summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/crypto/ocsp.c2
-rw-r--r--src/crypto/x509.c8
-rw-r--r--src/include/ipxe/x509.h21
-rw-r--r--src/net/validator.c2
-rw-r--r--src/tests/ocsp_test.c2
5 files changed, 25 insertions, 10 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index e7adcdba..b83f4c03 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert,
/* Sanity checks */
assert ( cert != NULL );
assert ( issuer != NULL );
- assert ( issuer->valid );
+ assert ( x509_is_valid ( issuer ) );
/* Allocate and initialise check */
*ocsp = zalloc ( sizeof ( **ocsp ) );
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 28267191..4d951509 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert,
root = &root_certificates;
/* Return success if certificate has already been validated */
- if ( cert->valid )
+ if ( x509_is_valid ( cert ) )
return 0;
/* Fail if certificate is invalid at specified time */
@@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert,
/* Succeed if certificate is a trusted root certificate */
if ( x509_check_root ( cert, root ) == 0 ) {
- cert->valid = 1;
+ cert->flags |= X509_FL_VALIDATED;
cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
return 0;
}
@@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert,
}
/* Fail unless issuer has already been validated */
- if ( ! issuer->valid ) {
+ if ( ! x509_is_valid ( issuer ) ) {
DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
issuer, x509_name ( issuer ) );
@@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert,
cert->path_remaining = max_path_remaining;
/* Mark certificate as valid */
- cert->valid = 1;
+ cert->flags |= X509_FL_VALIDATED;
DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
cert, x509_name ( cert ) );
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 80c2e3c6..58f91c01 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -189,8 +189,8 @@ struct x509_certificate {
/** Link in certificate store */
struct x509_link store;
- /** Certificate has been validated */
- int valid;
+ /** Flags */
+ unsigned int flags;
/** Maximum number of subsequent certificates in chain */
unsigned int path_remaining;
@@ -216,6 +216,12 @@ struct x509_certificate {
struct x509_extensions extensions;
};
+/** X.509 certificate flags */
+enum x509_flags {
+ /** Certificate has been validated */
+ X509_FL_VALIDATED = 0x0001,
+};
+
/**
* Get reference to X.509 certificate
*
@@ -374,12 +380,21 @@ extern int x509_check_root ( struct x509_certificate *cert,
extern int x509_check_time ( struct x509_certificate *cert, time_t time );
/**
+ * Check if X.509 certificate is valid
+ *
+ * @v cert X.509 certificate
+ */
+static inline int x509_is_valid ( struct x509_certificate *cert ) {
+ return ( cert->flags & X509_FL_VALIDATED );
+}
+
+/**
* Invalidate X.509 certificate
*
* @v cert X.509 certificate
*/
static inline void x509_invalidate ( struct x509_certificate *cert ) {
- cert->valid = 0;
+ cert->flags &= ~X509_FL_VALIDATED;
cert->path_remaining = 0;
}
diff --git a/src/net/validator.c b/src/net/validator.c
index 57ad0e7b..52845b6e 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) {
issuer = link->cert;
if ( ! cert )
continue;
- if ( ! issuer->valid )
+ if ( ! x509_is_valid ( issuer ) )
continue;
/* The issuer is valid, but this certificate is not
* yet valid. If OCSP is applicable, start it.
diff --git a/src/tests/ocsp_test.c b/src/tests/ocsp_test.c
index c6d45859..a3349346 100644
--- a/src/tests/ocsp_test.c
+++ b/src/tests/ocsp_test.c
@@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
x509_invalidate ( cert );
/* Force-validate issuer certificate */
- issuer->valid = 1;
+ issuer->flags |= X509_FL_VALIDATED;
issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
}