You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

x509.c 48KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772
  1. /*
  2. * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. *
  19. * You can also choose to distribute this program under the terms of
  20. * the Unmodified Binary Distribution Licence (as given in the file
  21. * COPYING.UBDL), provided that you have satisfied its requirements.
  22. */
  23. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  24. #include <stdlib.h>
  25. #include <string.h>
  26. #include <errno.h>
  27. #include <assert.h>
  28. #include <ipxe/list.h>
  29. #include <ipxe/base16.h>
  30. #include <ipxe/asn1.h>
  31. #include <ipxe/crypto.h>
  32. #include <ipxe/md5.h>
  33. #include <ipxe/sha1.h>
  34. #include <ipxe/sha256.h>
  35. #include <ipxe/rsa.h>
  36. #include <ipxe/rootcert.h>
  37. #include <ipxe/certstore.h>
  38. #include <ipxe/socket.h>
  39. #include <ipxe/in.h>
  40. #include <ipxe/x509.h>
  41. #include <config/crypto.h>
  42. /** @file
  43. *
  44. * X.509 certificates
  45. *
  46. * The structure of X.509v3 certificates is documented in RFC 5280
  47. * section 4.1.
  48. */
  49. /* Disambiguate the various error causes */
  50. #define ENOTSUP_ALGORITHM \
  51. __einfo_error ( EINFO_ENOTSUP_ALGORITHM )
  52. #define EINFO_ENOTSUP_ALGORITHM \
  53. __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unsupported algorithm" )
  54. #define ENOTSUP_EXTENSION \
  55. __einfo_error ( EINFO_ENOTSUP_EXTENSION )
  56. #define EINFO_ENOTSUP_EXTENSION \
  57. __einfo_uniqify ( EINFO_ENOTSUP, 0x02, "Unsupported extension" )
  58. #define EINVAL_ALGORITHM \
  59. __einfo_error ( EINFO_EINVAL_ALGORITHM )
  60. #define EINFO_EINVAL_ALGORITHM \
  61. __einfo_uniqify ( EINFO_EINVAL, 0x01, "Invalid algorithm type" )
  62. #define EINVAL_ALGORITHM_MISMATCH \
  63. __einfo_error ( EINFO_EINVAL_ALGORITHM_MISMATCH )
  64. #define EINFO_EINVAL_ALGORITHM_MISMATCH \
  65. __einfo_uniqify ( EINFO_EINVAL, 0x04, "Signature algorithm mismatch" )
  66. #define EINVAL_PATH_LEN \
  67. __einfo_error ( EINFO_EINVAL_PATH_LEN )
  68. #define EINFO_EINVAL_PATH_LEN \
  69. __einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid pathLenConstraint" )
  70. #define EINVAL_VERSION \
  71. __einfo_error ( EINFO_EINVAL_VERSION )
  72. #define EINFO_EINVAL_VERSION \
  73. __einfo_uniqify ( EINFO_EINVAL, 0x06, "Invalid version" )
  74. #define EACCES_WRONG_ISSUER \
  75. __einfo_error ( EINFO_EACCES_WRONG_ISSUER )
  76. #define EINFO_EACCES_WRONG_ISSUER \
  77. __einfo_uniqify ( EINFO_EACCES, 0x01, "Wrong issuer" )
  78. #define EACCES_NOT_CA \
  79. __einfo_error ( EINFO_EACCES_NOT_CA )
  80. #define EINFO_EACCES_NOT_CA \
  81. __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a CA certificate" )
  82. #define EACCES_KEY_USAGE \
  83. __einfo_error ( EINFO_EACCES_KEY_USAGE )
  84. #define EINFO_EACCES_KEY_USAGE \
  85. __einfo_uniqify ( EINFO_EACCES, 0x03, "Incorrect key usage" )
  86. #define EACCES_EXPIRED \
  87. __einfo_error ( EINFO_EACCES_EXPIRED )
  88. #define EINFO_EACCES_EXPIRED \
  89. __einfo_uniqify ( EINFO_EACCES, 0x04, "Expired (or not yet valid)" )
  90. #define EACCES_PATH_LEN \
  91. __einfo_error ( EINFO_EACCES_PATH_LEN )
  92. #define EINFO_EACCES_PATH_LEN \
  93. __einfo_uniqify ( EINFO_EACCES, 0x05, "Maximum path length exceeded" )
  94. #define EACCES_UNTRUSTED \
  95. __einfo_error ( EINFO_EACCES_UNTRUSTED )
  96. #define EINFO_EACCES_UNTRUSTED \
  97. __einfo_uniqify ( EINFO_EACCES, 0x06, "Untrusted root certificate" )
  98. #define EACCES_OUT_OF_ORDER \
  99. __einfo_error ( EINFO_EACCES_OUT_OF_ORDER )
  100. #define EINFO_EACCES_OUT_OF_ORDER \
  101. __einfo_uniqify ( EINFO_EACCES, 0x07, "Validation out of order" )
  102. #define EACCES_EMPTY \
  103. __einfo_error ( EINFO_EACCES_EMPTY )
  104. #define EINFO_EACCES_EMPTY \
  105. __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
  106. #define EACCES_OCSP_REQUIRED \
  107. __einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
  108. #define EINFO_EACCES_OCSP_REQUIRED \
  109. __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
  110. #define EACCES_WRONG_NAME \
  111. __einfo_error ( EINFO_EACCES_WRONG_NAME )
  112. #define EINFO_EACCES_WRONG_NAME \
  113. __einfo_uniqify ( EINFO_EACCES, 0x0a, "Incorrect certificate name" )
  114. #define EACCES_USELESS \
  115. __einfo_error ( EINFO_EACCES_USELESS )
  116. #define EINFO_EACCES_USELESS \
  117. __einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )
  118. /**
  119. * Get X.509 certificate name (for debugging)
  120. *
  121. * @v cert X.509 certificate
  122. * @ret name Name (for debugging)
  123. */
  124. const char * x509_name ( struct x509_certificate *cert ) {
  125. struct asn1_cursor *common_name = &cert->subject.common_name;
  126. struct digest_algorithm *digest = &sha1_algorithm;
  127. static char buf[64];
  128. uint8_t fingerprint[ digest->digestsize ];
  129. size_t len;
  130. len = common_name->len;
  131. if ( len ) {
  132. /* Certificate has a commonName: use that */
  133. if ( len > ( sizeof ( buf ) - 1 /* NUL */ ) )
  134. len = ( sizeof ( buf ) - 1 /* NUL */ );
  135. memcpy ( buf, common_name->data, len );
  136. buf[len] = '\0';
  137. } else {
  138. /* Certificate has no commonName: use SHA-1 fingerprint */
  139. x509_fingerprint ( cert, digest, fingerprint );
  140. base16_encode ( fingerprint, sizeof ( fingerprint ), buf );
  141. }
  142. return buf;
  143. }
  144. /** "commonName" object identifier */
  145. static uint8_t oid_common_name[] = { ASN1_OID_COMMON_NAME };
  146. /** "commonName" object identifier cursor */
  147. static struct asn1_cursor oid_common_name_cursor =
  148. ASN1_OID_CURSOR ( oid_common_name );
  149. /**
  150. * Parse X.509 certificate version
  151. *
  152. * @v cert X.509 certificate
  153. * @v raw ASN.1 cursor
  154. * @ret rc Return status code
  155. */
  156. static int x509_parse_version ( struct x509_certificate *cert,
  157. const struct asn1_cursor *raw ) {
  158. struct asn1_cursor cursor;
  159. int version;
  160. int rc;
  161. /* Enter version */
  162. memcpy ( &cursor, raw, sizeof ( cursor ) );
  163. asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
  164. /* Parse integer */
  165. if ( ( rc = asn1_integer ( &cursor, &version ) ) != 0 ) {
  166. DBGC ( cert, "X509 %p cannot parse version: %s\n",
  167. cert, strerror ( rc ) );
  168. DBGC_HDA ( cert, 0, raw->data, raw->len );
  169. return rc;
  170. }
  171. /* Sanity check */
  172. if ( version < 0 ) {
  173. DBGC ( cert, "X509 %p invalid version %d\n", cert, version );
  174. DBGC_HDA ( cert, 0, raw->data, raw->len );
  175. return -EINVAL_VERSION;
  176. }
  177. /* Record version */
  178. cert->version = version;
