58 #define ENOTSUP_ALGORITHM \ 59 __einfo_error ( EINFO_ENOTSUP_ALGORITHM ) 60 #define EINFO_ENOTSUP_ALGORITHM \ 61 __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" ) 62 #define ENOTSUP_EXTENSION \ 63 __einfo_error ( EINFO_ENOTSUP_EXTENSION ) 64 #define EINFO_ENOTSUP_EXTENSION \ 65 __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" ) 66 #define EINVAL_ALGORITHM \ 67 __einfo_error ( EINFO_EINVAL_ALGORITHM ) 68 #define EINFO_EINVAL_ALGORITHM \ 69 __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" ) 70 #define EINVAL_ALGORITHM_MISMATCH \ 71 __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH ) 72 #define EINFO_EINVAL_ALGORITHM_MISMATCH \ 73 __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" ) 74 #define EINVAL_PATH_LEN \ 75 __einfo_error ( EINFO_EINVAL_PATH_LEN ) 76 #define EINFO_EINVAL_PATH_LEN \ 77 __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" ) 78 #define EINVAL_VERSION \ 79 __einfo_error ( EINFO_EINVAL_VERSION ) 80 #define EINFO_EINVAL_VERSION \ 81 __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" ) 82 #define EACCES_WRONG_ISSUER \ 83 __einfo_error ( EINFO_EACCES_WRONG_ISSUER ) 84 #define EINFO_EACCES_WRONG_ISSUER \ 85 __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" ) 86 #define EACCES_NOT_CA \ 87 __einfo_error ( EINFO_EACCES_NOT_CA ) 88 #define EINFO_EACCES_NOT_CA \ 89 __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" ) 90 #define EACCES_KEY_USAGE \ 91 __einfo_error ( EINFO_EACCES_KEY_USAGE ) 92 #define EINFO_EACCES_KEY_USAGE \ 93 __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" ) 94 #define EACCES_EXPIRED \ 95 __einfo_error ( EINFO_EACCES_EXPIRED ) 96 #define EINFO_EACCES_EXPIRED \ 97 __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" ) 98 #define EACCES_PATH_LEN \ 99 __einfo_error ( EINFO_EACCES_PATH_LEN ) 100 #define EINFO_EACCES_PATH_LEN \ 101 __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" ) 102 #define EACCES_UNTRUSTED \ 103 __einfo_error ( EINFO_EACCES_UNTRUSTED ) 104 #define EINFO_EACCES_UNTRUSTED \ 105 __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" ) 106 #define EACCES_OUT_OF_ORDER \ 107 __einfo_error ( EINFO_EACCES_OUT_OF_ORDER ) 108 #define EINFO_EACCES_OUT_OF_ORDER \ 109 __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" ) 110 #define EACCES_EMPTY \ 111 __einfo_error ( EINFO_EACCES_EMPTY ) 112 #define EINFO_EACCES_EMPTY \ 113 __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" ) 114 #define EACCES_OCSP_REQUIRED \ 115 __einfo_error ( EINFO_EACCES_OCSP_REQUIRED ) 116 #define EINFO_EACCES_OCSP_REQUIRED \ 117 __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" ) 118 #define EACCES_WRONG_NAME \ 119 __einfo_error ( EINFO_EACCES_WRONG_NAME ) 120 #define EINFO_EACCES_WRONG_NAME \ 121 __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" ) 122 #define EACCES_USELESS \ 123 __einfo_error ( EINFO_EACCES_USELESS ) 124 #define EINFO_EACCES_USELESS \ 125 __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" ) 156 if (
len > (
sizeof ( buf ) - 1 ) )
157 len = (
sizeof ( buf ) - 1 );
163 base16_encode ( fingerprint,
sizeof ( fingerprint ),
164 buf,
sizeof ( buf ) );
190 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
195 DBGC ( cert,
"X509 %p cannot parse version: %s\n",
203 DBGC ( cert,
"X509 %p invalid version %d\n", cert,
version );
210 DBGC2 ( cert,
"X509 %p is a version %d certificate\n",
231 DBGC ( cert,
"X509 %p cannot shrink serialNumber: %s\n",
235 DBGC2 ( cert,
"X509 %p issuer is:\n", cert );
256 DBGC ( cert,
"X509 %p cannot shrink issuer: %s\n",
260 DBGC2 ( cert,
"X509 %p issuer is:\n", cert );
