iPXE
Data Structures | Macros | Enumerations | Functions
x509.h File Reference

X.509 certificates. More...

#include <stdint.h>
#include <stddef.h>
#include <time.h>
#include <ipxe/asn1.h>
#include <ipxe/refcnt.h>
#include <ipxe/list.h>

Go to the source code of this file.

Data Structures

struct  x509_serial
 An X.509 serial number. More...
 
struct  x509_issuer
 An X.509 issuer. More...
 
struct  x509_time
 An X.509 time. More...
 
struct  x509_validity
 An X.509 certificate validity period. More...
 
struct  x509_public_key
 An X.509 certificate public key. More...
 
struct  x509_subject
 An X.509 certificate subject. More...
 
struct  x509_signature
 An X.509 certificate signature. More...
 
struct  x509_basic_constraints
 An X.509 certificate basic constraints set. More...
 
struct  x509_key_usage
 An X.509 certificate key usage. More...
 
struct  x509_extended_key_usage
 An X.509 certificate extended key usage. More...
 
struct  x509_ocsp_responder
 X.509 certificate OCSP responder. More...
 
struct  x509_authority_info_access
 X.509 certificate authority information access. More...
 
struct  x509_subject_alt_name
 X.509 certificate subject alternative name. More...
 
struct  x509_extensions
 An X.509 certificate extensions set. More...
 
struct  x509_link
 A link in an X.509 certificate chain. More...
 
struct  x509_chain
 An X.509 certificate chain. More...
 
struct  x509_certificate
 An X.509 certificate. More...
 
struct  x509_extension
 An X.509 extension. More...
 
struct  x509_key_purpose
 An X.509 key purpose. More...
 
struct  x509_access_method
 An X.509 access method. More...
 
struct  x509_root
 An X.509 root certificate list. More...
 

Macros

#define X509_PATH_LEN_UNLIMITED   -2U
 Unlimited path length. More...
 

Enumerations

enum  x509_key_usage_bits {
  X509_DIGITAL_SIGNATURE = 0x0080, X509_NON_REPUDIATION = 0x0040, X509_KEY_ENCIPHERMENT = 0x0020, X509_DATA_ENCIPHERMENT = 0x0010,
  X509_KEY_AGREEMENT = 0x0008, X509_KEY_CERT_SIGN = 0x0004, X509_CRL_SIGN = 0x0002, X509_ENCIPHER_ONLY = 0x0001,
  X509_DECIPHER_ONLY = 0x8000
}
 X.509 certificate key usage bits. More...
 
enum  x509_extended_key_usage_bits { X509_CODE_SIGNING = 0x0001, X509_OCSP_SIGNING = 0x0002 }
 X.509 certificate extended key usage bits. More...
 
enum  x509_general_name_types { X509_GENERAL_NAME_DNS = ASN1_IMPLICIT_TAG ( 2 ), X509_GENERAL_NAME_URI = ASN1_IMPLICIT_TAG ( 6 ), X509_GENERAL_NAME_IP = ASN1_IMPLICIT_TAG ( 7 ) }
 X.509 certificate general name types. More...
 
enum  x509_flags { X509_FL_PERMANENT = 0x0001, X509_FL_EXPLICIT = 0x0002 }
 X.509 certificate flags. More...
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static struct x509_certificatex509_get (struct x509_certificate *cert)
 Get reference to X.509 certificate. More...
 
static void x509_put (struct x509_certificate *cert)
 Drop reference to X.509 certificate. More...
 
static struct x509_chainx509_chain_get (struct x509_chain *chain)
 Get reference to X.509 certificate chain. More...
 
static void x509_chain_put (struct x509_chain *chain)
 Drop reference to X.509 certificate chain. More...
 
static struct x509_certificatex509_first (struct x509_chain *chain)
 Get first certificate in X.509 certificate chain. More...
 
static struct x509_certificatex509_last (struct x509_chain *chain)
 Get last certificate in X.509 certificate chain. More...
 
static struct x509_rootx509_root_get (struct x509_root *root)
 Get reference to X.509 root certificate list. More...
 
static void x509_root_put (struct x509_root *root)
 Drop reference to X.509 root certificate list. More...
 
const char * x509_name (struct x509_certificate *cert)
 Get X.509 certificate display name. More...
 
int x509_parse (struct x509_certificate *cert, const struct asn1_cursor *raw)
 Parse X.509 certificate from ASN.1 data. More...
 
int x509_certificate (const void *data, size_t len, struct x509_certificate **cert)
 Create X.509 certificate. More...
 
int x509_is_valid (struct x509_certificate *cert, struct x509_root *root)
 Check if X.509 certificate is valid. More...
 
int x509_validate (struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
 Validate X.509 certificate. More...
 
int x509_check_name (struct x509_certificate *cert, const char *name)
 Check X.509 certificate name. More...
 
struct x509_chainx509_alloc_chain (void)
 Allocate X.509 certificate chain. More...
 
int x509_append (struct x509_chain *chain, struct x509_certificate *cert)
 Append X.509 certificate to X.509 certificate chain. More...
 
int x509_append_raw (struct x509_chain *chain, const void *data, size_t len)
 Append X.509 certificate to X.509 certificate chain. More...
 
int x509_auto_append (struct x509_chain *chain, struct x509_chain *certs)
 Append X.509 certificates to X.509 certificate chain. More...
 
int x509_validate_chain (struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
 Validate X.509 certificate chain. More...
 
int image_x509 (struct image *image, size_t offset, struct x509_certificate **cert)
 Extract X.509 certificate object from image. More...
 
int x509_check_issuer (struct x509_certificate *cert, struct x509_certificate *issuer)
 Check X.509 certificate against issuer certificate. More...
 
void x509_fingerprint (struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
 Calculate X.509 certificate fingerprint. More...
 
int x509_check_root (struct x509_certificate *cert, struct x509_root *root)
 Check X.509 root certificate. More...
 
int x509_check_time (struct x509_certificate *cert, time_t time)
 Check X.509 certificate validity period. More...
 
static void x509_invalidate (struct x509_certificate *cert)
 Invalidate X.509 certificate. More...
 
static void x509_invalidate_chain (struct x509_chain *chain)
 Invalidate X.509 certificate chain. More...
 

Detailed Description

X.509 certificates.

Definition in file x509.h.

Macro Definition Documentation

◆ X509_PATH_LEN_UNLIMITED

#define X509_PATH_LEN_UNLIMITED   -2U

Unlimited path length.

