summaryrefslogtreecommitdiffstats
path: root/src/crypto/ocsp.c
Commit message (Collapse)AuthorAgeFilesLines
* [ocsp] Accept response certID with missing hashAlgorithm parametersMichael Brown2019-03-101-12/+30
| | | | | | | | | | | | | | | | | | One of the design goals of ASN.1 DER is to provide a canonical serialization of a data structure, thereby allowing for equality of values to be tested by simply comparing the serialized bytes. Some OCSP servers will modify the request certID to omit the optional (and null) "parameters" portion of the hashAlgorithm. This is arguably legal but breaks the ability to perform a straightforward bitwise comparison on the entire certID field between request and response. Fix by comparing the OID-identified hashAlgorithm separately from the remaining certID fields. Originally-fixed-by: Thilo Fromm <Thilo@kinvolk.io> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise X.509 "valid" field to a "flags" fieldMichael Brown2016-08-251-1/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [ocsp] Avoid including a double path separator in request URIMichael Brown2016-01-211-28/+26Star
| | | | | | | | | | | | | The OCSP responder URI included within an X.509 certificate may or may not include a trailing slash. We currently rely on the fact that format_uri() incorrectly inserts an initial slash, which we include unconditionally within the OCSP request URI. Switch to using uri_encode() directly, and insert a slash only if the X.509 certificate's OCSP responder URI does not already include a trailing slash. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [base64] Add buffer size parameter to base64_encode() and base64_decode()Michael Brown2015-04-241-1/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Fix parsing of OCSP responder ID key hashMichael Brown2014-11-241-3/+8
| | | | | | | | | | | | | | | | | | | | We currently compare the entirety of the KeyHash object (including the ASN.1 tag and length byte) against the raw SHA-1 hash of the certificate's public key. This causes OCSP validation to fail for any responses which identify the responder by key hash rather than by name, and hence prevents the use of X.509 certificates where any certificate in the chain has an OCSP responder which chooses to identify itself via its key hash. Fix by adding the missing asn1_enter() required to enter the ASN.1 octet string containing the key hash. Also add a corresponding test case including an OCSP response where the responder is identified by key hash, to ensure that this functionality cannot be broken in future. Debugged-by: Brian Rak <brak@gameservers.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow signed timestamp error margin to be configured at build timeMichael Brown2014-03-301-2/+3
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Remove dynamically-allocated storage for certificate OCSP URIMichael Brown2014-03-251-7/+10
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Remove dynamically-allocated storage for certificate nameMichael Brown2014-03-251-43/+46
| | | | | | | | | | | | | | iPXE currently allocates a copy the certificate's common name as a string. This string is used by the TLS and CMS code to check certificate names against an expected name, and also appears in debugging messages. Provide a function x509_check_name() to centralise certificate name checking (in preparation for adding subjectAlternativeName support), and a function x509_name() to provide a name to be used in debugging messages, and remove the dynamically allocated string. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [ocsp] Handle OCSP responses that don't provide certificatesAlexander Chernyakhovsky2014-03-251-2/+7
| | | | | | | | | Certificate authorities are not required to send the certificate used to sign the OCSP response if the response is signed by the original issuer. Modified-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [uri] Refactor URI parsing and formattingMichael Brown2014-02-271-31/+31
| | | | | | | | | | | | | | | | | | | | | | | | Add support for parsing of URIs containing literal IPv6 addresses (e.g. "http://[fe80::69ff:fe50:5845%25net0]/boot.ipxe"). Duplicate URIs by directly copying the relevant fields, rather than by formatting and reparsing a URI string. This relaxes the requirements on the URI formatting code and allows it to focus on generating human-readable URIs (e.g. by not escaping ':' characters within literal IPv6 addresses). As a side-effect, this allows relative URIs containing parameter lists (e.g. "../boot.php##params") to function as expected. Add validity check for FTP paths to ensure that only printable characters are accepted (since FTP is a human-readable line-based protocol with no support for character escaping). Construct TFTP next-server+filename URIs directly, rather than parsing a constructed "tftp://..." string, Add self-tests for URI functions. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Accept OCSP responses containing multiple certificatesMichael Brown2013-05-291-13/+132
| | | | | | | | | | | | | | RFC2560 mandates that a valid OCSP response will contain exactly one relevant certificate. However, some OCSP responders include extraneous certificates. iPXE currently assumes that the first certificate in the OCSP response is the relevant certificate; OCSP checks will therefore fail if the responder includes the extraneous certificates before the relevant certificate. Fix by using the responder ID to identify the relevant certificate. Reported-by: Christian Stroehmeier <stroemi@mail.uni-paderborn.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [libc] Use __einfo() tuple as first argument to EUNIQ()Michael Brown2013-04-191-1/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow an error margin on X.509 certificate validity periodsMichael Brown2012-06-201-2/+2
| | | | | | | | | | | | | iPXE has no concept of the local time zone, mainly because there is no viable way to obtain time zone information in the absence of local state. This causes potential problems with newly-issued certificates and certificates that are about to expire. Avoid such problems by allowing an error margin of around 12 hours on certificate validity periods, similar to the error margin already allowed for OCSP response timestamps. Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Construct OCSP check URIMichael Brown2012-05-221-0/+74
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Fix margin of error for OCSP checksMichael Brown2012-05-221-2/+2
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Return a NULL OCSP check if construction failsMichael Brown2012-05-221-0/+1
| | | | Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add framework for OCSPMichael Brown2012-05-151-0/+749
Add support for constructing OCSP queries and parsing OCSP responses. (There is no support yet for actually issuing an OCSP query via an HTTP POST.) Signed-off-by: Michael Brown <mcb30@ipxe.org>