282 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
287 ¬_before->
time ) ) != 0 ) {
288 DBGC ( cert,
"X509 %p cannot parse notBefore: %s\n",
292 DBGC2 ( cert,
"X509 %p valid from time %lld\n",
293 cert, not_before->
time );
298 ¬_after->
time ) ) != 0 ) {
299 DBGC ( cert,
"X509 %p cannot parse notAfter: %s\n",
303 DBGC2 ( cert,
"X509 %p valid until time %lld\n",
304 cert, not_after->
time );
324 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
331 memcpy ( &oid_cursor, &cursor,
sizeof ( oid_cursor ) );
334 memcpy ( &name_cursor, &oid_cursor,
sizeof ( name_cursor ) );
340 DBGC ( cert,
"X509 %p cannot locate name:\n", cert );
353 DBGC2 ( cert,
"X509 %p no commonName found:\n", cert );
372 DBGC2 ( cert,
"X509 %p subject is:\n", cert );
378 DBGC2 ( cert,
"X509 %p common name is \"%s\":\n", cert,
400 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
402 memcpy ( &public_key->
raw, &cursor, sizeof ( public_key->
raw ) );
403 DBGC2 ( cert,
"X509 %p public key is:\n", cert );
411 DBGC ( cert,
"X509 %p could not parse public key algorithm: " 415 DBGC2 ( cert,
"X509 %p public key algorithm is %s\n",
416 cert, (*algorithm)->name );
421 DBGC ( cert,
"X509 %p could not parse public key bits: %s\n",
445 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
453 DBGC ( cert,
"X509 %p cannot parse cA: %s\n",
461 DBGC2 ( cert,
"X509 %p is %sa CA certificate\n",
462 cert, ( basic->
ca ?
"" :
"not " ) );
472 DBGC ( cert,
"X509 %p cannot parse pathLenConstraint: " 477 if ( path_len < 0 ) {
478 DBGC ( cert,
"X509 %p invalid pathLenConstraint %d\n",
484 DBGC2 ( cert,
"X509 %p path length constraint is %d\n",
512 DBGC ( cert,
"X509 %p could not parse key usage: %s\n",
520 if (
len >
sizeof ( usage->
bits ) )
522 for ( i = 0 ; i <
len ; i++ ) {
523 usage->
bits |= ( *(
bytes++) << ( 8 * i ) );
525 DBGC2 ( cert,
"X509 %p key usage is %08x\n", cert, usage->
bits );
539 .
name =
"codeSigning",
544 .name =
"ocspSigning",
566 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
568 DBGC ( cert,
"X509 %p invalid keyPurposeId:\n", cert );
578 DBGC2 ( cert,
"X509 %p has key purpose %s\n",
579 cert, purpose->
name );
602 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
606 while ( cursor.
len ) {
631 DBGC ( cert,
"X509 %p OCSP does not contain " 632 "uniformResourceIdentifier:\n", cert );
636 DBGC2 ( cert,
"X509 %p OCSP URI is:\n", cert );
690 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
694 memcpy ( &subcursor, &cursor,
sizeof ( subcursor ) );
698 DBGC2 ( cert,
"X509 %p found access method %s\n",
702 if (
method && ( (
rc =
method->parse ( cert, &cursor ) ) != 0 ) )
721 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
725 while ( cursor.
len ) {
749 memcpy ( names,
raw,
sizeof ( *names ) );
751 DBGC ( cert,
"X509 %p invalid subjectAltName: %s\n",
756 DBGC2 ( cert,
"X509 %p has subjectAltName:\n", cert );
785 .name =
"basicConstraints",
795 .name =
"extKeyUsage",
800 .name =
"authorityInfoAccess",
805 .name =
"subjectAltName",
848 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
852 memcpy ( &subcursor, &cursor,
sizeof ( subcursor ) );
856 DBGC2 ( cert,
"X509 %p found extension %s\n",
857 cert, ( extension ? extension->
name :
"<unknown>" ) );
862 if ( is_critical < 0 ) {
864 DBGC ( cert,
"X509 %p cannot parse extension " 876 DBGC ( cert,
"X509 %p cannot handle critical " 877 "extension:\n", cert );
888 DBGC ( cert,
"X509 %p extension missing extnValue:\n", cert );
894 if ( (
rc = extension->
parse ( cert, &cursor ) ) != 0 )
913 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
918 while ( cursor.
