robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4699 Commits
2 Branches
Tree: f10726c8bb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f10726c8bb'
${ noResults }
ipxe/src/include/ipxe/x509.h

x509.h 9.4KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393 
  1. #ifndef _IPXE_X509_H

  2. #define _IPXE_X509_H

  3. 

  4. /** @file

  5.  *

  6.  * X.509 certificates

  7.  *

  8.  */

  9. 

  10. FILE_LICENCE ( GPL2_OR_LATER );

  11. 

  12. #include <stdint.h>

  13. #include <stddef.h>

  14. #include <time.h>

  15. #include <ipxe/asn1.h>

  16. #include <ipxe/refcnt.h>

  17. #include <ipxe/list.h>

  18. 

  19. /** An X.509 serial number */

  20. struct x509_serial {

  21. 	/** Raw serial number */

  22. 	struct asn1_cursor raw;

  23. };

  24. 

  25. /** An X.509 issuer */

  26. struct x509_issuer {

  27. 	/** Raw issuer */

  28. 	struct asn1_cursor raw;

  29. };

  30. 

  31. /** An X.509 time */

  32. struct x509_time {

  33. 	/** Seconds since the Epoch */

  34. 	time_t time;

  35. };

  36. 

  37. /** An X.509 certificate validity period */

  38. struct x509_validity {

  39. 	/** Not valid before */

  40. 	struct x509_time not_before;

  41. 	/** Not valid after */

  42. 	struct x509_time not_after;

  43. };

  44. 

  45. /** An X.509 certificate public key */

  46. struct x509_public_key {

  47. 	/** Raw public key information */

  48. 	struct asn1_cursor raw;

  49. 	/** Public key algorithm */

  50. 	struct asn1_algorithm *algorithm;

  51. 	/** Raw public key bit string */

  52. 	struct asn1_bit_string raw_bits;

  53. };

  54. 

  55. /** An X.509 certificate subject */

  56. struct x509_subject {

  57. 	/** Raw subject */

  58. 	struct asn1_cursor raw;

  59. 	/** Common name */

  60. 	struct asn1_cursor common_name;

  61. 	/** Public key information */

  62. 	struct x509_public_key public_key;

  63. };

  64. 

  65. /** An X.509 certificate signature */

  66. struct x509_signature {

  67. 	/** Signature algorithm */

  68. 	struct asn1_algorithm *algorithm;

  69. 	/** Signature value */

  70. 	struct asn1_bit_string value;

  71. };

  72. 

  73. /** An X.509 certificate basic constraints set */

  74. struct x509_basic_constraints {

  75. 	/** Subject is a CA */

  76. 	int ca;

  77. 	/** Path length */

  78. 	unsigned int path_len;

  79. };

  80. 

  81. /** Unlimited path length

  82.  *

  83.  * We use -2U, since this quantity represents one *fewer* than the

  84.  * maximum number of remaining certificates in a chain.

  85.  */

  86. #define X509_PATH_LEN_UNLIMITED -2U

  87. 

  88. /** An X.509 certificate key usage */

  89. struct x509_key_usage {

  90. 	/** Key usage extension is present */

  91. 	int present;

  92. 	/** Usage bits */

  93. 	unsigned int bits;

  94. };

  95. 

  96. /** X.509 certificate key usage bits */

  97. enum x509_key_usage_bits {

  98. 	X509_DIGITAL_SIGNATURE = 0x0080,

  99. 	X509_NON_REPUDIATION = 0x0040,

  100. 	X509_KEY_ENCIPHERMENT = 0x0020,

  101. 	X509_DATA_ENCIPHERMENT = 0x0010,

  102. 	X509_KEY_AGREEMENT = 0x0008,

  103. 	X509_KEY_CERT_SIGN = 0x0004,

  104. 	X509_CRL_SIGN = 0x0002,

  105. 	X509_ENCIPHER_ONLY = 0x0001,

  106. 	X509_DECIPHER_ONLY = 0x8000,

  107. };

  108. 

  109. /** An X.509 certificate extended key usage */

  110. struct x509_extended_key_usage {

  111. 	/** Usage bits */

  112. 	unsigned int bits;

  113. };

  114. 

  115. /** X.509 certificate extended key usage bits

  116.  *

  117.  * Extended key usages are identified by OID; these bits are purely an

  118.  * internal definition.

  119.  */

  120. enum x509_extended_key_usage_bits {

  121. 	X509_CODE_SIGNING = 0x0001,

  122. 	X509_OCSP_SIGNING = 0x0002,

  123. };

  124. 

  125. /** X.509 certificate OCSP responder */

  126. struct x509_ocsp_responder {

  127. 	/** URI */

  128. 	struct asn1_cursor uri;

  129. 	/** OCSP status is good */

  130. 	int good;

  131. };

  132. 

  133. /** X.509 certificate authority information access */

  134. struct x509_authority_info_access {

  135. 	/** OCSP responder */

  136. 	struct x509_ocsp_responder ocsp;

  137. };

  138. 

