robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5856 Commits
2 Branches
Tree: e7f67d5a4c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e7f67d5a4c'
${ noResults }
ipxe/src/crypto/certstore.c

certstore.c 8.3KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306 
  1. /*

  2.  * Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

  17.  * 02110-1301, USA.

  18.  *

  19.  * You can also choose to distribute this program under the terms of

  20.  * the Unmodified Binary Distribution Licence (as given in the file

  21.  * COPYING.UBDL), provided that you have satisfied its requirements.

  22.  */

  23. 

  24. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

  25. 

  26. #include <string.h>

  27. #include <stdlib.h>

  28. #include <ipxe/init.h>

  29. #include <ipxe/dhcp.h>

  30. #include <ipxe/settings.h>

  31. #include <ipxe/malloc.h>

  32. #include <ipxe/crypto.h>

  33. #include <ipxe/asn1.h>

  34. #include <ipxe/x509.h>

  35. #include <ipxe/certstore.h>

  36. 

  37. /** @file

  38.  *

  39.  * Certificate store

  40.  *

  41.  */

  42. 

  43. /** Raw certificate data for all permanent stored certificates */

  44. #undef CERT

  45. #define CERT( _index, _path )						\

  46. 	extern char stored_cert_ ## _index ## _data[];			\

  47. 	extern char stored_cert_ ## _index ## _len[];			\

  48. 	__asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t"	\

  49. 		  "\nstored_cert_" #_index "_data:\n\t"			\

  50. 		  ".incbin \"" _path "\"\n\t"				\

  51. 		  "\nstored_cert_" #_index "_end:\n\t"			\

  52. 		  ".equ stored_cert_" #_index "_len, "			\

  53. 			"( stored_cert_" #_index "_end - "		\

  54. 			"  stored_cert_" #_index "_data )\n\t"		\

  55. 		  ".previous\n\t" );

  56. CERT_ALL

  57. 

  58. /** Raw certificate cursors for all permanent stored certificates */

  59. #undef CERT

  60. #define CERT( _index, _path ) {						\

  61. 	.data = stored_cert_ ## _index ## _data,			\

  62. 	.len = ( size_t ) stored_cert_ ## _index ## _len, 		\

  63. },

  64. static struct asn1_cursor certstore_raw[] = {

  65. 	CERT_ALL

  66. };

  67. 

  68. /** X.509 certificate structures for all permanent stored certificates */

  69. static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /

  70. 						sizeof ( certstore_raw[0] ) ];

  71. 

  72. /** Certificate store */

  73. struct x509_chain certstore = {

  74. 	.refcnt = REF_INIT ( ref_no_free ),

  75. 	.links = LIST_HEAD_INIT ( certstore.links ),

  76. };

  77. 

  78. /**

  79.  * Mark stored certificate as most recently used

  80.  *

  81.  * @v cert		X.509 certificate

  82.  * @ret cert		X.509 certificate

  83.  */

  84. static struct x509_certificate *

  85. certstore_found ( struct x509_certificate *cert ) {

  86. 

  87. 	/* Mark as most recently used */

  88. 	list_del ( &cert->store.list );

  89. 	list_add ( &cert->store.list, &certstore.links );

  90. 	DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",

  91. 		x509_name ( cert ) );

  92. 

  93. 	return cert;

  94. }

  95. 

  96. /**

  97.  * Find certificate in store

  98.  *

  99.  * @v raw		Raw certificate data

  100.  * @ret cert		X.509 certificate, or NULL if not found

  101.  */

  102. struct x509_certificate * certstore_find ( struct asn1_cursor *raw ) {

  103. 	struct x509_certificate *cert;

  104. 

  105. 	/* Search for certificate within store */

  106. 	list_for_each_entry ( cert, &certstore.links, store.list ) {

  107. 		if ( asn1_compare ( raw, &cert->raw ) == 0 )

  108. 			return certstore_found ( cert );

  109. 	}

  110. 	return NULL;

  111. }

  112. 

  113. /**

  114.  * Find certificate in store corresponding to a private key

  115.  *

  116.  * @v key		Private key

  117.  * @ret cert		X.509 certificate, or NULL if not found

  118.  */

  119. struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ) {

  120. 	struct x509_certificate *cert;

  121. 

  122. 	/* Search for certificate within store */

  123. 	list_for_each_entry ( cert, &certstore.links, store.list ) {

  124. 		if ( pubkey_match ( cert->signature_algorithm->pubkey,

  125. 				    key->data, key->len,

  126. 				    cert->subject.public_key.raw.data,

  127. 				    cert->subject.public_key.raw.len ) == 0 )

  128. 			return certstore_found ( cert );

  129. 	}

  130. 	return NULL;

  131. }

  132. 

  133. /**

  134.  * Add certificate to store

  135.  *

  136.  * @v cert		X.509 certificate

  137.  */

  138. void certstore_add ( struct x509_certificate *cert ) {

  139. 

  140. 	/* Add certificate to store */

  141. 	cert->store.cert = cert;

  142. 	x509_get ( cert );

  143. 	list_add ( &cert->store.list, &certstore.links );

  144. 	DBGC ( &certstore, "CERTSTORE added certificate %s\n",

  145. 	       x509_name ( cert ) );

  146. }

  147. 

  148. /**

  149.  * Remove certificate from store

  150.  *

  151.  * @v cert		X.509 certificate

  152.  */

  153. void certstore_del ( struct x509_certificate *cert ) {

  154. 

