浏览代码

[crypto] Generalise X.509 "valid" field to a "flags" field

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8 年前
父节点
当前提交
ff28b22568
共有 5 个文件被更改,包括 25 次插入10 次删除
  1. 1
    1
      src/crypto/ocsp.c
  2. 4
    4
      src/crypto/x509.c
  3. 18
    3
      src/include/ipxe/x509.h
  4. 1
    1
      src/net/validator.c
  5. 1
    1
      src/tests/ocsp_test.c

+ 1
- 1
src/crypto/ocsp.c 查看文件

@@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert,
282 282
 	/* Sanity checks */
283 283
 	assert ( cert != NULL );
284 284
 	assert ( issuer != NULL );
285
-	assert ( issuer->valid );
285
+	assert ( x509_is_valid ( issuer ) );
286 286
 
287 287
 	/* Allocate and initialise check */
288 288
 	*ocsp = zalloc ( sizeof ( **ocsp ) );

+ 4
- 4
src/crypto/x509.c 查看文件

@@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert,
1320 1320
 		root = &root_certificates;
1321 1321
 
1322 1322
 	/* Return success if certificate has already been validated */
1323
-	if ( cert->valid )
1323
+	if ( x509_is_valid ( cert ) )
1324 1324
 		return 0;
1325 1325
 
1326 1326
 	/* Fail if certificate is invalid at specified time */
@@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert,
1329 1329
 
1330 1330
 	/* Succeed if certificate is a trusted root certificate */
1331 1331
 	if ( x509_check_root ( cert, root ) == 0 ) {
1332
-		cert->valid = 1;
1332
+		cert->flags |= X509_FL_VALIDATED;
1333 1333
 		cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
1334 1334
 		return 0;
1335 1335
 	}
@@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert,
1342 1342
 	}
1343 1343
 
1344 1344
 	/* Fail unless issuer has already been validated */
1345
-	if ( ! issuer->valid ) {
1345
+	if ( ! x509_is_valid ( issuer ) ) {
1346 1346
 		DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
1347 1347
 		DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
1348 1348
 		       issuer, x509_name ( issuer ) );
@@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert,
1376 1376
 		cert->path_remaining = max_path_remaining;
1377 1377
 
1378 1378
 	/* Mark certificate as valid */
1379
-	cert->valid = 1;
1379
+	cert->flags |= X509_FL_VALIDATED;
1380 1380
 
1381 1381
 	DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
1382 1382
 	       cert, x509_name ( cert ) );

+ 18
- 3
src/include/ipxe/x509.h 查看文件

@@ -189,8 +189,8 @@ struct x509_certificate {
189 189
 	/** Link in certificate store */
190 190
 	struct x509_link store;
191 191
 
192
-	/** Certificate has been validated */
193
-	int valid;
192
+	/** Flags */
193
+	unsigned int flags;
194 194
 	/** Maximum number of subsequent certificates in chain */
195 195
 	unsigned int path_remaining;
196 196
 
@@ -216,6 +216,12 @@ struct x509_certificate {
216 216
 	struct x509_extensions extensions;
217 217
 };
218 218
 
219
+/** X.509 certificate flags */
220
+enum x509_flags {
221
+	/** Certificate has been validated */
222
+	X509_FL_VALIDATED = 0x0001,
223
+};
224
+
219 225
 /**
220 226
  * Get reference to X.509 certificate
221 227
  *
@@ -373,13 +379,22 @@ extern int x509_check_root ( struct x509_certificate *cert,
373 379
 			     struct x509_root *root );
374 380
 extern int x509_check_time ( struct x509_certificate *cert, time_t time );
375 381
 
382
+/**
383
+ * Check if X.509 certificate is valid
384
+ *
385
+ * @v cert		X.509 certificate
386
+ */
387
+static inline int x509_is_valid ( struct x509_certificate *cert ) {
388
+	return ( cert->flags & X509_FL_VALIDATED );
389
+}
390
+
376 391
 /**
377 392
  * Invalidate X.509 certificate
378 393
  *
379 394
  * @v cert		X.509 certificate
380 395
  */
381 396
 static inline void x509_invalidate ( struct x509_certificate *cert ) {
382
-	cert->valid = 0;
397
+	cert->flags &= ~X509_FL_VALIDATED;
383 398
 	cert->path_remaining = 0;
384 399
 }
385 400
 

+ 1
- 1
src/net/validator.c 查看文件

@@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) {
478 478
 		issuer = link->cert;
479 479
 		if ( ! cert )
480 480
 			continue;
481
-		if ( ! issuer->valid )
481
+		if ( ! x509_is_valid ( issuer ) )
482 482
 			continue;
483 483
 		/* The issuer is valid, but this certificate is not
484 484
 		 * yet valid.  If OCSP is applicable, start it.

+ 1
- 1
src/tests/ocsp_test.c 查看文件

@@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
110 110
 	x509_invalidate ( cert );
111 111
 
112 112
 	/* Force-validate issuer certificate */
113
-	issuer->valid = 1;
113
+	issuer->flags |= X509_FL_VALIDATED;
114 114
 	issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
115 115
 }
116 116
 

正在加载...
取消
保存