You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

certstore.c 7.7KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279
  1. /*
  2. * Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. *
  19. * You can also choose to distribute this program under the terms of
  20. * the Unmodified Binary Distribution Licence (as given in the file
  21. * COPYING.UBDL), provided that you have satisfied its requirements.
  22. */
  23. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  24. #include <string.h>
  25. #include <stdlib.h>
  26. #include <ipxe/init.h>
  27. #include <ipxe/dhcp.h>
  28. #include <ipxe/settings.h>
  29. #include <ipxe/malloc.h>
  30. #include <ipxe/crypto.h>
  31. #include <ipxe/asn1.h>
  32. #include <ipxe/x509.h>
  33. #include <ipxe/certstore.h>
  34. /** @file
  35. *
  36. * Certificate store
  37. *
  38. */
  39. /** Raw certificate data for all permanent stored certificates */
  40. #undef CERT
  41. #define CERT( _index, _path ) \
  42. extern char stored_cert_ ## _index ## _data[]; \
  43. extern char stored_cert_ ## _index ## _len[]; \
  44. __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t" \
  45. "\nstored_cert_" #_index "_data:\n\t" \
  46. ".incbin \"" _path "\"\n\t" \
  47. "\nstored_cert_" #_index "_end:\n\t" \
  48. ".equ stored_cert_" #_index "_len, " \
  49. "( stored_cert_" #_index "_end - " \
  50. " stored_cert_" #_index "_data )\n\t" \
  51. ".previous\n\t" );
  52. CERT_ALL
  53. /** Raw certificate cursors for all permanent stored certificates */
  54. #undef CERT
  55. #define CERT( _index, _path ) { \
  56. .data = stored_cert_ ## _index ## _data, \
  57. .len = ( size_t ) stored_cert_ ## _index ## _len, \
  58. },
  59. static struct asn1_cursor certstore_raw[] = {
  60. CERT_ALL
  61. };
  62. /** X.509 certificate structures for all permanent stored certificates */
  63. static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
  64. sizeof ( certstore_raw[0] ) ];
  65. /** Certificate store */
  66. struct x509_chain certstore = {
  67. .refcnt = REF_INIT ( ref_no_free ),
  68. .links = LIST_HEAD_INIT ( certstore.links ),
  69. };
  70. /**
  71. * Mark stored certificate as most recently used
  72. *
  73. * @v cert X.509 certificate
  74. * @ret cert X.509 certificate
  75. */
  76. static struct x509_certificate *
  77. certstore_found ( struct x509_certificate *cert ) {
  78. /* Mark as most recently used */
  79. list_del ( &cert->store.list );
  80. list_add ( &cert->store.list, &certstore.links );
  81. DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",
  82. x509_name ( cert ) );
  83. return cert;
  84. }
  85. /**
  86. * Find certificate in store
  87. *
  88. * @v raw Raw certificate data
  89. * @ret cert X.509 certificate, or NULL if not found
  90. */
  91. struct x509_certificate * certstore_find ( struct asn1_cursor *raw ) {
  92. struct x509_certificate *cert;
  93. /* Search for certificate within store */
  94. list_for_each_entry ( cert, &certstore.links, store.list ) {
  95. if ( asn1_compare ( raw, &cert->raw ) == 0 )
  96. return certstore_found ( cert );
  97. }
  98. return NULL;
  99. }
  100. /**
  101. * Find certificate in store corresponding to a private key
  102. *
  103. * @v key Private key
  104. * @ret cert X.509 certificate, or NULL if not found
  105. */
  106. struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ) {
  107. struct x509_certificate *cert;
  108. /* Search for certificate within store */
  109. list_for_each_entry ( cert, &certstore.links, store.list ) {
  110. if ( pubkey_match ( cert->signature_algorithm->pubkey,
  111. key->data, key->len,
  112. cert->subject.public_key.raw.data,
  113. cert->subject.public_key.raw.len ) == 0 )
  114. return certstore_found ( cert );
  115. }
  116. return NULL;
  117. }
  118. /**
  119. * Add certificate to store
  120. *
  121. * @v cert X.509 certificate
  122. */
  123. void certstore_add ( struct x509_certificate *cert ) {
  124. /* Add certificate to store */
  125. cert->store.cert = cert;
  126. x509_get ( cert );
  127. list_add ( &cert->store.list, &certstore.links );
  128. DBGC ( &certstore, "CERTSTORE added certificate %s\n",
  129. x509_name ( cert ) );
  130. }
  131. /**
  132. * Discard a stored certificate
  133. *
  134. * @ret discarded Number of cached items discarded
  135. */
  136. static unsigned int certstore_discard ( void ) {
  137. struct x509_certificate *cert;
  138. /* Discard the least recently used certificate for which the
  139. * only reference is held by the store itself.