We use -2U, since this quantity represents one fewer than the maximum number of remaining certificates in a chain.

Definition at line 88 of file x509.h.

Enumeration Type Documentation

◆ x509_key_usage_bits

X.509 certificate key usage bits.

Enumerator
X509_DIGITAL_SIGNATURE 
X509_NON_REPUDIATION 
X509_KEY_ENCIPHERMENT 
X509_DATA_ENCIPHERMENT 
X509_KEY_AGREEMENT 
X509_KEY_CERT_SIGN 
X509_CRL_SIGN 
X509_ENCIPHER_ONLY 
X509_DECIPHER_ONLY 

Definition at line 99 of file x509.h.

◆ x509_extended_key_usage_bits

X.509 certificate extended key usage bits.

Extended key usages are identified by OID; these bits are purely an internal definition.

Enumerator
X509_CODE_SIGNING 
X509_OCSP_SIGNING 

Definition at line 122 of file x509.h.

122  {
123  X509_CODE_SIGNING = 0x0001,
124  X509_OCSP_SIGNING = 0x0002,
125 };

◆ x509_general_name_types

X.509 certificate general name types.

Enumerator
X509_GENERAL_NAME_DNS 
X509_GENERAL_NAME_URI 
X509_GENERAL_NAME_IP 

Definition at line 148 of file x509.h.

148  {
152 };
#define ASN1_IMPLICIT_TAG(number)
ASN.1 implicit tag.
Definition: asn1.h:95

◆ x509_flags

enum x509_flags

X.509 certificate flags.

Enumerator
X509_FL_PERMANENT 

Certificate was added at build time.

X509_FL_EXPLICIT 

Certificate was added explicitly at run time.

Definition at line 222 of file x509.h.

222  {
223  /** Certificate was added at build time */
224  X509_FL_PERMANENT = 0x0001,
225  /** Certificate was added explicitly at run time */
226  X509_FL_EXPLICIT = 0x0002,
227 };
Certificate was added at build time.
Definition: x509.h:224
Certificate was added explicitly at run time.
Definition: x509.h:226

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ x509_get()

static struct x509_certificate* x509_get ( struct x509_certificate cert)
inlinestatic

Get reference to X.509 certificate.

Parameters
certX.509 certificate
Return values
certX.509 certificate

Definition at line 236 of file x509.h.

236  {
237  ref_get ( &cert->refcnt );
238  return cert;
239 }
struct refcnt refcnt
Reference count.
Definition: x509.h:187
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92

References ref_get, and x509_certificate::refcnt.

Referenced by cert_exec(), certstore_add(), ocsp_check(), tls_new_certificate_request(), x509_append(), and x509_certificate().

◆ x509_put()

static void x509_put ( struct x509_certificate cert)
inlinestatic

Drop reference to X.509 certificate.

Parameters
certX.509 certificate

Definition at line 247 of file x509.h.

247  {
248  ref_put ( &cert->refcnt );
249 }
struct refcnt refcnt
Reference count.
Definition: x509.h:187
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106

References ref_put, and x509_certificate::refcnt.

Referenced by cert_exec(), certstore_apply_settings(), certstore_del(), icert_free(), image_x509(), ocsp_free(), ocsp_parse_certs(), ocsp_response(), ocsp_test_exec(), tls_new_certificate_request(), x509_append_raw(), x509_cached_okx(), x509_certificate(), x509_free_chain(), and x509_test_exec().

◆ x509_chain_get()

static struct x509_chain* x509_chain_get ( struct x509_chain chain)
inlinestatic

Get reference to X.509 certificate chain.

Parameters
chainX.509 certificate chain
Return values
chainX.509 certificate chain

Definition at line 258 of file x509.h.

258  {
259  ref_get ( &chain->refcnt );
260  return chain;
261 }
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92
struct refcnt refcnt
Reference count.
Definition: x509.h:179

References ref_get, and x509_chain::refcnt.

Referenced by create_validator().

◆ x509_chain_put()

static void x509_chain_put ( struct x509_chain chain)
inlinestatic

Drop reference to X.509 certificate chain.

Parameters
chainX.509 certificate chain

Definition at line 269 of file x509.h.

269  {
270  ref_put ( &chain->refcnt );
271 }
struct refcnt refcnt
Reference count.
Definition: x509.h:179
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106

References ref_put, and x509_chain::refcnt.

Referenced by cms_free(), free_tls(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), validator_free(), and x509_test_exec().

◆ x509_first()

static struct x509_certificate* x509_first ( struct x509_chain chain)
inlinestatic

Get first certificate in X.509 certificate chain.

Parameters
chainX.509 certificate chain
Return values
certX.509 certificate, or NULL

Definition at line 280 of file x509.h.

280  {
281  struct x509_link *link;
282 
283  link = list_first_entry ( &chain->links, struct x509_link, list );
284  return ( link ? link->cert : NULL );
285 }
struct list_head links
List of links.
Definition: x509.h:181
#define list_first_entry(list, type, member)
Get the container of the first entry in a list.
Definition: list.h:333
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362

References link, x509_chain::links, x509_link::list, list_first_entry, and NULL.

Referenced by cms_verify(), cms_verify_signer_info(), tls_send_certificate_verify(), tls_validator_done(), validator_name(), and x509_chain_okx().

◆ x509_last()

static struct x509_certificate* x509_last ( struct x509_chain chain)
inlinestatic

Get last certificate in X.509 certificate chain.

Parameters
chainX.509 certificate chain
Return values
certX.509 certificate, or NULL

Definition at line 294 of file x509.h.

294  {
295  struct x509_link *link;
296 
297  link = list_last_entry ( &chain->links, struct x509_link, list );
298  return ( link ? link->cert : NULL );
299 }
struct list_head links
List of links.
Definition: x509.h:181
#define list_last_entry(list, type, member)
Get the container of the last entry in a list.
Definition: list.h:346
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362

References link, x509_chain::links, x509_link::list, list_last_entry, and NULL.

Referenced by cms_parse_certificates(), tls_parse_chain(), validator_append(), validator_step(), and x509_auto_append().

◆ x509_root_get()

static struct x509_root* x509_root_get ( struct x509_root root)
inlinestatic

Get reference to X.509 root certificate list.

Parameters
rootX.509 root certificate list
Return values
rootX.509 root certificate list

Definition at line 362 of file x509.h.

