robin.thoni
/
ipxe


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304
							/*
 * Copyright (C) 2016 Michael Brown <mbrown@fensystems.co.uk>.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 *
 * You can also choose to distribute this program under the terms of
 * the Unmodified Binary Distribution Licence (as given in the file
 * COPYING.UBDL), provided that you have satisfied its requirements.
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <stdio.h>
#include <errno.h>
#include <getopt.h>
#include <ipxe/x509.h>
#include <ipxe/certstore.h>
#include <ipxe/image.h>
#include <ipxe/command.h>
#include <ipxe/parseopt.h>
#include <usr/imgmgmt.h>
#include <usr/certmgmt.h>

/** @file
 *
 * Certificate management commands
 *
 */

/** "cert<xxx>" options */
struct cert_options {
	/** Certificate subject name */
	char *name;
	/** Keep certificate file after parsing */
	int keep;
};

/** "cert<xxx>" option list */
static union {
	/* "certstore" takes both options */
	struct option_descriptor certstore[2];
	/* "certstat" takes only --subject */
	struct option_descriptor certstat[1];
	/* "certfree" takes only --subject */
	struct option_descriptor certfree[1];
} opts = {
	.certstore = {
		OPTION_DESC ( "subject", 's', required_argument,
			      struct cert_options, name, parse_string ),
		OPTION_DESC ( "keep", 'k', no_argument,
			      struct cert_options, keep, parse_flag ),
	},
};

/** A "cert<xxx>" command descriptor */
struct cert_command_descriptor {
	/** Command descriptor */
	struct command_descriptor cmd;
	/** Payload
	 *
	 * @v cert		X.509 certificate
	 * @ret rc		Return status code
	 */
	int ( * payload ) ( struct x509_certificate *cert );
};

/**
 * Construct "cert<xxx>" command descriptor
 *
 * @v _struct		Options structure type
 * @v _options		Option descriptor array
 * @v _min_args		Minimum number of non-option arguments
 * @v _max_args		Maximum number of non-option arguments
 * @v _usage		Command usage
 * @v _payload		Payload method
 * @ret _command	Command descriptor
 */
#define CERT_COMMAND_DESC( _struct, _options, _min_args, _max_args,	\
			   _usage, _payload )				\
	{								\
		.cmd = COMMAND_DESC ( _struct, _options, _min_args,	\
				      _max_args, _usage ),		\
		.payload = _payload,					\
	}

/**
 * Execute "cert<xxx>" command
 *
 * @v argc		Argument count
 * @v argv		Argument list
 * @v certcmd		Command descriptor
 * @ret rc		Return status code
 */
static int cert_exec ( int argc, char **argv,
		       struct cert_command_descriptor *certcmd ) {
	struct command_descriptor *cmd = &certcmd->cmd;
	struct cert_options opts;
	struct image *image = NULL;
	struct x509_certificate *cert;
	struct x509_certificate *tmp;
	unsigned int count = 0;
	size_t offset = 0;
	int next;
	int rc;

	/* Parse options */
	if ( ( rc = parse_options ( argc, argv, cmd, &opts ) ) != 0 )
		goto err_parse;

	/* Acquire image, if applicable */
	if ( ( optind < argc ) &&
	     ( ( rc = imgacquire ( argv[optind], 0, &image ) ) != 0 ) )
		goto err_acquire;

	/* Get first entry in certificate store */
	tmp = list_first_entry ( &certstore.links, struct x509_certificate,
				 store.list );

	/* Iterate over certificates */
	while ( 1 ) {

		/* Get next certificate from image or store as applicable */
		if ( image ) {

			/* Get next certificate from image */
			if ( offset >= image->len )
				break;
			next = image_x509 ( image, offset, &cert );
			if ( next < 0 ) {
				rc = next;
				printf ( "Could not parse certificate: %s\n",
					 strerror ( rc ) );
				goto err_x509;
			}
			offset = next;

		} else {

			/* Get next certificate from store */
			cert = tmp;
			if ( ! cert )
				break;
			tmp = list_next_entry ( tmp, &certstore.links,
						store.list );
			x509_get ( cert );
		}

		/* Skip non-matching names, if a name was specified */
		if ( opts.name && ( x509_check_name ( cert, opts.name ) != 0 )){
			x509_put ( cert );
			continue;
		}

		/* Execute payload */
		if ( ( rc = certcmd->payload ( cert ) ) != 0 ) {
			x509_put ( cert );
			goto err_payload;
		}

		/* Count number of certificates processed */
		count++;

		/* Drop reference to certificate */
		x509_put ( cert );
	}

	/* Fail if a name was specified and no matching certificates
	 * were found.
	 */
	if ( opts.name && ( count == 0 ) ) {
		printf ( "\"%s\" : no such certificate\n", opts.name );
		rc = -ENOENT;
		goto err_none;
	}

 err_none:
 err_payload:
 err_x509:
	if ( image && ( ! opts.keep ) )
		unregister_image ( image );
 err_acquire:
 err_parse:
	return rc;
}

/**
 * "certstat" payload
 *
 * @v cert		X.509 certificate
 * @ret rc		Return status code
 */
static int certstat_payload ( struct x509_certificate *cert ) {

	certstat ( cert );
	return 0;
}

/** "certstat" command descriptor */
static struct cert_command_descriptor certstat_cmd =
	CERT_COMMAND_DESC ( struct cert_options, opts.certstat, 0, 0, NULL,
			    certstat_payload );

/**
 * The "certstat" command
 *
 * @v argc		Argument count
 * @v argv		Argument list
 * @ret rc		Return status code
 */
static int certstat_exec ( int argc, char **argv ) {

	return cert_exec ( argc, argv, &certstat_cmd );
}

/**
 * "certstore" payload
 *
 * @v cert		X.509 certificate
 * @ret rc		Return status code
 */
static int certstore_payload ( struct x509_certificate *cert ) {

	/* Mark certificate as having been added explicitly */
	cert->flags |= X509_FL_EXPLICIT;

	return 0;
}

/** "certstore" command descriptor */
static struct cert_command_descriptor certstore_cmd =
	CERT_COMMAND_DESC ( struct cert_options, opts.certstore, 0, 1,
			    "[<uri|image>]", certstore_payload );

/**
 * The "certstore" command
 *
 * @v argc		Argument count
 * @v argv		Argument list
 * @ret rc		Return status code
 */
static int certstore_exec ( int argc, char **argv ) {

	return cert_exec ( argc, argv, &certstore_cmd );
}

/**
 * "certfree" payload
 *
 * @v cert		X.509 certificate
 * @ret rc		Return status code
 */
static int certfree_payload ( struct x509_certificate *cert ) {

	/* Remove from certificate store */
	certstore_del ( cert );

	return 0;
}

/** "certfree" command descriptor */
static struct cert_command_descriptor certfree_cmd =
	CERT_COMMAND_DESC ( struct cert_options, opts.certfree, 0, 0, NULL,
			    certfree_payload );

/**
 * The "certfree" command
 *
 * @v argc		Argument count
 * @v argv		Argument list
 * @ret rc		Return status code
 */
static int certfree_exec ( int argc, char **argv ) {

	return cert_exec ( argc, argv, &certfree_cmd );
}

/** Certificate management commands */
struct command certmgmt_commands[] __command = {
	{
		.name = "certstat",
		.exec = certstat_exec,
	},
	{
		.name = "certstore",
		.exec = certstore_exec,
	},
	{
		.name = "certfree",
		.exec = certfree_exec,
	},
};