diff options
| author | Michael Brown | 2016-08-25 16:41:57 +0200 |
|---|---|---|
| committer | Michael Brown | 2016-08-25 16:41:57 +0200 |
| commit | ff28b22568ebc2cb885beae5d0c95ddcf94dca8a (patch) | |
| tree | 56b4698a7e833c37b4ba2bf1feb1dbb9824bd8a0 /src | |
| parent | [crypto] Add image_x509() to extract X.509 certificates from image (diff) | |
| download | ipxe-ff28b22568ebc2cb885beae5d0c95ddcf94dca8a.tar.gz ipxe-ff28b22568ebc2cb885beae5d0c95ddcf94dca8a.tar.xz ipxe-ff28b22568ebc2cb885beae5d0c95ddcf94dca8a.zip | |
[crypto] Generalise X.509 "valid" field to a "flags" field
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/crypto/ocsp.c | 2 | ||||
| -rw-r--r-- | src/crypto/x509.c | 8 | ||||
| -rw-r--r-- | src/include/ipxe/x509.h | 21 | ||||
| -rw-r--r-- | src/net/validator.c | 2 | ||||
| -rw-r--r-- | src/tests/ocsp_test.c | 2 |
5 files changed, 25 insertions, 10 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index e7adcdba..b83f4c03 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert, /* Sanity checks */ assert ( cert != NULL ); assert ( issuer != NULL ); - assert ( issuer->valid ); + assert ( x509_is_valid ( issuer ) ); /* Allocate and initialise check */ *ocsp = zalloc ( sizeof ( **ocsp ) ); diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 28267191..4d951509 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert, root = &root_certificates; /* Return success if certificate has already been validated */ - if ( cert->valid ) + if ( x509_is_valid ( cert ) ) return 0; /* Fail if certificate is invalid at specified time */ @@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert, /* Succeed if certificate is a trusted root certificate */ if ( x509_check_root ( cert, root ) == 0 ) { - cert->valid = 1; + cert->flags |= X509_FL_VALIDATED; cert->path_remaining = ( cert->extensions.basic.path_len + 1 ); return 0; } @@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert, } /* Fail unless issuer has already been validated */ - if ( ! issuer->valid ) { + if ( ! x509_is_valid ( issuer ) ) { DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) ); DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n", issuer, x509_name ( issuer ) ); @@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert, cert->path_remaining = max_path_remaining; /* Mark certificate as valid */ - cert->valid = 1; + cert->flags |= X509_FL_VALIDATED; DBGC ( cert, "X509 %p \"%s\" successfully validated using ", cert, x509_name ( cert ) ); diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h index 80c2e3c6..58f91c01 100644 --- a/src/include/ipxe/x509.h +++ b/src/include/ipxe/x509.h @@ -189,8 +189,8 @@ struct x509_certificate { /** Link in certificate store */ struct x509_link store; - /** Certificate has been validated */ - int valid; + /** Flags */ + unsigned int flags; /** Maximum number of subsequent certificates in chain */ unsigned int path_remaining; @@ -216,6 +216,12 @@ struct x509_certificate { struct x509_extensions extensions; }; +/** X.509 certificate flags */ +enum x509_flags { + /** Certificate has been validated */ + X509_FL_VALIDATED = 0x0001, +}; + /** * Get reference to X.509 certificate * @@ -374,12 +380,21 @@ extern int x509_check_root ( struct x509_certificate *cert, extern int x509_check_time ( struct x509_certificate *cert, time_t time ); /** + * Check if X.509 certificate is valid + * + * @v cert X.509 certificate + */ +static inline int x509_is_valid ( struct x509_certificate *cert ) { + return ( cert->flags & X509_FL_VALIDATED ); +} + +/** * Invalidate X.509 certificate * * @v cert X.509 certificate */ static inline void x509_invalidate ( struct x509_certificate *cert ) { - cert->valid = 0; + cert->flags &= ~X509_FL_VALIDATED; cert->path_remaining = 0; } diff --git a/src/net/validator.c b/src/net/validator.c index 57ad0e7b..52845b6e 100644 --- a/src/net/validator.c +++ b/src/net/validator.c @@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) { issuer = link->cert; if ( ! cert ) continue; - if ( ! issuer->valid ) + if ( ! x509_is_valid ( issuer ) ) continue; /* The issuer is valid, but this certificate is not * yet valid. If OCSP is applicable, start it. diff --git a/src/tests/ocsp_test.c b/src/tests/ocsp_test.c index c6d45859..a3349346 100644 --- a/src/tests/ocsp_test.c +++ b/src/tests/ocsp_test.c @@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) { x509_invalidate ( cert ); /* Force-validate issuer certificate */ - issuer->valid = 1; + issuer->flags |= X509_FL_VALIDATED; issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 ); } |