362  {
363  ref_get ( &root->refcnt );
364  return root;
365 }
struct stp_switch root
Root switch.
Definition: stp.h:26
#define ref_get(refcnt)
Get additional reference to object.
Definition: refcnt.h:92

References ref_get, and root.

Referenced by add_tls(), create_validator(), tls_session(), and x509_set_valid().

◆ x509_root_put()

static void x509_root_put ( struct x509_root root)
inlinestatic

Drop reference to X.509 root certificate list.

Parameters
rootX.509 root certificate list

Definition at line 373 of file x509.h.

373  {
374  ref_put ( &root->refcnt );
375 }
struct stp_switch root
Root switch.
Definition: stp.h:26
#define ref_put(refcnt)
Drop reference to object.
Definition: refcnt.h:106

References ref_put, and root.

Referenced by free_tls(), free_tls_session(), validator_free(), x509_free(), x509_invalidate(), and x509_set_valid().

◆ x509_name()

const char* x509_name ( struct x509_certificate cert)

Get X.509 certificate display name.

Parameters
certX.509 certificate
Return values
nameDisplay name

Definition at line 145 of file x509.c.

145  {
146  struct asn1_cursor *common_name = &cert->subject.common_name;
148  static char buf[64];
149  uint8_t fingerprint[ digest->digestsize ];
150  size_t len;
151 
152  len = common_name->len;
153  if ( len ) {
154  /* Certificate has a commonName: use that */
155  if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
156  len = ( sizeof ( buf ) - 1 /* NUL */ );
157  memcpy ( buf, common_name->data, len );
158  buf[len] = '\0';
159  } else {
160  /* Certificate has no commonName: use SHA-1 fingerprint */
161  x509_fingerprint ( cert, digest, fingerprint );
162  base16_encode ( fingerprint, sizeof ( fingerprint ),
163  buf, sizeof ( buf ) );
164  }
165  return buf;
166 }
const void * data
Start of data.
Definition: asn1.h:22
struct md4_digest digest
Digest of data already processed.
Definition: md4.h:12
size_t len
Length of data.
Definition: asn1.h:24
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct x509_subject subject
Subject.
Definition: x509.h:214
unsigned char uint8_t
Definition: stdint.h:10
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1242
struct asn1_cursor common_name
Common name.
Definition: x509.h:62
uint32_t len
Length.
Definition: ena.h:14
A message digest algorithm.
Definition: crypto.h:16
An ASN.1 object cursor.
Definition: asn1.h:20
struct digest_algorithm sha1_algorithm
SHA-1 algorithm.
Definition: sha1.c:257

References x509_subject::common_name, asn1_cursor::data, digest, len, asn1_cursor::len, memcpy(), sha1_algorithm, x509_certificate::subject, and x509_fingerprint().

Referenced by certstat(), certstore_add(), certstore_apply_settings(), certstore_del(), certstore_found(), certstore_init(), cms_parse_certificates(), icert_encode(), ocsp_check_signature(), ocsp_parse_basic_response(), ocsp_parse_cert_id(), ocsp_parse_certs(), ocsp_parse_responder_id(), ocsp_parse_response_status(), ocsp_parse_response_type(), ocsp_parse_responses(), ocsp_request(), ocsp_uri_string(), ocsp_validate(), tls_new_certificate_request(), tls_parse_chain(), tls_send_certificate(), validator_append(), validator_name(), validator_progress(), validator_start_download(), validator_start_ocsp(), x509_append(), x509_check_alt_name(), x509_check_dnsname(), x509_check_ipaddress(), x509_check_issuer(), x509_check_name(), x509_check_root(), x509_check_signature(), x509_check_time(), x509_parse_subject(), and x509_validate().

◆ x509_parse()

int x509_parse ( struct x509_certificate cert,
const struct asn1_cursor raw 
)

Parse X.509 certificate from ASN.1 data.

Parameters
certX.509 certificate
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 1003 of file x509.c.

1004  {
1005  struct x509_signature *signature = &cert->signature;
1006  struct asn1_algorithm **signature_algorithm = &signature->algorithm;
1007  struct asn1_bit_string *signature_value = &signature->value;
1008  struct asn1_cursor cursor;
1009  int rc;
1010 
1011  /* Record raw certificate */
1012  memcpy ( &cursor, raw, sizeof ( cursor ) );
1013  memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
1014 
1015  /* Enter certificate */
1016  asn1_enter ( &cursor, ASN1_SEQUENCE );
1017 
1018  /* Parse tbsCertificate */
1019  if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
1020  return rc;
1021  asn1_skip_any ( &cursor );
1022 
1023  /* Parse signatureAlgorithm */
1024  if ( ( rc = asn1_signature_algorithm ( &cursor,
1025  signature_algorithm ) ) != 0 ) {
1026  DBGC ( cert, "X509 %p could not parse signature algorithm: "
1027  "%s\n", cert, strerror ( rc ) );
1028  return rc;
1029  }
1030  DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
1031  cert, (*signature_algorithm)->name );
1032  asn1_skip_any ( &cursor );
1033 
1034  /* Parse signatureValue */
1035  if ( ( rc = asn1_integral_bit_string ( &cursor,
1036  signature_value ) ) != 0 ) {
1037  DBGC ( cert, "X509 %p could not parse signature value: %s\n",
1038  cert, strerror ( rc ) );
1039  return rc;
1040  }
1041  DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
1042  DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
1043 
1044  /* Check that algorithm in tbsCertificate matches algorithm in
1045  * signature
1046  */
1047  if ( signature->algorithm != (*signature_algorithm) ) {
1048  DBGC ( cert, "X509 %p signature algorithm %s does not match "
1049  "signatureAlgorithm %s\n",
1050  cert, signature->algorithm->name,
1051  (*signature_algorithm)->name );
1052  return -EINVAL_ALGORITHM_MISMATCH;
1053  }
1054 
1055  return 0;
1056 }
const void * data
Data.
Definition: asn1.h:349
An ASN.1 OID-identified algorithm.
Definition: asn1.h:306
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
int asn1_signature_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified signature algorithm.
Definition: asn1.c:565
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct x509_signature signature
Signature.
Definition: x509.h:216
#define DBGC2_HDA(...)
Definition: compiler.h:523
int asn1_integral_bit_string(const struct asn1_cursor *cursor, struct asn1_bit_string *bits)
Parse ASN.1 bit string that must be an integral number of bytes.
Definition: asn1.c:414
static int x509_parse_tbscertificate(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate tbsCertificate.
Definition: x509.c:933
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
size_t len
Length.
Definition: asn1.h:351
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
#define DBGC2(...)
Definition: compiler.h:522
#define EINVAL_ALGORITHM_MISMATCH
Definition: x509.c:69
__be32 raw[7]
Definition: CIB_PRM.h:28
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:200
u8 signature
Signature.
Definition: CIB_PRM.h:35
An ASN.1 object cursor.
Definition: asn1.h:20
An ASN.1 bit string.
Definition: asn1.h:347
An X.509 certificate signature.
Definition: x509.h:68

