robin.thoni
/
ipxe
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 11 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
4692 коммитов
2 Ветки
Дерево: bc8ca6b8ce
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'bc8ca6b8ce'
${ noResults }
ipxe/src/include/ipxe/x509.h

x509.h 9.2KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387 
  1. #ifndef _IPXE_X509_H

  2. #define _IPXE_X509_H

  3. 

  4. /** @file

  5.  *

  6.  * X.509 certificates

  7.  *

  8.  */

  9. 

  10. FILE_LICENCE ( GPL2_OR_LATER );

  11. 

  12. #include <stdint.h>

  13. #include <stddef.h>

  14. #include <time.h>

  15. #include <ipxe/asn1.h>

  16. #include <ipxe/refcnt.h>

  17. #include <ipxe/list.h>

  18. 

  19. /** An X.509 serial number */

  20. struct x509_serial {

  21. 	/** Raw serial number */

  22. 	struct asn1_cursor raw;

  23. };

  24. 

  25. /** An X.509 issuer */

  26. struct x509_issuer {

  27. 	/** Raw issuer */

  28. 	struct asn1_cursor raw;

  29. };

  30. 

  31. /** An X.509 time */

  32. struct x509_time {

  33. 	/** Seconds since the Epoch */

  34. 	time_t time;

  35. };

  36. 

  37. /** An X.509 certificate validity period */

  38. struct x509_validity {

  39. 	/** Not valid before */

  40. 	struct x509_time not_before;

  41. 	/** Not valid after */

  42. 	struct x509_time not_after;

  43. };

  44. 

  45. /** Margin of error allowed in X.509 response times

  46.  *

  47.  * We allow a generous margin of error: 12 hours to allow for the

  48.  * local time zone being non-GMT, plus 30 minutes to allow for general

  49.  * clock drift.

  50.  */

  51. #define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )

  52. 

  53. /** An X.509 certificate public key */

  54. struct x509_public_key {

  55. 	/** Raw public key information */

  56. 	struct asn1_cursor raw;

  57. 	/** Public key algorithm */

  58. 	struct asn1_algorithm *algorithm;

  59. 	/** Raw public key bit string */

  60. 	struct asn1_bit_string raw_bits;

  61. };

  62. 

  63. /** An X.509 certificate subject */

  64. struct x509_subject {

  65. 	/** Raw subject */

  66. 	struct asn1_cursor raw;

  67. 	/** Common name */

  68. 	struct asn1_cursor common_name;

  69. 	/** Public key information */

  70. 	struct x509_public_key public_key;

  71. };

  72. 

  73. /** An X.509 certificate signature */

  74. struct x509_signature {

  75. 	/** Signature algorithm */

  76. 	struct asn1_algorithm *algorithm;

  77. 	/** Signature value */

  78. 	struct asn1_bit_string value;

  79. };

  80. 

  81. /** An X.509 certificate basic constraints set */

  82. struct x509_basic_constraints {

  83. 	/** Subject is a CA */

  84. 	int ca;

  85. 	/** Path length */

  86. 	unsigned int path_len;

  87. };

  88. 

  89. /** Unlimited path length

  90.  *

  91.  * We use -2U, since this quantity represents one *fewer* than the

  92.  * maximum number of remaining certificates in a chain.

  93.  */

  94. #define X509_PATH_LEN_UNLIMITED -2U

  95. 

  96. /** An X.509 certificate key usage */

  97. struct x509_key_usage {

  98. 	/** Key usage extension is present */

  99. 	int present;

  100. 	/** Usage bits */

  101. 	unsigned int bits;

  102. };

  103. 

  104. /** X.509 certificate key usage bits */

  105. enum x509_key_usage_bits {

  106. 	X509_DIGITAL_SIGNATURE = 0x0080,

  107. 	X509_NON_REPUDIATION = 0x0040,

  108. 	X509_KEY_ENCIPHERMENT = 0x0020,

  109. 	X509_DATA_ENCIPHERMENT = 0x0010,

  110. 	X509_KEY_AGREEMENT = 0x0008,

  111. 	X509_KEY_CERT_SIGN = 0x0004,

  112. 	X509_CRL_SIGN = 0x0002,

  113. 	X509_ENCIPHER_ONLY = 0x0001,

  114. 	X509_DECIPHER_ONLY = 0x8000,

  115. };

  116. 

  117. /** An X.509 certificate extended key usage */

  118. struct x509_extended_key_usage {

  119. 	/** Usage bits */

  120. 	unsigned int bits;

  121. };

  122. 

  123. /** X.509 certificate extended key usage bits

  124.  *

  125.  * Extended key usages are identified by OID; these bits are purely an

  126.  * internal definition.

  127.  */

  128. enum x509_extended_key_usage_bits {

  129. 	X509_CODE_SIGNING = 0x0001,

  130. 	X509_OCSP_SIGNING = 0x0002,

  131. };

  132. 

