robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2865 Commits
2 Branches
Tree: e103495563
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e103495563'
${ noResults }
ipxe/src/crypto/x509.c

x509.c 6.0KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. /*

  2.  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

  17.  */

  18. 

  19. #include <stdlib.h>

  20. #include <string.h>

  21. #include <errno.h>

  22. #include <gpxe/asn1.h>

  23. #include <gpxe/x509.h>

  24. 

  25. /** @file

  26.  *

  27.  * X.509 certificates

  28.  *

  29.  * The structure of X.509v3 certificates is concisely documented in

  30.  * RFC5280 section 4.1.  The structure of RSA public keys is

  31.  * documented in RFC2313.

  32.  */

  33. 

  34. /** Object Identifier for "rsaEncryption" (1.2.840.113549.1.1.1) */

  35. static const uint8_t oid_rsa_encryption[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,

  36. 					      0x0d, 0x01, 0x01, 0x01 };

  37. 

  38. /**

  39.  * Identify X.509 certificate public key

  40.  *

  41.  * @v certificate	Certificate

  42.  * @v algorithm		Public key algorithm to fill in

  43.  * @v pubkey		Public key value to fill in

  44.  * @ret rc		Return status code

  45.  */

  46. static int x509_public_key ( const struct asn1_cursor *certificate,

  47. 			     struct asn1_cursor *algorithm,

  48. 			     struct asn1_cursor *pubkey ) {

  49. 	struct asn1_cursor cursor;

  50. 	int rc;

  51. 

  52. 	/* Locate subjectPublicKeyInfo */

  53. 	memcpy ( &cursor, certificate, sizeof ( cursor ) );

  54. 	rc = ( asn1_enter ( &cursor, ASN1_SEQUENCE ), /* Certificate */

  55. 	       asn1_enter ( &cursor, ASN1_SEQUENCE ), /* tbsCertificate */

  56. 	       asn1_skip ( &cursor, ASN1_EXPLICIT_TAG ), /* version */

  57. 	       asn1_skip ( &cursor, ASN1_INTEGER ), /* serialNumber */

  58. 	       asn1_skip ( &cursor, ASN1_SEQUENCE ), /* signature */

  59. 	       asn1_skip ( &cursor, ASN1_SEQUENCE ), /* issuer */

  60. 	       asn1_skip ( &cursor, ASN1_SEQUENCE ), /* validity */

  61. 	       asn1_skip ( &cursor, ASN1_SEQUENCE ), /* name */

  62. 	       asn1_enter ( &cursor, ASN1_SEQUENCE )/* subjectPublicKeyInfo*/);

  63. 	if ( rc != 0 ) {

  64. 		DBG ( "Cannot locate subjectPublicKeyInfo in:\n" );

  65. 		DBG_HDA ( 0, certificate->data, certificate->len );

  66. 		return rc;

  67. 	}

  68. 

  69. 	/* Locate algorithm */

  70. 	memcpy ( algorithm, &cursor, sizeof ( *algorithm ) );

  71. 	rc = ( asn1_enter ( algorithm, ASN1_SEQUENCE ) /* algorithm */ );

  72. 	if ( rc != 0 ) {

  73. 		DBG ( "Cannot locate algorithm in:\n" );

  74. 		DBG_HDA ( 0, certificate->data, certificate->len );

  75. 		return rc;

  76. 	}

  77. 

  78. 	/* Locate subjectPublicKey */

  79. 	memcpy ( pubkey, &cursor, sizeof ( *pubkey ) );

  80. 	rc = ( asn1_skip ( pubkey, ASN1_SEQUENCE ), /* algorithm */

  81. 	       asn1_enter ( pubkey, ASN1_BIT_STRING ) /* subjectPublicKey*/ );

  82. 	if ( rc != 0 ) {

  83. 		DBG ( "Cannot locate subjectPublicKey in:\n" );

  84. 		DBG_HDA ( 0, certificate->data, certificate->len );

  85. 		return rc;

  86. 	}

  87. 

  88. 	return 0;

  89. }

  90. 

  91. /**

  92.  * Identify X.509 certificate RSA modulus and public exponent

  93.  *

  94.  * @v certificate	Certificate

  95.  * @v rsa		RSA public key to fill in

  96.  * @ret rc		Return status code

  97.  *

  98.  * The caller is responsible for eventually calling

  99.  * x509_free_rsa_public_key() to free the storage allocated to hold

  100.  * the RSA modulus and exponent.