References asn1_enter(), asn1_integral_bit_string(), ASN1_SEQUENCE, asn1_signature_algorithm(), asn1_skip_any(), asn1_bit_string::data, DBGC, DBGC2, DBGC2_HDA, EINVAL_ALGORITHM_MISMATCH, asn1_bit_string::len, memcpy(), raw, x509_certificate::raw, rc, signature, x509_certificate::signature, strerror(), and x509_parse_tbscertificate().

Referenced by certstore_init(), and x509_certificate().

◆ x509_certificate()

int x509_certificate ( const void *  data,
size_t  len,
struct x509_certificate **  cert 
)

Create X.509 certificate.

Parameters
dataRaw certificate data
lenLength of raw data
Return values
certX.509 certificate
rcReturn status code

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1069 of file x509.c.

1070  {
1071  struct asn1_cursor cursor;
1072  void *raw;
1073  int rc;
1074 
1075  /* Initialise cursor */
1076  cursor.data = data;
1077  cursor.len = len;
1078  asn1_shrink_any ( &cursor );
1079 
1080  /* Return stored certificate, if present */
1081  if ( ( *cert = certstore_find ( &cursor ) ) != NULL ) {
1082 
1083  /* Add caller's reference */
1084  x509_get ( *cert );
1085  return 0;
1086  }
1087 
1088  /* Allocate and initialise certificate */
1089  *cert = zalloc ( sizeof ( **cert ) + cursor.len );
1090  if ( ! *cert )
1091  return -ENOMEM;
1092  ref_init ( &(*cert)->refcnt, x509_free );
1093  raw = ( *cert + 1 );
1094 
1095  /* Copy raw data */
1096  memcpy ( raw, cursor.data, cursor.len );
1097  cursor.data = raw;
1098 
1099  /* Parse certificate */
1100  if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
1101  x509_put ( *cert );
1102  *cert = NULL;
1103  return rc;
1104  }
1105 
1106  /* Add certificate to store */
1107  certstore_add ( *cert );
1108 
1109  return 0;
1110 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
static void x509_free(struct refcnt *refcnt)
Free X.509 certificate.
Definition: x509.c:131
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:138
#define ENOMEM
Not enough space.
Definition: errno.h:534
void * memcpy(void *dest, const void *src, size_t len) __nonnull
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
struct x509_certificate * certstore_find(struct asn1_cursor *raw)
Find certificate in store.
Definition: certstore.c:102
uint32_t len
Length.
Definition: ena.h:14
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
__be32 raw[7]
Definition: CIB_PRM.h:28
struct arbelprm_port_state_change_st data
Message.
Definition: arbel.h:12
struct arbelprm_wqe_segment_data_ptr data[ARBEL_MAX_GATHER]
Definition: arbel.h:237
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
An ASN.1 object cursor.
Definition: asn1.h:20
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1003

References asn1_shrink_any(), certstore_add(), certstore_find(), data, asn1_cursor::data, ENOMEM, len, asn1_cursor::len, memcpy(), NULL, raw, rc, ref_init, x509_free(), x509_get(), x509_parse(), x509_put(), and zalloc().

◆ x509_is_valid()

int x509_is_valid ( struct x509_certificate cert,
struct x509_root root 
)

Check if X.509 certificate is valid.

Parameters
certX.509 certificate
rootRoot certificate list, or NULL to use default

Definition at line 1318 of file x509.c.

1318  {
1319 
1320  /* Use default root certificate store if none specified */
1321  if ( ! root )
1323 
1324  return ( cert->root == root );
1325 }
struct stp_switch root
Root switch.
Definition: stp.h:26
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:195

References root, x509_certificate::root, and root_certificates.

Referenced by certstat(), ipair_window_changed(), validator_step(), x509_validate(), and x509_validate_chain_okx().

◆ x509_validate()

int x509_validate ( struct x509_certificate cert,
struct x509_certificate issuer,
time_t  time,
struct x509_root root 
)

Validate X.509 certificate.

Parameters
certX.509 certificate
issuerIssuing X.509 certificate (or NULL)
timeTime at which to validate certificate
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

The issuing certificate must have already been validated.

Validation results are cached: if a certificate has already been successfully validated then issuer, time, and root will be ignored.

Definition at line 1371 of file x509.c.

1373  {
1374  int rc;
1375 
1376  /* Use default root certificate store if none specified */
1377  if ( ! root )
1379 
1380  /* Return success if certificate has already been validated */
1381  if ( x509_is_valid ( cert, root ) )
1382  return 0;
1383 
1384  /* Fail if certificate is invalid at specified time */
1385  if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
1386  return rc;
1387 
1388  /* Succeed if certificate is a trusted root certificate */
1389  if ( x509_check_root ( cert, root ) == 0 ) {
1390  x509_set_valid ( cert, NULL, root );
1391  return 0;
1392  }
1393 
1394  /* Fail unless we have an issuer */
1395  if ( ! issuer ) {
1396  DBGC2 ( cert, "X509 %p \"%s\" has no trusted issuer\n",
1397  cert, x509_name ( cert ) );
1398  return -EACCES_UNTRUSTED;
1399  }
1400 
1401  /* Fail unless issuer has already been validated */
1402  if ( ! x509_is_valid ( issuer, root ) ) {
1403  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1404  DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1405  issuer, x509_name ( issuer ) );
1406  return -EACCES_OUT_OF_ORDER;
1407  }
1408 
1409  /* Fail if issuing certificate cannot validate this certificate */
1410  if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
1411  return rc;
1412 
1413  /* Fail if path length constraint is violated */
1414  if ( issuer->path_remaining == 0 ) {
1415  DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1416  DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
1417  issuer, x509_name ( issuer ) );
1418  return -EACCES_PATH_LEN;
1419  }
1420 
1421  /* Fail if OCSP is required */
1422  if ( ocsp_required ( cert ) ) {
1423  DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1424  cert, x509_name ( cert ) );
1425  return -EACCES_OCSP_REQUIRED;
1426  }
1427 
1428  /* Mark certificate as valid */
1429  x509_set_valid ( cert, issuer, root );
1430 
1431  DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1432  cert, x509_name ( cert ) );
1433  DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
1434  return 0;
1435 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:197
struct stp_switch root
Root switch.
Definition: stp.h:26
static void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition: x509.c:1334
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:73
#define DBGC(...)
Definition: compiler.h:505
int x509_is_valid(struct x509_certificate *cert, struct x509_root *root)
Check if X.509 certificate is valid.
Definition: x509.c:1318
static int ocsp_required(struct x509_certificate *cert)
Check if X.509 certificate requires an OCSP check.
Definition: ocsp.h:128
#define EACCES_OCSP_REQUIRED
Definition: x509.c:113
#define EACCES_OUT_OF_ORDER
Definition: x509.c:105
#define EACCES_PATH_LEN
Definition: x509.c:97
int x509_check_root(struct x509_certificate *cert, struct x509_root *root)
Check X.509 root certificate.
Definition: x509.c:1260
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
#define DBGC2(...)
Definition: compiler.h:522
int x509_check_issuer(struct x509_certificate *cert, struct x509_certificate *issuer)
Check X.509 certificate against issuer certificate.
Definition: x509.c:1182
#define EACCES_UNTRUSTED
Definition: x509.c:101
uint64_t time
Current time.
Definition: ntlm.h:20
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
int x509_check_time(struct x509_certificate *cert, time_t time)
Check X.509 certificate validity period.
Definition: x509.c:1292

