
[crypto] Add support for iPAddress subject alternative names

Originally-implemented-by: Jarrod Johnson <jarrod.b.johnson@gmail.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown il y a 9 ans
Parent
révision
8484e97f7c
3 fichiers modifiés avec 105 ajouts et 40 suppressions
  1. 55
    0
      src/crypto/x509.c
  2. 1
    0
      src/include/ipxe/x509.h
  3. 49
    40
      src/tests/x509_test.c

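--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -33,6 +33,8 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/rsa.h>
 #include <ipxe/rootcert.h>
 #include <ipxe/certstore.h>
+#include <ipxe/socket.h>
+#include <ipxe/in.h>
 #include <ipxe/x509.h>
 #include <config/crypto.h>
 
@@ -1417,6 +1419,57 @@ static int x509_check_dnsname ( struct x509_certificate *cert,
 	return 0;
 }
 
+/**
+ * Check X.509 certificate alternative iPAddress
+ *
+ * @v cert		X.509 certificate
+ * @v raw		ASN.1 cursor
+ * @v name		Name
+ * @ret rc		Return status code
+ */
+static int x509_check_ipaddress ( struct x509_certificate *cert,
+				  const struct asn1_cursor *raw,
+				  const char *name ) {
+	struct sockaddr sa;
+	sa_family_t family;
+	const void *address;
+	int rc;
+
+	/* Determine address family */
+	if ( raw->len == sizeof ( struct in_addr ) ) {
+		struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
+		family = AF_INET;
+		address = &sin->sin_addr;
+	} else if ( raw->len == sizeof ( struct in6_addr ) ) {
+		struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
+		family = AF_INET6;
+		address = &sin6->sin6_addr;
+	} else {
+		DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
+		       "length %zd\n", cert, x509_name ( cert ), raw->len );
+		DBGC_HDA ( cert, 0, raw->data, raw->len );
+		return -EINVAL;
+	}
+
+	/* Attempt to convert name to a socket address */
+	if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
+		DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
+			"iPAddress: %s\n", cert, x509_name ( cert ), name,
+			strerror ( rc ) );
+		return rc;
+	}
+	if ( sa.sa_family != family )
+		return -ENOENT;
+
+	/* Compare addresses */
+	if ( memcmp ( address, raw->data, raw->len ) != 0 )
+		return -ENOENT;
+
+	DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
+		cert, x509_name ( cert ), sock_ntoa ( &sa ) );
+	return 0;
+}
+
 /**
  * Check X.509 certificate alternative name
  *
@@ -1440,6 +1493,8 @@ static int x509_check_alt_name ( struct x509_certificate *cert,
 	switch ( type ) {
 	case X509_GENERAL_NAME_DNS :
 		return x509_check_dnsname ( cert, &alt_name, name );
+	case X509_GENERAL_NAME_IP :
+		return x509_check_ipaddress ( cert, &alt_name, name );
 	default:
 		DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
 			cert, x509_name ( cert ), type );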
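Review bot: The docstring of x509_check_ipaddress documents the third parameter only as `@v name		Name`; it should say that `name` is the textual IP address being matched and that the match is an exact comparison of the parsed binary form, because that is what makes the `sa.sa_family != family` test and the `memcmp` over `raw->len` bytes reject an address of the other family (including an IPv4-mapped IPv6 spelling of an IPv4 entry). Suggested line: `@v name		Textual IP address (matched on its parsed binary form)`. The casts of `&sa` to `struct sockaddr_in *` and `struct sockaddr_in6 *` presumably rely on iPXE's `struct sockaddr` being padded to hold the IPv6 form; a comment at the declaration, `/* Sized to hold sockaddr_in6 - see ipxe/socket.h */`, would make that dependency visible and is worth confirming against the header. An iPAddress of unexpected length returns -EINVAL while a non-match returns -ENOENT; whether x509_check_alt_name's caller treats both as "no match" cannot be seen from this hunk, since that function starts and ends outside it.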
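--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -146,6 +146,7 @@ struct x509_subject_alt_name {
 enum x509_general_name_types {
 	X509_GENERAL_NAME_DNS = ASN1_IMPLICIT_TAG ( 2 ),
 	X509_GENERAL_NAME_URI = ASN1_IMPLICIT_TAG ( 6 ),
+	X509_GENERAL_NAME_IP = ASN1_IMPLICIT_TAG ( 7 ),
 };
 
 /** An X.509 certificate extensions set */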
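--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -413,8 +413,8 @@ CERTIFICATE ( useless_crt,
  * issuer	iPXE self-test leaf CA
  */
 CERTIFICATE ( server_crt,
-	DATA ( 0x30, 0x82, 0x02, 0xba, 0x30, 0x82, 0x02, 0x23, 0xa0, 0x03,
-	       0x02, 0x01, 0x02, 0x02, 0x01, 0x18, 0x30, 0x0d, 0x06, 0x09,
+	DATA ( 0x30, 0x82, 0x02, 0xd2, 0x30, 0x82, 0x02, 0x3b, 0xa0, 0x03,
+	       0x02, 0x01, 0x02, 0x02, 0x01, 0x1e, 0x30, 0x0d, 0x06, 0x09,
 	       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
 	       0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
 	       0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x17, 0x30,
@@ -431,9 +431,9 @@ CERTIFICATE ( server_crt,
 	       0x58, 0x45, 0x20, 0x73, 0x65, 0x6c, 0x66, 0x2d, 0x74, 0x65,
 	       0x73, 0x74, 0x20, 0x6c, 0x65, 0x61, 0x66, 0x20, 0x43, 0x41,
 	       0x30, 0x1e, 0x17, 0x0d, 0x31, 0x32, 0x30, 0x33, 0x30, 0x35,
-	       0x31, 0x33, 0x34, 0x35, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31,
+	       0x31, 0x33, 0x34, 0x35, 0x30, 0x35, 0x5a, 0x17, 0x0d, 0x31,
 	       0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x33, 0x34, 0x35, 0x30,
-	       0x30, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06,
+	       0x35, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06,
 	       0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x17,
 	       0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0e, 0x43,
 	       0x61, 0x6d, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x73, 0x68,
@@ -449,45 +449,47 @@ CERTIFICATE ( server_crt,
 	       0x70, 0x78, 0x65, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x81, 0x9f,
 	       0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
 	       0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30,
-	       0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0x9d, 0x87, 0xe4, 0xa7,
-	       0xcf, 0x12, 0x08, 0x43, 0x4c, 0x90, 0x8b, 0x10, 0x7d, 0xcc,
-	       0x94, 0x1e, 0x5e, 0xef, 0xa7, 0x90, 0xbc, 0xe8, 0xe4, 0xee,
-	       0xd9, 0xb4, 0xd9, 0x63, 0x55, 0xc7, 0x03, 0x98, 0x42, 0xd7,
-	       0x4e, 0xaf, 0xd7, 0xdc, 0x40, 0x83, 0x61, 0x1b, 0xcc, 0x7b,
-	       0xf5, 0x1d, 0xba, 0x9f, 0x66, 0xfb, 0xe7, 0x42, 0xbd, 0xd7,
-	       0xac, 0xeb, 0x3c, 0xa2, 0x99, 0x6a, 0xe4, 0x8f, 0xb4, 0x06,
-	       0x4e, 0xc3, 0x3b, 0x62, 0xcd, 0x6a, 0x30, 0x0a, 0xe0, 0xb1,
-	       0x50, 0x83, 0x77, 0xc4, 0x97, 0x15, 0xc4, 0x7c, 0x40, 0xb8,
-	       0x60, 0x39, 0x07, 0x72, 0x4b, 0xd2, 0x61, 0x5c, 0xd0, 0xac,
-	       0x21, 0x9b, 0x85, 0xba, 0x53, 0x39, 0x1d, 0xef, 0xe9, 0xb7,
-	       0x69, 0xed, 0x7f, 0x1c, 0x38, 0x56, 0x0a, 0xe5, 0x24, 0xd0,
-	       0x1a, 0xa5, 0x9a, 0xd2, 0x5e, 0x1b, 0x47, 0x42, 0x49, 0x08,
-	       0x0d, 0x68, 0x2d, 0xc9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
-	       0x36, 0x30, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x1d, 0x11,
-	       0x04, 0x2b, 0x30, 0x29, 0x82, 0x12, 0x64, 0x65, 0x6d, 0x6f,
+	       0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xac, 0x7b, 0x54, 0xc1,
+	       0x97, 0x4d, 0x56, 0xbd, 0xb2, 0x52, 0xb3, 0x5c, 0x1b, 0x28,
+	       0xae, 0x91, 0x33, 0xf0, 0xc8, 0xc2, 0x3c, 0x7d, 0xe8, 0x95,
+	       0x72, 0xaf, 0xfe, 0xa1, 0x68, 0xe1, 0xbd, 0xe2, 0x9d, 0x4c,
+	       0xe8, 0x95, 0x56, 0x94, 0xce, 0x47, 0x57, 0x1b, 0xb1, 0x08,
+	       0xa1, 0x5b, 0x02, 0x8f, 0x56, 0x75, 0x1e, 0x4f, 0xfd, 0xc5,
+	       0x87, 0x5c, 0x1c, 0x3f, 0xab, 0x4f, 0xba, 0x25, 0x14, 0x6d,
+	       0xe3, 0xa2, 0x47, 0x33, 0xd0, 0x78, 0x63, 0xcc, 0x11, 0x37,
+	       0x08, 0x73, 0x25, 0x42, 0x20, 0xa9, 0x57, 0x29, 0xeb, 0x44,
+	       0x80, 0x0d, 0xe6, 0x76, 0x4b, 0x02, 0x8b, 0x67, 0xb2, 0x99,
+	       0xfe, 0xb3, 0x44, 0x62, 0xdf, 0x34, 0x0e, 0xf3, 0xe2, 0x17,
+	       0x42, 0x8f, 0x36, 0x42, 0x5a, 0x1c, 0x03, 0x3e, 0x06, 0x0d,
+	       0x5e, 0x08, 0x52, 0xd1, 0x06, 0xfb, 0xa9, 0xdb, 0x13, 0x15,
+	       0x08, 0x6d, 0x03, 0x85, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
+	       0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x03, 0x55, 0x1d, 0x11,
+	       0x04, 0x43, 0x30, 0x41, 0x82, 0x12, 0x64, 0x65, 0x6d, 0x6f,
 	       0x2e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x69, 0x70, 0x78, 0x65,
 	       0x2e, 0x6f, 0x72, 0x67, 0x82, 0x13, 0x2a, 0x2e, 0x61, 0x6c,
 	       0x74, 0x2e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x69, 0x70, 0x78,
-	       0x65, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x0d, 0x06, 0x09, 0x2a,
-	       0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,
-	       0x03, 0x81, 0x81, 0x00, 0x23, 0x16, 0x6a, 0x10, 0x55, 0x44,
-	       0xb9, 0x9d, 0x9f, 0x9f, 0x53, 0x51, 0x3d, 0x7d, 0x33, 0xa1,
-	       0x84, 0xb2, 0x5a, 0xfb, 0x1d, 0x76, 0xd5, 0xb1, 0x79, 0x66,
-	       0xf5, 0xe3, 0xa6, 0x58, 0x2e, 0x3d, 0xec, 0x9f, 0xcf, 0x7d,
-	       0x75, 0x3b, 0xd7, 0xe8, 0xf6, 0x96, 0xd7, 0xdd, 0x89, 0x1e,
-	       0x30, 0x25, 0xd9, 0xbb, 0xc0, 0x99, 0xc0, 0x1f, 0x1b, 0x4f,
-	       0xa6, 0x8e, 0xd5, 0x76, 0x50, 0x18, 0xa1, 0x7a, 0x48, 0x08,
-	       0xd5, 0x75, 0xee, 0x20, 0x82, 0x12, 0xc0, 0xe8, 0xeb, 0xf1,
-	       0x50, 0xee, 0x9d, 0xbd, 0x73, 0x7c, 0xb5, 0x13, 0x05, 0x91,
-	       0x1f, 0xc6, 0x50, 0x08, 0xbc, 0x98, 0xde, 0x43, 0x9a, 0xa4,
-	       0x9f, 0x69, 0xf7, 0x6e, 0x36, 0x20, 0x42, 0x80, 0x72, 0xba,
-	       0x0d, 0x63, 0x4c, 0xc5, 0x00, 0x0d, 0x85, 0xaa, 0x14, 0x38,
-	       0x28, 0x11, 0x3e, 0xa2, 0xcc, 0xc2, 0xac, 0xe8, 0xa7, 0xbe,
-	       0x0a, 0xa0 ),
-	FINGERPRINT ( 0x2f, 0xd3, 0xe0, 0x69, 0xde, 0xbc, 0x7c, 0x39,
-		      0xa7, 0xee, 0x23, 0x3b, 0xf5, 0x92, 0xf5, 0xbe,
-		      0x05, 0xab, 0xb5, 0xf8, 0x42, 0x9e, 0xf5, 0x9c,
-		      0x24, 0xde, 0x9e, 0x1f, 0xeb, 0xed, 0xd1, 0x20 ) );
+	       0x65, 0x2e, 0x6f, 0x72, 0x67, 0x87, 0x04, 0xc0, 0xa8, 0x00,
+	       0x01, 0x87, 0x10, 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+	       0x00, 0x00, 0x00, 0x69, 0xff, 0xfe, 0x50, 0x58, 0x45, 0x30,
+	       0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+	       0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x63, 0x83,
+	       0xf5, 0xde, 0xf7, 0x59, 0x81, 0xd3, 0x34, 0x61, 0xfd, 0x2c,
+	       0x0c, 0xec, 0x1c, 0x25, 0xd2, 0x2c, 0xe8, 0x90, 0x4f, 0x34,
+	       0x43, 0x2c, 0x86, 0x18, 0x9e, 0x66, 0x26, 0x0d, 0x02, 0x2a,
+	       0xea, 0x28, 0xc6, 0xbb, 0x51, 0x02, 0xbe, 0x8f, 0x51, 0x50,
+	       0xc7, 0x04, 0x49, 0x97, 0xb9, 0xd4, 0xa5, 0x74, 0x39, 0xaa,
+	       0x22, 0xbb, 0x4e, 0x46, 0x57, 0x15, 0x0e, 0xcf, 0x64, 0x60,
+	       0xc8, 0x13, 0xdf, 0x82, 0x09, 0x3b, 0x92, 0xf5, 0x69, 0x80,
+	       0xd2, 0x5e, 0x53, 0x9d, 0x3a, 0xcd, 0x9e, 0x81, 0xa1, 0xbd,
+	       0x5b, 0x66, 0x89, 0x4d, 0xf7, 0xa4, 0xd6, 0x92, 0xe4, 0xe1,
+	       0x80, 0x87, 0xfa, 0xa5, 0x47, 0x25, 0x9c, 0x35, 0x77, 0xa5,
+	       0x11, 0x1b, 0x48, 0x4c, 0x5e, 0x5e, 0x2f, 0xc7, 0xf8, 0x78,
+	       0x4c, 0x36, 0x41, 0xfb, 0x91, 0x5d, 0xf6, 0x43, 0x99, 0x7c,
+	       0xcd, 0x7f, 0x27, 0x4c, 0x75, 0xca ),
+	FINGERPRINT ( 0x82, 0xd3, 0xa0, 0x4c, 0x0d, 0x7d, 0x3c, 0xb1,
+		      0x90, 0x63, 0xd8, 0xef, 0x1e, 0xd2, 0xdd, 0x10,
+		      0xd5, 0x89, 0x40, 0x35, 0xb9, 0x5e, 0x98, 0x44,
+		      0x30, 0xa2, 0x48, 0x9a, 0xb8, 0x2f, 0xcf, 0xe3 ) );
 
 /*
  * subject	not.a.ca.test.ipxe.org
@@ -1033,6 +1035,11 @@ static void x509_test_exec ( void ) {
 	x509_check_name_fail_ok ( &server_crt, "ipxe.org" );
 	x509_check_name_fail_ok ( &server_crt, "org" );
 	x509_check_name_fail_ok ( &server_crt, "" );
+	x509_check_name_ok ( &server_crt, "192.168.0.1" );
+	x509_check_name_fail_ok ( &server_crt, "192.168.0.2" );
+	x509_check_name_ok ( &server_crt, "fe80::69ff:fe50:5845" );
+	x509_check_name_ok ( &server_crt, "FE80:0:0:0:0:69FF:FE50:5845" );
+	x509_check_name_fail_ok ( &server_crt, "fe80::69ff:fe50:5846" );
 
 	/* Parse all certificate chains */
 	x509_chain_ok ( &server_chain );
@@ -1101,3 +1108,5 @@ struct self_test x509_test __self_test = {
 REQUIRE_OBJECT ( rsa );
 REQUIRE_OBJECT ( sha1 );
 REQUIRE_OBJECT ( sha256 );
+REQUIRE_OBJECT ( ipv4 );
+REQUIRE_OBJECT ( ipv6 );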
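Review bot: The new name checks in the x509_test_exec hunk cover exact matches, case and abbreviation variants, and single-octet mismatches, but not a cross-family spelling of an address the certificate does carry; adding `x509_check_name_fail_ok ( &server_crt, "::ffff:192.168.0.1" );` after the "192.168.0.2" case would pin that an IPv4-mapped IPv6 form is not accepted against the 192.168.0.1 iPAddress entry. That case presumably fails today whichever way sock_aton treats the mapped notation (family mismatch or parse error), so the test documents an invariant rather than changing code. x509_test_exec starts and ends outside the hunk.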