  179. DBGC2 ( cert, "X509 %p is a version %d certificate\n",
  180. cert, ( cert->version + 1 ) );
  181. return 0;
  182. }
  183. /**
  184. * Parse X.509 certificate serial number
  185. *
  186. * @v cert X.509 certificate
  187. * @v raw ASN.1 cursor
  188. * @ret rc Return status code
  189. */
  190. static int x509_parse_serial ( struct x509_certificate *cert,
  191. const struct asn1_cursor *raw ) {
  192. struct x509_serial *serial = &cert->serial;
  193. int rc;
  194. /* Record raw serial number */
  195. memcpy ( &serial->raw, raw, sizeof ( serial->raw ) );
  196. if ( ( rc = asn1_shrink ( &serial->raw, ASN1_INTEGER ) ) != 0 ) {
  197. DBGC ( cert, "X509 %p cannot shrink serialNumber: %s\n",
  198. cert, strerror ( rc ) );
  199. return rc;
  200. }
  201. DBGC2 ( cert, "X509 %p issuer is:\n", cert );
  202. DBGC2_HDA ( cert, 0, serial->raw.data, serial->raw.len );
  203. return 0;
  204. }
  205. /**
  206. * Parse X.509 certificate issuer
  207. *
  208. * @v cert X.509 certificate
  209. * @v raw ASN.1 cursor
  210. * @ret rc Return status code
  211. */
  212. static int x509_parse_issuer ( struct x509_certificate *cert,
  213. const struct asn1_cursor *raw ) {
  214. struct x509_issuer *issuer = &cert->issuer;
  215. int rc;
  216. /* Record raw issuer */
  217. memcpy ( &issuer->raw, raw, sizeof ( issuer->raw ) );
  218. if ( ( rc = asn1_shrink ( &issuer->raw, ASN1_SEQUENCE ) ) != 0 ) {
  219. DBGC ( cert, "X509 %p cannot shrink issuer: %s\n",
  220. cert, strerror ( rc ) );
  221. return rc;
  222. }
  223. DBGC2 ( cert, "X509 %p issuer is:\n", cert );
  224. DBGC2_HDA ( cert, 0, issuer->raw.data, issuer->raw.len );
  225. return 0;
  226. }
  227. /**
  228. * Parse X.509 certificate validity
  229. *
  230. * @v cert X.509 certificate
  231. * @v raw ASN.1 cursor
  232. * @ret rc Return status code
  233. */
  234. static int x509_parse_validity ( struct x509_certificate *cert,
  235. const struct asn1_cursor *raw ) {
  236. struct x509_validity *validity = &cert->validity;
  237. struct x509_time *not_before = &validity->not_before;
  238. struct x509_time *not_after = &validity->not_after;
  239. struct asn1_cursor cursor;
  240. int rc;
  241. /* Enter validity */
  242. memcpy ( &cursor, raw, sizeof ( cursor ) );
  243. asn1_enter ( &cursor, ASN1_SEQUENCE );
  244. /* Parse notBefore */
  245. if ( ( rc = asn1_generalized_time ( &cursor,
  246. &not_before->time ) ) != 0 ) {
  247. DBGC ( cert, "X509 %p cannot parse notBefore: %s\n",
  248. cert, strerror ( rc ) );
  249. return rc;
  250. }
  251. DBGC2 ( cert, "X509 %p valid from time %lld\n",
  252. cert, not_before->time );
  253. asn1_skip_any ( &cursor );
  254. /* Parse notAfter */
  255. if ( ( rc = asn1_generalized_time ( &cursor,
  256. &not_after->time ) ) != 0 ) {
  257. DBGC ( cert, "X509 %p cannot parse notAfter: %s\n",
  258. cert, strerror ( rc ) );
  259. return rc;
  260. }
  261. DBGC2 ( cert, "X509 %p valid until time %lld\n",
  262. cert, not_after->time );
  263. return 0;
  264. }
  265. /**
  266. * Parse X.509 certificate common name
  267. *
  268. * @v cert X.509 certificate
  269. * @v raw ASN.1 cursor
  270. * @ret rc Return status code
  271. */
  272. static int x509_parse_common_name ( struct x509_certificate *cert,
  273. const struct asn1_cursor *raw ) {
  274. struct asn1_cursor cursor;
  275. struct asn1_cursor oid_cursor;
  276. struct asn1_cursor name_cursor;
  277. int rc;
  278. /* Enter name */
  279. memcpy ( &cursor, raw, sizeof ( cursor ) );
  280. asn1_enter ( &cursor, ASN1_SEQUENCE );
  281. /* Scan through name list */
  282. for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {
  283. /* Check for "commonName" OID */
  284. memcpy ( &oid_cursor, &cursor, sizeof ( oid_cursor ) );
  285. asn1_enter ( &oid_cursor, ASN1_SET );
  286. asn1_enter ( &oid_cursor, ASN1_SEQUENCE );
  287. memcpy ( &name_cursor, &oid_cursor, sizeof ( name_cursor ) );
  288. asn1_enter ( &oid_cursor, ASN1_OID );
  289. if ( asn1_compare ( &oid_common_name_cursor, &oid_cursor ) != 0)
  290. continue;
  291. asn1_skip_any ( &name_cursor );
  292. if ( ( rc = asn1_enter_any ( &name_cursor ) ) != 0 ) {
  293. DBGC ( cert, "X509 %p cannot locate name:\n", cert );
  294. DBGC_HDA ( cert, 0, raw->data, raw->len );
  295. return rc;
  296. }
  297. /* Record common name */
  298. memcpy ( &cert->subject.common_name, &name_cursor,
  299. sizeof ( cert->subject.common_name ) );
  300. return 0;
  301. }
  302. /* Certificates may not have a commonName */
  303. DBGC2 ( cert, "X509 %p no commonName found:\n", cert );
  304. return 0;
  305. }
  306. /**
  307. * Parse X.509 certificate subject
  308. *
  309. * @v cert X.509 certificate
  310. * @v raw ASN.1 cursor
  311. * @ret rc Return status code
  312. */
  313. static int x509_parse_subject ( struct x509_certificate *cert,
  314. const struct asn1_cursor *raw ) {
  315. struct x509_subject *subject = &cert->subject;
  316. int rc;
  317. /* Record raw subject */
  318. memcpy ( &subject->raw, raw, sizeof ( subject->raw ) );
  319. asn1_shrink_any ( &subject->raw );
  320. DBGC2 ( cert, "X509 %p subject is:\n", cert );
  321. DBGC2_HDA ( cert, 0, subject->raw.data, subject->raw.len );
  322. /* Parse common name */
  323. if ( ( rc = x509_parse_common_name ( cert, raw ) ) != 0 )
  324. return rc;
  325. DBGC2 ( cert, "X509 %p common name is \"%s\":\n", cert,
  326. x509_name ( cert ) );
  327. return 0;
  328. }
  329. /**
  330. * Parse X.509 certificate public key information
  331. *
  332. * @v cert X.509 certificate
  333. * @v raw ASN.1 cursor
  334. * @ret rc Return status code
  335. */
  336. static int x509_parse_public_key ( struct x509_certificate *cert,
  337. const struct asn1_cursor *raw ) {
  338. struct x509_public_key *public_key = &cert->subject.public_key;
  339. struct asn1_algorithm **algorithm = &public_key->algorithm;
  340. struct asn1_bit_string *raw_bits = &public_key->raw_bits;
  341. struct asn1_cursor cursor;
  342. int rc;
  343. /* Record raw subjectPublicKeyInfo */
  344. memcpy ( &cursor, raw, sizeof ( cursor ) );
  345. asn1_shrink_any ( &cursor );
  346. memcpy ( &public_key->raw, &cursor, sizeof ( public_key->raw ) );
  347. DBGC2 ( cert, "X509 %p public key is:\n", cert );
  348. DBGC2_HDA ( cert, 0, public_key->raw.data, public_key->raw.len );
  349. /* Enter subjectPublicKeyInfo */
  350. asn1_enter ( &cursor, ASN1_SEQUENCE );
  351. /* Parse algorithm */
  352. if ( ( rc = asn1_pubkey_algorithm ( &cursor, algorithm ) ) != 0 ) {
  353. DBGC ( cert, "X509 %p could not parse public key algorithm: "
  354. "%s\n", cert, strerror ( rc ) );
  355. return rc;
  356. }
  357. DBGC2 ( cert, "X509 %p public key algorithm is %s\n",
  358. cert, (*algorithm)->name );
