleep until OCSP is complete */
                        return;
                }
        }
 
        /* Work back up the chain (starting from the already
         * identified first valid link, if any) to find a not-yet
         * valid certificate for which we could attempt to download a
         * cross-signed certificate chain.
         */
        list_for_each_entry_continue_reverse ( link, &chain->links, list ) {
                cert = link->cert;
 
                /* Sanity check */
                assert ( ! x509_is_valid ( cert, validator->root ) );
 
                /* Skip self-signed certificates (cannot be cross-signed) */
                if ( x509_is_self_signed ( cert ) )
                        continue;
 
                /* Skip previously attempted cross-signed downloads */
                if ( link->flags & X509_LINK_FL_CROSSED )
                        continue;
 
                /* Mark cross-signed certificate download as attempted */
                link->flags |= X509_LINK_FL_CROSSED;
 
                /* Start cross-signed certificate download */
                if ( ( rc = validator_start_download ( validator,
                                                       link ) ) == 0 ) {
                        /* Sleep until download is complete */
                        return;
                }
        }
 
        /* Nothing more to try: fail the validation */
        validator_finished ( validator, validator->rc );
}

References assert, x509_link::cert, validator::chain, DBGC, link, x509_chain::links, list_for_each_entry, list_for_each_entry_continue_reverse, list_is_head_entry, NULL, ocsp_required(), rc, validator::rc, validator::root, strerror(), validator_finished(), validator_name(), validator_start_download(), validator_start_ocsp(), x509_is_self_signed(), x509_is_valid(), X509_LINK_FL_CROSSED, X509_LINK_FL_OCSPED, x509_name(), and x509_validate_chain().

◆ create_validator()

int create_validator	(	struct interface *	job,
		struct x509_chain *	chain,
		struct x509_root *	root )

Instantiate a certificate validator.

Parameters

job	Job control interface
chain	X.509 certificate chain
root	Root of trust, or NULL to use default

Return values

rc	Return status code

Definition at line 760 of file validator.c.

                                                {
        struct validator *validator;
        int rc;
 
        /* Sanity check */
        if ( ! chain ) {
                rc = -EINVAL;
                goto err_sanity;
        }
 
        /* Allocate and initialise structure */
        validator = zalloc ( sizeof ( *validator ) );
        if ( ! validator ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        ref_init ( &validator->refcnt, validator_free );
        intf_init ( &validator->job, &validator_job_desc,
                    &validator->refcnt );
        intf_init ( &validator->xfer, &validator_xfer_desc,
                    &validator->refcnt );
        process_init ( &validator->process, &validator_process_desc,
                       &validator->refcnt );
        validator->root = x509_root_get ( root );
        validator->chain = x509_chain_get ( chain );
        xferbuf_malloc_init ( &validator->buffer );
 
        /* Attach parent interface, mortalise self, and return */
        intf_plug_plug ( &validator->job, job );
        ref_put ( &validator->refcnt );
        DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
                validator, validator_name ( validator ), validator->chain );
        return 0;
 
        validator_finished ( validator, rc );
        ref_put ( &validator->refcnt );
 err_alloc:
 err_sanity:
        return rc;
}

References validator::buffer, validator::chain, DBGC2, EINVAL, ENOMEM, intf_init(), intf_plug_plug(), validator::job, validator::process, process_init(), rc, ref_init, ref_put, validator::refcnt, root, validator::root, validator_finished(), validator_free(), validator_job_desc, validator_name(), validator_process_desc, validator_xfer_desc, x509_chain_get(), x509_root_get(), validator::xfer, xferbuf_malloc_init(), and zalloc().

Referenced by imgverify(), and tls_new_server_hello_done().

Variable Documentation

◆ validator_job_operations

struct interface_operation validator_job_operations[]

static

Initial value:

= {
        INTF_OP ( job_progress, struct validator *, validator_progress ),
        INTF_OP ( intf_close, struct validator *, validator_finished ),
}

Certificate validator job control interface operations.

Definition at line 207 of file validator.c.

                                                               {
        INTF_OP ( job_progress, struct validator *, validator_progress ),
        INTF_OP ( intf_close, struct validator *, validator_finished ),
};

◆ validator_job_desc

struct interface_descriptor validator_job_desc

static

Initial value:

=

INTF_DESC ( struct validator, job, validator_job_operations )

INTF_DESC

#define INTF_DESC(object_type, intf, operations)

Define an object interface descriptor.

Definition interface.h:81

validator_job_operations

static struct interface_operation validator_job_operations[]

Certificate validator job control interface operations.

Definition validator.c:207

Certificate validator job control interface descriptor.

Definition at line 213 of file validator.c.

Referenced by create_validator().

◆ crosscert_default

const char crosscert_default[] = CROSSCERT

static

Default cross-signed certificate source.

Definition at line 231 of file validator.c.

Referenced by validator_start_download().

◆ validator_crosscert

const struct validator_action validator_crosscert

static

Initial value:

= {
        .name = "XCRT",
        .done = validator_append,
}

Cross-signing certificate download validator action.

Definition at line 349 of file validator.c.

                                                           {
        .name = "XCRT",
        .done = validator_append,
};

Referenced by validator_start_download().

◆ validator_ocsp

const struct validator_action validator_ocsp

static

Initial value:

= {
        .name = "OCSP",
        .done = validator_ocsp_validate,
}

OCSP validator action.

Definition at line 490 of file validator.c.

                                                      {
        .name = "OCSP",
        .done = validator_ocsp_validate,
};

Referenced by validator_start_ocsp().

◆ validator_xfer_operations

struct interface_operation validator_xfer_operations[]

static

Initial value:

= {
        INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
        INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
}

Certificate validator data transfer interface operations.

Definition at line 604 of file validator.c.

                                                                {
        INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
        INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};