References DBGC, DBGC2, EACCES_OCSP_REQUIRED, EACCES_OUT_OF_ORDER, EACCES_PATH_LEN, EACCES_UNTRUSTED, NULL, ocsp_required(), x509_certificate::path_remaining, rc, root, root_certificates, time, x509_check_issuer(), x509_check_root(), x509_check_time(), x509_is_valid(), x509_name(), and x509_set_valid().

Referenced by ocsp_validate(), and x509_validate_chain().

◆ x509_check_name()

int x509_check_name ( struct x509_certificate cert,
const char *  name 
)

Check X.509 certificate name.

Parameters
certX.509 certificate
nameName
Return values
rcReturn status code

Definition at line 1569 of file x509.c.

1569  {
1570  struct asn1_cursor *common_name = &cert->subject.common_name;
1571  struct asn1_cursor alt_name;
1572  int rc;
1573 
1574  /* Check commonName */
1575  if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
1576  DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
1577  cert, x509_name ( cert ), name );
1578  return 0;
1579  }
1580 
1581  /* Check any subjectAlternativeNames */
1582  memcpy ( &alt_name, &cert->extensions.alt_name.names,
1583  sizeof ( alt_name ) );
1584  for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
1585  if ( ( rc = x509_check_alt_name ( cert, &alt_name,
1586  name ) ) == 0 ) {
1587  DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
1588  "\"%s\"\n", cert, x509_name ( cert ), name );
1589  return 0;
1590  }
1591  }
1592 
1593  DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
1594  cert, x509_name ( cert ), name );
1595  return -EACCES_WRONG_NAME;
1596 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
const char * name
Definition: ath9k_hw.c:1984
struct asn1_cursor names
Names.
Definition: x509.h:144
static int x509_check_alt_name(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative name.
Definition: x509.c:1537
#define DBGC(...)
Definition: compiler.h:505
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define EACCES_WRONG_NAME
Definition: x509.c:117
static int x509_check_dnsname(struct x509_certificate *cert, const struct asn1_cursor *raw, const char *name)
Check X.509 certificate alternative dNSName.
Definition: x509.c:1445
struct x509_subject subject
Subject.
Definition: x509.h:214
struct asn1_cursor common_name
Common name.
Definition: x509.h:62
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
struct x509_subject_alt_name alt_name
Subject alternative name.
Definition: x509.h:165
#define DBGC2(...)
Definition: compiler.h:522
An ASN.1 object cursor.
Definition: asn1.h:20
struct x509_extensions extensions
Extensions.
Definition: x509.h:218

References x509_extensions::alt_name, asn1_skip_any(), x509_subject::common_name, DBGC, DBGC2, EACCES_WRONG_NAME, x509_certificate::extensions, asn1_cursor::len, memcpy(), name, x509_subject_alt_name::names, rc, x509_certificate::subject, x509_check_alt_name(), x509_check_dnsname(), and x509_name().

Referenced by cert_exec(), cms_verify(), tls_validator_done(), x509_check_name_fail_okx(), and x509_check_name_okx().

◆ x509_alloc_chain()

struct x509_chain* x509_alloc_chain ( void  )

Allocate X.509 certificate chain.

Return values
chainX.509 certificate chain, or NULL

Definition at line 1627 of file x509.c.

1627  {
1628  struct x509_chain *chain;
1629 
1630  /* Allocate chain */
1631  chain = zalloc ( sizeof ( *chain ) );
1632  if ( ! chain )
1633  return NULL;
1634 
1635  /* Initialise chain */
1636  ref_init ( &chain->refcnt, x509_free_chain );
1637  INIT_LIST_HEAD ( &chain->links );
1638 
1639  DBGC2 ( chain, "X509 chain %p allocated\n", chain );
1640  return chain;
1641 }
struct list_head links
List of links.
Definition: x509.h:181
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
static void x509_free_chain(struct refcnt *refcnt)
Free X.509 certificate chain.
Definition: x509.c:1603
An X.509 certificate chain.
Definition: x509.h:177
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
#define DBGC2(...)
Definition: compiler.h:522
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362
struct refcnt refcnt
Reference count.
Definition: x509.h:179

References DBGC2, INIT_LIST_HEAD, x509_chain::links, NULL, ref_init, x509_chain::refcnt, x509_free_chain(), and zalloc().

Referenced by cms_parse(), cms_signature(), tls_new_certificate_request(), tls_parse_chain(), validator_append(), and x509_chain_okx().

◆ x509_append()

int x509_append ( struct x509_chain chain,
struct x509_certificate cert 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certX.509 certificate
Return values
rcReturn status code

Definition at line 1650 of file x509.c.