  140. */
  141. list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
  142. if ( cert->refcnt.count == 0 ) {
  143. DBGC ( &certstore, "CERTSTORE discarded certificate "
  144. "%s\n", x509_name ( cert ) );
  145. list_del ( &cert->store.list );
  146. x509_put ( cert );
  147. return 1;
  148. }
  149. }
  150. return 0;
  151. }
  152. /** Certificate store cache discarder */
  153. struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={
  154. .discard = certstore_discard,
  155. };
  156. /**
  157. * Construct permanent certificate store
  158. *
  159. */
  160. static void certstore_init ( void ) {
  161. struct asn1_cursor *raw;
  162. struct x509_certificate *cert;
  163. int i;
  164. int rc;
  165. /* Skip if we have no permanent stored certificates */
  166. if ( ! sizeof ( certstore_raw ) )
  167. return;
  168. /* Add certificates */
  169. for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
  170. sizeof ( certstore_raw[0] ) ) ; i++ ) {
  171. /* Skip if certificate already present in store */
  172. raw = &certstore_raw[i];
  173. if ( ( cert = certstore_find ( raw ) ) != NULL ) {
  174. DBGC ( &certstore, "CERTSTORE permanent certificate %d "
  175. "is a duplicate of %s\n", i, x509_name ( cert ));
  176. continue;
  177. }
  178. /* Parse certificate */
  179. cert = &certstore_certs[i];
  180. ref_init ( &cert->refcnt, ref_no_free );
  181. if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
  182. DBGC ( &certstore, "CERTSTORE could not parse "
  183. "permanent certificate %d: %s\n",
  184. i, strerror ( rc ) );
  185. continue;
  186. }
  187. /* Add certificate to store. Certificate will never
  188. * be discarded from the store, since we retain a
  189. * permanent reference to it.
  190. */
  191. certstore_add ( cert );
  192. DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
  193. i, x509_name ( cert ) );
  194. }
  195. }
  196. /** Certificate store initialisation function */
  197. struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {
  198. .initialise = certstore_init,
  199. };
  200. /** Additional certificate setting */
  201. static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {
  202. .name = "cert",
  203. .description = "Certificate",
  204. .tag = DHCP_EB_CERT,
  205. .type = &setting_type_hex,
  206. };
  207. /**
  208. * Apply certificate store configuration settings
  209. *
  210. * @ret rc Return status code
  211. */
  212. static int certstore_apply_settings ( void ) {
  213. static struct x509_certificate *cert = NULL;
  214. struct x509_certificate *old_cert;
  215. void *cert_data;
  216. int len;
  217. int rc;
  218. /* Record any existing additional certificate */
  219. old_cert = cert;
  220. cert = NULL;
  221. /* Add additional certificate, if any */
  222. if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
  223. &cert_data ) ) >= 0 ) {
  224. if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
  225. DBGC ( &certstore, "CERTSTORE added additional "
  226. "certificate %s\n", x509_name ( cert ) );
  227. } else {
  228. DBGC ( &certstore, "CERTSTORE could not parse "
  229. "additional certificate: %s\n",
  230. strerror ( rc ) );
  231. /* Do not fail; leave as an unusable certificate */
  232. }
  233. free ( cert_data );
  234. }
  235. /* Free old additional certificiate. Do this after reparsing
  236. * the additional certificate; in the common case that the
  237. * certificate has not changed, this will allow the stored
  238. * certificate to be reused.
  239. */
  240. x509_put ( old_cert );
  241. return 0;
  242. }
  243. /** Certificate store settings applicator */
  244. struct settings_applicator certstore_applicator __settings_applicator = {
  245. .apply = certstore_apply_settings,
  246. };