/* * Copyright (C) 2012 Michael Brown . * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301, USA. * * You can also choose to distribute this program under the terms of * the Unmodified Binary Distribution Licence (as given in the file * COPYING.UBDL), provided that you have satisfied its requirements. */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /** @file * * Certificate validator * */ struct validator; /** A certificate validator action */ struct validator_action { /** Name */ const char *name; /** Action to take upon completed transfer */ int ( * done ) ( struct validator *validator, const void *data, size_t len ); }; /** A certificate validator */ struct validator { /** Reference count */ struct refcnt refcnt; /** Job control interface */ struct interface job; /** Data transfer interface */ struct interface xfer; /** Process */ struct process process; /** X.509 certificate chain */ struct x509_chain *chain; /** OCSP check */ struct ocsp_check *ocsp; /** Data buffer */ struct xfer_buffer buffer; /** Current action */ const struct validator_action *action; /** Current certificate * * This will always be present within the certificate chain * and so this pointer does not hold a reference to the * certificate. */ struct x509_certificate *cert; }; /** * Get validator name (for debug messages) * * @v validator Certificate validator * @ret name Validator name */ static const char * validator_name ( struct validator *validator ) { /* Use name of first certificate in chain */ return x509_name ( x509_first ( validator->chain ) ); } /** * Free certificate validator * * @v refcnt Reference count */ static void validator_free ( struct refcnt *refcnt ) { struct validator *validator = container_of ( refcnt, struct validator, refcnt ); DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n", validator, validator_name ( validator ) ); x509_chain_put ( validator->chain ); ocsp_put ( validator->ocsp ); xferbuf_free ( &validator->buffer ); free ( validator ); } /** * Mark certificate validation as finished * * @v validator Certificate validator * @v rc Reason for finishing */ static void validator_finished ( struct validator *validator, int rc ) { /* Remove process */ process_del ( &validator->process ); /* Close all interfaces */ intf_shutdown ( &validator->xfer, rc ); intf_shutdown ( &validator->job, rc ); } /**************************************************************************** * * Job control interface * */ /** * Report job progress * * @v validator Certificate validator * @v progress Progress report to fill in * @ret ongoing_rc Ongoing job status code (if known) */ static int validator_progress ( struct validator *validator, struct job_progress *progress ) { /* Report current action, if applicable */ if ( validator->action ) { snprintf ( progress->message, sizeof ( progress->message ), "%s %s", validator->action->name, x509_name ( validator->cert ) ); } return 0; } /** Certificate validator job control interface operations */ static struct interface_operation validator_job_operations[] = { INTF_OP ( job_progress, struct validator *, validator_progress ), INTF_OP ( intf_close, struct validator *, validator_finished ), }; /** Certificate validator job control interface descriptor */ static struct interface_descriptor validator_job_desc = INTF_DESC ( struct validator, job, validator_job_operations ); /**************************************************************************** * * Cross-signing certificates * */ /** Cross-signed certificate source setting */ const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={ .name = "crosscert", .description = "Cross-signed certificate source", .tag = DHCP_EB_CROSS_CERT, .type = &setting_type_string, }; /** Default cross-signed certificate source */ static const char crosscert_default[] = CROSSCERT; /** * Append cross-signing certificates to certificate chain * * @v validator Certificate validator * @v data Raw cross-signing certificate data * @v len Length of raw data * @ret rc Return status code */ static int validator_append ( struct validator *validator, const void *data, size_t len ) { struct asn1_cursor cursor; struct x509_chain *certs; struct x509_certificate *cert; struct x509_certificate *last; int rc; /* Allocate certificate list */ certs = x509_alloc_chain(); if ( ! certs ) { rc = -ENOMEM; goto err_alloc_certs; } /* Initialise cursor */ cursor.data = data; cursor.len = len; /* Enter certificateSet */ if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not enter " "certificateSet: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); goto err_certificateset; } /* Add each certificate to list */ while ( cursor.len ) { /* Add certificate to chain */ if ( ( rc = x509_append_raw ( certs, cursor.data, cursor.len ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not " "append certificate: %s\n", validator, validator_name ( validator ), strerror ( rc) ); DBGC_HDA ( validator, 0, cursor.data, cursor.len ); return rc; } cert = x509_last ( certs ); DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ", validator, validator_name ( validator ) ); DBGC ( validator, "%s\n", x509_name ( cert ) ); /* Move to next certificate */ asn1_skip_any ( &cursor ); } /* Append certificates to chain */ last = x509_last ( validator->chain ); if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not append " "certificates: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); goto err_auto_append; } /* Check that at least one certificate has been added */ if ( last == x509_last ( validator->chain ) ) { DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any " "applicable certificates\n", validator, validator_name ( validator ) ); rc = -EACCES; goto err_no_progress; } /* Drop reference to certificate list */ x509_chain_put ( certs ); return 0; err_no_progress: err_auto_append: err_certificateset: x509_chain_put ( certs ); err_alloc_certs: return rc; } /** Cross-signing certificate download validator action */ static const struct validator_action validator_crosscert = { .name = "XCRT", .done = validator_append, }; /** * Start download of cross-signing certificate * * @v validator Certificate validator * @v cert X.509 certificate * @ret rc Return status code */ static int validator_start_download ( struct validator *validator, struct x509_certificate *cert ) { const struct asn1_cursor *issuer = &cert->issuer.raw; const char *crosscert; char *crosscert_copy; char *uri_string; size_t uri_string_len; uint32_t crc; int len; int rc; /* Determine cross-signed certificate source */ fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy ); crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default ); if ( ! crosscert[0] ) { rc = -EINVAL; goto err_check_uri_string; } /* Allocate URI string */ uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */ + base64_encoded_len ( issuer->len ) + 1 /* NUL */ ); uri_string = zalloc ( uri_string_len ); if ( ! uri_string ) { rc = -ENOMEM; goto err_alloc_uri_string; } /* Generate CRC32 */ crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len ); /* Generate URI string */ len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=", crosscert, crc ); base64_encode ( issuer->data, issuer->len, ( uri_string + len ), ( uri_string_len - len ) ); DBGC ( validator, "VALIDATOR %p \"%s\" downloading ", validator, validator_name ( validator ) ); DBGC ( validator, "\"%s\" cross-signature from %s\n", x509_name ( cert ), uri_string ); /* Set completion handler */ validator->action = &validator_crosscert; validator->cert = cert; /* Open URI */ if ( ( rc = xfer_open_uri_string ( &validator->xfer, uri_string ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: " "%s\n", validator, validator_name ( validator ), uri_string, strerror ( rc ) ); goto err_open_uri_string; } /* Success */ rc = 0; err_open_uri_string: free ( uri_string ); err_alloc_uri_string: err_check_uri_string: free ( crosscert_copy ); return rc; } /**************************************************************************** * * OCSP checks * */ /** * Validate OCSP response * * @v validator Certificate validator * @v data Raw OCSP response * @v len Length of raw data * @ret rc Return status code */ static int validator_ocsp_validate ( struct validator *validator, const void *data, size_t len ) { time_t now; int rc; /* Record OCSP response */ if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP " "response: %s\n", validator, validator_name ( validator ),strerror ( rc ) ); return rc; } /* Validate OCSP response */ now = time ( NULL ); if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not validate " "OCSP response: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); return rc; } /* Drop reference to OCSP check */ ocsp_put ( validator->ocsp ); validator->ocsp = NULL; return 0; } /** OCSP validator action */ static const struct validator_action validator_ocsp = { .name = "OCSP", .done = validator_ocsp_validate, }; /** * Start OCSP check * * @v validator Certificate validator * @v cert Certificate to check * @v issuer Issuing certificate * @ret rc Return status code */ static int validator_start_ocsp ( struct validator *validator, struct x509_certificate *cert, struct x509_certificate *issuer ) { const char *uri_string; int rc; /* Create OCSP check */ assert ( validator->ocsp == NULL ); if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP " "check: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); return rc; } /* Set completion handler */ validator->action = &validator_ocsp; validator->cert = cert; /* Open URI */ uri_string = validator->ocsp->uri_string; DBGC ( validator, "VALIDATOR %p \"%s\" checking ", validator, validator_name ( validator ) ); DBGC ( validator, "\"%s\" via %s\n", x509_name ( cert ), uri_string ); if ( ( rc = xfer_open_uri_string ( &validator->xfer, uri_string ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: " "%s\n", validator, validator_name ( validator ), uri_string, strerror ( rc ) ); return rc; } return 0; } /**************************************************************************** * * Data transfer interface * */ /** * Close data transfer interface * * @v validator Certificate validator * @v rc Reason for close */ static void validator_xfer_close ( struct validator *validator, int rc ) { /* Close data transfer interface */ intf_restart ( &validator->xfer, rc ); /* Check for errors */ if ( rc != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); goto err_transfer; } DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n", validator, validator_name ( validator ) ); /* Process completed download */ assert ( validator->action != NULL ); if ( ( rc = validator->action->done ( validator, validator->buffer.data, validator->buffer.len ) ) != 0 ) goto err_append; /* Free downloaded data */ xferbuf_free ( &validator->buffer ); /* Resume validation process */ process_add ( &validator->process ); return; err_append: err_transfer: validator_finished ( validator, rc ); } /** * Receive data * * @v validator Certificate validator * @v iobuf I/O buffer * @v meta Data transfer metadata * @ret rc Return status code */ static int validator_xfer_deliver ( struct validator *validator, struct io_buffer *iobuf, struct xfer_metadata *meta ) { int rc; /* Add data to buffer */ if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ), meta ) ) != 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" could not receive " "data: %s\n", validator, validator_name ( validator ), strerror ( rc ) ); validator_finished ( validator, rc ); return rc; } return 0; } /** Certificate validator data transfer interface operations */ static struct interface_operation validator_xfer_operations[] = { INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ), INTF_OP ( intf_close, struct validator *, validator_xfer_close ), }; /** Certificate validator data transfer interface descriptor */ static struct interface_descriptor validator_xfer_desc = INTF_DESC ( struct validator, xfer, validator_xfer_operations ); /**************************************************************************** * * Validation process * */ /** * Certificate validation process * * @v validator Certificate validator */ static void validator_step ( struct validator *validator ) { struct x509_link *link; struct x509_certificate *cert; struct x509_certificate *issuer = NULL; struct x509_certificate *last; time_t now; int rc; /* Try validating chain. Try even if the chain is incomplete, * since certificates may already have been validated * previously. */ now = time ( NULL ); if ( ( rc = x509_validate_chain ( validator->chain, now, NULL, NULL ) ) == 0 ) { DBGC ( validator, "VALIDATOR %p \"%s\" validated\n", validator, validator_name ( validator ) ); validator_finished ( validator, 0 ); return; } /* If there is a certificate that could be validated using * OCSP, try it. */ list_for_each_entry ( link, &validator->chain->links, list ) { cert = issuer; issuer = link->cert; if ( ! cert ) continue; if ( ! x509_is_valid ( issuer ) ) continue; /* The issuer is valid, but this certificate is not * yet valid. If OCSP is applicable, start it. */ if ( ocsp_required ( cert ) ) { /* Start OCSP */ if ( ( rc = validator_start_ocsp ( validator, cert, issuer ) ) != 0 ) { validator_finished ( validator, rc ); return; } return; } /* Otherwise, this is a permanent failure */ validator_finished ( validator, rc ); return; } /* If chain ends with a self-issued certificate, then there is * nothing more to do. */ last = x509_last ( validator->chain ); if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) { validator_finished ( validator, rc ); return; } /* Otherwise, try to download a suitable cross-signing * certificate. */ if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) { validator_finished ( validator, rc ); return; } } /** Certificate validator process descriptor */ static struct process_descriptor validator_process_desc = PROC_DESC_ONCE ( struct validator, process, validator_step ); /**************************************************************************** * * Instantiator * */ /** * Instantiate a certificate validator * * @v job Job control interface * @v chain X.509 certificate chain * @ret rc Return status code */ int create_validator ( struct interface *job, struct x509_chain *chain ) { struct validator *validator; int rc; /* Sanity check */ if ( ! chain ) { rc = -EINVAL; goto err_sanity; } /* Allocate and initialise structure */ validator = zalloc ( sizeof ( *validator ) ); if ( ! validator ) { rc = -ENOMEM; goto err_alloc; } ref_init ( &validator->refcnt, validator_free ); intf_init ( &validator->job, &validator_job_desc, &validator->refcnt ); intf_init ( &validator->xfer, &validator_xfer_desc, &validator->refcnt ); process_init ( &validator->process, &validator_process_desc, &validator->refcnt ); validator->chain = x509_chain_get ( chain ); xferbuf_malloc_init ( &validator->buffer ); /* Attach parent interface, mortalise self, and return */ intf_plug_plug ( &validator->job, job ); ref_put ( &validator->refcnt ); DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n", validator, validator_name ( validator ), validator->chain ); return 0; validator_finished ( validator, rc ); ref_put ( &validator->refcnt ); err_alloc: err_sanity: return rc; }