  133. /** X.509 certificate OCSP responder */

  134. struct x509_ocsp_responder {

  135. 	/** URI */

  136. 	struct asn1_cursor uri;

  137. 	/** OCSP status is good */

  138. 	int good;

  139. };

  140. 

  141. /** X.509 certificate authority information access */

  142. struct x509_authority_info_access {

  143. 	/** OCSP responder */

  144. 	struct x509_ocsp_responder ocsp;

  145. };

  146. 

  147. /** An X.509 certificate extensions set */

  148. struct x509_extensions {

  149. 	/** Basic constraints */

  150. 	struct x509_basic_constraints basic;

  151. 	/** Key usage */

  152. 	struct x509_key_usage usage;

  153. 	/** Extended key usage */

  154. 	struct x509_extended_key_usage ext_usage;

  155. 	/** Authority information access */

  156. 	struct x509_authority_info_access auth_info;

  157. };

  158. 

  159. /** A link in an X.509 certificate chain */

  160. struct x509_link {

  161. 	/** List of links */

  162. 	struct list_head list;

  163. 	/** Certificate */

  164. 	struct x509_certificate *cert;

  165. };

  166. 

  167. /** An X.509 certificate chain */

  168. struct x509_chain {

  169. 	/** Reference count */

  170. 	struct refcnt refcnt;

  171. 	/** List of links */

  172. 	struct list_head links;

  173. };

  174. 

  175. /** An X.509 certificate */

  176. struct x509_certificate {

  177. 	/** Reference count */

  178. 	struct refcnt refcnt;

  179. 

  180. 	/** Link in certificate store */

  181. 	struct x509_link store;

  182. 

  183. 	/** Certificate has been validated */

  184. 	int valid;

  185. 	/** Maximum number of subsequent certificates in chain */

  186. 	unsigned int path_remaining;

  187. 

  188. 	/** Raw certificate */

  189. 	struct asn1_cursor raw;

  190. 	/** Version */

  191. 	unsigned int version;

  192. 	/** Serial number */

  193. 	struct x509_serial serial;

  194. 	/** Raw tbsCertificate */

  195. 	struct asn1_cursor tbs;

  196. 	/** Signature algorithm */

  197. 	struct asn1_algorithm *signature_algorithm;

  198. 	/** Issuer */

  199. 	struct x509_issuer issuer;

  200. 	/** Validity */

  201. 	struct x509_validity validity;

  202. 	/** Subject */

  203. 	struct x509_subject subject;

  204. 	/** Signature */

  205. 	struct x509_signature signature;

  206. 	/** Extensions */

  207. 	struct x509_extensions extensions;

  208. };

  209. 

  210. /**

  211.  * Get reference to X.509 certificate

  212.  *

  213.  * @v cert		X.509 certificate

  214.  * @ret cert		X.509 certificate

  215.  */

  216. static inline __attribute__ (( always_inline )) struct x509_certificate *

  217. x509_get ( struct x509_certificate *cert ) {

  218. 	ref_get ( &cert->refcnt );

  219. 	return cert;

  220. }

  221. 

  222. /**

  223.  * Drop reference to X.509 certificate

  224.  *

  225.  * @v cert		X.509 certificate

  226.  */

  227. static inline __attribute__ (( always_inline )) void

  228. x509_put ( struct x509_certificate *cert ) {

  229. 	ref_put ( &cert->refcnt );

  230. }

  231. 

  232. /**

  233.  * Get reference to X.509 certificate chain

  234.  *

  235.  * @v chain		X.509 certificate chain

  236.  * @ret chain		X.509 certificate chain

  237.  */

  238. static inline __attribute__ (( always_inline )) struct x509_chain *

  239. x509_chain_get ( struct x509_chain *chain ) {

  240. 	ref_get ( &chain->refcnt );

  241. 	return chain;

  242. }

  243. 

  244. /**

  245.  * Drop reference to X.509 certificate chain

  246.  *

  247.  * @v chain		X.509 certificate chain

  248.  */

  249. static inline __attribute__ (( always_inline )) void

  250. x509_chain_put ( struct x509_chain *chain ) {

  251. 	ref_put ( &chain->refcnt );

  252. }

  253. 

  254. /**

  255.  * Get first certificate in X.509 certificate chain

  256.  *

  257.  * @v chain		X.509 certificate chain

  258.  * @ret cert		X.509 certificate, or NULL

  259.  */

  260. static inline __attribute__ (( always_inline )) struct x509_certificate *

  261. x509_first ( struct x509_chain *chain ) {

  262. 	struct x509_link *link;

  263. 

  264. 	link = list_first_entry ( &chain->links, struct x509_link, list );

  265. 	return ( link ? link->cert : NULL );

  266. }

  267. 

