robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5940 Commits
2 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
ipxe/src/net/validator.c

validator.c 18KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664 
  1. /*

  2.  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or (at your option) any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

  17.  * 02110-1301, USA.

  18.  *

  19.  * You can also choose to distribute this program under the terms of

  20.  * the Unmodified Binary Distribution Licence (as given in the file

  21.  * COPYING.UBDL), provided that you have satisfied its requirements.

  22.  */

  23. 

  24. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

  25. 

  26. #include <string.h>

  27. #include <stdio.h>

  28. #include <errno.h>

  29. #include <ipxe/refcnt.h>

  30. #include <ipxe/malloc.h>

  31. #include <ipxe/interface.h>

  32. #include <ipxe/xfer.h>

  33. #include <ipxe/open.h>

  34. #include <ipxe/iobuf.h>

  35. #include <ipxe/xferbuf.h>

  36. #include <ipxe/process.h>

  37. #include <ipxe/x509.h>

  38. #include <ipxe/settings.h>

  39. #include <ipxe/dhcp.h>

  40. #include <ipxe/base64.h>

  41. #include <ipxe/crc32.h>

  42. #include <ipxe/ocsp.h>

  43. #include <ipxe/job.h>

  44. #include <ipxe/validator.h>

  45. #include <config/crypto.h>

  46. 

  47. /** @file

  48.  *

  49.  * Certificate validator

  50.  *

  51.  */

  52. 

  53. struct validator;

  54. 

  55. /** A certificate validator action */

  56. struct validator_action {

  57. 	/** Name */

  58. 	const char *name;

  59. 	/** Action to take upon completed transfer */

  60. 	int ( * done ) ( struct validator *validator, const void *data,

  61. 			 size_t len );

  62. };

  63. 

  64. /** A certificate validator */

  65. struct validator {

  66. 	/** Reference count */

  67. 	struct refcnt refcnt;

  68. 	/** Job control interface */

  69. 	struct interface job;

  70. 	/** Data transfer interface */

  71. 	struct interface xfer;

  72. 

  73. 	/** Process */

  74. 	struct process process;

  75. 

  76. 	/** X.509 certificate chain */

  77. 	struct x509_chain *chain;

  78. 	/** OCSP check */

  79. 	struct ocsp_check *ocsp;

  80. 	/** Data buffer */

  81. 	struct xfer_buffer buffer;

  82. 

  83. 	/** Current action */

  84. 	const struct validator_action *action;

  85. 	/** Current certificate

  86. 	 *

  87. 	 * This will always be present within the certificate chain

  88. 	 * and so this pointer does not hold a reference to the

  89. 	 * certificate.

  90. 	 */

  91. 	struct x509_certificate *cert;

  92. };

  93. 

  94. /**

  95.  * Get validator name (for debug messages)

  96.  *

  97.  * @v validator		Certificate validator

  98.  * @ret name		Validator name

  99.  */

  100. static const char * validator_name ( struct validator *validator ) {

  101. 

  102. 	/* Use name of first certificate in chain */

  103. 	return x509_name ( x509_first ( validator->chain ) );

  104. }

  105. 

  106. /**

  107.  * Free certificate validator

  108.  *

  109.  * @v refcnt		Reference count

  110.  */

  111. static void validator_free ( struct refcnt *refcnt ) {

  112. 	struct validator *validator =

  113. 		container_of ( refcnt, struct validator, refcnt );

  114. 

  115. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",

  116. 		validator, validator_name ( validator ) );

  117. 	x509_chain_put ( validator->chain );

  118. 	ocsp_put ( validator->ocsp );

  119. 	xferbuf_free ( &validator->buffer );

  120. 	free ( validator );

  121. }

  122. 

  123. /**

  124.  * Mark certificate validation as finished

  125.  *

  126.  * @v validator		Certificate validator

  127.  * @v rc		Reason for finishing

  128.  */

  129. static void validator_finished ( struct validator *validator, int rc ) {

  130. 

  131. 	/* Remove process */

  132. 	process_del ( &validator->process );

  133. 

  134. 	/* Close all interfaces */

  135. 	intf_shutdown ( &validator->xfer, rc );

  136. 	intf_shutdown ( &validator->job, rc );

  137. }

  138. 

  139. /****************************************************************************

  140.  *

  141.  * Job control interface

  142.  *

  143.  */

  144. 

  145. /**

  146.  * Report job progress

  147.  *

  148.  * @v validator		Certificate validator

  149.  * @v progress		Progress report to fill in

  150.  * @ret ongoing_rc	Ongoing job status code (if known)

  151.  */

  152. static int validator_progress ( struct validator *validator,

  153. 				struct job_progress *progress ) {

  154. 