  359. asn1_skip_any ( &cursor );
  360. /* Parse bit string */
  361. if ( ( rc = asn1_bit_string ( &cursor, raw_bits ) ) != 0 ) {
  362. DBGC ( cert, "X509 %p could not parse public key bits: %s\n",
  363. cert, strerror ( rc ) );
  364. return rc;
  365. }
  366. return 0;
  367. }
  368. /**
  369. * Parse X.509 certificate basic constraints
  370. *
  371. * @v cert X.509 certificate
  372. * @v raw ASN.1 cursor
  373. * @ret rc Return status code
  374. */
  375. static int x509_parse_basic_constraints ( struct x509_certificate *cert,
  376. const struct asn1_cursor *raw ) {
  377. struct x509_basic_constraints *basic = &cert->extensions.basic;
  378. struct asn1_cursor cursor;
  379. int ca = 0;
  380. int path_len;
  381. int rc;
  382. /* Enter basicConstraints */
  383. memcpy ( &cursor, raw, sizeof ( cursor ) );
  384. asn1_enter ( &cursor, ASN1_SEQUENCE );
  385. /* Parse "cA", if present */
  386. if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
  387. ca = asn1_boolean ( &cursor );
  388. if ( ca < 0 ) {
  389. rc = ca;
  390. DBGC ( cert, "X509 %p cannot parse cA: %s\n",
  391. cert, strerror ( rc ) );
  392. DBGC_HDA ( cert, 0, raw->data, raw->len );
  393. return rc;
  394. }
  395. asn1_skip_any ( &cursor );
  396. }
  397. basic->ca = ca;
  398. DBGC2 ( cert, "X509 %p is %sa CA certificate\n",
  399. cert, ( basic->ca ? "" : "not " ) );
  400. /* Ignore everything else unless "cA" is true */
  401. if ( ! ca )
  402. return 0;
  403. /* Parse "pathLenConstraint", if present and applicable */
  404. basic->path_len = X509_PATH_LEN_UNLIMITED;
  405. if ( asn1_type ( &cursor ) == ASN1_INTEGER ) {
  406. if ( ( rc = asn1_integer ( &cursor, &path_len ) ) != 0 ) {
  407. DBGC ( cert, "X509 %p cannot parse pathLenConstraint: "
  408. "%s\n", cert, strerror ( rc ) );
  409. DBGC_HDA ( cert, 0, raw->data, raw->len );
  410. return rc;
  411. }
  412. if ( path_len < 0 ) {
  413. DBGC ( cert, "X509 %p invalid pathLenConstraint %d\n",
  414. cert, path_len );
  415. DBGC_HDA ( cert, 0, raw->data, raw->len );
  416. return -EINVAL;
  417. }
  418. basic->path_len = path_len;
  419. DBGC2 ( cert, "X509 %p path length constraint is %d\n",
  420. cert, basic->path_len );
  421. }
  422. return 0;
  423. }
  424. /**
  425. * Parse X.509 certificate key usage
  426. *
  427. * @v cert X.509 certificate
  428. * @v raw ASN.1 cursor
  429. * @ret rc Return status code
  430. */
  431. static int x509_parse_key_usage ( struct x509_certificate *cert,
  432. const struct asn1_cursor *raw ) {
  433. struct x509_key_usage *usage = &cert->extensions.usage;
  434. struct asn1_bit_string bit_string;
  435. const uint8_t *bytes;
  436. size_t len;
  437. unsigned int i;
  438. int rc;
  439. /* Mark extension as present */
  440. usage->present = 1;
  441. /* Parse bit string */
  442. if ( ( rc = asn1_bit_string ( raw, &bit_string ) ) != 0 ) {
  443. DBGC ( cert, "X509 %p could not parse key usage: %s\n",
  444. cert, strerror ( rc ) );
  445. return rc;
  446. }
  447. /* Parse key usage bits */
  448. bytes = bit_string.data;
  449. len = bit_string.len;
  450. if ( len > sizeof ( usage->bits ) )
  451. len = sizeof ( usage->bits );
  452. for ( i = 0 ; i < len ; i++ ) {
  453. usage->bits |= ( *(bytes++) << ( 8 * i ) );
  454. }
  455. DBGC2 ( cert, "X509 %p key usage is %08x\n", cert, usage->bits );
  456. return 0;
  457. }
  458. /** "id-kp-codeSigning" object identifier */
  459. static uint8_t oid_code_signing[] = { ASN1_OID_CODESIGNING };
  460. /** "id-kp-OCSPSigning" object identifier */
  461. static uint8_t oid_ocsp_signing[] = { ASN1_OID_OCSPSIGNING };
  462. /** Supported key purposes */
  463. static struct x509_key_purpose x509_key_purposes[] = {
  464. {
  465. .name = "codeSigning",
  466. .bits = X509_CODE_SIGNING,
  467. .oid = ASN1_OID_CURSOR ( oid_code_signing ),
  468. },
  469. {
  470. .name = "ocspSigning",
  471. .bits = X509_OCSP_SIGNING,
  472. .oid = ASN1_OID_CURSOR ( oid_ocsp_signing ),
  473. },
  474. };
  475. /**
  476. * Parse X.509 certificate key purpose identifier
  477. *
  478. * @v cert X.509 certificate
  479. * @v raw ASN.1 cursor
  480. * @ret rc Return status code
  481. */
  482. static int x509_parse_key_purpose ( struct x509_certificate *cert,
  483. const struct asn1_cursor *raw ) {
  484. struct x509_extended_key_usage *ext_usage = &cert->extensions.ext_usage;
  485. struct x509_key_purpose *purpose;
  486. struct asn1_cursor cursor;
  487. unsigned int i;
  488. int rc;
  489. /* Enter keyPurposeId */
  490. memcpy ( &cursor, raw, sizeof ( cursor ) );
  491. if ( ( rc = asn1_enter ( &cursor, ASN1_OID ) ) != 0 ) {
  492. DBGC ( cert, "X509 %p invalid keyPurposeId:\n", cert );
  493. DBGC_HDA ( cert, 0, raw->data, raw->len );
  494. return rc;
  495. }
  496. /* Identify key purpose */
  497. for ( i = 0 ; i < ( sizeof ( x509_key_purposes ) /
  498. sizeof ( x509_key_purposes[0] ) ) ; i++ ) {
  499. purpose = &x509_key_purposes[i];
  500. if ( asn1_compare ( &cursor, &purpose->oid ) == 0 ) {
  501. DBGC2 ( cert, "X509 %p has key purpose %s\n",
  502. cert, purpose->name );
  503. ext_usage->bits |= purpose->bits;
  504. return 0;
  505. }
  506. }
  507. /* Ignore unrecognised key purposes */
  508. return 0;
  509. }
  510. /**
  511. * Parse X.509 certificate extended key usage
  512. *
  513. * @v cert X.509 certificate
  514. * @v raw ASN.1 cursor
  515. * @ret rc Return status code
  516. */
  517. static int x509_parse_extended_key_usage ( struct x509_certificate *cert,
  518. const struct asn1_cursor *raw ) {
  519. struct asn1_cursor cursor;
  520. int rc;
  521. /* Enter extKeyUsage */
  522. memcpy ( &cursor, raw, sizeof ( cursor ) );
  523. asn1_enter ( &cursor, ASN1_SEQUENCE );
  524. /* Parse each extended key usage in turn */
  525. while ( cursor.len ) {
  526. if ( ( rc = x509_parse_key_purpose ( cert, &cursor ) ) != 0 )
  527. return rc;
  528. asn1_skip_any ( &cursor );
  529. }
  530. return 0;
  531. }
  532. /**
  533. * Parse X.509 certificate OCSP access method
  534. *
  535. * @v cert X.509 certificate
  536. * @v raw ASN.1 cursor
  537. * @ret rc Return status code
  538. */
  539. static int x509_parse_ocsp ( struct x509_certificate *cert,
  540. const struct asn1_cursor *raw ) {
  541. struct x509_ocsp_responder *ocsp = &cert->extensions.auth_info.ocsp;
  542. struct asn1_cursor *uri = &ocsp->uri;
  543. int rc;
  544. /* Enter accessLocation */
  545. memcpy ( uri, raw, sizeof ( *uri ) );
  546. if ( ( rc = asn1_enter ( uri, X509_GENERAL_NAME_URI ) ) != 0 ) {
  547. DBGC ( cert, "X509 %p OCSP does not contain "
  548. "uniformResourceIdentifier:\n", cert );
  549. DBGC_HDA ( cert, 0, raw->data, raw->len );
  550. return rc;
  551. }