len ) {
941 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
962 DBGC ( cert,
"X509 %p could not parse signature algorithm: " 966 DBGC2 ( cert,
"X509 %p tbsCertificate signature algorithm is %s\n",
967 cert, (*algorithm)->name );
1013 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
1026 signature_algorithm ) ) != 0 ) {
1027 DBGC ( cert,
"X509 %p could not parse signature algorithm: " 1031 DBGC2 ( cert,
"X509 %p signatureAlgorithm is %s\n",
1032 cert, (*signature_algorithm)->name );
1037 signature_value ) ) != 0 ) {
1038 DBGC ( cert,
"X509 %p could not parse signature value: %s\n",
1042 DBGC2 ( cert,
"X509 %p signatureValue is:\n", cert );
1048 if (
signature->algorithm != (*signature_algorithm) ) {
1049 DBGC ( cert,
"X509 %p signature algorithm %s does not match " 1050 "signatureAlgorithm %s\n",
1052 (*signature_algorithm)->name );
1090 *cert =
zalloc (
sizeof ( **cert ) + cursor.
len );
1094 raw = ( *cert + 1 );
1137 DBGC2 ( cert,
"X509 %p \"%s\" digest:\n", cert,
x509_name ( cert ) );
1138 DBGC2_HDA ( cert, 0, digest_out,
sizeof ( digest_out ) );
1142 DBGC ( cert,
"X509 %p \"%s\" signature algorithm %s does not " 1143 "match signer's algorithm %s\n",
1154 DBGC ( cert,
"X509 %p \"%s\" signature verification failed: " 1156 goto err_pubkey_verify;
1192 DBGC ( cert,
"X509 %p \"%s\" issuer does not match ",
1194 DBGC ( cert,
"X509 %p \"%s\" subject\n",
1205 DBGC ( issuer,
"X509 %p \"%s\" cannot sign ",
1207 DBGC ( issuer,
"X509 %p \"%s\": not a CA certificate\n",
1213 DBGC ( issuer,
"X509 %p \"%s\" cannot sign ",
1215 DBGC ( issuer,
"X509 %p \"%s\": no keyCertSign usage\n",
1236 void *fingerprint ) {
1255 const uint8_t *root_fingerprint =
root->fingerprints;
1262 for ( i = 0 ; i <
root->count ; i++ ) {
1263 if (
memcmp ( fingerprint, root_fingerprint,
1264 sizeof ( fingerprint ) ) == 0 ) {
1265 DBGC ( cert,
"X509 %p \"%s\" is a root certificate\n",
1269 root_fingerprint +=
sizeof ( fingerprint );
1272 DBGC2 ( cert,
"X509 %p \"%s\" is not a root certificate\n",
1289 DBGC ( cert,
"X509 %p \"%s\" is not yet valid (at time %lld)\n",
1294 DBGC ( cert,
"X509 %p \"%s\" has expired (at time %lld)\n",
1299 DBGC2 ( cert,
"X509 %p \"%s\" is valid (at time %lld)\n",
1329 unsigned int max_path_remaining;
1388 DBGC2 ( cert,
"X509 %p \"%s\" has no trusted issuer\n",
1396 DBGC ( cert,
"issuer %p \"%s\" has not yet been validated\n",
1408 DBGC ( cert,
"issuer %p \"%s\" path length exceeded\n",
1415 DBGC ( cert,
"X509 %p \"%s\" requires an OCSP check\n",
1423 DBGC ( cert,
"X509 %p \"%s\" successfully validated using ",
1425 DBGC ( cert,
"issuer %p \"%s\"\n", issuer,
x509_name ( issuer ) );
1439 const char *
name ) {
1440 const char *fullname =
name;
1441 const char *dnsname =
raw->data;
1445 if ( (
len >= 2 ) && ( dnsname[0] ==
'*' ) && ( dnsname[1] ==
'.' ) ) {
1463 if (
name != fullname ) {
1464 DBGC2 ( cert,
"X509 %p \"%s\" found wildcard match for " 1480 const char *
name ) {
1487 if (
raw->len == sizeof (
struct in_addr ) ) {
1491 }
else if (
raw->len == sizeof (
struct in6_addr ) ) {
1496 DBGC ( cert,
"X509 %p \"%s\" has iPAddress with unexpected " 1504 DBGC2 ( cert,
"X509 %p \"%s\" cannot parse \"%s\" as " 1516 DBGC2 ( cert,
"X509 %p \"%s\" found iPAddress match for \"%s\"\n",
1531 const char *
name ) {
1536 memcpy ( &alt_name,
raw,
sizeof ( alt_name ) );
1547 DBGC2 ( cert,
"X509 %p \"%s\" unknown name of type %#02x:\n",
1568 DBGC2 ( cert,
"X509 %p \"%s\" commonName matches \"%s\"\n",
1575 sizeof ( alt_name ) );
1579 DBGC2 ( cert,
"X509 %p \"%s\" subjectAltName matches " 1585 DBGC ( cert,
"X509 %p \"%s\" does not match name \"%s\"\n",
1599 DBGC2 ( chain,
"X509 chain %p freed\n", chain );
1616 chain =
zalloc (
sizeof ( *chain ) );
1624 DBGC2 ( chain,
"X509 chain %p allocated\n", chain );
1646 DBGC ( chain,
"X509 chain %p added X509 %p \"%s\"\n",
