
[crypto] Add PEM image format

Add PEM-encoded ASN.1 as an image format.  We accept as PEM any image
containing a line starting with a "-----BEGIN" boundary marker.

We allow for PEM files containing multiple ASN.1 objects, such as a
certificate chain produced by concatenating individual certificate
files.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown il y a 8 ans
7 fichiers modifiés avec 343 ajouts et 0 suppressions
  1. 3
    0
      src/config/config.c
  2. 1
    0
      src/config/general.h
  3. 208
    0
      src/image/pem.c
  4. 1
    0
      src/include/ipxe/errfile.h
  5. 22
    0
      src/include/ipxe/pem.h
  6. 107
    0
      src/tests/pem_test.c
  7. 1
    0
      src/tests/tests.c

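--- a/src/config/config.c
+++ b/src/config/config.c
@@ -191,6 +191,9 @@ REQUIRE_OBJECT ( png );
 #ifdef IMAGE_DER
 REQUIRE_OBJECT ( der );
 #endif
+#ifdef IMAGE_PEM
+REQUIRE_OBJECT ( pem );
+#endif
 
 /*
  * Drag in all requested commands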

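--- a/src/config/general.h
+++ b/src/config/general.h
@@ -113,6 +113,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 //#define	IMAGE_PNM		/* PNM image support */
 //#define	IMAGE_PNG		/* PNG image support */
 //#define	IMAGE_DER		/* DER image support */
+//#define	IMAGE_PEM		/* PEM image support */
 
 /*
  * Command-line commands to include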

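--- /dev/null
+++ b/src/image/pem.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2016 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <stdlib.h>
+#include <errno.h>
+#include <assert.h>
+#include <ipxe/asn1.h>
+#include <ipxe/pem.h>
+#include <ipxe/base64.h>
+#include <ipxe/uaccess.h>
+#include <ipxe/image.h>
+
+/** @file
+ *
+ * PEM-encoded ASN.1 data
+ *
+ */
+
+/**
+ * Locate next line
+ *
+ * @v image		PEM image
+ * @v offset		Starting offset
+ * @ret next		Offset to next line
+ */
+static size_t pem_next ( struct image *image, size_t offset ) {
+	off_t eol;
+
+	/* Find and skip next newline character, if any */
+	eol = memchr_user ( image->data, offset, '\n', ( image->len - offset ));
+	if ( eol < 0 )
+		return image->len;
+	return ( eol + 1 );
+}
+
+/**
+ * Locate boundary marker line
+ *
+ * @v image		PEM image
+ * @v offset		Starting offset
+ * @v marker		Boundary marker
+ * @ret offset		Offset to boundary marker line, or negative error
+ */
+static int pem_marker ( struct image *image, size_t offset,
+			const char *marker ) {
+	char buf[ strlen ( marker ) ];
+
+	/* Sanity check */
+	assert ( offset <= image->len );
+
+	/* Scan for marker at start of line */
+	while ( offset < image->len ) {
+
+		/* Check for marker */
+		if ( ( image->len - offset ) < sizeof ( buf ) )
+			break;
+		copy_from_user ( buf, image->data, offset, sizeof ( buf ) );
+		if ( memcmp ( buf, marker, sizeof ( buf ) ) == 0 )
+			return offset;
+
+		/* Move to next line */
+		offset = pem_next ( image, offset );
+		assert ( offset <= image->len );
+	}
+
+	return -ENOENT;
+}
+
+/**
+ * Extract ASN.1 object from image
+ *
+ * @v image		PEM image
+ * @v offset		Offset within image
+ * @v cursor		ASN.1 cursor to fill in
+ * @ret next		Offset to next image, or negative error
+ *
+ * The caller is responsible for eventually calling free() on the
+ * allocated ASN.1 cursor.
+ */
+static int pem_asn1 ( struct image *image, size_t offset,
+		      struct asn1_cursor **cursor ) {
+	size_t encoded_len;
+	size_t decoded_max_len;
+	char *encoded;
+	void *decoded;
+	int begin;
+	int end;
+	int len;
+	int rc;
+
+	/* Locate and skip BEGIN marker */
+	begin = pem_marker ( image, offset, PEM_BEGIN );
+	if ( begin < 0 ) {
+		rc = begin;
+		DBGC ( image, "PEM %s [%#zx,%#zx) missing BEGIN marker: %s\n",
+		       image->name, offset, image->len, strerror ( rc ) );
+		goto err_begin;
+	}
+	begin = pem_next ( image, begin );
+
+	/* Locate and skip END marker */
+	end = pem_marker ( image, begin, PEM_END );
+	if ( end < 0 ) {
+		rc = end;
+		DBGC ( image, "PEM %s [%#zx,%#zx) missing END marker: %s\n",
+		       image->name, offset, image->len, strerror ( rc ) );
+		goto err_end;
+	}
+	encoded_len = ( end - begin );
+	end = pem_next ( image, end );
+
+	/* Extract Base64-encoded data */
+	encoded = malloc ( encoded_len + 1 /* NUL */ );
+	if ( ! encoded ) {
+		rc = -ENOMEM;
+		goto err_alloc_encoded;
+	}
+	copy_from_user ( encoded, image->data, begin, encoded_len );
+	encoded[encoded_len] = '\0';
+
+	/* Allocate cursor and data buffer */
+	decoded_max_len = base64_decoded_max_len ( encoded );
+	*cursor = malloc ( sizeof ( **cursor ) + decoded_max_len );
+	if ( ! *cursor ) {
+		rc = -ENOMEM;
+		goto err_alloc_decoded;
+	}
+	decoded = ( ( ( void * ) *cursor ) + sizeof ( **cursor ) );
+
+	/* Decode Base64-encoded data */
+	len = base64_decode ( encoded, decoded, decoded_max_len );
+	if ( len < 0 ) {
+		rc = len;
+		DBGC ( image, "PEM %s could not decode: %s\n",
+		       image->name, strerror ( rc ) );
+		goto err_decode;
+	}
+	(*cursor)->data = decoded;
+	(*cursor)->len = len;
+	assert ( (*cursor)->len <= decoded_max_len );
+
+	/* Free Base64-encoded data */
+	free ( encoded );
+
+	/* Update offset and skip any unencapsulated trailer */
+	offset = end;
+	if ( pem_marker ( image, offset, PEM_BEGIN ) < 0 )
+		offset = image->len;
+
+	return offset;
+
+ err_decode:
+	free ( decoded );
+ err_alloc_decoded:
+	free ( encoded );
+ err_alloc_encoded:
+ err_end:
+ err_begin:
+	return rc;
+}
+
+/**
+ * Probe PEM image
+ *
+ * @v image		PEM image
+ * @ret rc		Return status code
+ */
+static int pem_probe ( struct image *image ) {
+	int rc;
+
+	/* Check that image contains a BEGIN marker */
+	if ( ( rc = pem_marker ( image, 0, PEM_BEGIN ) ) < 0 ) {
+		DBGC ( image, "PEM %s has no BEGIN marker: %s\n",
+		       image->name, strerror ( rc ) );
+		return rc;
+	}
+
+	return 0;
+}
+
+/** PEM image type */
+struct image_type pem_image_type __image_type ( PROBE_NORMAL ) = {
+	.name = "PEM",
+	.probe = pem_probe,
+	.asn1 = pem_asn1,
+};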
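Review bot: The `err_decode:` cleanup in pem_asn1() frees an interior pointer: `decoded` is `*cursor` advanced by `sizeof ( **cursor )`, so when base64_decode() fails the code passes an address the allocator never handed out to free(), which is undefined behaviour (typically heap corruption) and also leaks the cursor allocation itself. The label should release the block that was actually allocated, `free ( *cursor );`, and it is worth adding `*cursor = NULL;` there so a caller cannot pick up the dangling pointer on the error return. None of the self-tests in this commit reach that path, since all three cases decode successfully, so the defect is silent until a malformed image is loaded. Separately, pem_marker() compares only the `-----BEGIN` / `-----END` prefixes, so the PEM label is never inspected and the two labels need not agree; the `noisy` self-test deliberately depends on this, so it deserves an explicit comment above pem_marker() such as `/* Only the marker prefix is matched: the PEM label is ignored and the object type is determined solely by the decoded ASN.1 */`.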

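--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -277,6 +277,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_pnm		      ( ERRFILE_IMAGE | 0x00060000 )
 #define ERRFILE_png		      ( ERRFILE_IMAGE | 0x00070000 )
 #define ERRFILE_der		      ( ERRFILE_IMAGE | 0x00080000 )
+#define ERRFILE_pem		      ( ERRFILE_IMAGE | 0x00090000 )
 
 #define ERRFILE_asn1		      ( ERRFILE_OTHER | 0x00000000 )
 #define ERRFILE_chap		      ( ERRFILE_OTHER | 0x00010000 )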

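--- /dev/null
+++ b/src/include/ipxe/pem.h
@@ -0,0 +1,22 @@
+#ifndef _IPXE_PEM_H
+#define _IPXE_PEM_H
+
+/** @file
+ *
+ * PEM image format
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <ipxe/image.h>
+
+/** Pre-encapsulation boundary marker */
+#define PEM_BEGIN "-----BEGIN"
+
+/** Post-encapsulation boundary marker */
+#define PEM_END "-----END"
+
+extern struct image_type pem_image_type __image_type ( PROBE_NORMAL );
+
+#endif /* _IPXE_PEM_H */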

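--- /dev/null
+++ b/src/tests/pem_test.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2016 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+/** @file
+ *
+ * PEM self-tests
+ *
+ */
+
+/* Forcibly enable assertions */
+#undef NDEBUG
+
+#include <string.h>
+#include <assert.h>
+#include <ipxe/test.h>
+#include <ipxe/pem.h>
+#include "asn1_test.h"
+
+/** Define inline expected digest */
+#define DIGEST(...) { { __VA_ARGS__ } }
+
+/** Single RSA private key */
+ASN1 ( single, &pem_image_type,
+       "-----BEGIN RSA PRIVATE KEY-----\n"
+       "MCwCAQACBQC6loItAgMBAAECBCqhYIkCAwDyVwIDAMUbAgMAr9kCAmr9AgIaWQ==\n"
+       "-----END RSA PRIVATE KEY-----\n",
+       DIGEST ( 0xb9, 0x38, 0x83, 0xcd, 0xf4, 0x58, 0xa9, 0xa2, 0x84, 0x11,
+		0xfa, 0x0b, 0x6f, 0xdc, 0x3e, 0xa3, 0x7c, 0x90, 0x7c, 0x2d ) );
+
+/** Three concatenated RSA private keys */
+ASN1 ( multiple, &pem_image_type,
+       "-----BEGIN RSA PRIVATE KEY-----\n"
+       "MCwCAQACBQDtbjyVAgMBAAECBQCEOtJxAgMA+xsCAwDyDwICLGsCAgqTAgIxVQ==\n"
+       "-----END RSA PRIVATE KEY-----\n"
+       "-----BEGIN RSA PRIVATE KEY-----\n"
+       "MCwCAQACBQC3VlyxAgMBAAECBGakxDUCAwDanwIDANavAgIBWQICTuECAwCmWg==\n"
+       "-----END RSA PRIVATE KEY-----\n"
+       "-----BEGIN RSA PRIVATE KEY-----\n"
+       "MCwCAQACBQC89dS1AgMBAAECBQCxjnLBAgMA3qcCAwDZQwICP3cCAgpRAgI57A==\n"
+       "-----END RSA PRIVATE KEY-----\n",
+       DIGEST ( 0x9c, 0xb2, 0xc1, 0xa0, 0x9c, 0xcb, 0x11, 0xbf, 0x80, 0xd0,
+		0x8c, 0xe5, 0xda, 0xf2, 0x3b, 0x2c, 0xca, 0x64, 0x25, 0x8a ),
+       DIGEST ( 0x82, 0x66, 0x24, 0xd9, 0xc3, 0x98, 0x1e, 0x5e, 0x56, 0xed,
+		0xd0, 0xd0, 0x2a, 0x5e, 0x9c, 0x3a, 0x58, 0xdf, 0x76, 0x0d ),
+       DIGEST ( 0x01, 0xd2, 0x8a, 0x74, 0x42, 0x08, 0x0f, 0xb0, 0x03, 0x82,
+		0xcd, 0xa3, 0xdc, 0x78, 0xfe, 0xd7, 0xa3, 0x28, 0xfc, 0x29 ) );
+
+/** Two RSA private keys with various bits of noise added */
+ASN1 ( noisy, &pem_image_type,
+       "Hello world!  This is uninteresting stuff before the actual data.\n"
+       "-----BEGIN RSA PRIVATE KEY-----\n"
+       "MCwCAQACBQC3VlyxAgMBAAECBGakxDUCAwDanwIDANavAgIBWQICTuECAwCmWg==\n"
+       "-----END RSA PRIVATE KEY-----\n"
+       "Here is some more uninteresting stuff.\n"
+       "Followed by what is actually another RSA private key, but with "
+       "extra whitespace added, and the description change to pretend "
+       "it's a certificate\n"
+       "-----BEGIN CERTIFICATE-----\n"
+       "   MCwCAQACBQC6loItAgMBAAECBCqhYIkCAwD\r\n"
+       "   yVwIDAMUbAgMAr9kCAmr9AgIaWQ==  \r\n"
+       "-----END CERTIFICATE-----\n"
+       "and some trailing garbage as well\n"
+       "and more garbage with no final newline",
+       DIGEST ( 0x82, 0x66, 0x24, 0xd9, 0xc3, 0x98, 0x1e, 0x5e, 0x56, 0xed,
+		0xd0, 0xd0, 0x2a, 0x5e, 0x9c, 0x3a, 0x58, 0xdf, 0x76, 0x0d ),
+       DIGEST ( 0xb9, 0x38, 0x83, 0xcd, 0xf4, 0x58, 0xa9, 0xa2, 0x84, 0x11,
+		0xfa, 0x0b, 0x6f, 0xdc, 0x3e, 0xa3, 0x7c, 0x90, 0x7c, 0x2d ) );
+
+/**
+ * Perform PEM self-test
+ *
+ */
+static void pem_test_exec ( void ) {
+
+	/* Perform tests */
+	asn1_ok ( &single );
+	asn1_ok ( &multiple );
+	asn1_ok ( &noisy );
+}
+
+/** PEM self-test */
+struct self_test pem_test __self_test = {
+	.name = "pem",
+	.exec = pem_test_exec,
+};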
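Review bot: All three cases in pem_test_exec() assert a successful parse; nothing feeds pem_asn1() a `-----BEGIN` line with no matching `-----END`, or non-Base64 text between the markers, so the function's error returns and its `err_decode` cleanup are never exercised. If the asn1_test.h harness offers a failure-expecting counterpart to `asn1_ok`, a fourth case such as `"-----BEGIN CERTIFICATE-----\n!!!\n-----END CERTIFICATE-----\n"` would cover the decode-failure path; the harness is not part of this commit, so that may need a small addition there first.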

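--- a/src/tests/tests.c
+++ b/src/tests/tests.c
@@ -70,3 +70,4 @@ REQUIRE_OBJECT ( linebuf_test );
 REQUIRE_OBJECT ( iobuf_test );
 REQUIRE_OBJECT ( bitops_test );
 REQUIRE_OBJECT ( der_test );
+REQUIRE_OBJECT ( pem_test );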
