
[crypto] Construct OCSP check URI

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 anos atrás
pai
commit
944e023def
3 arquivos alterados com 84 adições e 83 exclusões
  1. 74
    0
      src/crypto/ocsp.c
  2. 2
    0
      src/include/ipxe/ocsp.h
  3. 8
    83
      src/tests/ocsp_test.c

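--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -21,11 +21,14 @@ FILE_LICENCE ( GPL2_OR_LATER );
 
 #include <stdint.h>
 #include <stdlib.h>
+#include <stdio.h>
 #include <string.h>
 #include <errno.h>
 #include <ipxe/asn1.h>
 #include <ipxe/x509.h>
 #include <ipxe/sha1.h>
+#include <ipxe/base64.h>
+#include <ipxe/uri.h>
 #include <ipxe/ocsp.h>
 
 /** @file
@@ -110,6 +113,7 @@ static void ocsp_free ( struct refcnt *refcnt ) {
 
 	x509_put ( ocsp->cert );
 	x509_put ( ocsp->issuer );
+	free ( ocsp->uri_string );
 	free ( ocsp->request.builder.data );
 	free ( ocsp->response.data );
 	x509_put ( ocsp->response.signer );
@@ -180,6 +184,71 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
 	return 0;
 }
 
+/**
+ * Build OCSP URI string
+ *
+ * @v ocsp		OCSP check
+ * @ret rc		Return status code
+ */
+static int ocsp_uri_string ( struct ocsp_check *ocsp ) {
+	char *base_uri_string;
+	char *base64_request;
+	size_t base64_request_len;
+	size_t uri_string_len;
+	size_t prefix_len;
+	int rc;
+
+	/* Sanity check */
+	base_uri_string = ocsp->cert->extensions.auth_info.ocsp.uri;
+	if ( ! base_uri_string ) {
+		DBGC ( ocsp, "OCSP %p \"%s\" has no OCSP URI\n",
+		       ocsp, ocsp->cert->subject.name );
+		rc = -ENOTTY;
+		goto err_no_uri;
+	}
+
+	/* Base64-encode the request */
+	base64_request_len = ( base64_encoded_len ( ocsp->request.builder.len )
+			       + 1 /* NUL */ );
+	base64_request = malloc ( base64_request_len );
+	if ( ! base64_request ) {
+		rc = -ENOMEM;
+		goto err_alloc_base64;
+	}
+	base64_encode ( ocsp->request.builder.data, ocsp->request.builder.len,
+			base64_request );
+
+	/* Allocate URI string */
+	uri_string_len = ( strlen ( base_uri_string ) + 1 /* "/" */ +
+			   uri_encode ( base64_request, NULL, 0, URI_FRAGMENT )
+			   + 1 /* NUL */ );
+	ocsp->uri_string = malloc ( uri_string_len );
+	if ( ! ocsp->uri_string ) {
+		rc = -ENOMEM;
+		goto err_alloc_uri;
+	}
+
+	/* Construct URI string */
+	prefix_len = snprintf ( ocsp->uri_string, uri_string_len,
+				"%s/", base_uri_string );
+	uri_encode ( base64_request, ( ocsp->uri_string + prefix_len ),
+		     ( uri_string_len - prefix_len ), URI_FRAGMENT );
+	DBGC2 ( ocsp, "OCSP %p \"%s\" URI is %s\n",
+		ocsp, ocsp->cert->subject.name, ocsp->uri_string );
+
+	/* Free base64-encoded request */
+	free ( base64_request );
+	base64_request = NULL;
+
+	return 0;
+
+ err_alloc_uri:
+	free ( base64_request );
+ err_alloc_base64:
+ err_no_uri:
+	return rc;
+}
+
 /**
  * Create OCSP check
  *
@@ -212,8 +281,13 @@ int ocsp_check ( struct x509_certificate *cert,
 	if ( ( rc = ocsp_request ( *ocsp ) ) != 0 )
 		goto err_request;
 
+	/* Build URI string */
+	if ( ( rc = ocsp_uri_string ( *ocsp ) ) != 0 )
+		goto err_uri_string;
+
 	return 0;
 
+ err_uri_string:
  err_request:
 	ocsp_put ( *ocsp );
  err_alloc: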
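Review bot: In ocsp_uri_string the `int` result of `snprintf` is stored into the `size_t` `prefix_len` and then used unchecked in `ocsp->uri_string + prefix_len` and `uri_string_len - prefix_len`, so a negative or truncated result would wrap both; the allocation arithmetic just above rules that out today, but the invariant is silent, so pin it with `assert ( prefix_len < uri_string_len );` before the second `uri_encode` call. `base_uri_string` is read from the certificate's authorityInfoAccess extension, i.e. from the peer whose certificate is being validated, so the function comment should state that `uri_string` is built from untrusted certificate data and that its length is bounded only by what `malloc` will grant. Whether `URI_FRAGMENT` escaping covers the `+`, `/` and `=` characters of the base64 alphabet, which RFC 5019 requires to be URL-encoded in the GET path, cannot be confirmed from this hunk and is worth checking against uri_encode.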

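--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -70,6 +70,8 @@ struct ocsp_check {
 	struct x509_certificate *cert;
 	/** Issuing certificate */
 	struct x509_certificate *issuer;
+	/** URI string */
+	char *uri_string;
 	/** Request */
 	struct ocsp_request request;
 	/** Response */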
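Review bot: The new `uri_string` member's comment says only `URI string`, which leaves ownership and lifetime unstated for a heap pointer that ocsp_free releases in ocsp.c; make it `/** OCSP request URI string (heap-allocated, released by ocsp_free()) */`. It would also help to note that the field is NULL until ocsp_uri_string runs, since ocsp_free frees it unconditionally and so relies on the structure having been zeroed at allocation, which this hunk does not show. struct ocsp_check's definition starts and ends outside the hunk.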

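--- a/src/tests/ocsp_test.c
+++ b/src/tests/ocsp_test.c
@@ -352,81 +352,6 @@ CERTIFICATE ( google_crt,
 		      0x50, 0x48, 0xaf, 0x17, 0x94, 0x57, 0x48, 0x39,
 		      0x6b, 0xd2, 0xec, 0xf1, 0x2b, 0x8d, 0xe2, 0x2c ) );
 
-/*
- * subject	boot.test.ipxe.org
- * issuer	iPXE self-test leaf CA
- */
-CERTIFICATE ( server_crt,
-	DATA ( 0x30, 0x82, 0x02, 0x7d, 0x30, 0x82, 0x01, 0xe6, 0x02, 0x01,
-	       0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-	       0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0x88, 0x31,
-	       0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
-	       0x47, 0x42, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
-	       0x08, 0x0c, 0x0e, 0x43, 0x61, 0x6d, 0x62, 0x72, 0x69, 0x64,
-	       0x67, 0x65, 0x73, 0x68, 0x69, 0x72, 0x65, 0x31, 0x12, 0x30,
-	       0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x61,
-	       0x6d, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x31, 0x18, 0x30,
-	       0x16, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0f, 0x46, 0x65,
-	       0x6e, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x73, 0x20,
-	       0x4c, 0x74, 0x64, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,
-	       0x04, 0x0b, 0x0c, 0x08, 0x69, 0x70, 0x78, 0x65, 0x2e, 0x6f,
-	       0x72, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
-	       0x03, 0x0c, 0x16, 0x69, 0x50, 0x58, 0x45, 0x20, 0x73, 0x65,
-	       0x6c, 0x66, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, 0x6c, 0x65,
-	       0x61, 0x66, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31,
-	       0x32, 0x30, 0x33, 0x32, 0x32, 0x30, 0x30, 0x30, 0x31, 0x33,
-	       0x34, 0x5a, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x33, 0x32, 0x32,
-	       0x30, 0x30, 0x30, 0x31, 0x33, 0x34, 0x5a, 0x30, 0x81, 0x84,
-	       0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
-	       0x02, 0x47, 0x42, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
-	       0x04, 0x08, 0x0c, 0x0e, 0x43, 0x61, 0x6d, 0x62, 0x72, 0x69,
-	       0x64, 0x67, 0x65, 0x73, 0x68, 0x69, 0x72, 0x65, 0x31, 0x12,
-	       0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43,
-	       0x61, 0x6d, 0x62, 0x72, 0x69, 0x64, 0x67, 0x65, 0x31, 0x18,
-	       0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0f, 0x46,
-	       0x65, 0x6e, 0x20, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x73,
-	       0x20, 0x4c, 0x74, 0x64, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
-	       0x55, 0x04, 0x0b, 0x0c, 0x08, 0x69, 0x70, 0x78, 0x65, 0x2e,
-	       0x6f, 0x72, 0x67, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55,
-	       0x04, 0x03, 0x0c, 0x12, 0x62, 0x6f, 0x6f, 0x74, 0x2e, 0x74,
-	       0x65, 0x73, 0x74, 0x2e, 0x69, 0x70, 0x78, 0x65, 0x2e, 0x6f,
-	       0x72, 0x67, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
-	       0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
-	       0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81,
-	       0x00, 0xbd, 0x43, 0x97, 0x45, 0xa2, 0xe0, 0x1d, 0x38, 0x41,
-	       0xb0, 0xd9, 0x91, 0xf9, 0x77, 0xa9, 0xcb, 0x9c, 0x9c, 0x93,
-	       0xfe, 0x5a, 0xee, 0xbc, 0xd9, 0x0f, 0x39, 0xf6, 0x42, 0xe4,
-	       0x55, 0x21, 0xbb, 0x11, 0xfd, 0xfd, 0xba, 0x25, 0x58, 0xc8,
-	       0xc6, 0xa5, 0x3b, 0x6f, 0x80, 0xba, 0x5b, 0xbc, 0x89, 0xca,
-	       0x7a, 0xdf, 0x6e, 0xb9, 0x81, 0xb6, 0x25, 0x67, 0x0a, 0x38,
-	       0x10, 0xf8, 0x26, 0x43, 0x0c, 0x51, 0x02, 0x14, 0xd6, 0xf2,
-	       0x9d, 0x7c, 0xf5, 0x25, 0x1c, 0x78, 0x4d, 0x47, 0xaf, 0x87,
-	       0x2e, 0x38, 0x49, 0x87, 0xb5, 0x8a, 0xf3, 0xb5, 0xd4, 0x15,
-	       0x69, 0x2a, 0x52, 0xc9, 0x46, 0x97, 0x34, 0x8e, 0x50, 0x4b,
-	       0xc4, 0xf2, 0xfb, 0x39, 0xfd, 0x16, 0x68, 0xdb, 0xa8, 0x17,
-	       0xe2, 0x71, 0x4b, 0xe0, 0xdf, 0x3d, 0xfc, 0xc3, 0x9b, 0x9d,
-	       0x22, 0xc9, 0xd3, 0xf6, 0x02, 0xa6, 0x60, 0xef, 0xf7, 0x02,
-	       0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
-	       0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03,
-	       0x81, 0x81, 0x00, 0x7d, 0xff, 0x73, 0xf3, 0x68, 0xe3, 0x75,
-	       0xf1, 0xcf, 0xac, 0x2e, 0x23, 0x73, 0xea, 0xd1, 0x26, 0x33,
-	       0xbf, 0xf9, 0x56, 0xdf, 0xbf, 0x98, 0x20, 0x84, 0x08, 0x78,
-	       0x6b, 0xe6, 0x71, 0x7e, 0x22, 0x68, 0x4d, 0x6c, 0xbb, 0xd5,
-	       0xcc, 0xb4, 0x28, 0x33, 0x5e, 0xbe, 0x4d, 0x10, 0x16, 0x9f,
-	       0x65, 0x3b, 0x68, 0x90, 0xa7, 0xf7, 0x9d, 0x57, 0x71, 0x45,
-	       0x39, 0x86, 0x4c, 0xc0, 0x97, 0x34, 0x03, 0x9c, 0x2b, 0x25,
-	       0x05, 0xb1, 0x5c, 0x0c, 0x4e, 0xf2, 0x14, 0xbf, 0xcf, 0xf0,
-	       0x9a, 0x2d, 0xcf, 0x02, 0x47, 0x60, 0xd2, 0xe9, 0xed, 0xbf,
-	       0x71, 0x5d, 0x07, 0x09, 0x01, 0x87, 0xeb, 0xf7, 0xa8, 0x26,
-	       0x86, 0x24, 0x59, 0xf0, 0x31, 0x3b, 0x42, 0xd1, 0xf1, 0xfd,
-	       0x7c, 0x49, 0x5f, 0x1a, 0xf0, 0x41, 0x67, 0xf0, 0x16, 0x3a,
-	       0xfd, 0xb6, 0xb5, 0xf6, 0x2e, 0x0c, 0x18, 0x1f, 0x09, 0x8e,
-	       0x4d ),
-	FINGERPRINT ( 0xe0, 0xdb, 0x60, 0x53, 0x7c, 0xf6, 0x25, 0x8f,
-		      0xa7, 0xba, 0xdf, 0xe2, 0x1a, 0xfc, 0x27, 0x49,
-		      0xf6, 0x83, 0x15, 0xbd, 0x1b, 0x4c, 0x3f, 0x36,
-		      0x6f, 0x33, 0xf2, 0x47, 0x8e, 0x8b, 0x38, 0xa8 ) );
-
 /*
  * subject	VeriSign Class 3 International Server CA - G3
  * issuer	VeriSign Class 3 Public Primary Certification Authority - G5
@@ -1193,14 +1118,16 @@ OCSP ( google_ocsp, &google_crt, &thawte_crt,
 	       0x97, 0x85, 0xfb, 0x2a, 0xa3, 0x92, 0x65, 0x0b, 0x02, 0x58,
 	       0x14, 0x89, 0x8f, 0x3b ) );
 
-OCSP ( unauthorized_ocsp, &server_crt, &thawte_crt,
-	DATA ( 0x30, 0x42, 0x30, 0x40, 0x30, 0x3e, 0x30, 0x3c, 0x30, 0x3a,
+OCSP ( unauthorized_ocsp, &barclays_crt, &thawte_crt,
+	DATA ( 0x30, 0x51, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0x30, 0x49,
 	       0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
-	       0x00, 0x04, 0x14, 0x68, 0x7a, 0xcf, 0x39, 0x5d, 0xdf, 0x7c,
-	       0x2c, 0x91, 0x6d, 0xdb, 0xcb, 0x9d, 0x0c, 0x27, 0x5b, 0x30,
-	       0x64, 0x28, 0xf2, 0x04, 0x14, 0x3b, 0x34, 0x9a, 0x70, 0x91,
+	       0x00, 0x04, 0x14, 0xd4, 0xb4, 0x3b, 0x8e, 0x3d, 0x02, 0x49,
+	       0x1a, 0x65, 0x50, 0x6f, 0x96, 0x73, 0x14, 0xdd, 0xe8, 0x59,
+	       0x44, 0x52, 0xe4, 0x04, 0x14, 0x3b, 0x34, 0x9a, 0x70, 0x91,
 	       0x73, 0xb2, 0x8a, 0x1b, 0x0c, 0xf4, 0xe9, 0x37, 0xcd, 0xb3,
-	       0x70, 0x32, 0x9e, 0x18, 0x54, 0x02, 0x01, 0x03 ),
+	       0x70, 0x32, 0x9e, 0x18, 0x54, 0x02, 0x10, 0x49, 0x83, 0xfc,
+	       0x05, 0x76, 0xdf, 0x36, 0x91, 0x7c, 0x64, 0x2a, 0x27, 0xc1,
+	       0xf1, 0x48, 0xe3 ),
 	DATA ( 0x30, 0x03, 0x0a, 0x01, 0x06 ) );
 
 OCSP ( unknown_ocsp, &thawte_crt, &startssl_crt,
@@ -1468,7 +1395,6 @@ static void ocsp_test_exec ( void ) {
 	/* Parse certificates */
 	ocsp_certificate_ok ( &barclays_crt );
 	ocsp_certificate_ok ( &google_crt );
-	ocsp_certificate_ok ( &server_crt );
 	ocsp_certificate_ok ( &verisign_crt );
 	ocsp_certificate_ok ( &thawte_crt );
 	ocsp_certificate_ok ( &startssl_crt );
@@ -1509,7 +1435,6 @@ static void ocsp_test_exec ( void ) {
 	x509_put ( startssl_crt.cert );
 	x509_put ( thawte_crt.cert );
 	x509_put ( verisign_crt.cert );
-	x509_put ( server_crt.cert );
 	x509_put ( google_crt.cert );
 	x509_put ( barclays_crt.cert );
 }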
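Review bot: The `unauthorized_ocsp` fixture is moved from `server_crt` to `barclays_crt` and `server_crt` is deleted outright, but neither the commit message nor the test says why; presumably the self-signed `boot.test.ipxe.org` certificate carried no OCSP URI, and ocsp_check now fails with `-ENOTTY` for such a certificate, so the fixture could no longer be built. A one-line comment above the definition, such as `/* barclays_crt carries an OCSP URI; the former self-signed fixture did not and can no longer be used with ocsp_check() */`, would preserve that reasoning. If `server_crt` was the only fixture without an OCSP URI, the new "no OCSP URI" failure branch is now unexercised by this suite, which is worth a dedicated negative test. ocsp_test_exec starts outside the last two hunks.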