  552. DBGC2 ( cert, "X509 %p OCSP URI is:\n", cert );
  553. DBGC2_HDA ( cert, 0, uri->data, uri->len );
  554. return 0;
  555. }
  556. /** "id-ad-ocsp" object identifier */
  557. static uint8_t oid_ad_ocsp[] = { ASN1_OID_OCSP };
  558. /** Supported access methods */
  559. static struct x509_access_method x509_access_methods[] = {
  560. {
  561. .name = "OCSP",
  562. .oid = ASN1_OID_CURSOR ( oid_ad_ocsp ),
  563. .parse = x509_parse_ocsp,
  564. },
  565. };
  566. /**
  567. * Identify X.509 access method by OID
  568. *
  569. * @v oid OID
  570. * @ret method Access method, or NULL
  571. */
  572. static struct x509_access_method *
  573. x509_find_access_method ( const struct asn1_cursor *oid ) {
  574. struct x509_access_method *method;
  575. unsigned int i;
  576. for ( i = 0 ; i < ( sizeof ( x509_access_methods ) /
  577. sizeof ( x509_access_methods[0] ) ) ; i++ ) {
  578. method = &x509_access_methods[i];
  579. if ( asn1_compare ( &method->oid, oid ) == 0 )
  580. return method;
  581. }
  582. return NULL;
  583. }
  584. /**
  585. * Parse X.509 certificate access description
  586. *
  587. * @v cert X.509 certificate
  588. * @v raw ASN.1 cursor
  589. * @ret rc Return status code
  590. */
  591. static int x509_parse_access_description ( struct x509_certificate *cert,
  592. const struct asn1_cursor *raw ) {
  593. struct asn1_cursor cursor;
  594. struct asn1_cursor subcursor;
  595. struct x509_access_method *method;
  596. int rc;
  597. /* Enter keyPurposeId */
  598. memcpy ( &cursor, raw, sizeof ( cursor ) );
  599. asn1_enter ( &cursor, ASN1_SEQUENCE );
  600. /* Try to identify access method */
  601. memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
  602. asn1_enter ( &subcursor, ASN1_OID );
  603. method = x509_find_access_method ( &subcursor );
  604. asn1_skip_any ( &cursor );
  605. DBGC2 ( cert, "X509 %p found access method %s\n",
  606. cert, ( method ? method->name : "<unknown>" ) );
  607. /* Parse access location, if applicable */
  608. if ( method && ( ( rc = method->parse ( cert, &cursor ) ) != 0 ) )
  609. return rc;
  610. return 0;
  611. }
  612. /**
  613. * Parse X.509 certificate authority information access
  614. *
  615. * @v cert X.509 certificate
  616. * @v raw ASN.1 cursor
  617. * @ret rc Return status code
  618. */
  619. static int x509_parse_authority_info_access ( struct x509_certificate *cert,
  620. const struct asn1_cursor *raw ) {
  621. struct asn1_cursor cursor;
  622. int rc;
  623. /* Enter authorityInfoAccess */
  624. memcpy ( &cursor, raw, sizeof ( cursor ) );
  625. asn1_enter ( &cursor, ASN1_SEQUENCE );
  626. /* Parse each access description in turn */
  627. while ( cursor.len ) {
  628. if ( ( rc = x509_parse_access_description ( cert,
  629. &cursor ) ) != 0 )
  630. return rc;
  631. asn1_skip_any ( &cursor );
  632. }
  633. return 0;
  634. }
  635. /**
  636. * Parse X.509 certificate subject alternative name
  637. *
  638. * @v cert X.509 certificate
  639. * @v raw ASN.1 cursor
  640. * @ret rc Return status code
  641. */
  642. static int x509_parse_subject_alt_name ( struct x509_certificate *cert,
  643. const struct asn1_cursor *raw ) {
  644. struct x509_subject_alt_name *alt_name = &cert->extensions.alt_name;
  645. struct asn1_cursor *names = &alt_name->names;
  646. int rc;
  647. /* Enter subjectAltName */
  648. memcpy ( names, raw, sizeof ( *names ) );
  649. if ( ( rc = asn1_enter ( names, ASN1_SEQUENCE ) ) != 0 ) {
  650. DBGC ( cert, "X509 %p invalid subjectAltName: %s\n",
  651. cert, strerror ( rc ) );
  652. DBGC_HDA ( cert, 0, raw->data, raw->len );
  653. return rc;
  654. }
  655. DBGC2 ( cert, "X509 %p has subjectAltName:\n", cert );
  656. DBGC2_HDA ( cert, 0, names->data, names->len );
  657. return 0;
  658. }
  659. /** "id-ce-basicConstraints" object identifier */
  660. static uint8_t oid_ce_basic_constraints[] =
  661. { ASN1_OID_BASICCONSTRAINTS };
  662. /** "id-ce-keyUsage" object identifier */
  663. static uint8_t oid_ce_key_usage[] =
  664. { ASN1_OID_KEYUSAGE };
  665. /** "id-ce-extKeyUsage" object identifier */
  666. static uint8_t oid_ce_ext_key_usage[] =
  667. { ASN1_OID_EXTKEYUSAGE };
  668. /** "id-pe-authorityInfoAccess" object identifier */
  669. static uint8_t oid_pe_authority_info_access[] =
  670. { ASN1_OID_AUTHORITYINFOACCESS };
  671. /** "id-ce-subjectAltName" object identifier */
  672. static uint8_t oid_ce_subject_alt_name[] =
  673. { ASN1_OID_SUBJECTALTNAME };
  674. /** Supported certificate extensions */
  675. static struct x509_extension x509_extensions[] = {
  676. {
  677. .name = "basicConstraints",
  678. .oid = ASN1_OID_CURSOR ( oid_ce_basic_constraints ),
  679. .parse = x509_parse_basic_constraints,
  680. },
  681. {
  682. .name = "keyUsage",
  683. .oid = ASN1_OID_CURSOR ( oid_ce_key_usage ),
  684. .parse = x509_parse_key_usage,
  685. },
  686. {
  687. .name = "extKeyUsage",
  688. .oid = ASN1_OID_CURSOR ( oid_ce_ext_key_usage ),
  689. .parse = x509_parse_extended_key_usage,
  690. },
  691. {
  692. .name = "authorityInfoAccess",
  693. .oid = ASN1_OID_CURSOR ( oid_pe_authority_info_access ),
  694. .parse = x509_parse_authority_info_access,
  695. },
  696. {
  697. .name = "subjectAltName",
  698. .oid = ASN1_OID_CURSOR ( oid_ce_subject_alt_name ),
  699. .parse = x509_parse_subject_alt_name,
  700. },
  701. };
  702. /**
  703. * Identify X.509 extension by OID
  704. *
  705. * @v oid OID
  706. * @ret extension Extension, or NULL
  707. */
  708. static struct x509_extension *
  709. x509_find_extension ( const struct asn1_cursor *oid ) {
  710. struct x509_extension *extension;
  711. unsigned int i;
  712. for ( i = 0 ; i < ( sizeof ( x509_extensions ) /
  713. sizeof ( x509_extensions[0] ) ) ; i++ ) {
  714. extension = &x509_extensions[i];
  715. if ( asn1_compare ( &extension->oid, oid ) == 0 )
  716. return extension;
  717. }
  718. return NULL;
  719. }
  720. /**
  721. * Parse X.509 certificate extension
  722. *
  723. * @v cert X.509 certificate
  724. * @v raw ASN.1 cursor
  725. * @ret rc Return status code
  726. */
  727. static int x509_parse_extension ( struct x509_certificate *cert,
  728. const struct asn1_cursor *raw ) {
  729. struct asn1_cursor cursor;
  730. struct asn1_cursor subcursor;
  731. struct x509_extension *extension;
  732. int is_critical = 0;
  733. int rc;
  734. /* Enter extension */
  735. memcpy ( &cursor, raw, sizeof ( cursor ) );
  736. asn1_enter ( &cursor, ASN1_SEQUENCE );
  737. /* Try to identify extension */
  738. memcpy ( &subcursor, &cursor, sizeof ( subcursor ) );
  739. asn1_enter ( &subcursor, ASN1_OID );
  740. extension = x509_find_extension ( &subcursor );
  741. asn1_skip_any ( &cursor );