  155. 	/* Report current action, if applicable */

  156. 	if ( validator->action ) {

  157. 		snprintf ( progress->message, sizeof ( progress->message ),

  158. 			   "%s %s", validator->action->name,

  159. 			   x509_name ( validator->cert ) );

  160. 	}

  161. 

  162. 	return 0;

  163. }

  164. 

  165. /** Certificate validator job control interface operations */

  166. static struct interface_operation validator_job_operations[] = {

  167. 	INTF_OP ( job_progress, struct validator *, validator_progress ),

  168. 	INTF_OP ( intf_close, struct validator *, validator_finished ),

  169. };

  170. 

  171. /** Certificate validator job control interface descriptor */

  172. static struct interface_descriptor validator_job_desc =

  173. 	INTF_DESC ( struct validator, job, validator_job_operations );

  174. 

  175. /****************************************************************************

  176.  *

  177.  * Cross-signing certificates

  178.  *

  179.  */

  180. 

  181. /** Cross-signed certificate source setting */

  182. const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={

  183. 	.name = "crosscert",

  184. 	.description = "Cross-signed certificate source",

  185. 	.tag = DHCP_EB_CROSS_CERT,

  186. 	.type = &setting_type_string,

  187. };

  188. 

  189. /** Default cross-signed certificate source */

  190. static const char crosscert_default[] = CROSSCERT;

  191. 

  192. /**

  193.  * Append cross-signing certificates to certificate chain

  194.  *

  195.  * @v validator		Certificate validator

  196.  * @v data		Raw cross-signing certificate data

  197.  * @v len		Length of raw data

  198.  * @ret rc		Return status code

  199.  */

  200. static int validator_append ( struct validator *validator,

  201. 			      const void *data, size_t len ) {

  202. 	struct asn1_cursor cursor;

  203. 	struct x509_chain *certs;

  204. 	struct x509_certificate *cert;

  205. 	struct x509_certificate *last;

  206. 	int rc;

  207. 

  208. 	/* Allocate certificate list */

  209. 	certs = x509_alloc_chain();

  210. 	if ( ! certs ) {

  211. 		rc = -ENOMEM;

  212. 		goto err_alloc_certs;

  213. 	}

  214. 

  215. 	/* Initialise cursor */

  216. 	cursor.data = data;

  217. 	cursor.len = len;

  218. 

  219. 	/* Enter certificateSet */

  220. 	if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {

  221. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "

  222. 		       "certificateSet: %s\n", validator,

  223. 		       validator_name ( validator ), strerror ( rc ) );

  224. 		goto err_certificateset;

  225. 	}

  226. 

  227. 	/* Add each certificate to list */

  228. 	while ( cursor.len ) {

  229. 

  230. 		/* Add certificate to chain */

  231. 		if ( ( rc = x509_append_raw ( certs, cursor.data,

  232. 					      cursor.len ) ) != 0 ) {

  233. 			DBGC ( validator, "VALIDATOR %p \"%s\" could not "

  234. 			       "append certificate: %s\n", validator,

  235. 			       validator_name ( validator ), strerror ( rc) );

  236. 			DBGC_HDA ( validator, 0, cursor.data, cursor.len );

  237. 			return rc;

  238. 		}

  239. 		cert = x509_last ( certs );

  240. 		DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",

  241. 		       validator, validator_name ( validator ) );

  242. 		DBGC ( validator, "%s\n", x509_name ( cert ) );

  243. 

  244. 		/* Move to next certificate */

  245. 		asn1_skip_any ( &cursor );

  246. 	}

  247. 

  248. 	/* Append certificates to chain */

  249. 	last = x509_last ( validator->chain );

  250. 	if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {

  251. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not append "

  252. 		       "certificates: %s\n", validator,

  253. 		       validator_name ( validator ), strerror ( rc ) );

  254. 		goto err_auto_append;

  255. 	}

  256. 

  257. 	/* Check that at least one certificate has been added */

  258. 	if ( last == x509_last ( validator->chain ) ) {

  259. 		DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "

  260. 		       "applicable certificates\n", validator,

  261. 		       validator_name ( validator ) );

  262. 		rc = -EACCES;

  263. 		goto err_no_progress;

  264. 	}

  265. 

  266. 	/* Drop reference to certificate list */

  267. 	x509_chain_put ( certs );

  268. 

  269. 	return 0;

  270. 