  139. /** X.509 certificate subject alternative name */

  140. struct x509_subject_alt_name {

  141. 	/** Names */

  142. 	struct asn1_cursor names;

  143. };

  144. 

  145. /** X.509 certificate general name types */

  146. enum x509_general_name_types {

  147. 	X509_GENERAL_NAME_DNS = ASN1_IMPLICIT_TAG ( 2 ),

  148. 	X509_GENERAL_NAME_URI = ASN1_IMPLICIT_TAG ( 6 ),

  149. };

  150. 

  151. /** An X.509 certificate extensions set */

  152. struct x509_extensions {

  153. 	/** Basic constraints */

  154. 	struct x509_basic_constraints basic;

  155. 	/** Key usage */

  156. 	struct x509_key_usage usage;

  157. 	/** Extended key usage */

  158. 	struct x509_extended_key_usage ext_usage;

  159. 	/** Authority information access */

  160. 	struct x509_authority_info_access auth_info;

  161. 	/** Subject alternative name */

  162. 	struct x509_subject_alt_name alt_name;

  163. };

  164. 

  165. /** A link in an X.509 certificate chain */

  166. struct x509_link {

  167. 	/** List of links */

  168. 	struct list_head list;

  169. 	/** Certificate */

  170. 	struct x509_certificate *cert;

  171. };

  172. 

  173. /** An X.509 certificate chain */

  174. struct x509_chain {

  175. 	/** Reference count */

  176. 	struct refcnt refcnt;

  177. 	/** List of links */

  178. 	struct list_head links;

  179. };

  180. 

  181. /** An X.509 certificate */

  182. struct x509_certificate {

  183. 	/** Reference count */

  184. 	struct refcnt refcnt;

  185. 

  186. 	/** Link in certificate store */

  187. 	struct x509_link store;

  188. 

  189. 	/** Certificate has been validated */

  190. 	int valid;

  191. 	/** Maximum number of subsequent certificates in chain */

  192. 	unsigned int path_remaining;

  193. 

  194. 	/** Raw certificate */

  195. 	struct asn1_cursor raw;

  196. 	/** Version */

  197. 	unsigned int version;

  198. 	/** Serial number */

  199. 	struct x509_serial serial;

  200. 	/** Raw tbsCertificate */

  201. 	struct asn1_cursor tbs;

  202. 	/** Signature algorithm */

  203. 	struct asn1_algorithm *signature_algorithm;

  204. 	/** Issuer */

  205. 	struct x509_issuer issuer;

  206. 	/** Validity */

  207. 	struct x509_validity validity;

  208. 	/** Subject */

  209. 	struct x509_subject subject;

  210. 	/** Signature */

  211. 	struct x509_signature signature;

  212. 	/** Extensions */

  213. 	struct x509_extensions extensions;

  214. };

  215. 

  216. /**

  217.  * Get reference to X.509 certificate

  218.  *

  219.  * @v cert		X.509 certificate

  220.  * @ret cert		X.509 certificate

  221.  */

  222. static inline __attribute__ (( always_inline )) struct x509_certificate *

  223. x509_get ( struct x509_certificate *cert ) {

  224. 	ref_get ( &cert->refcnt );

  225. 	return cert;

  226. }

  227. 

  228. /**

  229.  * Drop reference to X.509 certificate

  230.  *

  231.  * @v cert		X.509 certificate

  232.  */

  233. static inline __attribute__ (( always_inline )) void

  234. x509_put ( struct x509_certificate *cert ) {

  235. 	ref_put ( &cert->refcnt );

  236. }

  237. 

  238. /**

  239.  * Get reference to X.509 certificate chain

  240.  *

  241.  * @v chain		X.509 certificate chain

  242.  * @ret chain		X.509 certificate chain

  243.  */

  244. static inline __attribute__ (( always_inline )) struct x509_chain *

  245. x509_chain_get ( struct x509_chain *chain ) {

  246. 	ref_get ( &chain->refcnt );

  247. 	return chain;

  248. }

  249. 

  250. /**

  251.  * Drop reference to X.509 certificate chain

  252.  *

  253.  * @v chain		X.509 certificate chain

  254.  */

  255. static inline __attribute__ (( always_inline )) void

  256. x509_chain_put ( struct x509_chain *chain ) {

  257. 	ref_put ( &chain->refcnt );

  258. }

  259. 

  260. /**

  261.  * Get first certificate in X.509 certificate chain

  262.  *

  263.  * @v chain		X.509 certificate chain

  264.  * @ret cert		X.509 certificate, or NULL

  265.  */

  266. static inline __attribute__ (( always_inline )) struct x509_certificate *

  267. x509_first ( struct x509_chain *chain ) {

  268. 	struct x509_link *link;

  269. 