1650  {
1651  struct x509_link *link;
1652 
1653  /* Allocate link */
1654  link = zalloc ( sizeof ( *link ) );
1655  if ( ! link )
1656  return -ENOMEM;
1657 
1658  /* Add link to chain */
1659  link->cert = x509_get ( cert );
1660  list_add_tail ( &link->list, &chain->links );
1661  DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
1662  chain, cert, x509_name ( cert ) );
1663 
1664  return 0;
1665 }
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:236
struct list_head links
List of links.
Definition: x509.h:181
#define DBGC(...)
Definition: compiler.h:505
#define ENOMEM
Not enough space.
Definition: errno.h:534
#define list_add_tail(new, head)
Add a new entry to the tail of a list.
Definition: list.h:93
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145

References x509_link::cert, DBGC, ENOMEM, link, x509_chain::links, list_add_tail, x509_get(), x509_name(), and zalloc().

Referenced by cms_parse_signer_identifier(), tls_new_certificate_request(), x509_append_raw(), x509_auto_append(), and x509_chain_okx().

◆ x509_append_raw()

int x509_append_raw ( struct x509_chain chain,
const void *  data,
size_t  len 
)

Append X.509 certificate to X.509 certificate chain.

Parameters
chainX.509 certificate chain
dataRaw certificate data
lenLength of raw data
Return values
rcReturn status code

Definition at line 1675 of file x509.c.

1676  {
1677  struct x509_certificate *cert;
1678  int rc;
1679 
1680  /* Parse certificate */
1681  if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
1682  goto err_parse;
1683 
1684  /* Append certificate to chain */
1685  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1686  goto err_append;
1687 
1688  /* Drop reference to certificate */
1689  x509_put ( cert );
1690 
1691  return 0;
1692 
1693  err_append:
1694  x509_put ( cert );
1695  err_parse:
1696  return rc;
1697 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1650
An X.509 certificate.
Definition: x509.h:185
uint32_t len
Length.
Definition: ena.h:14
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
struct arbelprm_port_state_change_st data
Message.
Definition: arbel.h:12

References data, len, rc, x509_append(), and x509_put().

Referenced by cms_parse_certificates(), tls_parse_chain(), and validator_append().

◆ x509_auto_append()

int x509_auto_append ( struct x509_chain chain,
struct x509_chain certs 
)

Append X.509 certificates to X.509 certificate chain.

Parameters
chainX.509 certificate chain
certsX.509 certificate list
Return values
rcReturn status code

Certificates will be automatically appended to the chain based upon the subject and issuer names.

Definition at line 1734 of file x509.c.

1734  {
1735  struct x509_certificate *cert;
1736  struct x509_certificate *previous;
1737  int rc;
1738 
1739  /* Get current certificate */
1740  cert = x509_last ( chain );
1741  if ( ! cert ) {
1742  DBGC ( chain, "X509 chain %p has no certificates\n", chain );
1743  return -EACCES_EMPTY;
1744  }
1745 
1746  /* Append certificates, in order */
1747  while ( 1 ) {
1748 
1749  /* Find issuing certificate */
1750  previous = cert;
1751  cert = x509_find_subject ( certs, &cert->issuer.raw );
1752  if ( ! cert )
1753  break;
1754  if ( cert == previous )
1755  break;
1756 
1757  /* Append certificate to chain */
1758  if ( ( rc = x509_append ( chain, cert ) ) != 0 )
1759  return rc;
1760  }
1761 
1762  return 0;
1763 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
#define EACCES_EMPTY
Definition: x509.c:109
struct x509_issuer issuer
Issuer.
Definition: x509.h:210
#define DBGC(...)
Definition: compiler.h:505
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1650
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:294
An X.509 certificate.
Definition: x509.h:185
static struct x509_certificate * x509_find_subject(struct x509_chain *certs, const struct asn1_cursor *subject)
Identify X.509 certificate by subject.
Definition: x509.c:1707

References DBGC, EACCES_EMPTY, x509_certificate::issuer, x509_issuer::raw, rc, x509_append(), x509_find_subject(), and x509_last().

Referenced by cms_parse_signer_identifier(), tls_new_certificate_request(), validator_append(), and x509_validate_chain().

◆ x509_validate_chain()

int x509_validate_chain ( struct x509_chain chain,
time_t  time,
struct x509_chain store,
struct x509_root root 
)

Validate X.509 certificate chain.

Parameters
chainX.509 certificate chain
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 1774 of file x509.c.

1775  {
1776  struct x509_certificate *issuer = NULL;
1777  struct x509_link *link;
1778  int rc;
1779 
1780  /* Use default certificate store if none specified */
1781  if ( ! store )
1782  store = &certstore;
1783 
1784  /* Append any applicable certificates from the certificate store */
1785  if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
1786  return rc;
1787 
1788  /* Find first certificate that can be validated as a
1789  * standalone (i.e. is already valid, or can be validated as
1790  * a trusted root certificate).
1791  */
1792  list_for_each_entry ( link, &chain->links, list ) {
1793 
1794  /* Try validating this certificate as a standalone */
1795  if ( ( rc = x509_validate ( link->cert, NULL, time,
1796  root ) ) != 0 )
1797  continue;
1798 
1799  /* Work back up to start of chain, performing pairwise
1800  * validation.
1801  */
1802  issuer = link->cert;
1804  list ) {
1805 
1806  /* Validate this certificate against its issuer */
1807  if ( ( rc = x509_validate ( link->cert, issuer, time,
1808  root ) ) != 0 )
1809  return rc;
1810  issuer = link->cert;
1811  }
1812 
1813  return 0;
1814  }
1815 
1816  DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
1817  return -EACCES_USELESS;
1818 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct x509_chain certstore
Certificate store.
Definition: certstore.c:73
struct stp_switch root
Root switch.
Definition: stp.h:26
struct list_head links
List of links.
Definition: x509.h:181
struct x509_issuer issuer
Issuer.
Definition: x509.h:210
#define DBGC(...)
Definition: compiler.h:505
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
int x509_validate(struct x509_certificate *cert, struct x509_certificate *issuer, time_t time, struct x509_root *root)
Validate X.509 certificate.
Definition: x509.c:1371
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
An X.509 certificate.
Definition: x509.h:185
#define list_for_each_entry_continue_reverse(pos, head, member)
Iterate over entries in a list in reverse, starting after current position.
Definition: list.h:475
int x509_auto_append(struct x509_chain *chain, struct x509_chain *certs)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1734
#define EACCES_USELESS
Definition: x509.c:121
uint64_t time
Current time.
Definition: ntlm.h:20
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362

References certstore, DBGC, EACCES_USELESS, x509_certificate::issuer, link, x509_chain::links, x509_link::list, list_for_each_entry, list_for_each_entry_continue_reverse, NULL, rc, root, time, x509_auto_append(), and x509_validate().