  742. DBGC2 ( cert, "X509 %p found extension %s\n",
  743. cert, ( extension ? extension->name : "<unknown>" ) );
  744. /* Identify criticality */
  745. if ( asn1_type ( &cursor ) == ASN1_BOOLEAN ) {
  746. is_critical = asn1_boolean ( &cursor );
  747. if ( is_critical < 0 ) {
  748. rc = is_critical;
  749. DBGC ( cert, "X509 %p cannot parse extension "
  750. "criticality: %s\n", cert, strerror ( rc ) );
  751. DBGC_HDA ( cert, 0, raw->data, raw->len );
  752. return rc;
  753. }
  754. asn1_skip_any ( &cursor );
  755. }
  756. /* Handle unknown extensions */
  757. if ( ! extension ) {
  758. if ( is_critical ) {
  759. /* Fail if we cannot handle a critical extension */
  760. DBGC ( cert, "X509 %p cannot handle critical "
  761. "extension:\n", cert );
  762. DBGC_HDA ( cert, 0, raw->data, raw->len );
  763. return -ENOTSUP_EXTENSION;
  764. } else {
  765. /* Ignore unknown non-critical extensions */
  766. return 0;
  767. }
  768. };
  769. /* Extract extnValue */
  770. if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
  771. DBGC ( cert, "X509 %p extension missing extnValue:\n", cert );
  772. DBGC_HDA ( cert, 0, raw->data, raw->len );
  773. return rc;
  774. }
  775. /* Parse extension */
  776. if ( ( rc = extension->parse ( cert, &cursor ) ) != 0 )
  777. return rc;
  778. return 0;
  779. }
  780. /**
  781. * Parse X.509 certificate extensions, if present
  782. *
  783. * @v cert X.509 certificate
  784. * @v raw ASN.1 cursor
  785. * @ret rc Return status code
  786. */
  787. static int x509_parse_extensions ( struct x509_certificate *cert,
  788. const struct asn1_cursor *raw ) {
  789. struct asn1_cursor cursor;
  790. int rc;
  791. /* Enter extensions, if present */
  792. memcpy ( &cursor, raw, sizeof ( cursor ) );
  793. asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 3 ) );
  794. asn1_enter ( &cursor, ASN1_SEQUENCE );
  795. /* Parse each extension in turn */
  796. while ( cursor.len ) {
  797. if ( ( rc = x509_parse_extension ( cert, &cursor ) ) != 0 )
  798. return rc;
  799. asn1_skip_any ( &cursor );
  800. }
  801. return 0;
  802. }
  803. /**
  804. * Parse X.509 certificate tbsCertificate
  805. *
  806. * @v cert X.509 certificate
  807. * @v raw ASN.1 cursor
  808. * @ret rc Return status code
  809. */
  810. static int x509_parse_tbscertificate ( struct x509_certificate *cert,
  811. const struct asn1_cursor *raw ) {
  812. struct asn1_algorithm **algorithm = &cert->signature_algorithm;
  813. struct asn1_cursor cursor;
  814. int rc;
  815. /* Record raw tbsCertificate */
  816. memcpy ( &cursor, raw, sizeof ( cursor ) );
  817. asn1_shrink_any ( &cursor );
  818. memcpy ( &cert->tbs, &cursor, sizeof ( cert->tbs ) );
  819. /* Enter tbsCertificate */
  820. asn1_enter ( &cursor, ASN1_SEQUENCE );
  821. /* Parse version, if present */
  822. if ( asn1_type ( &cursor ) == ASN1_EXPLICIT_TAG ( 0 ) ) {
  823. if ( ( rc = x509_parse_version ( cert, &cursor ) ) != 0 )
  824. return rc;
  825. asn1_skip_any ( &cursor );
  826. }
  827. /* Parse serialNumber */
  828. if ( ( rc = x509_parse_serial ( cert, &cursor ) ) != 0 )
  829. return rc;
  830. asn1_skip_any ( &cursor );
  831. /* Parse signature */
  832. if ( ( rc = asn1_signature_algorithm ( &cursor, algorithm ) ) != 0 ) {
  833. DBGC ( cert, "X509 %p could not parse signature algorithm: "
  834. "%s\n", cert, strerror ( rc ) );
  835. return rc;
  836. }
  837. DBGC2 ( cert, "X509 %p tbsCertificate signature algorithm is %s\n",
  838. cert, (*algorithm)->name );
  839. asn1_skip_any ( &cursor );
  840. /* Parse issuer */
  841. if ( ( rc = x509_parse_issuer ( cert, &cursor ) ) != 0 )
  842. return rc;
  843. asn1_skip_any ( &cursor );
  844. /* Parse validity */
  845. if ( ( rc = x509_parse_validity ( cert, &cursor ) ) != 0 )
  846. return rc;
  847. asn1_skip_any ( &cursor );
  848. /* Parse subject */
  849. if ( ( rc = x509_parse_subject ( cert, &cursor ) ) != 0 )
  850. return rc;
  851. asn1_skip_any ( &cursor );
  852. /* Parse subjectPublicKeyInfo */
  853. if ( ( rc = x509_parse_public_key ( cert, &cursor ) ) != 0 )
  854. return rc;
  855. asn1_skip_any ( &cursor );
  856. /* Parse extensions, if present */
  857. if ( ( rc = x509_parse_extensions ( cert, &cursor ) ) != 0 )
  858. return rc;
  859. return 0;
  860. }
  861. /**
  862. * Parse X.509 certificate from ASN.1 data
  863. *
  864. * @v cert X.509 certificate
  865. * @v raw ASN.1 cursor
  866. * @ret rc Return status code
  867. */
  868. int x509_parse ( struct x509_certificate *cert,
  869. const struct asn1_cursor *raw ) {
  870. struct x509_signature *signature = &cert->signature;
  871. struct asn1_algorithm **signature_algorithm = &signature->algorithm;
  872. struct asn1_bit_string *signature_value = &signature->value;
  873. struct asn1_cursor cursor;
  874. int rc;
  875. /* Record raw certificate */
  876. memcpy ( &cursor, raw, sizeof ( cursor ) );
  877. memcpy ( &cert->raw, &cursor, sizeof ( cert->raw ) );
  878. /* Enter certificate */
  879. asn1_enter ( &cursor, ASN1_SEQUENCE );
  880. /* Parse tbsCertificate */
  881. if ( ( rc = x509_parse_tbscertificate ( cert, &cursor ) ) != 0 )
  882. return rc;
  883. asn1_skip_any ( &cursor );
  884. /* Parse signatureAlgorithm */
  885. if ( ( rc = asn1_signature_algorithm ( &cursor,
  886. signature_algorithm ) ) != 0 ) {
  887. DBGC ( cert, "X509 %p could not parse signature algorithm: "
  888. "%s\n", cert, strerror ( rc ) );
  889. return rc;
  890. }
  891. DBGC2 ( cert, "X509 %p signatureAlgorithm is %s\n",
  892. cert, (*signature_algorithm)->name );
  893. asn1_skip_any ( &cursor );
  894. /* Parse signatureValue */
  895. if ( ( rc = asn1_integral_bit_string ( &cursor,
  896. signature_value ) ) != 0 ) {
  897. DBGC ( cert, "X509 %p could not parse signature value: %s\n",
  898. cert, strerror ( rc ) );
  899. return rc;
  900. }
  901. DBGC2 ( cert, "X509 %p signatureValue is:\n", cert );
  902. DBGC2_HDA ( cert, 0, signature_value->data, signature_value->len );
  903. /* Check that algorithm in tbsCertificate matches algorithm in
  904. * signature
  905. */
  906. if ( signature->algorithm != (*signature_algorithm) ) {
  907. DBGC ( cert, "X509 %p signature algorithm %s does not match "
  908. "signatureAlgorithm %s\n",
  909. cert, signature->algorithm->name,
  910. (*signature_algorithm)->name );
  911. return -EINVAL_ALGORITHM_MISMATCH;
  912. }
  913. return 0;
  914. }
  915. /**
  916. * Create X.509 certificate
  917. *
  918. * @v data Raw certificate data
  919. * @v len Length of raw data
  920. * @ret cert X.509 certificate
  921. * @ret rc Return status code
  922. *
  923. * On success, the caller holds a reference to the X.509 certificate,
  924. * and is responsible for ultimately calling x509_put().