  271.  err_no_progress:

  272.  err_auto_append:

  273.  err_certificateset:

  274. 	x509_chain_put ( certs );

  275.  err_alloc_certs:

  276. 	return rc;

  277. }

  278. 

  279. /** Cross-signing certificate download validator action */

  280. static const struct validator_action validator_crosscert = {

  281. 	.name = "XCRT",

  282. 	.done = validator_append,

  283. };

  284. 

  285. /**

  286.  * Start download of cross-signing certificate

  287.  *

  288.  * @v validator		Certificate validator

  289.  * @v cert		X.509 certificate

  290.  * @ret rc		Return status code

  291.  */

  292. static int validator_start_download ( struct validator *validator,

  293. 				      struct x509_certificate *cert ) {

  294. 	const struct asn1_cursor *issuer = &cert->issuer.raw;

  295. 	const char *crosscert;

  296. 	char *crosscert_copy;

  297. 	char *uri_string;

  298. 	size_t uri_string_len;

  299. 	uint32_t crc;

  300. 	int len;

  301. 	int rc;

  302. 

  303. 	/* Determine cross-signed certificate source */

  304. 	fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );

  305. 	crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );

  306. 	if ( ! crosscert[0] ) {

  307. 		rc = -EINVAL;

  308. 		goto err_check_uri_string;

  309. 	}

  310. 

  311. 	/* Allocate URI string */

  312. 	uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */

  313. 			   + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );

  314. 	uri_string = zalloc ( uri_string_len );

  315. 	if ( ! uri_string ) {

  316. 		rc = -ENOMEM;

  317. 		goto err_alloc_uri_string;

  318. 	}

  319. 

  320. 	/* Generate CRC32 */

  321. 	crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

  322. 

  323. 	/* Generate URI string */

  324. 	len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",

  325. 			 crosscert, crc );

  326. 	base64_encode ( issuer->data, issuer->len, ( uri_string + len ),

  327. 			( uri_string_len - len ) );

  328. 	DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",

  329. 	       validator, validator_name ( validator ) );

  330. 	DBGC ( validator, "\"%s\" cross-signature from %s\n",

  331. 	       x509_name ( cert ), uri_string );

  332. 

  333. 	/* Set completion handler */

  334. 	validator->action = &validator_crosscert;

  335. 	validator->cert = cert;

  336. 

  337. 	/* Open URI */

  338. 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,

  339. 					   uri_string ) ) != 0 ) {

  340. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "

  341. 		       "%s\n", validator, validator_name ( validator ),

  342. 		       uri_string, strerror ( rc ) );

  343. 		goto err_open_uri_string;

  344. 	}

  345. 

  346. 	/* Success */

  347. 	rc = 0;

  348. 

  349.  err_open_uri_string:

  350. 	free ( uri_string );

  351.  err_alloc_uri_string:

  352.  err_check_uri_string:

  353. 	free ( crosscert_copy );

  354. 	return rc;

  355. }

  356. 

  357. /****************************************************************************

  358.  *

  359.  * OCSP checks

  360.  *

  361.  */

  362. 

  363. /**

  364.  * Validate OCSP response

  365.  *

  366.  * @v validator		Certificate validator

  367.  * @v data		Raw OCSP response

  368.  * @v len		Length of raw data

  369.  * @ret rc		Return status code

  370.  */

  371. static int validator_ocsp_validate ( struct validator *validator,

  372. 				     const void *data, size_t len ) {

  373. 	time_t now;

  374. 	int rc;

  375. 

  376. 	/* Record OCSP response */

  377. 	if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {

  378. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "

  379. 		       "response: %s\n", validator,

  380. 		       validator_name ( validator ),strerror ( rc ) );

  381. 		return rc;

  382. 	}

  383. 

  384. 	/* Validate OCSP response */

  385. 	now = time ( NULL );

  386. 	if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {

  387. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "

  388. 		       "OCSP response: %s\n", validator,

  389. 		       validator_name ( validator ), strerror ( rc ) );

  390. 		return rc;

  391. 	}

  392. 

  393. 	/* Drop reference to OCSP check */

  394. 	ocsp_put ( validator->ocsp );

  395. 	validator->ocsp = NULL;

  396. 

  397. 	return 0;

  398. }

  399. 

  400. /** OCSP validator action */

  401. static const struct validator_action validator_ocsp = {

  402. 	.name = "OCSP",

  403. 	.done = validator_ocsp_validate,

  404. };

  405. 