  268. /**

  269.  * Get last certificate in X.509 certificate chain

  270.  *

  271.  * @v chain		X.509 certificate chain

  272.  * @ret cert		X.509 certificate, or NULL

  273.  */

  274. static inline __attribute__ (( always_inline )) struct x509_certificate *

  275. x509_last ( struct x509_chain *chain ) {

  276. 	struct x509_link *link;

  277. 

  278. 	link = list_last_entry ( &chain->links, struct x509_link, list );

  279. 	return ( link ? link->cert : NULL );

  280. }

  281. 

  282. /** An X.509 extension */

  283. struct x509_extension {

  284. 	/** Name */

  285. 	const char *name;

  286. 	/** Object identifier */

  287. 	struct asn1_cursor oid;

  288. 	/** Parse extension

  289. 	 *

  290. 	 * @v cert		X.509 certificate

  291. 	 * @v raw		ASN.1 cursor

  292. 	 * @ret rc		Return status code

  293. 	 */

  294. 	int ( * parse ) ( struct x509_certificate *cert,

  295. 			  const struct asn1_cursor *raw );

  296. };

  297. 

  298. /** An X.509 key purpose */

  299. struct x509_key_purpose {

  300. 	/** Name */

  301. 	const char *name;

  302. 	/** Object identifier */

  303. 	struct asn1_cursor oid;

  304. 	/** Extended key usage bits */

  305. 	unsigned int bits;

  306. };

  307. 

  308. /** An X.509 access method */

  309. struct x509_access_method {

  310. 	/** Name */

  311. 	const char *name;

  312. 	/** Object identifier */

  313. 	struct asn1_cursor oid;

  314. 	/** Parse access method

  315. 	 *

  316. 	 * @v cert		X.509 certificate

  317. 	 * @v raw		ASN.1 cursor

  318. 	 * @ret rc		Return status code

  319. 	 */

  320. 	int ( * parse ) ( struct x509_certificate *cert,

  321. 			  const struct asn1_cursor *raw );

  322. };

  323. 

  324. /** An X.509 root certificate store */

  325. struct x509_root {

  326. 	/** Fingerprint digest algorithm */

  327. 	struct digest_algorithm *digest;

  328. 	/** Number of certificates */

  329. 	unsigned int count;

  330. 	/** Certificate fingerprints */

  331. 	const void *fingerprints;

  332. };

  333. 

  334. extern const char * x509_name ( struct x509_certificate *cert );

  335. extern int x509_parse ( struct x509_certificate *cert,

  336. 			const struct asn1_cursor *raw );

  337. extern int x509_certificate ( const void *data, size_t len,

  338. 			      struct x509_certificate **cert );

  339. extern int x509_validate ( struct x509_certificate *cert,

  340. 			   struct x509_certificate *issuer,

  341. 			   time_t time, struct x509_root *root );

  342. extern int x509_check_name ( struct x509_certificate *cert, const char *name );

  343. 

  344. extern struct x509_chain * x509_alloc_chain ( void );

  345. extern int x509_append ( struct x509_chain *chain,

  346. 			 struct x509_certificate *cert );

  347. extern int x509_append_raw ( struct x509_chain *chain, const void *data,

  348. 			     size_t len );

  349. extern int x509_auto_append ( struct x509_chain *chain,

  350. 			      struct x509_chain *certs );

  351. extern int x509_validate_chain ( struct x509_chain *chain, time_t time,

  352. 				 struct x509_chain *store,

  353. 				 struct x509_root *root );

  354. 

  355. /* Functions exposed only for unit testing */

  356. extern int x509_check_issuer ( struct x509_certificate *cert,

  357. 			       struct x509_certificate *issuer );

  358. extern void x509_fingerprint ( struct x509_certificate *cert,

  359. 			       struct digest_algorithm *digest,

  360. 			       void *fingerprint );

  361. extern int x509_check_root ( struct x509_certificate *cert,

  362. 			     struct x509_root *root );

  363. extern int x509_check_time ( struct x509_certificate *cert, time_t time );

  364. 

  365. /**

  366.  * Invalidate X.509 certificate

  367.  *

  368.  * @v cert		X.509 certificate

  369.  */

  370. static inline void x509_invalidate ( struct x509_certificate *cert ) {

  371. 	cert->valid = 0;

  372. 	cert->path_remaining = 0;

  373. }

  374. 

  375. /**

  376.  * Invalidate X.509 certificate chain

  377.  *

  378.  * @v chain		X.509 certificate chain

  379.  */

  380. static inline void x509_invalidate_chain ( struct x509_chain *chain ) {

  381. 	struct x509_link *link;

  382. 

  383. 	list_for_each_entry ( link, &chain->links, list )

  384. 		x509_invalidate ( link->cert );

  385. }

  386. 

  387. #endif /* _IPXE_X509_H */