diff options
| author | Michael Brown | 2014-03-28 16:45:10 +0100 |
|---|---|---|
| committer | Michael Brown | 2014-03-28 18:09:40 +0100 |
| commit | bc8ca6b8cea325e6507839e576d0d7eaa44e2af1 (patch) | |
| tree | d74ee501d55b6dbaa5f5842c697e57295776b82e /src/crypto/privkey.c | |
| parent | [crypto] Add pubkey_match() to check for matching public/private key pairs (diff) | |
| download | ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.gz ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.xz ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.zip | |
[crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of
a certificate store. Certificates in the store will be automatically
used to complete certificate chains where applicable.
The certificate store may be prepopulated at build time using the
CERT=... build command line option. For example:
make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt
Certificates within the certificate store are not implicitly trusted;
the trust list is specified using TRUST=... as before. For example:
make bin/ipxe.usb CERT=root.crt TRUST=root.crt
This can be used to embed the full trusted root certificate within the
iPXE binary, which is potentially useful in an HTTPS-only environment
in which there is no HTTP server from which to automatically download
cross-signed certificates or other certificate chain fragments.
This usage of CERT= extends the existing use of CERT= to specify the
client certificate. The client certificate is now identified
automatically by checking for a match against the private key. For
example:
make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto/privkey.c')
| -rw-r--r-- | src/crypto/privkey.c | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/src/crypto/privkey.c b/src/crypto/privkey.c new file mode 100644 index 00000000..e010649c --- /dev/null +++ b/src/crypto/privkey.c @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +FILE_LICENCE ( GPL2_OR_LATER ); + +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <ipxe/dhcp.h> +#include <ipxe/settings.h> +#include <ipxe/x509.h> +#include <ipxe/privkey.h> + +/** @file + * + * Private key + * + * Life would in theory be easier if we could use a single file to + * hold both the certificate and corresponding private key. + * Unfortunately, the only common format which supports this is + * PKCS#12 (aka PFX), which is too ugly to be allowed anywhere near my + * codebase. See, for reference and amusement: + * + * http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html + */ + +/* Allow private key to be overridden if not explicitly specified */ +#ifdef PRIVATE_KEY +#define ALLOW_KEY_OVERRIDE 0 +#else +#define ALLOW_KEY_OVERRIDE 1 +#endif + +/* Raw private key data */ +extern char private_key_data[]; +extern char private_key_len[]; +__asm__ ( ".section \".rodata\", \"a\", @progbits\n\t" + "\nprivate_key_data:\n\t" +#ifdef PRIVATE_KEY + ".incbin \"" PRIVATE_KEY "\"\n\t" +#endif /* PRIVATE_KEY */ + ".size private_key_data, ( . - private_key_data )\n\t" + ".equ private_key_len, ( . - private_key_data )\n\t" + ".previous\n\t" ); + +/** Private key */ +struct asn1_cursor private_key = { + .data = private_key_data, + .len = ( ( size_t ) private_key_len ), +}; + +/** Private key setting */ +static struct setting privkey_setting __setting ( SETTING_CRYPTO, privkey ) = { + .name = "privkey", + .description = "Private key", + .tag = DHCP_EB_KEY, + .type = &setting_type_hex, +}; + +/** + * Apply private key configuration settings + * + * @ret rc Return status code + */ +static int privkey_apply_settings ( void ) { + static void *key_data = NULL; + int len; + + /* Allow private key to be overridden only if not explicitly + * specified at build time. + */ + if ( ALLOW_KEY_OVERRIDE ) { + + /* Restore default private key */ + private_key.data = private_key_data; + private_key.len = ( ( size_t ) private_key_len ); + + /* Fetch new private key, if any */ + free ( key_data ); + if ( ( len = fetch_raw_setting_copy ( NULL, &privkey_setting, + &key_data ) ) >= 0 ) { + private_key.data = key_data; + private_key.len = len; + } + } + + /* Debug */ + if ( private_key.len ) { + DBGC ( &private_key, "PRIVKEY using %s private key:\n", + ( key_data ? "external" : "built-in" ) ); + DBGC_HDA ( &private_key, 0, private_key.data, private_key.len ); + } else { + DBGC ( &private_key, "PRIVKEY has no private key\n" ); + } + + return 0; +} + +/** Private key settings applicator */ +struct settings_applicator privkey_applicator __settings_applicator = { + .apply = privkey_apply_settings, +}; |