1862 DBGC ( chain,
"X509 chain %p has no certificates\n", chain );
1874 if ( cert == previous )
1918 issuer =
link->cert;
1926 issuer =
link->cert;
1932 DBGC ( chain,
"X509 chain %p found no usable certificates\n", chain );
1963 goto err_certificate;
struct asn1_bit_string raw_bits
Raw public key bit string.
#define EINVAL
Invalid argument.
An ASN.1 OID-identified algorithm.
struct asn1_cursor raw
Raw public key information.
struct arbelprm_rc_send_wqe rc
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
struct x509_extended_key_usage ext_usage
Extended key usage.
struct asn1_cursor raw
Raw issuer.
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const void *signature, size_t signature_len)
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
#define AF_INET6
IPv6 Internet addresses.
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
struct x509_chain certstore
Certificate store.
struct asn1_cursor names
Names.
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
unsigned int path_len
Path length.
An X.509 certificate basic constraints set.
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
int asn1_generalized_time(const struct asn1_cursor *cursor, time_t *time)
Parse ASN.1 GeneralizedTime.
struct stp_switch root
Root switch.
static void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
unsigned int bits
Usage bits.
uint32_t next
Next descriptor address.
struct list_head links
List of links.
#define ASN1_BOOLEAN
ASN.1 boolean.
#define ref_init(refcnt, free)
Initialise a reference counter.
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
#define ASN1_OID_SUBJECTALTNAME
ASN.1 OID for id-ce-subjectAltName (2.5.29.17)
struct list_head list
List of links.
uint64_t address
Base address.
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
uint32_t type
Operating system type.
struct x509_issuer issuer
Issuer.
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
struct x509_root root_certificates
Root certificates.
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
struct asn1_algorithm * signature_algorithm
Signature algorithm.
sa_family_t sa_family
Socket address family.
const void * data
Start of data.
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
struct asn1_cursor oid
Object identifier.
#define ENOENT
No such file or directory.
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
struct x509_certificate * cert
Certificate.
struct asn1_algorithm * algorithm
Signature algorithm.
struct asn1_cursor raw
Raw serial number.
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
static int x509_parse_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key usage.
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
struct asn1_cursor oid
Object identifier.
int strncasecmp(const char *first, const char *second, size_t max)
Compare case-insensitive strings.
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
static uint8_t oid_ce_basic_constraints[]
"id-ce-basicConstraints" object identifier
static int x509_parse_issuer(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate issuer.
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
struct golan_eq_context ctx
static unsigned int asn1_type(const struct asn1_cursor *cursor)
Extract ASN.1 type.
int sock_aton(const char *string, struct sockaddr *sa)
Parse socket address.
static int x509_parse_ocsp(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate OCSP access method.
time_t time
Seconds since the Epoch.
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
#define ASN1_SET
ASN.1 set.
static int pubkey_match(struct pubkey_algorithm *pubkey, const struct asn1_cursor *private_key, const struct asn1_cursor *public_key)
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
static int x509_parse_serial(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate serial number.