  155. 	/* Ignore attempts to remove permanent certificates */

  156. 	if ( cert->flags & X509_FL_PERMANENT )

  157. 		return;

  158. 

  159. 	/* Remove certificate from store */

  160. 	DBGC ( &certstore, "CERTSTORE removed certificate %s\n",

  161. 	       x509_name ( cert ) );

  162. 	list_del ( &cert->store.list );

  163. 	x509_put ( cert );

  164. }

  165. 

  166. /**

  167.  * Discard a stored certificate

  168.  *

  169.  * @ret discarded	Number of cached items discarded

  170.  */

  171. static unsigned int certstore_discard ( void ) {

  172. 	struct x509_certificate *cert;

  173. 

  174. 	/* Discard the least recently used certificate for which the

  175. 	 * only reference is held by the store itself.

  176. 	 */

  177. 	list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {

  178. 

  179. 		/* Skip certificates for which another reference is held */

  180. 		if ( cert->refcnt.count > 0 )

  181. 			continue;

  182. 

  183. 		/* Skip certificates that were added at build time or

  184. 		 * added explicitly at run time.

  185. 		 */

  186. 		if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )

  187. 			continue;

  188. 

  189. 		/* Discard certificate */

  190. 		certstore_del ( cert );

  191. 		return 1;

  192. 	}

  193. 

  194. 	return 0;

  195. }

  196. 

  197. /** Certificate store cache discarder */

  198. struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={

  199. 	.discard = certstore_discard,

  200. };

  201. 

  202. /**

  203.  * Construct permanent certificate store

  204.  *

  205.  */

  206. static void certstore_init ( void ) {

  207. 	struct asn1_cursor *raw;

  208. 	struct x509_certificate *cert;

  209. 	int i;

  210. 	int rc;

  211. 

  212. 	/* Skip if we have no permanent stored certificates */

  213. 	if ( ! sizeof ( certstore_raw ) )

  214. 		return;

  215. 

  216. 	/* Add certificates */

  217. 	for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /

  218. 				    sizeof ( certstore_raw[0] ) ) ; i++ ) {

  219. 

  220. 		/* Skip if certificate already present in store */

  221. 		raw = &certstore_raw[i];

  222. 		if ( ( cert = certstore_find ( raw ) ) != NULL ) {

  223. 			DBGC ( &certstore, "CERTSTORE permanent certificate %d "

  224. 			       "is a duplicate of %s\n", i, x509_name ( cert ));

  225. 			continue;

  226. 		}

  227. 

  228. 		/* Parse certificate */

  229. 		cert = &certstore_certs[i];

  230. 		ref_init ( &cert->refcnt, ref_no_free );

  231. 		if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {

  232. 			DBGC ( &certstore, "CERTSTORE could not parse "

  233. 			       "permanent certificate %d: %s\n",

  234. 			       i, strerror ( rc ) );

  235. 			continue;

  236. 		}

  237. 

  238. 		/* Add certificate to store.  Certificate will never

  239. 		 * be discarded from the store, since we retain a

  240. 		 * permanent reference to it.

  241. 		 */

  242. 		certstore_add ( cert );

  243. 		cert->flags |= X509_FL_PERMANENT;

  244. 		DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",

  245. 		       i, x509_name ( cert ) );

  246. 	}

  247. }

  248. 

  249. /** Certificate store initialisation function */

  250. struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {

  251. 	.initialise = certstore_init,

  252. };

  253. 

  254. /** Additional certificate setting */

  255. static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {

  256. 	.name = "cert",

  257. 	.description = "Certificate",

  258. 	.tag = DHCP_EB_CERT,

  259. 	.type = &setting_type_hex,

  260. };

  261. 

  262. /**

  263.  * Apply certificate store configuration settings

  264.  *

  265.  * @ret rc		Return status code

  266.  */

  267. static int certstore_apply_settings ( void ) {

  268. 	static struct x509_certificate *cert = NULL;

  269. 	struct x509_certificate *old_cert;

  270. 	void *cert_data;

  271. 	int len;

  272. 	int rc;

  273. 

  274. 	/* Record any existing additional certificate */

  275. 	old_cert = cert;

  276. 	cert = NULL;

  277. 

  278. 	/* Add additional certificate, if any */

  279. 	if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,

  280. 					      &cert_data ) ) >= 0 ) {

  281. 		if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){

  282. 			DBGC ( &certstore, "CERTSTORE added additional "

  283. 			       "certificate %s\n", x509_name ( cert ) );

  284. 		} else {

  285. 			DBGC ( &certstore, "CERTSTORE could not parse "

  286. 			       "additional certificate: %s\n",

  287. 			       strerror ( rc ) );

  288. 			/* Do not fail; leave as an unusable certificate */

  289. 		}

  290. 		free ( cert_data );

  291. 	}

  292. 

  293. 	/* Free old additional certificiate.  Do this after reparsing

  294. 	 * the additional certificate; in the common case that the

  295. 	 * certificate has not changed, this will allow the stored

  296. 	 * certificate to be reused.

  297. 	 */

  298. 	x509_put ( old_cert );

  299. 

  300. 	return 0;

  301. }

  302. 

  303. /** Certificate store settings applicator */

  304. struct settings_applicator certstore_applicator __settings_applicator = {

  305. 	.apply = certstore_apply_settings,

  306. };