robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5827 Commits
2 Branches
Tree: a0021a30dd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a0021a30dd'
${ noResults }
ipxe/src/include/ipxe/ocsp.h

ocsp.h 3.2KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136 
  1. #ifndef _IPXE_OCSP_H

  2. #define _IPXE_OCSP_H

  3. 

  4. /** @file

  5.  *

  6.  * Online Certificate Status Protocol

  7.  *

  8.  */

  9. 

  10. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

  11. 

  12. #include <stdarg.h>

  13. #include <time.h>

  14. #include <ipxe/asn1.h>

  15. #include <ipxe/x509.h>

  16. #include <ipxe/refcnt.h>

  17. 

  18. /** OCSP algorithm identifier */

  19. #define OCSP_ALGORITHM_IDENTIFIER( ... )				\

  20. 	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\

  21. 	ASN1_NULL, 0x00

  22. 

  23. /* OCSP response statuses */

  24. #define OCSP_STATUS_SUCCESSFUL		0x00

  25. #define OCSP_STATUS_MALFORMED_REQUEST	0x01

  26. #define OCSP_STATUS_INTERNAL_ERROR	0x02

  27. #define OCSP_STATUS_TRY_LATER		0x03

  28. #define OCSP_STATUS_SIG_REQUIRED	0x05

  29. #define OCSP_STATUS_UNAUTHORIZED	0x06

  30. 

  31. struct ocsp_check;

  32. 

  33. /** An OCSP request */

  34. struct ocsp_request {

  35. 	/** Request builder */

  36. 	struct asn1_builder builder;

  37. 	/** Certificate ID */

  38. 	struct asn1_cursor cert_id;

  39. };

  40. 

  41. /** An OCSP responder */

  42. struct ocsp_responder {

  43. 	/**

  44. 	 * Check if certificate is the responder's certificate

  45. 	 *

  46. 	 * @v ocsp		OCSP check

  47. 	 * @v cert		Certificate

  48. 	 * @ret difference	Difference as returned by memcmp()

  49. 	 */

  50. 	int ( * compare ) ( struct ocsp_check *ocsp,

  51. 			    struct x509_certificate *cert );

  52. 	/** Responder ID */

  53. 	struct asn1_cursor id;

  54. };

  55. 

  56. /** An OCSP response */

  57. struct ocsp_response {

  58. 	/** Raw response */

  59. 	void *data;

  60. 	/** Raw tbsResponseData */

  61. 	struct asn1_cursor tbs;

  62. 	/** Responder */

  63. 	struct ocsp_responder responder;

  64. 	/** Time at which status is known to be correct */

  65. 	time_t this_update;

  66. 	/** Time at which newer status information will be available */

  67. 	time_t next_update;

  68. 	/** Signature algorithm */

  69. 	struct asn1_algorithm *algorithm;

  70. 	/** Signature value */

  71. 	struct asn1_bit_string signature;

  72. 	/** Signing certificate */

  73. 	struct x509_certificate *signer;

  74. };

  75. 

  76. /** An OCSP check */

  77. struct ocsp_check {

  78. 	/** Reference count */

  79. 	struct refcnt refcnt;

  80. 	/** Certificate being checked */

  81. 	struct x509_certificate *cert;

  82. 	/** Issuing certificate */

  83. 	struct x509_certificate *issuer;

  84. 	/** URI string */

  85. 	char *uri_string;

  86. 	/** Request */

  87. 	struct ocsp_request request;

  88. 	/** Response */

  89. 	struct ocsp_response response;

  90. };

  91. 

  92. /**

  93.  * Get reference to OCSP check

  94.  *

  95.  * @v ocsp		OCSP check

  96.  * @ret ocsp		OCSP check

  97.  */

  98. static inline __attribute__ (( always_inline )) struct ocsp_check *

  99. ocsp_get ( struct ocsp_check *ocsp ) {

  100. 	ref_get ( &ocsp->refcnt );

  101. 	return ocsp;

  102. }

  103. 

  104. /**

  105.  * Drop reference to OCSP check

  106.  *

  107.  * @v ocsp		OCSP check

  108.  */

  109. static inline __attribute__ (( always_inline )) void

  110. ocsp_put ( struct ocsp_check *ocsp ) {

  111. 	ref_put ( &ocsp->refcnt );

  112. }

  113. 

  114. /**

  115.  * Check if X.509 certificate requires an OCSP check

  116.  *

  117.  * @v cert		X.509 certificate

  118.  * @ret ocsp_required	An OCSP check is required

  119.  */

  120. static inline int ocsp_required ( struct x509_certificate *cert ) {

  121. 

  122. 	/* An OCSP check is required if an OCSP URI exists but the

  123. 	 * OCSP status is not (yet) good.

  124. 	 */

  125. 	return ( cert->extensions.auth_info.ocsp.uri.len &&

  126. 		 ( ! cert->extensions.auth_info.ocsp.good ) );

  127. }

  128. 

  129. extern int ocsp_check ( struct x509_certificate *cert,

  130. 			struct x509_certificate *issuer,

  131. 			struct ocsp_check **ocsp );

  132. extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,

  133. 			   size_t len );

  134. extern int ocsp_validate ( struct ocsp_check *check, time_t time );

  135. 

  136. #endif /* _IPXE_OCSP_H */