#define ENOTSUP
Operation not supported.
int present
Key usage extension is present.
size_t len
Length of data.
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
static int x509_parse_basic_constraints(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate basic constraints.
#define list_empty(list)
Test whether a list is empty.
X.509 certificate OCSP responder.
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
#define list_del(list)
Delete an entry from a list.
An X.509 certificate chain.
#define ENOMEM
Not enough space.
static int x509_parse_extended_key_usage(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extended key usage.
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
void * memcpy(void *dest, const void *src, size_t len) __nonnull
static int x509_parse_version(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate version.
#define EACCES_OCSP_REQUIRED
#define list_for_each_entry_safe_continue(pos, tmp, head, member)
Iterate over subsequent entries in a list, safe against deletion.
struct x509_time not_before
Not valid before.
u32 version
Driver version.
int asn1_boolean(const struct asn1_cursor *cursor)
Parse value of ASN.1 boolean.
#define ASN1_OID_BASICCONSTRAINTS
ASN.1 OID for id-ce-basicConstraints (2.5.29.19)
#define EACCES_OUT_OF_ORDER
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
#define container_of(ptr, type, field)
Get containing structure.
struct x509_root * root
Root against which certificate has been validated (if any)
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
struct x509_signature signature
Signature.
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
static int x509_parse_validity(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate validity.
#define EACCES_WRONG_NAME
uint16_t sa_family_t
A socket address family.
u32 link
Link to next descriptor.
static int x509_parse_extension(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extension.
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
static struct x509_access_method x509_access_methods[]
Supported access methods.
An X.509 certificate public key.
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
#define ASN1_OID_COMMON_NAME
ASN.1 OID for commonName (2.5.4.3)
struct x509_authority_info_access auth_info
Authority information access.
struct x509_public_key public_key
Public key information.
int x509_validate_chain(struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
Validate X.509 certificate chain.
struct asn1_cursor uri
URI.
static void digest_init(struct digest_algorithm *digest, void *ctx)
int asn1_integral_bit_string(const struct asn1_cursor *cursor, struct asn1_bit_string *bits)
Parse ASN.1 bit string that must be an integral number of bytes.
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Generalized socket address structure.
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
A link in an X.509 certificate chain.
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
char * strerror(int errno)
Retrieve string representation of error number.
static void(* free)(struct refcnt *refcnt))
struct x509_serial serial
Serial number.
void * zalloc(size_t size)
Allocate cleared memory.
#define ASN1_OID_CODESIGNING
ASN.1 OID for id-kp-codeSigning (1.3.6.1.5.5.7.3.3)
struct x509_subject subject
Subject.
char * strchr(const char *src, int character)
Find character within a string.
static struct x509_extension x509_extensions[]
Supported certificate extensions.
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
struct x509_certificate * x509_find_issuer_serial(struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
Identify X.509 certificate by issuer and serial number.
struct x509_certificate * x509_find_subject(struct x509_chain *store, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
struct asn1_algorithm * algorithm
Public key algorithm.
static struct asn1_cursor oid_common_name_cursor
"commonName" object identifier cursor
int asn1_enter_any(struct asn1_cursor *cursor)
Enter ASN.1 object of any type.
uint64_t serial
Serial number.
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
size_t strlen(const char *src)
Get length of string.
Online Certificate Status Protocol.
static int x509_parse_common_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate common name.
An X.509 certificate key usage.
static uint8_t oid_ce_subject_alt_name[]
"id-ce-subjectAltName" object identifier
static struct x509_key_purpose x509_key_purposes[]
Supported key purposes.
#define ASN1_OID_EXTKEYUSAGE
ASN.1 OID for id-ce-extKeyUsage (2.5.29.37)
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
An X.509 certificate validity period.
#define ASN1_SEQUENCE
ASN.1 sequence.
static uint8_t oid_code_signing[]
"id-kp-codeSigning" object identifier
struct asn1_cursor raw
Raw subject.
#define ASN1_OID_AUTHORITYINFOACCESS
ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1)
#define ASN1_OID_OCSPSIGNING
ASN.1 OID for id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9)
unsigned int bits
Extended key usage bits.
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Cryptographic configuration.
