diff options
| author | Michael Brown | 2014-03-28 16:45:10 +0100 |
|---|---|---|
| committer | Michael Brown | 2014-03-28 18:09:40 +0100 |
| commit | bc8ca6b8cea325e6507839e576d0d7eaa44e2af1 (patch) | |
| tree | d74ee501d55b6dbaa5f5842c697e57295776b82e /src/include/ipxe | |
| parent | [crypto] Add pubkey_match() to check for matching public/private key pairs (diff) | |
| download | ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.gz ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.tar.xz ipxe-bc8ca6b8cea325e6507839e576d0d7eaa44e2af1.zip | |
[crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of
a certificate store. Certificates in the store will be automatically
used to complete certificate chains where applicable.
The certificate store may be prepopulated at build time using the
CERT=... build command line option. For example:
make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt
Certificates within the certificate store are not implicitly trusted;
the trust list is specified using TRUST=... as before. For example:
make bin/ipxe.usb CERT=root.crt TRUST=root.crt
This can be used to embed the full trusted root certificate within the
iPXE binary, which is potentially useful in an HTTPS-only environment
in which there is no HTTP server from which to automatically download
cross-signed certificates or other certificate chain fragments.
This usage of CERT= extends the existing use of CERT= to specify the
client certificate. The client certificate is now identified
automatically by checking for a match against the private key. For
example:
make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe')
| -rw-r--r-- | src/include/ipxe/certstore.h | 21 | ||||
| -rw-r--r-- | src/include/ipxe/clientcert.h | 43 | ||||
| -rw-r--r-- | src/include/ipxe/cms.h | 3 | ||||
| -rw-r--r-- | src/include/ipxe/privkey.h | 16 | ||||
| -rw-r--r-- | src/include/ipxe/tls.h | 4 | ||||
| -rw-r--r-- | src/include/ipxe/x509.h | 41 |
6 files changed, 63 insertions, 65 deletions
diff --git a/src/include/ipxe/certstore.h b/src/include/ipxe/certstore.h new file mode 100644 index 000000000..7456db621 --- /dev/null +++ b/src/include/ipxe/certstore.h @@ -0,0 +1,21 @@ +#ifndef _IPXE_CERTSTORE_H +#define _IPXE_CERTSTORE_H + +/** @file + * + * Certificate store + * + */ + +FILE_LICENCE ( GPL2_OR_LATER ); + +#include <ipxe/asn1.h> +#include <ipxe/x509.h> + +extern struct x509_chain certstore; + +extern struct x509_certificate * certstore_find ( struct asn1_cursor *raw ); +extern struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ); +extern void certstore_add ( struct x509_certificate *cert ); + +#endif /* _IPXE_CERTSTORE_H */ diff --git a/src/include/ipxe/clientcert.h b/src/include/ipxe/clientcert.h deleted file mode 100644 index 08f62eb73..000000000 --- a/src/include/ipxe/clientcert.h +++ /dev/null @@ -1,43 +0,0 @@ -#ifndef _IPXE_CLIENTCERT_H -#define _IPXE_CLIENTCERT_H - -/** @file - * - * Client certificate store - * - */ - -FILE_LICENCE ( GPL2_OR_LATER ); - -#include <stdint.h> - -/** A client certificate */ -struct client_certificate { - /** Data */ - const void *data; - /** Length */ - size_t len; -}; - -/** A client private key */ -struct client_private_key { - /** Data */ - const void *data; - /** Length */ - size_t len; -}; - -extern struct client_certificate client_certificate; -extern struct client_private_key client_private_key; - -/** - * Check for presence of a client certificate - * - * @ret have_cert We have a client certificate and private key - */ -static inline int have_client_certificate ( void ) { - return ( ( client_certificate.len > 0 ) && - ( client_private_key.len > 0 ) ); -} - -#endif /* _IPXE_CLIENTCERT_H */ diff --git a/src/include/ipxe/cms.h b/src/include/ipxe/cms.h index eadeca4b8..e026ebd2f 100644 --- a/src/include/ipxe/cms.h +++ b/src/include/ipxe/cms.h @@ -70,6 +70,7 @@ cms_put ( struct cms_signature *sig ) { extern int cms_signature ( const void *data, size_t len, struct cms_signature **sig ); extern int cms_verify ( struct cms_signature *sig, userptr_t data, size_t len, - const char *name, time_t time, struct x509_root *root ); + const char *name, time_t time, struct x509_chain *store, + struct x509_root *root ); #endif /* _IPXE_CMS_H */ diff --git a/src/include/ipxe/privkey.h b/src/include/ipxe/privkey.h new file mode 100644 index 000000000..39049ac9f --- /dev/null +++ b/src/include/ipxe/privkey.h @@ -0,0 +1,16 @@ +#ifndef _IPXE_PRIVKEY_H +#define _IPXE_PRIVKEY_H + +/** @file + * + * Private key + * + */ + +FILE_LICENCE ( GPL2_OR_LATER ); + +#include <ipxe/asn1.h> + +extern struct asn1_cursor private_key; + +#endif /* _IPXE_PRIVKEY_H */ diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index f8a754096..586da26ec 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -241,8 +241,8 @@ struct tls_session { struct digest_algorithm *handshake_digest; /** Digest algorithm context used for handshake verification */ uint8_t *handshake_ctx; - /** Public-key algorithm used for Certificate Verify (if sent) */ - struct pubkey_algorithm *verify_pubkey; + /** Client certificate (if used) */ + struct x509_certificate *cert; /** Server certificate chain */ struct x509_chain *chain; diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h index 483153bbe..52302aeab 100644 --- a/src/include/ipxe/x509.h +++ b/src/include/ipxe/x509.h @@ -156,12 +156,29 @@ struct x509_extensions { struct x509_authority_info_access auth_info; }; +/** A link in an X.509 certificate chain */ +struct x509_link { + /** List of links */ + struct list_head list; + /** Certificate */ + struct x509_certificate *cert; +}; + +/** An X.509 certificate chain */ +struct x509_chain { + /** Reference count */ + struct refcnt refcnt; + /** List of links */ + struct list_head links; +}; + /** An X.509 certificate */ struct x509_certificate { /** Reference count */ struct refcnt refcnt; - /** List of certificates in cache */ - struct list_head list; + + /** Link in certificate store */ + struct x509_link store; /** Certificate has been validated */ int valid; @@ -212,22 +229,6 @@ x509_put ( struct x509_certificate *cert ) { ref_put ( &cert->refcnt ); } -/** A link in an X.509 certificate chain */ -struct x509_link { - /** List of links */ - struct list_head list; - /** Certificate */ - struct x509_certificate *cert; -}; - -/** An X.509 certificate chain */ -struct x509_chain { - /** Reference count */ - struct refcnt refcnt; - /** List of links */ - struct list_head links; -}; - /** * Get reference to X.509 certificate chain * @@ -331,7 +332,8 @@ struct x509_root { }; extern const char * x509_name ( struct x509_certificate *cert ); - +extern int x509_parse ( struct x509_certificate *cert, + const struct asn1_cursor *raw ); extern int x509_certificate ( const void *data, size_t len, struct x509_certificate **cert ); extern int x509_validate ( struct x509_certificate *cert, @@ -347,6 +349,7 @@ extern int x509_append_raw ( struct x509_chain *chain, const void *data, extern int x509_auto_append ( struct x509_chain *chain, struct x509_chain *certs ); extern int x509_validate_chain ( struct x509_chain *chain, time_t time, + struct x509_chain *store, struct x509_root *root ); /* Functions exposed only for unit testing */ |