  406. /**

  407.  * Start OCSP check

  408.  *

  409.  * @v validator		Certificate validator

  410.  * @v cert		Certificate to check

  411.  * @v issuer		Issuing certificate

  412.  * @ret rc		Return status code

  413.  */

  414. static int validator_start_ocsp ( struct validator *validator,

  415. 				  struct x509_certificate *cert,

  416. 				  struct x509_certificate *issuer ) {

  417. 	const char *uri_string;

  418. 	int rc;

  419. 

  420. 	/* Create OCSP check */

  421. 	assert ( validator->ocsp == NULL );

  422. 	if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {

  423. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "

  424. 		       "check: %s\n", validator, validator_name ( validator ),

  425. 		       strerror ( rc ) );

  426. 		return rc;

  427. 	}

  428. 

  429. 	/* Set completion handler */

  430. 	validator->action = &validator_ocsp;

  431. 	validator->cert = cert;

  432. 

  433. 	/* Open URI */

  434. 	uri_string = validator->ocsp->uri_string;

  435. 	DBGC ( validator, "VALIDATOR %p \"%s\" checking ",

  436. 	       validator, validator_name ( validator ) );

  437. 	DBGC ( validator, "\"%s\" via %s\n",

  438. 	       x509_name ( cert ), uri_string );

  439. 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,

  440. 					   uri_string ) ) != 0 ) {

  441. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "

  442. 		       "%s\n", validator, validator_name ( validator ),

  443. 		       uri_string, strerror ( rc ) );

  444. 		return rc;

  445. 	}

  446. 

  447. 	return 0;

  448. }

  449. 

  450. /****************************************************************************

  451.  *

  452.  * Data transfer interface

  453.  *

  454.  */

  455. 

  456. /**

  457.  * Close data transfer interface

  458.  *

  459.  * @v validator		Certificate validator

  460.  * @v rc		Reason for close

  461.  */

  462. static void validator_xfer_close ( struct validator *validator, int rc ) {

  463. 

  464. 	/* Close data transfer interface */

  465. 	intf_restart ( &validator->xfer, rc );

  466. 

  467. 	/* Check for errors */

  468. 	if ( rc != 0 ) {

  469. 		DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",

  470. 		       validator, validator_name ( validator ),

  471. 		       strerror ( rc ) );

  472. 		goto err_transfer;

  473. 	}

  474. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",

  475. 		validator, validator_name ( validator ) );

  476. 

  477. 	/* Process completed download */

  478. 	assert ( validator->action != NULL );

  479. 	if ( ( rc = validator->action->done ( validator, validator->buffer.data,

  480. 					      validator->buffer.len ) ) != 0 )

  481. 		goto err_append;

  482. 

  483. 	/* Free downloaded data */

  484. 	xferbuf_free ( &validator->buffer );

  485. 

  486. 	/* Resume validation process */

  487. 	process_add ( &validator->process );

  488. 

  489. 	return;

  490. 

  491.  err_append:

  492.  err_transfer:

  493. 	validator_finished ( validator, rc );

  494. }

  495. 

  496. /**

  497.  * Receive data

  498.  *

  499.  * @v validator		Certificate validator

  500.  * @v iobuf		I/O buffer

  501.  * @v meta		Data transfer metadata

  502.  * @ret rc		Return status code

  503.  */

  504. static int validator_xfer_deliver ( struct validator *validator,

  505. 				    struct io_buffer *iobuf,

  506. 				    struct xfer_metadata *meta ) {

  507. 	int rc;

  508. 

  509. 	/* Add data to buffer */

  510. 	if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),

  511. 				      meta ) ) != 0 ) {

  512. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "

  513. 		       "data: %s\n", validator, validator_name ( validator ),

  514. 		       strerror ( rc ) );

  515. 		validator_finished ( validator, rc );

  516. 		return rc;

  517. 	}

  518. 

  519. 	return 0;

  520. }

  521. 

  522. /** Certificate validator data transfer interface operations */

  523. static struct interface_operation validator_xfer_operations[] = {

  524. 	INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),

  525. 	INTF_OP ( intf_close, struct validator *, validator_xfer_close ),

  526. };

  527. 

  528. /** Certificate validator data transfer interface descriptor */

  529. static struct interface_descriptor validator_xfer_desc =

  530. 	INTF_DESC ( struct validator, xfer, validator_xfer_operations );

  531. 

  532. /****************************************************************************

  533.  *

  534.  * Validation process

  535.  *

  536.  */

  537. 