#define ASN1_INTEGER
ASN.1 integer.
static int x509_check_ipaddress(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative iPAddress.
An X.509 root certificate list.
u16 algorithm
Authentication algorithm (Open System or Shared Key)
RSA public-key cryptography.
struct in_addr sin_addr
IPv4 address.
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
struct x509_validity validity
Validity.
#define INIT_LIST_HEAD(list)
Initialise a list head.
struct asn1_cursor common_name
Common name.
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
#define ASN1_OID
ASN.1 object identifier.
static uint8_t oid_ocsp_signing[]
"id-kp-OCSPSigning" object identifier
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
const char * sock_ntoa(struct sockaddr *sa)
Transcribe socket address.
struct x509_subject_alt_name alt_name
Subject alternative name.
static uint8_t oid_pe_authority_info_access[]
"id-pe-authorityInfoAccess" object identifier
static int x509_parse_key_purpose(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate key purpose identifier.
size_t ctxsize
Context size.
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
An X.509 certificate extended key usage.
static int x509_parse_subject(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject.
An X.509 certificate subject.
static uint8_t oid_common_name[]
"commonName" object identifier
unsigned int bits
Usage bits.
size_t digestsize
Digest size.
unsigned int version
Version.
#define ENOTSUP_EXTENSION
static int x509_parse_subject_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate subject alternative name.
int asn1_integer(const struct asn1_cursor *cursor, int *value)
Parse value of ASN.1 integer.
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
REQUIRING_SYMBOL(x509_validate)
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
struct asn1_cursor tbs
Raw tbsCertificate.
#define X509_PATH_LEN_UNLIMITED
Unlimited path length.
A message digest algorithm.
#define EINVAL_ALGORITHM_MISMATCH
X.509 certificate subject alternative name.
struct x509_link store
Link in certificate store.
uint8_t data[48]
Additional event data.
struct x509_time not_after
Not valid after.
static uint8_t oid_ad_ocsp[]
"id-ad-ocsp" object identifier
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
struct x509_certificate * x509_find_key(struct x509_chain *store, struct private_key *key)
Identify X.509 certificate by corresponding public key.
A Uniform Resource Identifier.
static int x509_parse_authority_info_access(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate authority information access.
uint16_t offset
Offset to command line.
struct asn1_cursor oid
Object identifier.
int image_x509(struct image *image, size_t offset, struct x509_certificate **cert)
Extract X.509 certificate object from image.
An X.509 certificate extensions set.
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
struct asn1_cursor raw
Raw certificate.
struct x509_key_usage usage
Key usage.
REQUIRE_OBJECT(certstore)
static uint8_t oid_ce_key_usage[]
"id-ce-keyUsage" object identifier
int64_t time_t
Seconds since the Epoch.
static int x509_parse_access_description(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate access description.
static struct x509_extension * x509_find_extension(const struct asn1_cursor *oid)
Identify X.509 extension by OID.
#define ASN1_OCTET_STRING
ASN.1 octet string.
int(* parse)(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse extension.
u8 signature
CPU signature.
#define list_entry(list, type, member)
Get the container of a list entry.
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
#define ASN1_OID_OCSP
ASN.1 OID for id-ad-ocsp (1.3.6.1.5.5.7.48.1)
#define NULL
NULL pointer (VOID *)
static int x509_parse_extensions(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate extensions, if present.
#define EACCES_WRONG_ISSUER
struct x509_ocsp_responder ocsp
OCSP responder.
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
struct x509_basic_constraints basic
Basic constraints.
#define AF_INET
IPv4 Internet addresses.
struct refcnt refcnt
Reference count.
struct in6_addr sin6_addr
IPv6 address.
struct x509_extensions extensions
Extensions.
static int x509_parse_public_key(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate public key information.
#define ASN1_OID_KEYUSAGE
ASN.1 OID for id-ce-keyUsage (2.5.29.15)
int x509_certificate(const void *data, size_t len, struct x509_certificate **cert)
Create X.509 certificate.
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
An X.509 certificate signature.
static struct x509_access_method * x509_find_access_method(const struct asn1_cursor *oid)
Identify X.509 access method by OID.
static uint8_t oid_ce_ext_key_usage[]
"id-ce-extKeyUsage" object identifier