| | |
|---|---|
| author | Michael Brown, 2012-05-04 18:12:32 +0200 |
| committer | Michael Brown, 2012-05-04 18:54:31 +0200 |
| commit | 557f467bab42b47d91b08e936fbe2ffa8e80f2e7 (patch) |
| tree | ac81d6db346318baa0048444f2989144b27a0eca /src/include/ipxe/tls.h |
| parent | [time] Add Linux time source using gettimeofday() (diff) |
[crypto] Allow certificate chains to be long-lived data structures
At present, certificate chain validation is treated as an
instantaneous process that can be carried out using only data that is
already in memory. This model does not allow for validation to
include non-instantaneous steps, such as downloading a cross-signing
certificate, or determining certificate revocation status via OCSP.
Redesign the internal representation of certificate chains to allow
chains to outlive the scope of the original source of certificates
(such as a TLS Certificate record).
Allow for certificates to be cached, so that each certificate needs to
be validated only once.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe/tls.h')
-rw-r--r-- | src/include/ipxe/tls.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index 77223336..07f5d3eb 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -235,6 +235,9 @@ struct tls_session { /** Public-key algorithm used for Certificate Verify (if sent) */ struct pubkey_algorithm *verify_pubkey; + /** Server certificate chain */ + struct x509_chain *chain; + /** TX sequence number */ uint64_t tx_seq; /** TX pending transmissions */ |
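Review bot: the new `struct x509_chain *chain;` member in `struct tls_session` is an owning pointer to a structure that, per the commit message, now outlives the TLS Certificate record it was built from, but this diffstat (limited to tls.h) shows no matching release of that reference when the session is torn down; please make sure the session free path in tls.c drops the chain reference, otherwise every completed or aborted handshake leaks its validated chain. Also confirm that tls.h already includes ipxe/x509.h or carries a forward declaration of `struct x509_chain`; nothing in this hunk adds one, and a bare pointer to an undeclared struct type compiles only if the declaration is visible somewhere earlier in the header.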