  925. */
  926. int x509_certificate ( const void *data, size_t len,
  927. struct x509_certificate **cert ) {
  928. struct asn1_cursor cursor;
  929. void *raw;
  930. int rc;
  931. /* Initialise cursor */
  932. cursor.data = data;
  933. cursor.len = len;
  934. asn1_shrink_any ( &cursor );
  935. /* Return stored certificate, if present */
  936. if ( ( *cert = certstore_find ( &cursor ) ) != NULL ) {
  937. /* Add caller's reference */
  938. x509_get ( *cert );
  939. return 0;
  940. }
  941. /* Allocate and initialise certificate */
  942. *cert = zalloc ( sizeof ( **cert ) + cursor.len );
  943. if ( ! *cert )
  944. return -ENOMEM;
  945. ref_init ( &(*cert)->refcnt, NULL );
  946. raw = ( *cert + 1 );
  947. /* Copy raw data */
  948. memcpy ( raw, cursor.data, cursor.len );
  949. cursor.data = raw;
  950. /* Parse certificate */
  951. if ( ( rc = x509_parse ( *cert, &cursor ) ) != 0 ) {
  952. x509_put ( *cert );
  953. *cert = NULL;
  954. return rc;
  955. }
  956. /* Add certificate to store */
  957. certstore_add ( *cert );
  958. return 0;
  959. }
  960. /**
  961. * Check X.509 certificate signature
  962. *
  963. * @v cert X.509 certificate
  964. * @v public_key X.509 public key
  965. * @ret rc Return status code
  966. */
  967. static int x509_check_signature ( struct x509_certificate *cert,
  968. struct x509_public_key *public_key ) {
  969. struct x509_signature *signature = &cert->signature;
  970. struct asn1_algorithm *algorithm = signature->algorithm;
  971. struct digest_algorithm *digest = algorithm->digest;
  972. struct pubkey_algorithm *pubkey = algorithm->pubkey;
  973. uint8_t digest_ctx[ digest->ctxsize ];
  974. uint8_t digest_out[ digest->digestsize ];
  975. uint8_t pubkey_ctx[ pubkey->ctxsize ];
  976. int rc;
  977. /* Sanity check */
  978. assert ( cert->signature_algorithm == cert->signature.algorithm );
  979. /* Calculate certificate digest */
  980. digest_init ( digest, digest_ctx );
  981. digest_update ( digest, digest_ctx, cert->tbs.data, cert->tbs.len );
  982. digest_final ( digest, digest_ctx, digest_out );
  983. DBGC2 ( cert, "X509 %p \"%s\" digest:\n", cert, x509_name ( cert ) );
  984. DBGC2_HDA ( cert, 0, digest_out, sizeof ( digest_out ) );
  985. /* Check that signature public key algorithm matches signer */
  986. if ( public_key->algorithm->pubkey != pubkey ) {
  987. DBGC ( cert, "X509 %p \"%s\" signature algorithm %s does not "
  988. "match signer's algorithm %s\n",
  989. cert, x509_name ( cert ), algorithm->name,
  990. public_key->algorithm->name );
  991. rc = -EINVAL_ALGORITHM_MISMATCH;
  992. goto err_mismatch;
  993. }
  994. /* Verify signature using signer's public key */
  995. if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
  996. public_key->raw.len ) ) != 0 ) {
  997. DBGC ( cert, "X509 %p \"%s\" cannot initialise public key: "
  998. "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
  999. goto err_pubkey_init;
  1000. }
  1001. if ( ( rc = pubkey_verify ( pubkey, pubkey_ctx, digest, digest_out,
  1002. signature->value.data,
  1003. signature->value.len ) ) != 0 ) {
  1004. DBGC ( cert, "X509 %p \"%s\" signature verification failed: "
  1005. "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
  1006. goto err_pubkey_verify;
  1007. }
  1008. /* Success */
  1009. rc = 0;
  1010. err_pubkey_verify:
  1011. pubkey_final ( pubkey, pubkey_ctx );
  1012. err_pubkey_init:
  1013. err_mismatch:
  1014. return rc;
  1015. }
  1016. /**
  1017. * Check X.509 certificate against issuer certificate
  1018. *
  1019. * @v cert X.509 certificate
  1020. * @v issuer X.509 issuer certificate
  1021. * @ret rc Return status code
  1022. */
  1023. int x509_check_issuer ( struct x509_certificate *cert,
  1024. struct x509_certificate *issuer ) {
  1025. struct x509_public_key *public_key = &issuer->subject.public_key;
  1026. int rc;
  1027. /* Check issuer. In theory, this should be a full X.500 DN
  1028. * comparison, which would require support for a plethora of
  1029. * abominations such as TeletexString (which allows the
  1030. * character set to be changed mid-string using escape codes).
  1031. * In practice, we assume that anyone who deliberately changes
  1032. * the encoding of the issuer DN is probably a masochist who
  1033. * will rather enjoy the process of figuring out exactly why
  1034. * their certificate doesn't work.
  1035. *
  1036. * See http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
  1037. * for some enjoyable ranting on this subject.
  1038. */
  1039. if ( asn1_compare ( &cert->issuer.raw, &issuer->subject.raw ) != 0 ) {
  1040. DBGC ( cert, "X509 %p \"%s\" issuer does not match ",
  1041. cert, x509_name ( cert ) );
  1042. DBGC ( cert, "X509 %p \"%s\" subject\n",
  1043. issuer, x509_name ( issuer ) );
  1044. DBGC_HDA ( cert, 0, cert->issuer.raw.data,
  1045. cert->issuer.raw.len );
  1046. DBGC_HDA ( issuer, 0, issuer->subject.raw.data,
  1047. issuer->subject.raw.len );
  1048. return -EACCES_WRONG_ISSUER;
  1049. }
  1050. /* Check that issuer is allowed to sign certificates */
  1051. if ( ! issuer->extensions.basic.ca ) {
  1052. DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
  1053. issuer, x509_name ( issuer ) );
  1054. DBGC ( issuer, "X509 %p \"%s\": not a CA certificate\n",
  1055. cert, x509_name ( cert ) );
  1056. return -EACCES_NOT_CA;
  1057. }
  1058. if ( issuer->extensions.usage.present &&
  1059. ( ! ( issuer->extensions.usage.bits & X509_KEY_CERT_SIGN ) ) ) {
  1060. DBGC ( issuer, "X509 %p \"%s\" cannot sign ",
  1061. issuer, x509_name ( issuer ) );
  1062. DBGC ( issuer, "X509 %p \"%s\": no keyCertSign usage\n",
  1063. cert, x509_name ( cert ) );
  1064. return -EACCES_KEY_USAGE;
  1065. }
  1066. /* Check signature */
  1067. if ( ( rc = x509_check_signature ( cert, public_key ) ) != 0 )
  1068. return rc;
  1069. return 0;
  1070. }
  1071. /**
  1072. * Calculate X.509 certificate fingerprint
  1073. *
  1074. * @v cert X.509 certificate
  1075. * @v digest Digest algorithm
  1076. * @v fingerprint Fingerprint buffer
  1077. */
  1078. void x509_fingerprint ( struct x509_certificate *cert,
  1079. struct digest_algorithm *digest,
  1080. void *fingerprint ) {
  1081. uint8_t ctx[ digest->ctxsize ];
  1082. /* Calculate fingerprint */
  1083. digest_init ( digest, ctx );
  1084. digest_update ( digest, ctx, cert->raw.data, cert->raw.len );
  1085. digest_final ( digest, ctx, fingerprint );
  1086. }
  1087. /**
  1088. * Check X.509 root certificate
  1089. *
  1090. * @v cert X.509 certificate
  1091. * @v root X.509 root certificate list
  1092. * @ret rc Return status code
  1093. */
  1094. int x509_check_root ( struct x509_certificate *cert, struct x509_root *root ) {
  1095. struct digest_algorithm *digest = root->digest;
  1096. uint8_t fingerprint[ digest->digestsize ];
  1097. const uint8_t *root_fingerprint = root->fingerprints;
  1098. unsigned int i;
  1099. /* Calculate certificate fingerprint */
  1100. x509_fingerprint ( cert, digest, fingerprint );
  1101. /* Check fingerprint against all root certificates */
  1102. for ( i = 0 ; i < root->count ; i++ ) {
  1103. if ( memcmp ( fingerprint, root_fingerprint,
  1104. sizeof ( fingerprint ) ) == 0 ) {
  1105. DBGC ( cert, "X509 %p \"%s\" is a root certificate\n",
  1106. cert, x509_name ( cert ) );
  1107. return 0;
  1108. }
  1109. root_fingerprint += sizeof ( fingerprint );
  1110. }
  1111. DBGC2 ( cert, "X509 %p \"%s\" is not a root certificate\n",
  1112. cert, x509_name ( cert ) );
  1113. return -ENOENT;
  1114. }
  1115. /**
  1116. * Check X.509 certificate validity period
  1117. *
  1118. * @v cert X.509 certificate
  1119. * @v time Time at which to check certificate
  1120. * @ret rc Return status code
  1121. */
  1122. int x509_check_time ( struct x509_certificate *cert, time_t time ) {
  1123. struct x509_validity *validity = &cert->validity;
  1124. /* Check validity period */
  1125. if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
  1126. DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
  1127. cert, x509_name ( cert ), time );
  1128. return -EACCES_EXPIRED;
  1129. }
  1130. if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
  1131. DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
  1132. cert, x509_name ( cert ), time );
  1133. return -EACCES_EXPIRED;
  1134. }
  1135. DBGC2 ( cert, "X509 %p \"%s\" is valid (at time %lld)\n",
  1136. cert, x509_name ( cert ), time );
  1137. return 0;
  1138. }
  1139. /**
  1140. * Validate X.509 certificate
  1141. *
  1142. * @v cert X.509 certificate
  1143. * @v issuer Issuing X.509 certificate (or NULL)
  1144. * @v time Time at which to validate certificate
  1145. * @v root Root certificate list, or NULL to use default
  1146. * @ret rc Return status code
  1147. *
  1148. * The issuing certificate must have already been validated.