  538. /**

  539.  * Certificate validation process

  540.  *

  541.  * @v validator		Certificate validator

  542.  */

  543. static void validator_step ( struct validator *validator ) {

  544. 	struct x509_link *link;

  545. 	struct x509_certificate *cert;

  546. 	struct x509_certificate *issuer = NULL;

  547. 	struct x509_certificate *last;

  548. 	time_t now;

  549. 	int rc;

  550. 

  551. 	/* Try validating chain.  Try even if the chain is incomplete,

  552. 	 * since certificates may already have been validated

  553. 	 * previously.

  554. 	 */

  555. 	now = time ( NULL );

  556. 	if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,

  557. 					  NULL ) ) == 0 ) {

  558. 		DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",

  559. 		       validator, validator_name ( validator ) );

  560. 		validator_finished ( validator, 0 );

  561. 		return;

  562. 	}

  563. 

  564. 	/* If there is a certificate that could be validated using

  565. 	 * OCSP, try it.

  566. 	 */

  567. 	list_for_each_entry ( link, &validator->chain->links, list ) {

  568. 		cert = issuer;

  569. 		issuer = link->cert;

  570. 		if ( ! cert )

  571. 			continue;

  572. 		if ( ! x509_is_valid ( issuer ) )

  573. 			continue;

  574. 		/* The issuer is valid, but this certificate is not

  575. 		 * yet valid.  If OCSP is applicable, start it.

  576. 		 */

  577. 		if ( ocsp_required ( cert ) ) {

  578. 			/* Start OCSP */

  579. 			if ( ( rc = validator_start_ocsp ( validator, cert,

  580. 							   issuer ) ) != 0 ) {

  581. 				validator_finished ( validator, rc );

  582. 				return;

  583. 			}

  584. 			return;

  585. 		}

  586. 		/* Otherwise, this is a permanent failure */

  587. 		validator_finished ( validator, rc );

  588. 		return;

  589. 	}

  590. 

  591. 	/* If chain ends with a self-issued certificate, then there is

  592. 	 * nothing more to do.

  593. 	 */

  594. 	last = x509_last ( validator->chain );

  595. 	if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {

  596. 		validator_finished ( validator, rc );

  597. 		return;

  598. 	}

  599. 

  600. 	/* Otherwise, try to download a suitable cross-signing

  601. 	 * certificate.

  602. 	 */

  603. 	if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {

  604. 		validator_finished ( validator, rc );

  605. 		return;

  606. 	}

  607. }

  608. 

  609. /** Certificate validator process descriptor */

  610. static struct process_descriptor validator_process_desc =

  611. 	PROC_DESC_ONCE ( struct validator, process, validator_step );

  612. 

  613. /****************************************************************************

  614.  *

  615.  * Instantiator

  616.  *

  617.  */

  618. 

  619. /**

  620.  * Instantiate a certificate validator

  621.  *

  622.  * @v job		Job control interface

  623.  * @v chain		X.509 certificate chain

  624.  * @ret rc		Return status code

  625.  */

  626. int create_validator ( struct interface *job, struct x509_chain *chain ) {

  627. 	struct validator *validator;

  628. 	int rc;

  629. 

  630. 	/* Sanity check */

  631. 	if ( ! chain ) {

  632. 		rc = -EINVAL;

  633. 		goto err_sanity;

  634. 	}

  635. 

  636. 	/* Allocate and initialise structure */

  637. 	validator = zalloc ( sizeof ( *validator ) );

  638. 	if ( ! validator ) {

  639. 		rc = -ENOMEM;

  640. 		goto err_alloc;

  641. 	}

  642. 	ref_init ( &validator->refcnt, validator_free );

  643. 	intf_init ( &validator->job, &validator_job_desc,

  644. 		    &validator->refcnt );

  645. 	intf_init ( &validator->xfer, &validator_xfer_desc,

  646. 		    &validator->refcnt );

  647. 	process_init ( &validator->process, &validator_process_desc,

  648. 		       &validator->refcnt );

  649. 	validator->chain = x509_chain_get ( chain );

  650. 	xferbuf_malloc_init ( &validator->buffer );

  651. 

  652. 	/* Attach parent interface, mortalise self, and return */

  653. 	intf_plug_plug ( &validator->job, job );

  654. 	ref_put ( &validator->refcnt );

  655. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",

  656. 		validator, validator_name ( validator ), validator->chain );

  657. 	return 0;

  658. 

  659. 	validator_finished ( validator, rc );

  660. 	ref_put ( &validator->refcnt );

  661.  err_alloc:

  662.  err_sanity:

  663. 	return rc;

  664. }