Referenced by cms_verify_signer_info(), validator_step(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().

◆ image_x509()

int image_x509 ( struct image image,
size_t  offset,
struct x509_certificate **  cert 
)

Extract X.509 certificate object from image.

Parameters
imageImage
offsetOffset within image
Return values
certX.509 certificate
nextOffset to next image, or negative error

On success, the caller holds a reference to the X.509 certificate, and is responsible for ultimately calling x509_put().

Definition at line 1831 of file x509.c.

1832  {
1833  struct asn1_cursor *cursor;
1834  int next;
1835  int rc;
1836 
1837  /* Get ASN.1 object */
1838  next = image_asn1 ( image, offset, &cursor );
1839  if ( next < 0 ) {
1840  rc = next;
1841  goto err_asn1;
1842  }
1843 
1844  /* Parse certificate */
1845  if ( ( rc = x509_certificate ( cursor->data, cursor->len,
1846  cert ) ) != 0 )
1847  goto err_certificate;
1848 
1849  /* Free ASN.1 object */
1850  free ( cursor );
1851 
1852  return next;
1853 
1854  x509_put ( *cert );
1855  err_certificate:
1856  free ( cursor );
1857  err_asn1:
1858  return rc;
1859 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
uint32_t next
Next descriptor address.
Definition: myson.h:18
const void * data
Start of data.
Definition: asn1.h:22
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
Definition: asn1.c:854
An executable image.
Definition: image.h:24
size_t len
Length of data.
Definition: asn1.h:24
static userptr_t size_t offset
Offset of the first segment within the content.
Definition: deflate.h:259
An X.509 certificate.
Definition: x509.h:185
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:247
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_cursor::data, free, image_asn1(), asn1_cursor::len, next, offset, rc, and x509_put().

Referenced by cert_exec().

◆ x509_check_issuer()

int x509_check_issuer ( struct x509_certificate cert,
struct x509_certificate issuer 
)

Check X.509 certificate against issuer certificate.

Parameters
certX.509 certificate
issuerX.509 issuer certificate
Return values
rcReturn status code

Definition at line 1182 of file x509.c.

1183  {
1184  struct x509_public_key *public_key = &issuer->subject.public_key;
1185  int rc;
1186 
1187  /* Check issuer. In theory, this should be a full X.500 DN
1188  * comparison, which would require support for a plethora of
1189  * abominations such as TeletexString (which allows the
1190  * character set to be changed mid-string using escape codes).
1191  * In practice, we assume that anyone who deliberately changes
1192  * the encoding of the issuer DN is probably a masochist who
1193  * will rather enjoy the process of figuring out exactly why
1194  * their certificate doesn't work.
1195  *
1196  * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
1197  * for some enjoyable ranting on this subject.
1198  */
1199  if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
1200  DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
1201  cert, x509_name ( cert ) );
1202  DBGC ( cert, "X509 %p \"%s\" subject\n",
1203  issuer, x509_name ( issuer ) );
1204  DBGC_HDA ( cert, 0, cert->issuer.raw.data,
1205  cert->issuer.raw.len );
1206  DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
1207  issuer->subject.raw.len );
1208  return -EACCES_WRONG_ISSUER;
1209  }
1210 
1211  /* Check that issuer is allowed to sign certificates */
1212  if ( ! issuer->extensions.basic.ca ) {
1213  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1214  issuer, x509_name ( issuer ) );
1215  DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
1216  cert, x509_name ( cert ) );
1217  return -EACCES_NOT_CA;
1218  }
1219  if ( issuer->extensions.usage.present &&
1220  ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
1221  DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
1222  issuer, x509_name ( issuer ) );
1223  DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
1224  cert, x509_name ( cert ) );
1225  return -EACCES_KEY_USAGE;
1226  }
1227 
1228  /* Check signature */
1229  if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
1230  return rc;
1231 
1232  return 0;
1233 }
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
struct x509_issuer issuer
Issuer.
Definition: x509.h:210
const void * data
Start of data.
Definition: asn1.h:22
#define DBGC(...)
Definition: compiler.h:505
int present
Key usage extension is present.
Definition: x509.h:93
size_t len
Length of data.
Definition: asn1.h:24
#define EACCES_KEY_USAGE
Definition: x509.c:89
#define DBGC_HDA(...)
Definition: compiler.h:506
An X.509 certificate public key.
Definition: x509.h:48
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
struct x509_subject subject
Subject.
Definition: x509.h:214
int ca
Subject is a CA.
Definition: x509.h:78
#define EACCES_NOT_CA
Definition: x509.c:85
struct asn1_cursor raw
Raw subject.
Definition: x509.h:60
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
static int x509_check_signature(struct x509_certificate *cert, struct x509_public_key *public_key)
Check X.509 certificate signature.
Definition: x509.c:1119
unsigned int bits
Usage bits.
Definition: x509.h:95
struct x509_key_usage usage
Key usage.
Definition: x509.h:159
#define EACCES_WRONG_ISSUER
Definition: x509.c:81
struct x509_basic_constraints basic
Basic constraints.
Definition: x509.h:157
struct x509_extensions extensions
Extensions.
Definition: x509.h:218

References asn1_compare(), x509_extensions::basic, x509_key_usage::bits, x509_basic_constraints::ca, asn1_cursor::data, DBGC, DBGC_HDA, EACCES_KEY_USAGE, EACCES_NOT_CA, EACCES_WRONG_ISSUER, x509_certificate::extensions, x509_certificate::issuer, asn1_cursor::len, x509_key_usage::present, x509_subject::public_key, x509_subject::raw, x509_issuer::raw, rc, x509_certificate::subject, x509_extensions::usage, x509_check_signature(), X509_KEY_CERT_SIGN, and x509_name().

Referenced by x509_check_issuer_fail_okx(), x509_check_issuer_okx(), and x509_validate().

◆ x509_fingerprint()

void x509_fingerprint ( struct x509_certificate cert,
struct digest_algorithm digest,
void *  fingerprint 
)

Calculate X.509 certificate fingerprint.

Parameters
certX.509 certificate
digestDigest algorithm
fingerprintFingerprint buffer

Definition at line 1242 of file x509.c.