  101.  */

  102. int x509_rsa_public_key ( const struct asn1_cursor *certificate,

  103. 			  struct x509_rsa_public_key *rsa_pubkey ) {

  104. 	struct asn1_cursor algorithm;

  105. 	struct asn1_cursor pubkey;

  106. 	struct asn1_cursor modulus;

  107. 	struct asn1_cursor exponent;

  108. 	int rc;

  109. 

  110. 	/* First, extract the public key algorithm and key data */

  111. 	if ( ( rc = x509_public_key ( certificate, &algorithm,

  112. 				      &pubkey ) ) != 0 )

  113. 		return rc;

  114. 

  115. 	/* Check that algorithm is RSA */

  116. 	rc = ( asn1_enter ( &algorithm, ASN1_OID ) /* algorithm */ );

  117. 	if ( rc != 0 ) {

  118. 		DBG ( "Cannot locate algorithm:\n" );

  119. 		DBG_HDA ( 0, certificate->data, certificate->len );

  120. 	return rc;

  121. 	}

  122. 	if ( ( algorithm.len != sizeof ( oid_rsa_encryption ) ) ||

  123. 	     ( memcmp ( algorithm.data, &oid_rsa_encryption,

  124. 			sizeof ( oid_rsa_encryption ) ) != 0 ) ) {

  125. 		DBG ( "algorithm is not rsaEncryption in:\n" );

  126. 		DBG_HDA ( 0, certificate->data, certificate->len );

  127. 		return -ENOTSUP;

  128. 	}

  129. 

  130. 	/* Check that public key is a byte string, i.e. that the

  131. 	 * "unused bits" byte contains zero.

  132. 	 */

  133. 	if ( ( pubkey.len < 1 ) ||

  134. 	     ( ( *( uint8_t * ) pubkey.data ) != 0 ) ) {

  135. 		DBG ( "subjectPublicKey is not a byte string in:\n" );

  136. 		DBG_HDA ( 0, certificate->data, certificate->len );

  137. 		return -ENOTSUP;

  138. 	}

  139. 	pubkey.data++;

  140. 	pubkey.len--;

  141. 

  142. 	/* Pick out the modulus and exponent */

  143. 	rc = ( asn1_enter ( &pubkey, ASN1_SEQUENCE ) /* RSAPublicKey */ );

  144. 	if ( rc != 0 ) {

  145. 		DBG ( "Cannot locate RSAPublicKey in:\n" );

  146. 		DBG_HDA ( 0, certificate->data, certificate->len );

  147. 		return -ENOTSUP;

  148. 	}

  149. 	memcpy ( &modulus, &pubkey, sizeof ( modulus ) );

  150. 	rc = ( asn1_enter ( &modulus, ASN1_INTEGER ) /* modulus */ );

  151. 	if ( rc != 0 ) {

  152. 		DBG ( "Cannot locate modulus in:\n" );

  153. 		DBG_HDA ( 0, certificate->data, certificate->len );

  154. 		return -ENOTSUP;

  155. 	}

  156. 	memcpy ( &exponent, &pubkey, sizeof ( exponent ) );

  157. 	rc = ( asn1_skip ( &exponent, ASN1_INTEGER ), /* modulus */

  158. 	       asn1_enter ( &exponent, ASN1_INTEGER ) /* publicExponent */ );

  159. 	if ( rc != 0 ) {

  160. 		DBG ( "Cannot locate publicExponent in:\n" );

  161. 		DBG_HDA ( 0, certificate->data, certificate->len );

  162. 		return -ENOTSUP;

  163. 	}

  164. 

  165. 	/* Allocate space and copy out modulus and exponent */

  166. 	rsa_pubkey->modulus = malloc ( modulus.len + exponent.len );

  167. 	if ( ! rsa_pubkey->modulus )

  168. 		return -ENOMEM;

  169. 	rsa_pubkey->exponent = ( rsa_pubkey->modulus + modulus.len );

  170. 	memcpy ( rsa_pubkey->modulus, modulus.data, modulus.len );

  171. 	rsa_pubkey->modulus_len = modulus.len;

  172. 	memcpy ( rsa_pubkey->exponent, exponent.data, exponent.len );

  173. 	rsa_pubkey->exponent_len = exponent.len;

  174. 

  175. 	DBG2 ( "RSA modulus:\n" );

  176. 	DBG2_HDA ( 0, rsa_pubkey->modulus, rsa_pubkey->modulus_len );

  177. 	DBG2 ( "RSA exponent:\n" );

  178. 	DBG2_HDA ( 0, rsa_pubkey->exponent, rsa_pubkey->exponent_len );

  179. 

  180. 	return 0;

  181. }