x509.h File Reference

X.509 certificates. More...

#include <stdint.h>
#include <stddef.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/refcnt.h>
#include <ipxe/list.h>


Data Structures

struct  x509_serial
 An X.509 serial number. More...
struct  x509_issuer
 An X.509 issuer. More...
struct  x509_time
 An X.509 time. More...
struct  x509_validity
 An X.509 certificate validity period. More...
struct  x509_public_key
 An X.509 certificate public key. More...
struct  x509_subject
 An X.509 certificate subject. More...
struct  x509_signature
 An X.509 certificate signature. More...
struct  x509_basic_constraints
 An X.509 certificate basic constraints set. More...
struct  x509_key_usage
 An X.509 certificate key usage. More...
struct  x509_extended_key_usage
 An X.509 certificate extended key usage. More...
struct  x509_ocsp_responder
 X.509 certificate OCSP responder. More...
struct  x509_authority_info_access
 X.509 certificate authority information access. More...
struct  x509_subject_alt_name
 X.509 certificate subject alternative name. More...
struct  x509_extensions
 An X.509 certificate extensions set. More...
struct  x509_link
 A link in an X.509 certificate chain. More...
struct  x509_chain
 An X.509 certificate chain. More...
struct  x509_certificate
 An X.509 certificate. More...
struct  x509_extension
 An X.509 extension. More...
struct  x509_key_purpose
 An X.509 key purpose. More...
struct  x509_access_method
 An X.509 access method. More...
struct  x509_root
 An X.509 root certificate list. More...

Macros

#define X509_PATH_LEN_UNLIMITED   -2U
 Unlimited path length.

Enumerations

enum  x509_key_usage_bits {
  X509_DIGITAL_SIGNATURE = 0x0080 , X509_NON_REPUDIATION = 0x0040 , X509_KEY_ENCIPHERMENT = 0x0020 , X509_DATA_ENCIPHERMENT = 0x0010 ,
  X509_KEY_AGREEMENT = 0x0008 , X509_KEY_CERT_SIGN = 0x0004 , X509_CRL_SIGN = 0x0002 , X509_ENCIPHER_ONLY = 0x0001 ,
  X509_DECIPHER_ONLY = 0x8000
}
 X.509 certificate key usage bits. More...
enum  x509_extended_key_usage_bits { X509_CODE_SIGNING = 0x0001 , X509_OCSP_SIGNING = 0x0002 }
 X.509 certificate extended key usage bits. More...
enum  x509_general_name_types { X509_GENERAL_NAME_DNS = ASN1_IMPLICIT_TAG ( 2 ) , X509_GENERAL_NAME_URI = ASN1_IMPLICIT_TAG ( 6 ) , X509_GENERAL_NAME_IP = ASN1_IMPLICIT_TAG ( 7 ) }
 X.509 certificate general name types. More...
enum  x509_link_flags { X509_LINK_FL_CROSSED = 0x0001 , X509_LINK_FL_OCSPED = 0x0002 }
 X.509 certificate chain link flags. More...
enum  x509_flags { X509_FL_PERMANENT = 0x0001 , X509_FL_EXPLICIT = 0x0002 }
 X.509 certificate flags. More...

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
static struct x509_certificate * x509_get (struct x509_certificate *cert)
 Get reference to X.509 certificate.
static void x509_put (struct x509_certificate *cert)
 Drop reference to X.509 certificate.
static struct x509_chain * x509_chain_get (struct x509_chain *chain)
 Get reference to X.509 certificate chain.
static void x509_chain_put (struct x509_chain *chain)
 Drop reference to X.509 certificate chain.
static struct x509_certificate * x509_first (struct x509_chain *chain)
 Get first certificate in X.509 certificate chain.
static struct x509_certificate * x509_last (struct x509_chain *chain)
 Get last certificate in X.509 certificate chain.
static struct x509_root * x509_root_get (struct x509_root *root)
 Get reference to X.509 root certificate list.
static void x509_root_put (struct x509_root *root)
 Drop reference to X.509 root certificate list.
static int x509_is_self_signed (struct x509_certificate *cert)
 Check if X.509 certificate is self-signed.
const char * x509_name (struct x509_certificate *cert)
 Get X.509 certificate display name.
int x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate from ASN.1 data.
int x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
 Create X.509 certificate.
int x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
 Check if X.509 certificate is valid.
void x509_set_valid (struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
 Set X.509 certificate as validated.
int x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
 Validate X.509 certificate.
int x509_check_name (struct x509_certificate *cert, const char *name)
 Check X.509 certificate name.
struct x509_chain * x509_alloc_chain (void)
 Allocate X.509 certificate chain.
int x509_append (struct x509_chain *chain, struct x509_certificate *cert)
 Append X.509 certificate to X.509 certificate chain.
int x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
 Append X.509 certificate to X.509 certificate chain.
void x509_truncate (struct x509_chain *chain, struct x509_link *link)
 Truncate X.509 certificate chain.
struct x509_certificate * x509_find (struct x509_chain *store, const struct asn1_cursor *raw)
 Identify X.509 certificate by raw certificate data.
struct x509_certificate * x509_find_subject (struct x509_chain *store, const struct asn1_cursor *subject)
 Identify X.509 certificate by subject.
struct x509_certificate * x509_find_issuer_serial (struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
 Identify X.509 certificate by issuer and serial number.
struct x509_certificate * x509_find_key (struct x509_chain *store, struct private_key *key)
 Identify X.509 certificate by corresponding public key.
int x509_auto_append (struct x509_chain *chain, struct x509_chain *store)
 Append X.509 certificates to X.509 certificate chain.
int x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
 Validate X.509 certificate chain.
int image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
 Extract X.509 certificate object from image.
int x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
 Check X.509 certificate against issuer certificate.
void x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
 Calculate X.509 certificate fingerprint.
int x509_check_root (struct x509_certificate *cert, struct x509_root *root)
 Check X.509 root certificate.
int x509_check_time (struct x509_certificate *cert, time_t time)
 Check X.509 certificate validity period.
static void x509_invalidate (struct x509_certificate *cert)
 Invalidate X.509 certificate.
static void x509_invalidate_chain (struct x509_chain *chain)
 Invalidate X.509 certificate chain.

Detailed Description

X.509 certificates.

Definition in file x509.h.

Macro Definition Documentation

◆ X509_PATH_LEN_UNLIMITED

#define X509_PATH_LEN_UNLIMITED   -2U

Unlimited path length.

We use -2U, since this quantity represents one fewer than the maximum number of remaining certificates in a chain.

Definition at line 90 of file x509.h.

Referenced by x509_parse_basic_constraints().

Enumeration Type Documentation

◆ x509_key_usage_bits

X.509 certificate key usage bits.

Enumerator
X509_DIGITAL_SIGNATURE 
X509_NON_REPUDIATION 
X509_KEY_ENCIPHERMENT 
X509_DATA_ENCIPHERMENT 
X509_KEY_AGREEMENT 
X509_KEY_CERT_SIGN 
X509_CRL_SIGN 
X509_ENCIPHER_ONLY 
X509_DECIPHER_ONLY 

Definition at line 101 of file x509.h.

101 {
102 X509_DIGITAL_SIGNATURE = 0x0080,
103 X509_NON_REPUDIATION = 0x0040,
104 X509_KEY_ENCIPHERMENT = 0x0020,
105 X509_DATA_ENCIPHERMENT = 0x0010,
106 X509_KEY_AGREEMENT = 0x0008,
107 X509_KEY_CERT_SIGN = 0x0004,
108 X509_CRL_SIGN = 0x0002,
109 X509_ENCIPHER_ONLY = 0x0001,
110 X509_DECIPHER_ONLY = 0x8000,
111};
@ X509_CRL_SIGN
Definition x509.h:108
@ X509_KEY_CERT_SIGN
Definition x509.h:107
@ X509_DIGITAL_SIGNATURE
Definition x509.h:102
@ X509_KEY_AGREEMENT
Definition x509.h:106
@ X509_ENCIPHER_ONLY
Definition x509.h:109
@ X509_NON_REPUDIATION
Definition x509.h:103
@ X509_DECIPHER_ONLY
Definition x509.h:110
@ X509_DATA_ENCIPHERMENT
Definition x509.h:105
@ X509_KEY_ENCIPHERMENT
Definition x509.h:104

◆ x509_extended_key_usage_bits

X.509 certificate extended key usage bits.

Extended key usages are identified by OID; these bits are purely an internal definition.

Enumerator
X509_CODE_SIGNING 
X509_OCSP_SIGNING 

Definition at line 124 of file x509.h.

124 {
125 X509_CODE_SIGNING = 0x0001,
126 X509_OCSP_SIGNING = 0x0002,
127};
@ X509_CODE_SIGNING
Definition x509.h:125
@ X509_OCSP_SIGNING
Definition x509.h:126

◆ x509_general_name_types

X.509 certificate general name types.

Enumerator
X509_GENERAL_NAME_DNS 
X509_GENERAL_NAME_URI 
X509_GENERAL_NAME_IP 

Definition at line 150 of file x509.h.

150 {
154};
#define ASN1_IMPLICIT_TAG(number)
ASN.1 implicit tag.
Definition asn1.h:96
@ X509_GENERAL_NAME_URI
Definition x509.h:152
@ X509_GENERAL_NAME_DNS
Definition x509.h:151
@ X509_GENERAL_NAME_IP
Definition x509.h:153

◆ x509_link_flags

X.509 certificate chain link flags.

Enumerator
X509_LINK_FL_CROSSED 

Cross-signed certificate download has been attempted.

This indicates that a cross-signature download attempt has been made to find a cross-signed issuer for this link's certificate.

X509_LINK_FL_OCSPED 

OCSP has been attempted.

This indicates that an OCSP attempt has been made using this link's certificate as an issuer. (We record the flag on the issuer rather than on the issued certificate, since we want to retry OCSP if an issuer is replaced with a downloaded cross-signed certificate.)

Definition at line 181 of file x509.h.

181 {
182 /** Cross-signed certificate download has been attempted
183 *
184 * This indicates that a cross-signature download attempt has
185 * been made to find a cross-signed issuer for this link's
186 * certificate.
187 */
188 X509_LINK_FL_CROSSED = 0x0001,
189 /** OCSP has been attempted
190 *
191 * This indicates that an OCSP attempt has been made using
192 * this link's certificate as an issuer. (We record the flag
193 * on the issuer rather than on the issued certificate, since
194 * we want to retry OCSP if an issuer is replaced with a
195 * downloaded cross-signed certificate.)
196 */
197 X509_LINK_FL_OCSPED = 0x0002,
198};
@ X509_LINK_FL_OCSPED
OCSP has been attempted.
Definition x509.h:197
@ X509_LINK_FL_CROSSED
Cross-signed certificate download has been attempted.
Definition x509.h:188

◆ x509_flags

enum x509_flags

X.509 certificate flags.

Enumerator
X509_FL_PERMANENT 

Certificate was added at build time.

X509_FL_EXPLICIT 

Certificate was added explicitly at run time.

Definition at line 253 of file x509.h.

253 {
254 /** Certificate was added at build time */
255 X509_FL_PERMANENT = 0x0001,
256 /** Certificate was added explicitly at run time */
257 X509_FL_EXPLICIT = 0x0002,
258};
@ X509_FL_EXPLICIT
Certificate was added explicitly at run time.
Definition x509.h:257
@ X509_FL_PERMANENT
Certificate was added at build time.
Definition x509.h:255

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ x509_get()

struct x509_certificate * x509_get ( struct x509_certificate * cert)
inlinestatic

Get reference to X.509 certificate.

Parameters
cert X.509 certificate
Return values
cert X.509 certificate

Definition at line 267 of file x509.h.

267 {
268 ref_get ( &cert->refcnt );
269 return cert;
270}
#define ref_get(refcnt)
Get additional reference to object.
Definition refcnt.h:93
struct refcnt refcnt
Reference count.
Definition x509.h:218

References ref_get, and x509_certificate::refcnt.

Referenced by cert_exec(), certstore_add(), ocsp_check(), x509_append(), and x509_certificate().

◆ x509_put()

void x509_put ( struct x509_certificate * cert)
inlinestatic

Drop reference to X.509 certificate.

Parameters
cert X.509 certificate

Definition at line 278 of file x509.h.

278 {
279 ref_put ( &cert->refcnt );
280}
#define ref_put(refcnt)
Drop reference to object.
Definition refcnt.h:107

References ref_put, and x509_certificate::refcnt.

Referenced by cert_exec(), certstore_apply_settings(), certstore_del(), cms_test_exec(), icert_free(), image_x509(), ocsp_free(), ocsp_parse_certs(), ocsp_response(), ocsp_test_exec(), x509_append(), x509_append_raw(), x509_cached_okx(), x509_certificate(), x509_test_exec(), and x509_truncate().

◆ x509_chain_get()

struct x509_chain * x509_chain_get ( struct x509_chain * chain)
inlinestatic

Get reference to X.509 certificate chain.

Parameters
chain X.509 certificate chain
Return values
chain X.509 certificate chain

Definition at line 289 of file x509.h.

289 {
290 ref_get ( &chain->refcnt );
291 return chain;
292}
struct refcnt refcnt
Reference count.
Definition x509.h:203

References ref_get, and x509_chain::refcnt.

Referenced by create_validator().

◆ x509_chain_put()

void x509_chain_put ( struct x509_chain * chain)
inlinestatic

Drop reference to X.509 certificate chain.

Parameters
chain X.509 certificate chain

Definition at line 300 of file x509.h.

300 {
301 ref_put ( &chain->refcnt );
302}

References ref_put, and x509_chain::refcnt.

Referenced by cms_free(), free_tls(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), validator_free(), and x509_test_exec().

◆ x509_first()

struct x509_certificate * x509_first ( struct x509_chain * chain)
inlinestatic

Get first certificate in X.509 certificate chain.

Parameters
chain X.509 certificate chain
Return values
cert X.509 certificate, or NULL

Definition at line 311 of file x509.h.

311 {
312 struct x509_link *link;
313
314 link = list_first_entry ( &chain->links, struct x509_link, list );
315 return ( link ? link->cert : NULL );
316}
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition list.h:334
struct list_head links
List of links.
Definition x509.h:205

References link, x509_chain::links, x509_link::list, list_first_entry, and NULL.

Referenced by cms_recipient(), cms_verify(), cms_verify_signer(), tls_send_certificate_verify(), tls_validator_done(), validator_name(), and x509_chain_okx().

◆ x509_last()

struct x509_certificate * x509_last ( struct x509_chain * chain)
inlinestatic

Get last certificate in X.509 certificate chain.

Parameters
chain X.509 certificate chain
Return values
cert X.509 certificate, or NULL

Definition at line 325 of file x509.h.

325 {
326 struct x509_link *link;
327
328 link = list_last_entry ( &chain->links, struct x509_link, list );
329 return ( link ? link->cert : NULL );
330}
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition list.h:347

References link, x509_chain::links, x509_link::list, list_last_entry, and NULL.

Referenced by cms_parse_certificates(), efi_cacert(), tls_parse_chain(), validator_append(), and x509_auto_append().

◆ x509_root_get()

struct x509_root * x509_root_get ( struct x509_root * root)
inlinestatic

Get reference to X.509 root certificate list.

Parameters
root X.509 root certificate list
Return values
root X.509 root certificate list

Definition at line 393 of file x509.h.

393 {
394 ref_get ( &root->refcnt );
395 return root;
396}

References ref_get, and root.

Referenced by add_tls(), create_validator(), tls_session(), and x509_set_valid().

◆ x509_root_put()

void x509_root_put ( struct x509_root * root)
inlinestatic

Drop reference to X.509 root certificate list.

Parameters
root X.509 root certificate list

Definition at line 404 of file x509.h.

404 {
405 ref_put ( &root->refcnt );
406}

References ref_put, and root.

Referenced by free_tls(), free_tls_session(), validator_free(), x509_free(), x509_invalidate(), and x509_set_valid().

◆ x509_is_self_signed()

int x509_is_self_signed ( struct x509_certificate * cert)
inlinestatic

Check if X.509 certificate is self-signed.

Parameters
cert X.509 certificate
Return values
is_self_signed X.509 certificate is self-signed (issuer and subject names are identical)

Definition at line 414 of file x509.h.

414 {
415 return ( asn1_compare ( &cert->issuer.raw, &cert->subject.raw ) == 0 );
416}
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition asn1.c:458
struct x509_subject subject
Subject.
Definition x509.h:245
struct x509_issuer issuer
Issuer.
Definition x509.h:241
struct asn1_cursor raw
Raw issuer.
Definition x509.h:32
struct asn1_cursor raw
Raw subject.
Definition x509.h:62

References asn1_compare(), x509_certificate::issuer, x509_issuer::raw, x509_subject::raw, and x509_certificate::subject.

Referenced by validator_step(), and x509_test_exec().

◆ x509_name()

const char * x509_name ( struct x509_certificate * cert)
extern

Get X.509 certificate display name.

Parameters
cert X.509 certificate
Return values
name Display name (points to a static buffer that is overwritten by the next call; a commonName longer than the buffer is truncated)

Definition at line 147 of file x509.c.

147 {
148 struct asn1_cursor *common_name = &cert->subject.common_name;
149 struct digest_algorithm *digest = &sha1_algorithm;
150 static char buf[64];
151 uint8_t fingerprint[ digest->digestsize ];
152 size_t len;
153
154 len = common_name->len;
155 if ( len ) {
156 /* Certificate has a commonName: use that */
157 if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
158 len = ( sizeof ( buf ) - 1 /* NUL */ );
159 memcpy ( buf, common_name->data, len );
160 buf[len] = '\0';
161 } else {
162 /* Certificate has no commonName: use SHA-1 fingerprint */
163 x509_fingerprint ( cert, digest, fingerprint );
164 base16_encode ( fingerprint, sizeof ( fingerprint ),
165 buf, sizeof ( buf ) );
166 }
167 return buf;
168}
unsigned char uint8_t
Definition stdint.h:10
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition sha1.c:258
An ASN.1 object cursor.
Definition asn1.h:21
const void * data
Start of data.
Definition asn1.h:23
size_t len
Length of data.
Definition asn1.h:25
A message digest algorithm.
Definition crypto.h:19
size_t digestsize
Digest size.
Definition crypto.h:27
struct asn1_cursor common_name
Common name.
Definition x509.h:64
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition x509.c:1237

References x509_subject::common_name, asn1_cursor::data, digest_algorithm::digestsize, asn1_cursor::len, len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), efi_cacert(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_ocsp_validate(), validator_progress(), validator_start_download(), validator_start_ocsp(), validator_step(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

◆ x509_parse()

int x509_parse ( struct x509_certificate * cert,
const struct asn1_cursor * raw )
extern

Parse X.509 certificate from ASN.1 data.

Parameters
cert X.509 certificate
raw ASN.1 cursor
Return values
rc Return status code

Definition at line 1008 of file x509.c.

1009 {
1010 struct x509_signature *signature = &cert->signature;
1011 struct asn1_algorithm **signature_algorithm = &signature->algorithm;
1012 struct asn1_cursor *signature_value = &signature->value;
1013 struct asn1_cursor cursor;
1014 int rc;
1015
1016 /* Record raw certificate */
1017 memcpy ( &cursor, raw, sizeof ( cursor ) );
1018 memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
1019
1020 /* Enter certificate */
1021 asn1_enter ( &cursor, ASN1_SEQUENCE );
1022
1023 /* Parse tbsCertificate */
1024 if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
1025 return rc;
1026 asn1_skip_any ( &cursor );
1027
1028 /* Parse signatureAlgorithm */
1029 if ( ( rc = asn1_signature_algorithm ( &cursor,
1030 signature_algorithm ) ) != 0 ) {
1031 DBGC ( cert, "X509 %p could not parse signature algorithm: "
1032 "%s\n", cert, strerror ( rc ) );
1033 return rc;
1034 }
1035 DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
1036 cert, (*signature_algorithm)->name );
1037 asn1_skip_any ( &cursor );
1038
1039 /* Parse signatureValue */
1040 memcpy ( signature_value, &cursor, sizeof ( *signature_value ) );
1041 if ( ( rc = asn1_enter_bits ( signature_value, NULL ) ) != 0 ) {
1042 DBGC ( cert, "X509 %p could not parse signature value: %s\n",
1043 cert, strerror ( rc ) );
1044 return rc;
1045 }
1046 DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
1047 DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
1048
1049 /* Check that algorithm in tbsCertificate matches algorithm in
1050 * signature
1051 */
1052 if ( signature->algorithm != (*signature_algorithm) ) {
1053 DBGC ( cert, "X509 %p signature algorithm %s does not match "
1054 "signatureAlgorithm %s\n",
1055 cert, signature->algorithm->name,
1056 (*signature_algorithm)->name );
1058 }
1059
1060 return 0;
1061}
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition asn1.c:290
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition asn1.c:169
int asn1_enter_bits(struct asn1_cursor *cursor, unsigned int *unused)
Enter ASN.1 bit string.
Definition asn1.c:311
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition asn1.c:624
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition asn1.h:90
#define DBGC2(...)
Definition compiler.h:522
#define DBGC2_HDA(...)
Definition compiler.h:523
#define DBGC(...)
Definition compiler.h:505
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
An ASN.1 OID-identified algorithm.
Definition asn1.h:408
struct x509_signature signature
Signature.
Definition x509.h:247
struct asn1_cursor raw
Raw certificate.
Definition x509.h:231
An X.509 certificate signature.
Definition x509.h:70
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Definition x509.c:938
#define EINVAL_ALGORITHM_MISMATCH
Definition x509.c:71

References asn1_enter(), asn1_enter_bits(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_cursor::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_cursor::len, memcpy(), NULL, raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

◆ x509_certificate()

int x509_certificate ( const void * data,
size_t len,
struct x509_certificate ** cert )
extern

Create X.509 certificate.

Parameters
data Raw certificate data
len Length of raw data
Return values
cert X.509 certificate
rc Return status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1074 of file x509.c.

1075 {
1076 struct asn1_cursor cursor;
1077 void *raw;
1078 int rc;
1079
1080 /* Initialise cursor */
1081 cursor.data = data;
1082 cursor.len = len;
1083 asn1_shrink_any ( &cursor );
1084
1085 /* Return stored certificate, if present */
1086 if ( ( *cert = x509_find ( NULL, &cursor ) ) != NULL ) {
1087
1088 /* Add caller's reference */
1089 x509_get ( *cert );
1090 return 0;
1091 }
1092
1093 /* Allocate and initialise certificate */
1094 *cert = zalloc ( sizeof ( **cert ) + cursor.len );
1095 if ( ! *cert )
1096 return -ENOMEM;
1097 ref_init ( &(*cert)->refcnt, x509_free );
1098 raw = ( *cert + 1 );
1099
1100 /* Copy raw data */
1101 memcpy ( raw, cursor.data, cursor.len );
1102 cursor.data = raw;
1103
1104 /* Parse certificate */
1105 if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
1106 x509_put ( *cert );
1107 *cert = NULL;
1108 return rc;
1109 }
1110
1111 /* Add certificate to store */
1112 certstore_add ( *cert );
1113
1114 return 0;
1115}
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition asn1.c:300
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition certstore.c:101
#define ENOMEM
Not enough space.
Definition errno.h:535
void * zalloc(size_t size)
Allocate cleared memory.
Definition malloc.c:662
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition refcnt.h:65
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition x509.c:1008
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
Definition x509.c:133
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
Definition x509.c:1746
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition x509.h:267
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition x509.h:278

References asn1_shrink_any(), certstore_add(), asn1_cursor::data, data, ENOMEM, asn1_cursor::len, len, memcpy(), NULL, raw, rc, ref_init, x509_find(), x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

◆ x509_is_valid()

int x509_is_valid ( struct x509_certificate * cert,
struct x509_root * root )
extern

Check if X.509 certificate is valid.

Parameters
cert X.509 certificate
root Root certificate list, or NULL to use default

Definition at line 1313 of file x509.c.

1313 {
1314
1315 /* Use default root certificate store if none specified */
1316 if ( ! root )
1318
1319 return ( cert->root == root );
1320}
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79
struct x509_root * root
Root against which certificate has been validated (if any)
Definition x509.h:226

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

◆ x509_set_valid()

void x509_set_valid ( struct x509_certificate * cert,
struct x509_certificate * issuer,
struct x509_root * root )
extern

Set X.509 certificate as validated.

Parameters
cert X.509 certificate
issuer Issuing X.509 certificate (or NULL)
root Root certificate list

Definition at line 1329 of file x509.c.

1331 {
1332 unsigned int max_path_remaining;
1333
1334 /* Sanity checks */
1335 assert ( root != NULL );
1336 assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );
1337
1338 /* Record validation root */
1339 x509_root_put ( cert->root );
1340 cert->root = x509_root_get ( root );
1341
1342 /* Calculate effective path length */
1343 cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
1344 if ( issuer ) {
1345 max_path_remaining = ( issuer->path_remaining - 1 );
1346 if ( cert->path_remaining > max_path_remaining )
1347 cert->path_remaining = max_path_remaining;
1348 }
1349}
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
unsigned int path_len
Path length.
Definition x509.h:82
struct x509_extensions extensions
Extensions.
Definition x509.h:249
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition x509.h:228
struct x509_basic_constraints basic
Basic constraints.
Definition x509.h:159
static struct x509_root * x509_root_get(struct x509_root *root)
Get reference to X.509 root certificate list.
Definition x509.h:393
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition x509.h:404

References assert, x509_extensions::basic, x509_certificate::extensions, NULL, x509_basic_constraints::path_len, x509_certificate::path_remaining, root, x509_certificate::root, x509_root_get(), and x509_root_put().

Referenced by efi_cacert(), and x509_validate().

◆ x509_validate()

int x509_validate ( struct x509_certificate * cert,
struct x509_certificate * issuer,
time_t time,
struct x509_root * root )
extern

Validate X.509 certificate.

Parameters
cert X.509 certificate
issuer Issuing X.509 certificate (or NULL)
time Time at which to validate certificate
root Root certificate list, or NULL to use default
Return values
rc Return status code

The issuing certificate must have already been validated.

Validation results are cached per root: if a certificate has already been successfully validated against the specified root (or the default root list when root is NULL), then issuer and time will be ignored.

Definition at line 1366 of file x509.c.

1368 {
1369 int rc;
1370
1371 /* Use default root certificate store if none specified */
1372 if ( ! root )
1374
1375 /* Return success if certificate has already been validated */
1376 if ( x509_is_valid ( cert, root ) )
1377 return 0;
1378
1379 /* Fail if certificate is invalid at specified time */
1380 if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
1381 return rc;
1382
1383 /* Succeed if certificate is a trusted root certificate */
1384 if ( x509_check_root ( cert, root ) == 0 ) {
1385 x509_set_valid ( cert, NULL, root );
1386 return 0;
1387 }
1388
1389 /* Fail unless we have an issuer */
1390 if ( ! issuer ) {
1391 DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
1392 cert, x509_name ( cert ) );
1393 return -EACCES_UNTRUSTED;
1394 }
1395
1396 /* Fail unless issuer has already been validated */
1397 if ( ! x509_is_valid ( issuer, root ) ) {
1398 DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1399 DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1400 issuer, x509_name ( issuer ) );
1401 return -EACCES_OUT_OF_ORDER;
1402 }
1403
1404 /* Fail if issuing certificate cannot validate this certificate */
1405 if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
1406 return rc;
1407
1408 /* Fail if path length constraint is violated */
1409 if ( issuer->path_remaining == 0 ) {
1410 DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1411 DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1412 issuer, x509_name ( issuer ) );
1413 return -EACCES_PATH_LEN;
1414 }
1415
1416 /* Fail if OCSP is required */
1417 if ( ocsp_required ( cert ) ) {
1418 DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1419 cert, x509_name ( cert ) );
1420 return -EACCES_OCSP_REQUIRED;
1421 }
1422
1423 /* Mark certificate as valid */
1424 x509_set_valid ( cert, issuer, root );
1425
1426 DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1427 cert, x509_name ( cert ) );
1428 DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1429 return 0;
1430}
#define EACCES_UNTRUSTED
Definition image.c:49
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition ocsp.h:129
#define EACCES_OCSP_REQUIRED
Definition x509.c:115
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
Definition x509.c:1255
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
Definition x509.c:1177
#define EACCES_PATH_LEN
Definition x509.c:99
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
Definition x509.c:1313
#define EACCES_OUT_OF_ORDER
Definition x509.c:107
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
Definition x509.c:1287
void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition x509.c:1329

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), REQUIRING_SYMBOL(), and x509_validate_chain().

◆ x509_check_name()

int x509_check_name ( struct x509_certificate * cert,
const char * name )
extern

Check X.509 certificate name.

Parameters
cert: X.509 certificate
name: Name to match (e.g. a hostname)
Return values
rc: Return status code

Definition at line 1564 of file x509.c.

{
	/* Match a name against this certificate's subject names.
	 *
	 * Returns 0 if either the subject commonName or any entry of
	 * the subjectAltName extension matches, otherwise
	 * -EACCES_WRONG_NAME.  Note that commonName is consulted first,
	 * even when subjectAltName entries are present.
	 */
	const struct asn1_cursor *cn = &cert->subject.common_name;
	struct asn1_cursor san;

	/* The commonName is tried before any subjectAltName entry */
	if ( x509_check_dnsname ( cert, cn, name ) == 0 ) {
		DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
			cert, x509_name ( cert ), name );
		return 0;
	}

	/* Walk the subjectAltName sequence on a private copy of the
	 * cursor, so that skipping entries leaves the certificate's
	 * own cursor untouched.
	 */
	san = cert->extensions.alt_name.names;
	while ( san.len ) {
		if ( x509_check_alt_name ( cert, &san, name ) == 0 ) {
			DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
				"\"%s\"\n", cert, x509_name ( cert ), name );
			return 0;
		}
		asn1_skip_any ( &san );
	}

	DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
	       cert, x509_name ( cert ), name );
	return -EACCES_WRONG_NAME;
}
const char * name
Definition ath9k_hw.c:1986
#define EACCES_WRONG_NAME
Definition cms.c:55
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition x509.h:167
struct asn1_cursor names
Names.
Definition x509.h:146
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition x509.c:1440
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
Definition x509.c:1532

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

◆ x509_alloc_chain()

struct x509_chain * x509_alloc_chain ( void )
extern

Allocate X.509 certificate chain.

Return values
chain: X.509 certificate chain, or NULL on allocation failure

Definition at line 1615 of file x509.c.

{
	/* Allocate a new, empty, reference-counted certificate chain.
	 *
	 * Returns the chain with one reference held by the caller, or
	 * NULL if allocation fails.  ref_init() registers
	 * x509_free_chain() as the routine run when the last reference
	 * is dropped.
	 */
	struct x509_chain *new_chain = zalloc ( sizeof ( *new_chain ) );

	if ( ! new_chain )
		return NULL;

	/* Reference counting and an initially empty link list */
	ref_init ( &new_chain->refcnt, x509_free_chain );
	INIT_LIST_HEAD ( &new_chain->links );

	DBGC2 ( new_chain, "X509 chain %p allocated\n", new_chain );
	return new_chain;
}
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition list.h:46
An X.509 certificate chain.
Definition x509.h:201
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
Definition x509.c:1598

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse_participants(), cms_parse_signed(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

◆ x509_append()

int x509_append ( struct x509_chain * chain,
struct x509_certificate * cert )
extern

Append X.509 certificate to X.509 certificate chain.

Parameters
chain: X.509 certificate chain
cert: X.509 certificate
Return values
rc: Return status code

Definition at line 1638 of file x509.c.

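{
	/* Append a certificate to a chain.
	 *
	 * The chain takes its own reference to the certificate (via
	 * x509_get()), which is released again when the link is freed
	 * by x509_truncate().  Returns 0 on success or -ENOMEM if the
	 * link cannot be allocated; the caller's own reference is not
	 * affected either way.
	 */
	struct x509_link *link;
	int rc;

	/* Hold a temporary reference across the allocation, so that
	 * allocating the link cannot invalidate the certificate.
	 */
	x509_get ( cert );

	/* Allocate link */
	link = zalloc ( sizeof ( *link ) );
	if ( ! link ) {
		rc = -ENOMEM;
		goto err_alloc;
	}

	/* Add link to chain, with the chain's own reference */
	link->cert = x509_get ( cert );
	list_add_tail ( &link->list, &chain->links );
	DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
	       chain, cert, x509_name ( cert ) );

	/* Success */
	rc = 0;

 err_alloc:
	/* Drop the temporary reference on every path.  Previously it
	 * was dropped only on success, so an allocation failure leaked
	 * one reference to the certificate.
	 */
	x509_put ( cert );
	return rc;
}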
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition list.h:94

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, rc, x509_get(), x509_name(), x509_put(), and zalloc().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

◆ x509_append_raw()

int x509_append_raw ( struct x509_chain * chain,
const void * data,
size_t len )
extern

Append X.509 certificate to X.509 certificate chain.

Parameters
chain: X.509 certificate chain
data: Raw certificate data
len: Length of raw data
Return values
rc: Return status code

Definition at line 1674 of file x509.c.

{
	/* Parse raw certificate data and append the result to the chain.
	 *
	 * The reference obtained from parsing is dropped before
	 * returning on both the success and the failure path; on
	 * success the chain holds its own reference.  Returns 0, or
	 * the error from parsing or appending.
	 */
	struct x509_certificate *parsed;
	int rc;

	/* A parse failure leaves nothing to release */
	rc = x509_certificate ( data, len, &parsed );
	if ( rc != 0 )
		return rc;

	/* Append, then drop our reference regardless of the outcome */
	rc = x509_append ( chain, parsed );
	x509_put ( parsed );
	return rc;
}
An X.509 certificate.
Definition x509.h:216
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1638

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), efi_cacert(), tls_parse_chain(), and validator_append().

◆ x509_truncate()

void x509_truncate ( struct x509_chain * chain,
struct x509_link * link )
extern

Truncate X.509 certificate chain.

Parameters
chain: X.509 certificate chain
link: Link after which to truncate the chain, or NULL to truncate the entire chain

Definition at line 1704 of file x509.c.

{
	/* Remove every link after "link" from the chain, dropping the
	 * chain's reference to each certificate and freeing the link.
	 * A NULL "link" removes every link in the chain.
	 */
	struct x509_link *tmp;

	/* Truncate entire chain if no link is specified.  The list
	 * head is presented as a fake link so that iteration "after"
	 * it starts at the first real entry.
	 */
	if ( ! link )
		link = list_entry ( &chain->links, struct x509_link, list );

	/* Free each link in the chain
	 *
	 * NOTE(review): the loop header is missing from this rendering.
	 * The References list below names list_for_each_entry_safe_continue
	 * and tmp, so presumably the loop walks deletion-safely from the
	 * entry after "link" to the end of the chain -- confirm against
	 * the source.
	 */
		x509_put ( link->cert );
		list_del ( &link->list );
		free ( link );
	}
}
unsigned long tmp
Definition linux_pci.h:65
#define list_for_each_entry_safe_continue(pos, tmp, head, member)
Iterate over subsequent entries in a list, safe against deletion.
Definition list.h:501
#define list_entry(list, type, member)
Get the container of a list entry.
Definition list.h:322
#define list_del(list)
Delete an entry from a list.
Definition list.h:120
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55

References free, link, x509_chain::links, x509_link::list, list_del, list_entry, list_for_each_entry_safe_continue, tmp, and x509_put().

Referenced by efi_cacert_shutdown(), validator_append(), x509_free_chain(), and x509_test_exec().

◆ x509_find()

struct x509_certificate * x509_find ( struct x509_chain * store,
const struct asn1_cursor * raw )
extern

Identify X.509 certificate by raw certificate data.

Parameters
store: Certificate store, or NULL to use the default
raw: Raw certificate data
Return values
cert: X.509 certificate, or NULL if not found

Definition at line 1746 of file x509.c.

{
	/* Look up a certificate in a store by exact encoded content.
	 *
	 * A NULL store selects the global certstore.  Returns the first
	 * certificate whose raw data compares equal, after passing it
	 * through x509_found(); NULL if there is no such certificate.
	 */
	struct x509_chain *where = ( store ? store : &certstore );
	struct x509_link *entry;

	list_for_each_entry ( entry, &where->links, list ) {
		struct x509_certificate *candidate = entry->cert;

		/* Byte-for-byte comparison of the encoded certificate */
		if ( asn1_compare ( raw, &candidate->raw ) != 0 )
			continue;
		return x509_found ( where, candidate );
	}

	return NULL;
}
struct x509_chain certstore
Certificate store.
Definition certstore.c:90
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition list.h:432
struct x509_link store
Link in certificate store.
Definition x509.h:221
static struct x509_certificate * x509_found(struct x509_chain *store, struct x509_certificate *cert)
Mark X.509 certificate as found.
Definition x509.c:1726

References asn1_compare(), certstore, link, list_for_each_entry, NULL, raw, x509_certificate::raw, x509_certificate::store, and x509_found().

Referenced by certstore_init(), and x509_certificate().

◆ x509_find_subject()

struct x509_certificate * x509_find_subject ( struct x509_chain * store,
const struct asn1_cursor * subject )
extern

Identify X.509 certificate by subject.

Parameters
store: Certificate store, or NULL to use the default
subject: Subject
Return values
cert: X.509 certificate, or NULL if not found

Definition at line 1775 of file x509.c.

{
	/* Find the first certificate in a store whose encoded subject
	 * is byte-identical to the given subject.  A NULL store means
	 * the global certstore.  Returns NULL if nothing matches.
	 */
	struct x509_link *entry;
	struct x509_certificate *match = NULL;

	if ( store == NULL )
		store = &certstore;

	list_for_each_entry ( entry, &store->links, list ) {
		if ( asn1_compare ( subject, &entry->cert->subject.raw ) == 0 ) {
			match = x509_found ( store, entry->cert );
			break;
		}
	}

	return match;
}

References asn1_compare(), certstore, link, list_for_each_entry, NULL, x509_subject::raw, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by x509_auto_append().

◆ x509_find_issuer_serial()

struct x509_certificate * x509_find_issuer_serial ( struct x509_chain * store,
const struct asn1_cursor * issuer,
const struct asn1_cursor * serial )
extern

Identify X.509 certificate by issuer and serial number.

Parameters
store: Certificate store, or NULL to use the default
issuer: Issuer
serial: Serial number
Return values
cert: X.509 certificate, or NULL if not found

Definition at line 1805 of file x509.c.

{
	/* Find a certificate by its (issuer, serial number) pair.
	 *
	 * Both fields must compare byte-for-byte against the encoded
	 * values in the certificate.  A NULL store means the global
	 * certstore.  Returns NULL if nothing matches.
	 */
	struct x509_chain *haystack = ( store ? store : &certstore );
	struct x509_link *entry;

	list_for_each_entry ( entry, &haystack->links, list ) {
		struct x509_certificate *candidate = entry->cert;
		int issuer_matches =
			( asn1_compare ( issuer, &candidate->issuer.raw ) == 0 );

		/* The serial number is compared only once the issuer matches */
		if ( issuer_matches &&
		     ( asn1_compare ( serial, &candidate->serial.raw ) == 0 ) )
			return x509_found ( haystack, candidate );
	}

	return NULL;
}
uint64_t serial
Serial number.
Definition edd.h:1
struct x509_serial serial
Serial number.
Definition x509.h:235
struct asn1_cursor raw
Raw serial number.
Definition x509.h:26

References asn1_compare(), certstore, x509_certificate::issuer, link, list_for_each_entry, NULL, x509_issuer::raw, x509_serial::raw, serial, x509_certificate::serial, x509_certificate::store, and x509_found().

Referenced by cms_parse_identifier().

◆ x509_find_key()

struct x509_certificate * x509_find_key ( struct x509_chain * store,
struct private_key * key )
extern

Identify X.509 certificate by corresponding public key.

Parameters
store: Certificate store, or NULL to use the default
key: Private key
Return values
cert: X.509 certificate, or NULL if not found

Definition at line 1835 of file x509.c.

{
	/* Identify the certificate whose subject public key corresponds
	 * to the given private key.  A NULL store means the global
	 * certstore.  Returns NULL if no certificate matches.
	 */
	struct x509_link *link;
	struct x509_certificate *cert;

	/* Use default certificate store if none specified */
	if ( ! store )
		store = &certstore;

	/* Scan through certificate list */
	list_for_each_entry ( link, &store->links, list ) {

		/* Check public key
		 *
		 * NOTE(review): the line opening this condition is missing
		 * from this rendering.  The References list below names
		 * pubkey_match(), privkey_cursor() and
		 * signature_algorithm::pubkey, so presumably the private
		 * key is matched against the subject public key using the
		 * algorithm taken from the certificate's signature
		 * algorithm -- confirm against the source.
		 */
		cert = link->cert;
				    privkey_cursor ( key ),
				    &cert->subject.public_key.raw ) == 0 )
			return x509_found ( store, cert );
	}

	return NULL;
}
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
static int pubkey_match(struct pubkey_algorithm *pubkey, const struct asn1_cursor *private_key, const struct asn1_cursor *public_key)
Definition crypto.h:315
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
Definition privkey.h:53
struct pubkey_algorithm * pubkey
Public-key algorithm (if applicable)
Definition asn1.h:414
struct asn1_algorithm * signature_algorithm
Signature algorithm.
Definition x509.h:239
struct asn1_cursor raw
Raw public key information.
Definition x509.h:52
struct x509_public_key public_key
Public key information.
Definition x509.h:66

References certstore, key, link, list_for_each_entry, NULL, privkey_cursor(), asn1_algorithm::pubkey, pubkey_match(), x509_subject::public_key, x509_public_key::raw, x509_certificate::signature_algorithm, x509_certificate::store, x509_certificate::subject, and x509_found().

Referenced by cms_keypair_okx(), cms_recipient(), and tls_new_certificate_request().

◆ x509_auto_append()

int x509_auto_append ( struct x509_chain * chain,
struct x509_chain * store )
extern

Append X.509 certificates to X.509 certificate chain.

Parameters
chain: X.509 certificate chain
store: Certificate store, or NULL to use the default
Return values
rc: Return status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1868 of file x509.c.

{
	/* Extend the chain by repeatedly looking up, in the store, a
	 * certificate whose subject equals the issuer of the chain's
	 * current last certificate, and appending it.
	 *
	 * The loop stops when no certificate with the wanted subject
	 * is found, or when the lookup yields the certificate itself
	 * (i.e. it is self-signed).  NOTE(review): these are the only
	 * two exit conditions visible here; a store whose certificates
	 * name each other as issuers in a cycle longer than one has no
	 * further stop condition in this function -- presumably not
	 * expected in practice, but worth confirming.
	 *
	 * Returns -EACCES_EMPTY for an empty chain, or any error from
	 * x509_append().
	 */
	struct x509_certificate *current = x509_last ( chain );
	struct x509_certificate *issuer;
	int rc;

	if ( current == NULL ) {
		DBGC ( chain, "X509 chain %p has no certificates\n", chain );
		return -EACCES_EMPTY;
	}

	for ( ; ; current = issuer ) {

		/* Look for the issuer of the current last certificate */
		issuer = x509_find_subject ( store, &current->issuer.raw );
		if ( ( issuer == NULL ) || ( issuer == current ) )
			return 0;

		/* Append it and continue from there */
		if ( ( rc = x509_append ( chain, issuer ) ) != 0 )
			return rc;
	}
}
struct x509_certificate * x509_find_subject(struct x509_chain *store, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
Definition x509.c:1775
#define EACCES_EMPTY
Definition x509.c:111
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_certificate::store, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

◆ x509_validate_chain()

int x509_validate_chain ( struct x509_chain * chain,
time_t time,
struct x509_chain * store,
struct x509_root * root )
extern

Validate X.509 certificate chain.

Parameters
chain: X.509 certificate chain
time: Time at which to validate certificates
store: Certificate store, or NULL to use the default
root: Root certificate list, or NULL to use the default
Return values
rc: Return status code

Definition at line 1908 of file x509.c.

{
	/* Validate a certificate chain at the given time.
	 *
	 * After pulling in any issuers available from the store, the
	 * chain is scanned from its head for the first certificate
	 * that validates on its own (already valid, or a trusted
	 * root).  That certificate then serves as the anchor, and the
	 * certificates before it are validated pairwise, each against
	 * the one after it, back to the head of the chain.
	 *
	 * Returns 0 on success, -EACCES_USELESS if no certificate in
	 * the chain can act as an anchor, or the first pairwise
	 * validation error.  Note that a standalone validation failure
	 * in the first loop is deliberately ignored (it just means
	 * "not an anchor"), so the specific reason is not reported.
	 */
	struct x509_certificate *issuer = NULL;
	struct x509_link *link;
	int rc;

	/* Append any applicable certificates from the certificate store */
	if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
		return rc;

	/* Find first certificate that can be validated as a
	 * standalone (i.e. is already valid, or can be validated as
	 * a trusted root certificate).
	 */
	list_for_each_entry ( link, &chain->links, list ) {

		/* Try validating this certificate as a standalone */
		if ( ( rc = x509_validate ( link->cert, NULL, time,
					    root ) ) != 0 )
			continue;

		/* Work back up to start of chain, performing pairwise
		 * validation.
		 *
		 * NOTE(review): the loop header is missing from this
		 * rendering; the References list names
		 * list_for_each_entry_continue_reverse, which walks the
		 * list in reverse starting after the current position,
		 * so presumably entries after the anchor are never
		 * examined -- confirm against the source.
		 */
		issuer = link->cert;
					    list ) {

			/* Validate this certificate against its issuer */
			if ( ( rc = x509_validate ( link->cert, issuer, time,
						    root ) ) != 0 )
				return rc;
			issuer = link->cert;
		}

		return 0;
	}

	DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
	return -EACCES_USELESS;
}
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
Definition list.h:487
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition x509.c:1366
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
Definition x509.c:1868
#define EACCES_USELESS
Definition x509.c:123

References DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

◆ image_x509()

int image_x509 ( struct image * image,
size_t offset,
struct x509_certificate ** cert )
extern

Extract X.509 certificate object from image.

Parameters
image: Image
offset: Offset within image
Return values
cert: X.509 certificate
next: Offset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1961 of file x509.c.

{
	/* Extract one DER object from the image at "offset" and parse
	 * it as an X.509 certificate.
	 *
	 * Returns the offset of the next object (as reported by
	 * image_asn1()), or a negative error.  On success *cert holds
	 * a reference that the caller must release with x509_put().
	 * The temporary ASN.1 cursor is freed on every path.
	 */
	struct asn1_cursor *object;
	int next;
	int rc;

	/* Locate the ASN.1 object; a negative result is the error code */
	next = image_asn1 ( image, offset, &object );
	if ( next < 0 )
		return next;

	/* Parse, then release the cursor whether or not parsing worked */
	rc = x509_certificate ( object->data, object->len, cert );
	free ( object );
	if ( rc != 0 )
		return rc;

	return next;
}
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition asn1.c:1028
uint16_t offset
Offset to command line.
Definition bzimage.h:3
uint32_t next
Next descriptor address.
Definition dwmac.h:11
An executable image.
Definition image.h:24

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

◆ x509_check_issuer()

int x509_check_issuer ( struct x509_certificate * cert,
struct x509_certificate * issuer )
extern

Check X.509 certificate against issuer certificate.

Parameters
cert: X.509 certificate
issuer: X.509 issuer certificate
Return values
rc: Return status code

Definition at line 1177 of file x509.c.

{
	/* Decide whether "issuer" is acceptable as the signer of "cert".
	 *
	 * Four checks, in order: the certificate's issuer DN must be
	 * byte-identical to the issuer's subject DN; the issuer must
	 * carry basicConstraints cA=TRUE; if the issuer has a keyUsage
	 * extension it must include keyCertSign (an absent keyUsage
	 * imposes no restriction); and the signature on cert must
	 * verify under the issuer's subject public key.
	 *
	 * The DN comparison is deliberately a raw byte comparison
	 * rather than a full X.500 DN match, which would require
	 * handling encodings such as TeletexString; a certificate
	 * whose issuer DN is re-encoded differently from the issuer's
	 * subject DN is simply rejected.  See
	 * http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
	 * for the background.
	 *
	 * Returns 0, or the -EACCES_* code naming the failed check.
	 */
	struct asn1_cursor *claimed = &cert->issuer.raw;
	struct asn1_cursor *actual = &issuer->subject.raw;
	const struct x509_key_usage *usage = &issuer->extensions.usage;

	/* Issuer DN must match the issuing certificate's subject DN */
	if ( asn1_compare ( claimed, actual ) != 0 ) {
		DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
		       cert, x509_name ( cert ) );
		DBGC ( cert, "X509 %p \"%s\" subject\n",
		       issuer, x509_name ( issuer ) );
		DBGC_HDA ( cert, 0, claimed->data, claimed->len );
		DBGC_HDA ( issuer, 0, actual->data, actual->len );
		return -EACCES_WRONG_ISSUER;
	}

	/* Issuer must be a CA according to basicConstraints */
	if ( ! issuer->extensions.basic.ca ) {
		DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
		       issuer, x509_name ( issuer ) );
		DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
		       cert, x509_name ( cert ) );
		return -EACCES_NOT_CA;
	}

	/* keyUsage, when present, must permit keyCertSign */
	if ( usage->present &&
	     ( ( usage->bits & X509_KEY_CERT_SIGN ) == 0 ) ) {
		DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
		       issuer, x509_name ( issuer ) );
		DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
		       cert, x509_name ( cert ) );
		return -EACCES_KEY_USAGE;
	}

	/* Finally, verify the signature under the issuer's public key */
	return x509_check_signature ( cert, &issuer->subject.public_key );
}
#define DBGC_HDA(...)
Definition compiler.h:506
int ca
Subject is a CA.
Definition x509.h:80
struct x509_key_usage usage
Key usage.
Definition x509.h:161
int present
Key usage extension is present.
Definition x509.h:95
unsigned int bits
Usage bits.
Definition x509.h:97
An X.509 certificate public key.
Definition x509.h:50
#define EACCES_NOT_CA
Definition x509.c:87
#define EACCES_WRONG_ISSUER
Definition x509.c:83
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
Definition x509.c:1124
#define EACCES_KEY_USAGE
Definition x509.c:91

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_issuer::raw, x509_subject::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

◆ x509_fingerprint()

void x509_fingerprint ( struct x509_certificate * cert,
struct digest_algorithm * digest,
void * fingerprint )
extern

Calculate X.509 certificate fingerprint.

Parameters
cert: X.509 certificate
digest: Digest algorithm
fingerprint: Fingerprint buffer (at least digest->digestsize bytes)

Definition at line 1237 of file x509.c.

{
	/* Compute the digest of the certificate's raw DER encoding
	 * into the caller's buffer, which must hold digest->digestsize
	 * bytes.  The digest context is a stack VLA sized by
	 * digest->ctxsize.
	 */
	const struct asn1_cursor *raw = &cert->raw;
	uint8_t ctx[ digest->ctxsize ];

	digest_init ( digest, ctx );
	digest_update ( digest, ctx, raw->data, raw->len );
	digest_final ( digest, ctx, fingerprint );
}
struct golan_eq_context ctx
Definition CIB_PRM.h:0
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition crypto.h:219
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition crypto.h:230
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition crypto.h:224
size_t ctxsize
Context size.
Definition crypto.h:23

References ctx, digest_algorithm::ctxsize, asn1_cursor::data, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

◆ x509_check_root()

int x509_check_root ( struct x509_certificate * cert,
struct x509_root * root )
extern

Check X.509 root certificate.

Parameters
cert: X.509 certificate
root: X.509 root certificate list
Return values
rc: Return status code

Definition at line 1255 of file x509.c.

{
	/* Decide whether cert is one of the trusted root certificates.
	 *
	 * Trust is established by fingerprint: the certificate is
	 * hashed with the root list's digest algorithm and the result
	 * compared against each of root->count fingerprints, stored
	 * back to back in root->fingerprints.  A plain memcmp() is
	 * adequate here since fingerprints are not secret.  Returns 0
	 * on a match, -ENOENT otherwise.
	 */
	struct digest_algorithm *digest = root->digest;
	size_t len = digest->digestsize;
	uint8_t fingerprint[len];
	const uint8_t *candidate = root->fingerprints;
	const uint8_t *end = ( candidate + ( root->count * len ) );

	/* Fingerprint this certificate */
	x509_fingerprint ( cert, digest, fingerprint );

	/* Compare against every trusted fingerprint in turn */
	for ( ; candidate < end ; candidate += len ) {
		if ( memcmp ( fingerprint, candidate, len ) == 0 ) {
			DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
			       cert, x509_name ( cert ) );
			return 0;
		}
	}

	DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
		cert, x509_name ( cert ) );
	return -ENOENT;
}
#define ENOENT
No such file or directory.
Definition errno.h:515
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115

References DBGC, DBGC2, digest_algorithm::digestsize, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

◆ x509_check_time()

int x509_check_time ( struct x509_certificate * cert,
time_t time )
extern

Check X.509 certificate validity period.

Parameters
cert: X.509 certificate
time: Time at which to check the certificate
Return values
rc: Return status code

Definition at line 1287 of file x509.c.

{
	/* Check that "time" lies within the certificate's validity
	 * period, allowing TIMESTAMP_ERROR_MARGIN seconds of slack at
	 * both ends -- so the accepted window is slightly wider than
	 * the one the certificate states.  Both "not yet valid" and
	 * "expired" are reported as -EACCES_EXPIRED.
	 */
	const struct x509_validity *validity = &cert->validity;
	time_t latest_start = ( time + TIMESTAMP_ERROR_MARGIN );
	time_t earliest_end = ( time - TIMESTAMP_ERROR_MARGIN );

	if ( validity->not_before.time > latest_start ) {
		DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
		       cert, x509_name ( cert ), time );
		return -EACCES_EXPIRED;
	}

	if ( validity->not_after.time < earliest_end ) {
		DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
		       cert, x509_name ( cert ), time );
		return -EACCES_EXPIRED;
	}

	DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
		cert, x509_name ( cert ), time );
	return 0;
}
#define TIMESTAMP_ERROR_MARGIN
Margin of error (in seconds) allowed in signed timestamps.
Definition crypto.h:79
struct x509_validity validity
Validity.
Definition x509.h:243
time_t time
Seconds since the Epoch.
Definition x509.h:38
An X.509 certificate validity period.
Definition x509.h:42
struct x509_time not_before
Not valid before.
Definition x509.h:44
struct x509_time not_after
Not valid after.
Definition x509.h:46
#define EACCES_EXPIRED
Definition x509.c:95

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

◆ x509_invalidate()

void x509_invalidate ( struct x509_certificate * cert)
inlinestatic

Invalidate X.509 certificate.

Parameters
cert: X.509 certificate

Definition at line 473 of file x509.h.

{
	/* Forget any validation result held by the certificate: drop
	 * the reference to the root list it was validated against and
	 * reset the remaining path length to zero.
	 */
	struct x509_root *validated_against = cert->root;

	cert->root = NULL;
	cert->path_remaining = 0;
	x509_root_put ( validated_against );
}

References NULL, x509_certificate::path_remaining, x509_certificate::root, and x509_root_put().

Referenced by ocsp_prepare_test(), ocsp_validate(), and x509_invalidate_chain().

◆ x509_invalidate_chain()

void x509_invalidate_chain ( struct x509_chain * chain)
inlinestatic

Invalidate X.509 certificate chain.

Parameters
chain: X.509 certificate chain

Definition at line 484 of file x509.h.

{
	/* Apply x509_invalidate() to every certificate in the chain. */
	struct x509_link *each;

	list_for_each_entry ( each, &chain->links, list ) {
		x509_invalidate ( each->cert );
	}
}
static void x509_invalidate(struct x509_certificate *cert)
Invalidate X.509 certificate.
Definition x509.h:473

References link, x509_chain::links, x509_link::list, list_for_each_entry, and x509_invalidate().

Referenced by cms_verify_fail_okx(), cms_verify_okx(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().