1244  {
1245  uint8_t ctx[ digest->ctxsize ];
1246 
1247  /* Calculate fingerprint */
1248  digest_init ( digest, ctx );
1249  digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
1250  digest_final ( digest, ctx, fingerprint );
1251 }
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Definition: crypto.h:177
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
Definition: crypto.h:182
const void * data
Start of data.
Definition: asn1.h:22
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
struct md4_digest digest
Digest of data already processed.
Definition: md4.h:12
size_t len
Length of data.
Definition: asn1.h:24
static void digest_init(struct digest_algorithm *digest, void *ctx)
Definition: crypto.h:172
unsigned char uint8_t
Definition: stdint.h:10
struct asn1_cursor raw
Raw certificate.
Definition: x509.h:200

References ctx, asn1_cursor::data, digest, digest_final(), digest_init(), digest_update(), asn1_cursor::len, and x509_certificate::raw.

Referenced by certstat(), icert_certs(), x509_check_root(), x509_fingerprint_okx(), and x509_name().

◆ x509_check_root()

int x509_check_root ( struct x509_certificate cert,
struct x509_root root 
)

Check X.509 root certificate.

Parameters
certX.509 certificate
rootX.509 root certificate list
Return values
rcReturn status code

Definition at line 1260 of file x509.c.

1260  {
1261  struct digest_algorithm *digest = root->digest;
1262  uint8_t fingerprint[ digest->digestsize ];
1263  const uint8_t *root_fingerprint = root->fingerprints;
1264  unsigned int i;
1265 
1266  /* Calculate certificate fingerprint */
1267  x509_fingerprint ( cert, digest, fingerprint );
1268 
1269  /* Check fingerprint against all root certificates */
1270  for ( i = 0 ; i < root->count ; i++ ) {
1271  if ( memcmp ( fingerprint, root_fingerprint,
1272  sizeof ( fingerprint ) ) == 0 ) {
1273  DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
1274  cert, x509_name ( cert ) );
1275  return 0;
1276  }
1277  root_fingerprint += sizeof ( fingerprint );
1278  }
1279 
1280  DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
1281  cert, x509_name ( cert ) );
1282  return -ENOENT;
1283 }
struct stp_switch root
Root switch.
Definition: stp.h:26
#define DBGC(...)
Definition: compiler.h:505
#define ENOENT
No such file or directory.
Definition: errno.h:514
struct md4_digest digest
Digest of data already processed.
Definition: md4.h:12
unsigned char uint8_t
Definition: stdint.h:10
void x509_fingerprint(struct x509_certificate *cert, struct digest_algorithm *digest, void *fingerprint)
Calculate X.509 certificate fingerprint.
Definition: x509.c:1242
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
#define DBGC2(...)
Definition: compiler.h:522
A message digest algorithm.
Definition: crypto.h:16
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114

References DBGC, DBGC2, digest, ENOENT, memcmp(), root, x509_fingerprint(), and x509_name().

Referenced by x509_check_root_fail_okx(), x509_check_root_okx(), and x509_validate().

◆ x509_check_time()

int x509_check_time ( struct x509_certificate cert,
time_t  time 
)

Check X.509 certificate validity period.

Parameters
certX.509 certificate
timeTime at which to check certificate
Return values
rcReturn status code

Definition at line 1292 of file x509.c.

1292  {
1293  struct x509_validity *validity = &cert->validity;
1294 
1295  /* Check validity period */
1296  if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
1297  DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1298  cert, x509_name ( cert ), time );
1299  return -EACCES_EXPIRED;
1300  }
1301  if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
1302  DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1303  cert, x509_name ( cert ), time );
1304  return -EACCES_EXPIRED;
1305  }
1306 
1307  DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
1308  cert, x509_name ( cert ), time );
1309  return 0;
1310 }
#define DBGC(...)
Definition: compiler.h:505
time_t time
Seconds since the Epoch.
Definition: x509.h:36
struct x509_time not_before
Not valid before.
Definition: x509.h:42
#define EACCES_EXPIRED
Definition: x509.c:93
An X.509 certificate validity period.
Definition: x509.h:40
struct x509_validity validity
Validity.
Definition: x509.h:212
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
#define TIMESTAMP_ERROR_MARGIN
SHA-512/224 digest algorithm.
Definition: crypto.h:54
#define DBGC2(...)
Definition: compiler.h:522
struct x509_time not_after
Not valid after.
Definition: x509.h:44
uint64_t time
Current time.
Definition: ntlm.h:20

References DBGC, DBGC2, EACCES_EXPIRED, x509_validity::not_after, x509_validity::not_before, time, x509_time::time, TIMESTAMP_ERROR_MARGIN, x509_certificate::validity, and x509_name().

Referenced by x509_check_time_fail_okx(), x509_check_time_okx(), and x509_validate().

◆ x509_invalidate()

static void x509_invalidate ( struct x509_certificate cert)
inlinestatic

Invalidate X.509 certificate.

Parameters
certX.509 certificate

Definition at line 417 of file x509.h.

417  {
418  x509_root_put ( cert->root );
419  cert->root = NULL;
420  cert->path_remaining = 0;
421 }
unsigned int path_remaining
Maximum number of subsequent certificates in chain.
Definition: x509.h:197
static void x509_root_put(struct x509_root *root)
Drop reference to X.509 root certificate list.
Definition: x509.h:373
struct x509_root * root
Root against which certificate has been validated (if any)
Definition: x509.h:195
#define NULL
NULL pointer (VOID *)
Definition: Base.h:362

References NULL, x509_certificate::path_remaining, x509_certificate::root, and x509_root_put().

Referenced by ocsp_prepare_test(), ocsp_validate(), and x509_invalidate_chain().

◆ x509_invalidate_chain()

static void x509_invalidate_chain ( struct x509_chain chain)
inlinestatic

Invalidate X.509 certificate chain.

Parameters
chainX.509 certificate chain

Definition at line 428 of file x509.h.

428  {
429  struct x509_link *link;
430 
431  list_for_each_entry ( link, &chain->links, list )
432  x509_invalidate ( link->cert );
433 }
struct list_head links
List of links.
Definition: x509.h:181
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:420
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
static void x509_invalidate(struct x509_certificate *cert)
Invalidate X.509 certificate.
Definition: x509.h:417

References link, x509_chain::links, x509_link::list, list_for_each_entry, and x509_invalidate().

Referenced by cms_verify_fail_okx(), cms_verify_okx(), x509_validate_chain_fail_okx(), and x509_validate_chain_okx().