  270. 	link = list_first_entry ( &chain->links, struct x509_link, list );

  271. 	return ( link ? link->cert : NULL );

  272. }

  273. 

  274. /**

  275.  * Get last certificate in X.509 certificate chain

  276.  *

  277.  * @v chain		X.509 certificate chain

  278.  * @ret cert		X.509 certificate, or NULL

  279.  */

  280. static inline __attribute__ (( always_inline )) struct x509_certificate *

  281. x509_last ( struct x509_chain *chain ) {

  282. 	struct x509_link *link;

  283. 

  284. 	link = list_last_entry ( &chain->links, struct x509_link, list );

  285. 	return ( link ? link->cert : NULL );

  286. }

  287. 

  288. /** An X.509 extension */

  289. struct x509_extension {

  290. 	/** Name */

  291. 	const char *name;

  292. 	/** Object identifier */

  293. 	struct asn1_cursor oid;

  294. 	/** Parse extension

  295. 	 *

  296. 	 * @v cert		X.509 certificate

  297. 	 * @v raw		ASN.1 cursor

  298. 	 * @ret rc		Return status code

  299. 	 */

  300. 	int ( * parse ) ( struct x509_certificate *cert,

  301. 			  const struct asn1_cursor *raw );

  302. };

  303. 

  304. /** An X.509 key purpose */

  305. struct x509_key_purpose {

  306. 	/** Name */

  307. 	const char *name;

  308. 	/** Object identifier */

  309. 	struct asn1_cursor oid;

  310. 	/** Extended key usage bits */

  311. 	unsigned int bits;

  312. };

  313. 

  314. /** An X.509 access method */

  315. struct x509_access_method {

  316. 	/** Name */

  317. 	const char *name;

  318. 	/** Object identifier */

  319. 	struct asn1_cursor oid;

  320. 	/** Parse access method

  321. 	 *

  322. 	 * @v cert		X.509 certificate

  323. 	 * @v raw		ASN.1 cursor

  324. 	 * @ret rc		Return status code

  325. 	 */

  326. 	int ( * parse ) ( struct x509_certificate *cert,

  327. 			  const struct asn1_cursor *raw );

  328. };

  329. 

  330. /** An X.509 root certificate store */

  331. struct x509_root {

  332. 	/** Fingerprint digest algorithm */

  333. 	struct digest_algorithm *digest;

  334. 	/** Number of certificates */

  335. 	unsigned int count;

  336. 	/** Certificate fingerprints */

  337. 	const void *fingerprints;

  338. };

  339. 

  340. extern const char * x509_name ( struct x509_certificate *cert );

  341. extern int x509_parse ( struct x509_certificate *cert,

  342. 			const struct asn1_cursor *raw );

  343. extern int x509_certificate ( const void *data, size_t len,

  344. 			      struct x509_certificate **cert );

  345. extern int x509_validate ( struct x509_certificate *cert,

  346. 			   struct x509_certificate *issuer,

  347. 			   time_t time, struct x509_root *root );

  348. extern int x509_check_name ( struct x509_certificate *cert, const char *name );

  349. 

  350. extern struct x509_chain * x509_alloc_chain ( void );

  351. extern int x509_append ( struct x509_chain *chain,

  352. 			 struct x509_certificate *cert );

  353. extern int x509_append_raw ( struct x509_chain *chain, const void *data,

  354. 			     size_t len );

  355. extern int x509_auto_append ( struct x509_chain *chain,

  356. 			      struct x509_chain *certs );

  357. extern int x509_validate_chain ( struct x509_chain *chain, time_t time,

  358. 				 struct x509_chain *store,

  359. 				 struct x509_root *root );

  360. 

  361. /* Functions exposed only for unit testing */

  362. extern int x509_check_issuer ( struct x509_certificate *cert,

  363. 			       struct x509_certificate *issuer );

  364. extern void x509_fingerprint ( struct x509_certificate *cert,

  365. 			       struct digest_algorithm *digest,

  366. 			       void *fingerprint );

  367. extern int x509_check_root ( struct x509_certificate *cert,

  368. 			     struct x509_root *root );

  369. extern int x509_check_time ( struct x509_certificate *cert, time_t time );

  370. 

  371. /**

  372.  * Invalidate X.509 certificate

  373.  *

  374.  * @v cert		X.509 certificate

  375.  */

  376. static inline void x509_invalidate ( struct x509_certificate *cert ) {

  377. 	cert->valid = 0;

  378. 	cert->path_remaining = 0;

  379. }

  380. 

  381. /**

  382.  * Invalidate X.509 certificate chain

  383.  *

  384.  * @v chain		X.509 certificate chain

  385.  */

  386. static inline void x509_invalidate_chain ( struct x509_chain *chain ) {

  387. 	struct x509_link *link;

  388. 

  389. 	list_for_each_entry ( link, &chain->links, list )

  390. 		x509_invalidate ( link->cert );

  391. }

  392. 

  393. #endif /* _IPXE_X509_H */