summaryrefslogtreecommitdiffstats
path: root/src/crypto/privkey.c
diff options
context:
space:
mode:
authorMichael Brown2014-03-28 16:45:10 +0100
committerMichael Brown2014-03-28 18:09:40 +0100
commitbc8ca6b8cea325e6507839e576d0d7eaa44e2af1 (patch)
treed74ee501d55b6dbaa5f5842c697e57295776b82e /src/crypto/privkey.c
parent[crypto] Add pubkey_match() to check for matching public/private key pairs (diff)
downloadipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.gz
ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.xz
ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.zip
[crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto/privkey.c')
-rw-r--r--src/crypto/privkey.c118
1 files changed, 118 insertions, 0 deletions
diff --git a/src/crypto/privkey.c b/src/crypto/privkey.c
new file mode 100644
index 00000000..e010649c
--- /dev/null
+++ b/src/crypto/privkey.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ipxe/dhcp.h>
+#include <ipxe/settings.h>
+#include <ipxe/x509.h>
+#include <ipxe/privkey.h>
+
+/** @file
+ *
+ * Private key
+ *
+ * Life would in theory be easier if we could use a single file to
+ * hold both the certificate and corresponding private key.
+ * Unfortunately, the only common format which supports this is
+ * PKCS#12 (aka PFX), which is too ugly to be allowed anywhere near my
+ * codebase. See, for reference and amusement:
+ *
+ * http://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html
+ */
+
+/* Allow private key to be overridden if not explicitly specified */
+#ifdef PRIVATE_KEY
+#define ALLOW_KEY_OVERRIDE 0
+#else
+#define ALLOW_KEY_OVERRIDE 1
+#endif
+
+/* Raw private key data */
+extern char private_key_data[];
+extern char private_key_len[];
+__asm__ ( ".section \".rodata\", \"a\", @progbits\n\t"
+ "\nprivate_key_data:\n\t"
+#ifdef PRIVATE_KEY
+ ".incbin \"" PRIVATE_KEY "\"\n\t"
+#endif /* PRIVATE_KEY */
+ ".size private_key_data, ( . - private_key_data )\n\t"
+ ".equ private_key_len, ( . - private_key_data )\n\t"
+ ".previous\n\t" );
+
+/** Private key */
+struct asn1_cursor private_key = {
+ .data = private_key_data,
+ .len = ( ( size_t ) private_key_len ),
+};
+
+/** Private key setting */
+static struct setting privkey_setting __setting ( SETTING_CRYPTO, privkey ) = {
+ .name = "privkey",
+ .description = "Private key",
+ .tag = DHCP_EB_KEY,
+ .type = &setting_type_hex,
+};
+
+/**
+ * Apply private key configuration settings
+ *
+ * @ret rc Return status code
+ */
+static int privkey_apply_settings ( void ) {
+ static void *key_data = NULL;
+ int len;
+
+ /* Allow private key to be overridden only if not explicitly
+ * specified at build time.
+ */
+ if ( ALLOW_KEY_OVERRIDE ) {
+
+ /* Restore default private key */
+ private_key.data = private_key_data;
+ private_key.len = ( ( size_t ) private_key_len );
+
+ /* Fetch new private key, if any */
+ free ( key_data );
+ if ( ( len = fetch_raw_setting_copy ( NULL, &privkey_setting,
+ &key_data ) ) >= 0 ) {
+ private_key.data = key_data;
+ private_key.len = len;
+ }
+ }
+
+ /* Debug */
+ if ( private_key.len ) {
+ DBGC ( &private_key, "PRIVKEY using %s private key:\n",
+ ( key_data ? "external" : "built-in" ) );
+ DBGC_HDA ( &private_key, 0, private_key.data, private_key.len );
+ } else {
+ DBGC ( &private_key, "PRIVKEY has no private key\n" );
+ }
+
+ return 0;
+}
+
+/** Private key settings applicator */
+struct settings_applicator privkey_applicator __settings_applicator = {
+ .apply = privkey_apply_settings,
+};