  1149. *
  1150. * Validation results are cached: if a certificate has already been
  1151. * successfully validated then @c issuer, @c time, and @c root will be
  1152. * ignored.
  1153. */
  1154. int x509_validate ( struct x509_certificate *cert,
  1155. struct x509_certificate *issuer,
  1156. time_t time, struct x509_root *root ) {
  1157. unsigned int max_path_remaining;
  1158. int rc;
  1159. /* Use default root certificate store if none specified */
  1160. if ( ! root )
  1161. root = &root_certificates;
  1162. /* Return success if certificate has already been validated */
  1163. if ( cert->valid )
  1164. return 0;
  1165. /* Fail if certificate is invalid at specified time */
  1166. if ( ( rc = x509_check_time ( cert, time ) ) != 0 )
  1167. return rc;
  1168. /* Succeed if certificate is a trusted root certificate */
  1169. if ( x509_check_root ( cert, root ) == 0 ) {
  1170. cert->valid = 1;
  1171. cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
  1172. return 0;
  1173. }
  1174. /* Fail unless we have an issuer */
  1175. if ( ! issuer ) {
  1176. DBGC2 ( cert, "X509 %p \"%s\" has no issuer\n",
  1177. cert, x509_name ( cert ) );
  1178. return -EACCES_UNTRUSTED;
  1179. }
  1180. /* Fail unless issuer has already been validated */
  1181. if ( ! issuer->valid ) {
  1182. DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
  1183. DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
  1184. issuer, x509_name ( issuer ) );
  1185. return -EACCES_OUT_OF_ORDER;
  1186. }
  1187. /* Fail if issuing certificate cannot validate this certificate */
  1188. if ( ( rc = x509_check_issuer ( cert, issuer ) ) != 0 )
  1189. return rc;
  1190. /* Fail if path length constraint is violated */
  1191. if ( issuer->path_remaining == 0 ) {
  1192. DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
  1193. DBGC ( cert, "issuer %p \"%s\" path length exceeded\n",
  1194. issuer, x509_name ( issuer ) );
  1195. return -EACCES_PATH_LEN;
  1196. }
  1197. /* Fail if OCSP is required */
  1198. if ( cert->extensions.auth_info.ocsp.uri.len &&
  1199. ( ! cert->extensions.auth_info.ocsp.good ) ) {
  1200. DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
  1201. cert, x509_name ( cert ) );
  1202. return -EACCES_OCSP_REQUIRED;
  1203. }
  1204. /* Calculate effective path length */
  1205. cert->path_remaining = ( issuer->path_remaining - 1 );
  1206. max_path_remaining = ( cert->extensions.basic.path_len + 1 );
  1207. if ( cert->path_remaining > max_path_remaining )
  1208. cert->path_remaining = max_path_remaining;
  1209. /* Mark certificate as valid */
  1210. cert->valid = 1;
  1211. DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
  1212. cert, x509_name ( cert ) );
  1213. DBGC ( cert, "issuer %p \"%s\"\n", issuer, x509_name ( issuer ) );
  1214. return 0;
  1215. }
  1216. /**
  1217. * Check X.509 certificate alternative dNSName
  1218. *
  1219. * @v cert X.509 certificate
  1220. * @v raw ASN.1 cursor
  1221. * @v name Name
  1222. * @ret rc Return status code
  1223. */
  1224. static int x509_check_dnsname ( struct x509_certificate *cert,
  1225. const struct asn1_cursor *raw,
  1226. const char *name ) {
  1227. const char *fullname = name;
  1228. const char *dnsname = raw->data;
  1229. size_t len = raw->len;
  1230. /* Check for wildcards */
  1231. if ( ( len >= 2 ) && ( dnsname[0] == '*' ) && ( dnsname[1] == '.' ) ) {
  1232. /* Skip initial "*." */
  1233. dnsname += 2;
  1234. len -= 2;
  1235. /* Skip initial portion of name to be tested */
  1236. name = strchr ( name, '.' );
  1237. if ( ! name )
  1238. return -ENOENT;
  1239. name++;
  1240. }
  1241. /* Compare names */
  1242. if ( ! ( ( strlen ( name ) == len ) &&
  1243. ( memcmp ( name, dnsname, len ) == 0 ) ) )
  1244. return -ENOENT;
  1245. if ( name != fullname ) {
  1246. DBGC2 ( cert, "X509 %p \"%s\" found wildcard match for "
  1247. "\"*.%s\"\n", cert, x509_name ( cert ), name );
  1248. }
  1249. return 0;
  1250. }
  1251. /**
  1252. * Check X.509 certificate alternative iPAddress
  1253. *
  1254. * @v cert X.509 certificate
  1255. * @v raw ASN.1 cursor
  1256. * @v name Name
  1257. * @ret rc Return status code
  1258. */
  1259. static int x509_check_ipaddress ( struct x509_certificate *cert,
  1260. const struct asn1_cursor *raw,
  1261. const char *name ) {
  1262. struct sockaddr sa;
  1263. sa_family_t family;
  1264. const void *address;
  1265. int rc;
  1266. /* Determine address family */
  1267. if ( raw->len == sizeof ( struct in_addr ) ) {
  1268. struct sockaddr_in *sin = ( ( struct sockaddr_in * ) &sa );
  1269. family = AF_INET;
  1270. address = &sin->sin_addr;
  1271. } else if ( raw->len == sizeof ( struct in6_addr ) ) {
  1272. struct sockaddr_in6 *sin6 = ( ( struct sockaddr_in6 * ) &sa );
  1273. family = AF_INET6;
  1274. address = &sin6->sin6_addr;
  1275. } else {
  1276. DBGC ( cert, "X509 %p \"%s\" has iPAddress with unexpected "
  1277. "length %zd\n", cert, x509_name ( cert ), raw->len );
  1278. DBGC_HDA ( cert, 0, raw->data, raw->len );
  1279. return -EINVAL;
  1280. }
  1281. /* Attempt to convert name to a socket address */
  1282. if ( ( rc = sock_aton ( name, &sa ) ) != 0 ) {
  1283. DBGC2 ( cert, "X509 %p \"%s\" cannot parse \"%s\" as "
  1284. "iPAddress: %s\n", cert, x509_name ( cert ), name,
  1285. strerror ( rc ) );
  1286. return rc;
  1287. }
  1288. if ( sa.sa_family != family )
  1289. return -ENOENT;
  1290. /* Compare addresses */
  1291. if ( memcmp ( address, raw->data, raw->len ) != 0 )
  1292. return -ENOENT;
  1293. DBGC2 ( cert, "X509 %p \"%s\" found iPAddress match for \"%s\"\n",
  1294. cert, x509_name ( cert ), sock_ntoa ( &sa ) );
  1295. return 0;
  1296. }
  1297. /**
  1298. * Check X.509 certificate alternative name
  1299. *
  1300. * @v cert X.509 certificate
  1301. * @v raw ASN.1 cursor
  1302. * @v name Name
  1303. * @ret rc Return status code
  1304. */
  1305. static int x509_check_alt_name ( struct x509_certificate *cert,
  1306. const struct asn1_cursor *raw,
  1307. const char *name ) {
  1308. struct asn1_cursor alt_name;
  1309. unsigned int type;
  1310. /* Enter generalName */
  1311. memcpy ( &alt_name, raw, sizeof ( alt_name ) );
  1312. type = asn1_type ( &alt_name );
  1313. asn1_enter_any ( &alt_name );
  1314. /* Check this name */
  1315. switch ( type ) {
  1316. case X509_GENERAL_NAME_DNS :
  1317. return x509_check_dnsname ( cert, &alt_name, name );
  1318. case X509_GENERAL_NAME_IP :
  1319. return x509_check_ipaddress ( cert, &alt_name, name );
  1320. default:
  1321. DBGC2 ( cert, "X509 %p \"%s\" unknown name of type %#02x:\n",
  1322. cert, x509_name ( cert ), type );
  1323. DBGC2_HDA ( cert, 0, alt_name.data, alt_name.len );
  1324. return -ENOTSUP;
  1325. }
  1326. }
  1327. /**
  1328. * Check X.509 certificate name
  1329. *
  1330. * @v cert X.509 certificate
  1331. * @v name Name
  1332. * @ret rc Return status code
  1333. */
  1334. int x509_check_name ( struct x509_certificate *cert, const char *name ) {
  1335. struct asn1_cursor *common_name = &cert->subject.common_name;
  1336. struct asn1_cursor alt_name;
  1337. int rc;
  1338. /* Check commonName */
  1339. if ( x509_check_dnsname ( cert, common_name, name ) == 0 ) {
  1340. DBGC2 ( cert, "X509 %p \"%s\" commonName matches \"%s\"\n",
  1341. cert, x509_name ( cert ), name );
  1342. return 0;
  1343. }
  1344. /* Check any subjectAlternativeNames */
  1345. memcpy ( &alt_name, &cert->extensions.alt_name.names,
  1346. sizeof ( alt_name ) );
  1347. for ( ; alt_name.len ; asn1_skip_any ( &alt_name ) ) {
  1348. if ( ( rc = x509_check_alt_name ( cert, &alt_name,
  1349. name ) ) == 0 ) {
  1350. DBGC2 ( cert, "X509 %p \"%s\" subjectAltName matches "
  1351. "\"%s\"\n", cert, x509_name ( cert ), name );
  1352. return 0;
  1353. }
  1354. }
  1355. DBGC ( cert, "X509 %p \"%s\" does not match name \"%s\"\n",
  1356. cert, x509_name ( cert ), name );
  1357. return -EACCES_WRONG_NAME;
  1358. }
  1359. /**
  1360. * Free X.509 certificate chain
  1361. *
  1362. * @v refcnt Reference count
  1363. */
  1364. static void x509_free_chain ( struct refcnt *refcnt ) {
  1365. struct x509_chain *chain =
  1366. container_of ( refcnt, struct x509_chain, refcnt );
  1367. struct x509_link *link;
  1368. struct x509_link *tmp;
  1369. DBGC2 ( chain, "X509 chain %p freed\n", chain );
  1370. /* Free each link in the chain */
  1371. list_for_each_entry_safe ( link, tmp, &chain->links, list ) {
  1372. x509_put ( link->cert );
  1373. list_del ( &link->list );
  1374. free ( link );
  1375. }
  1376. /* Free chain */
  1377. free ( chain );
  1378. }
  1379. /**
  1380. * Allocate X.509 certificate chain
  1381. *
  1382. * @ret chain X.509 certificate chain, or NULL
  1383. */
  1384. struct x509_chain * x509_alloc_chain ( void ) {
  1385. struct x509_chain *chain;
  1386. /* Allocate chain */
  1387. chain = zalloc ( sizeof ( *chain ) );
  1388. if ( ! chain )
  1389. return NULL;
  1390. /* Initialise chain */
  1391. ref_init ( &chain->refcnt, x509_free_chain );
  1392. INIT_LIST_HEAD ( &chain->links );
  1393. DBGC2 ( chain, "X509 chain %p allocated\n", chain );
  1394. return chain;
  1395. }
  1396. /**
  1397. * Append X.509 certificate to X.509 certificate chain
  1398. *
  1399. * @v chain X.509 certificate chain
  1400. * @v cert X.509 certificate
  1401. * @ret rc Return status code
  1402. */
  1403. int x509_append ( struct x509_chain *chain, struct x509_certificate *cert ) {
  1404. struct x509_link *link;
  1405. /* Allocate link */
  1406. link = zalloc ( sizeof ( *link ) );
  1407. if ( ! link )
  1408. return -ENOMEM;
  1409. /* Add link to chain */
  1410. link->cert = x509_get ( cert );
  1411. list_add_tail ( &link->list, &chain->links );
  1412. DBGC ( chain, "X509 chain %p added X509 %p \"%s\"\n",
  1413. chain, cert, x509_name ( cert ) );
  1414. return 0;
  1415. }
  1416. /**
  1417. * Append X.509 certificate to X.509 certificate chain
  1418. *
  1419. * @v chain X.509 certificate chain
  1420. * @v data Raw certificate data
  1421. * @v len Length of raw data
  1422. * @ret rc Return status code
  1423. */
  1424. int x509_append_raw ( struct x509_chain *chain, const void *data,
  1425. size_t len ) {
  1426. struct x509_certificate *cert;
  1427. int rc;
  1428. /* Parse certificate */
  1429. if ( ( rc = x509_certificate ( data, len, &cert ) ) != 0 )
  1430. goto err_parse;
  1431. /* Append certificate to chain */
  1432. if ( ( rc = x509_append ( chain, cert ) ) != 0 )
  1433. goto err_append;
  1434. /* Drop reference to certificate */
  1435. x509_put ( cert );
  1436. return 0;
  1437. err_append:
  1438. x509_put ( cert );
  1439. err_parse:
  1440. return rc;
  1441. }
  1442. /**
  1443. * Identify X.509 certificate by subject
  1444. *
  1445. * @v certs X.509 certificate list
  1446. * @v subject Subject
  1447. * @ret cert X.509 certificate, or NULL if not found
  1448. */
  1449. static struct x509_certificate *
  1450. x509_find_subject ( struct x509_chain *certs,
  1451. const struct asn1_cursor *subject ) {
  1452. struct x509_link *link;
  1453. struct x509_certificate *cert;
  1454. /* Scan through certificate list */
  1455. list_for_each_entry ( link, &certs->links, list ) {
  1456. /* Check subject */
  1457. cert = link->cert;
  1458. if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
  1459. return cert;
  1460. }
  1461. return NULL;
  1462. }
  1463. /**
  1464. * Append X.509 certificates to X.509 certificate chain
  1465. *
  1466. * @v chain X.509 certificate chain
  1467. * @v certs X.509 certificate list
  1468. * @ret rc Return status code
  1469. *
  1470. * Certificates will be automatically appended to the chain based upon
  1471. * the subject and issuer names.
  1472. */
  1473. int x509_auto_append ( struct x509_chain *chain, struct x509_chain *certs ) {
  1474. struct x509_certificate *cert;
  1475. struct x509_certificate *previous;
  1476. int rc;
  1477. /* Get current certificate */
  1478. cert = x509_last ( chain );
  1479. if ( ! cert ) {
  1480. DBGC ( chain, "X509 chain %p has no certificates\n", chain );
  1481. return -EACCES_EMPTY;
  1482. }
  1483. /* Append certificates, in order */
  1484. while ( 1 ) {
  1485. /* Find issuing certificate */
  1486. previous = cert;
  1487. cert = x509_find_subject ( certs, &cert->issuer.raw );
  1488. if ( ! cert )
  1489. break;
  1490. if ( cert == previous )
  1491. break;
  1492. /* Append certificate to chain */
  1493. if ( ( rc = x509_append ( chain, cert ) ) != 0 )
  1494. return rc;
  1495. }
  1496. return 0;
  1497. }
  1498. /**
  1499. * Validate X.509 certificate chain
  1500. *
  1501. * @v chain X.509 certificate chain
  1502. * @v time Time at which to validate certificates
  1503. * @v store Certificate store, or NULL to use default
  1504. * @v root Root certificate list, or NULL to use default
  1505. * @ret rc Return status code
  1506. */
  1507. int x509_validate_chain ( struct x509_chain *chain, time_t time,
  1508. struct x509_chain *store, struct x509_root *root ) {
  1509. struct x509_certificate *issuer = NULL;
  1510. struct x509_link *link;
  1511. int rc;
  1512. /* Use default certificate store if none specified */
  1513. if ( ! store )
  1514. store = &certstore;
  1515. /* Append any applicable certificates from the certificate store */
  1516. if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
  1517. return rc;
  1518. /* Find first certificate that can be validated as a
  1519. * standalone (i.e. is already valid, or can be validated as
  1520. * a trusted root certificate).
  1521. */
  1522. list_for_each_entry ( link, &chain->links, list ) {
  1523. /* Try validating this certificate as a standalone */
  1524. if ( ( rc = x509_validate ( link->cert, NULL, time,
  1525. root ) ) != 0 )
  1526. continue;
  1527. /* Work back up to start of chain, performing pairwise
  1528. * validation.
  1529. */
  1530. issuer = link->cert;
  1531. list_for_each_entry_continue_reverse ( link, &chain->links,
  1532. list ) {
  1533. /* Validate this certificate against its issuer */
  1534. if ( ( rc = x509_validate ( link->cert, issuer, time,
  1535. root ) ) != 0 )
  1536. return rc;
  1537. issuer = link->cert;
  1538. }
  1539. return 0;
  1540. }
  1541. DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
  1542. return -EACCES_USELESS;
  1543. }
  1544. /* Drag in objects via x509_validate() */
  1545. REQUIRING_SYMBOL ( x509_validate );
  1546. /* Drag in certificate store */
  1547. REQUIRE_OBJECT ( certstore );