-rw-r--r--src/crypto/certstore.c8
-rw-r--r--src/crypto/x509.c71
-rw-r--r--src/include/ipxe/x509.h14
-rw-r--r--src/net/tls.c2
4 files changed, 55 insertions, 40 deletions
diff --git a/src/crypto/certstore.c b/src/crypto/certstore.c
index f8ddbd3d7..31797c4cd 100644
--- a/src/crypto/certstore.c
+++ b/src/crypto/certstore.c
@@ -72,16 +72,16 @@ static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
/**
* Mark stored certificate as most recently used
*
- * @v certs X.509 certificate list
+ * @v store Certificate store
* @v cert X.509 certificate
*/
-static void certstore_found ( struct x509_chain *certs,
+static void certstore_found ( struct x509_chain *store,
struct x509_certificate *cert ) {
/* Mark as most recently used */
list_del ( &cert->store.list );
- list_add ( &cert->store.list, &certs->links );
- DBGC2 ( certs, "CERTSTORE found certificate %s\n",
+ list_add ( &cert->store.list, &store->links );
+ DBGC2 ( store, "CERTSTORE found certificate %s\n",
x509_name ( cert ) );
}
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 341b91449..acb85620f 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1079,7 +1079,7 @@ int x509_certificate ( const void *data, size_t len,
asn1_shrink_any ( &cursor );
/* Return stored certificate, if present */
- if ( ( *cert = x509_find ( &certstore, &cursor ) ) != NULL ) {
+ if ( ( *cert = x509_find ( NULL, &cursor ) ) != NULL ) {
/* Add caller's reference */
x509_get ( *cert );
@@ -1714,16 +1714,19 @@ void x509_truncate ( struct x509_chain *chain, struct x509_link *link ) {
/**
* Mark X.509 certificate as found
*
- * @v certs X.509 certificate list
+ * @v store Certificate store
* @v cert X.509 certificate
* @ret cert X.509 certificate
*/
-static struct x509_certificate * x509_found ( struct x509_chain *certs,
+static struct x509_certificate * x509_found ( struct x509_chain *store,
struct x509_certificate *cert ) {
+ /* Sanity check */
+ assert ( store != NULL );
+
/* Mark as found, if applicable */
- if ( certs->found )
- certs->found ( certs, cert );
+ if ( store->found )
+ store->found ( store, cert );
return cert;
}
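Review bot: The added `assert ( store != NULL )` records the precondition but, in builds where assertions are compiled out, does not enforce it, so the `if ( ! store ) store = &certstore;` substitution in the four x509_find* callers is the only guard before `store->found` is dereferenced. Any future direct caller that forwards a caller-supplied NULL would crash here rather than fall back to the default store. Worth stating on the doc comment so the contract is visible at the declaration: `* @v store Certificate store (must not be NULL; callers substitute the default)`.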
@@ -1731,22 +1734,26 @@ static struct x509_certificate * x509_found ( struct x509_chain *certs,
/**
* Identify X.509 certificate by raw certificate data
*
- * @v certs X.509 certificate list
+ * @v store Certificate store, or NULL to use default
* @v raw Raw certificate data
* @ret cert X.509 certificate, or NULL if not found
*/
-struct x509_certificate * x509_find ( struct x509_chain *certs,
+struct x509_certificate * x509_find ( struct x509_chain *store,
const struct asn1_cursor *raw ) {
struct x509_link *link;
struct x509_certificate *cert;
+ /* Use default certificate store if none specified */
+ if ( ! store )
+ store = &certstore;
+
/* Search for certificate within store */
- list_for_each_entry ( link, &certs->links, list ) {
+ list_for_each_entry ( link, &store->links, list ) {
/* Check raw certificate data */
cert = link->cert;
if ( asn1_compare ( raw, &cert->raw ) == 0 )
- return x509_found ( certs, cert );
+ return x509_found ( store, cert );
}
return NULL;
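Review bot: The three-line default-store preamble added at the top of x509_find is repeated verbatim in x509_find_subject, x509_find_issuer_serial and x509_find_key (the three following hunks), so the NULL-handling convention now lives in four places that can drift independently. A single file-scope helper would keep the lookups consistent, e.g. `static struct x509_chain * x509_default_store ( struct x509_chain *store ) { return ( store ? store : &certstore ); }` with `store = x509_default_store ( store );` at each site (helper name constructed for illustration). The closing brace of x509_find lies outside the hunk.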
@@ -1755,23 +1762,27 @@ struct x509_certificate * x509_find ( struct x509_chain *certs,
/**
* Identify X.509 certificate by subject
*
- * @v certs X.509 certificate list
+ * @v store Certificate store, or NULL to use default
* @v subject Subject
* @ret cert X.509 certificate, or NULL if not found
*/
struct x509_certificate *
-x509_find_subject ( struct x509_chain *certs,
+x509_find_subject ( struct x509_chain *store,
const struct asn1_cursor *subject ) {
struct x509_link *link;
struct x509_certificate *cert;
+ /* Use default certificate store if none specified */
+ if ( ! store )
+ store = &certstore;
+
/* Scan through certificate list */
- list_for_each_entry ( link, &certs->links, list ) {
+ list_for_each_entry ( link, &store->links, list ) {
/* Check subject */
cert = link->cert;
if ( asn1_compare ( subject, &cert->subject.raw ) == 0 )
- return x509_found ( certs, cert );
+ return x509_found ( store, cert );
}
return NULL;
@@ -1780,26 +1791,30 @@ x509_find_subject ( struct x509_chain *certs,
/**
* Identify X.509 certificate by issuer and serial number
*
- * @v certs X.509 certificate list
+ * @v store Certificate store, or NULL to use default
* @v issuer Issuer
* @v serial Serial number
* @ret cert X.509 certificate, or NULL if not found
*/
struct x509_certificate *
-x509_find_issuer_serial ( struct x509_chain *certs,
+x509_find_issuer_serial ( struct x509_chain *store,
const struct asn1_cursor *issuer,
const struct asn1_cursor *serial ) {
struct x509_link *link;
struct x509_certificate *cert;
+ /* Use default certificate store if none specified */
+ if ( ! store )
+ store = &certstore;
+
/* Scan through certificate list */
- list_for_each_entry ( link, &certs->links, list ) {
+ list_for_each_entry ( link, &store->links, list ) {
/* Check issuer and serial number */
cert = link->cert;
if ( ( asn1_compare ( issuer, &cert->issuer.raw ) == 0 ) &&
( asn1_compare ( serial, &cert->serial.raw ) == 0 ) )
- return x509_found ( certs, cert );
+ return x509_found ( store, cert );
}
return NULL;
@@ -1808,17 +1823,21 @@ x509_find_issuer_serial ( struct x509_chain *certs,
/**
* Identify X.509 certificate by corresponding public key
*
- * @v certs X.509 certificate list
+ * @v store Certificate store, or NULL to use default
* @v key Private key
* @ret cert X.509 certificate, or NULL if not found
*/
-struct x509_certificate * x509_find_key ( struct x509_chain *certs,
+struct x509_certificate * x509_find_key ( struct x509_chain *store,
struct private_key *key ) {
struct x509_link *link;
struct x509_certificate *cert;
+ /* Use default certificate store if none specified */
+ if ( ! store )
+ store = &certstore;
+
/* Scan through certificate list */
- list_for_each_entry ( link, &certs->links, list ) {
+ list_for_each_entry ( link, &store->links, list ) {
/* Check public key */
cert = link->cert;
@@ -1826,7 +1845,7 @@ struct x509_certificate * x509_find_key ( struct x509_chain *certs,
key->builder.data, key->builder.len,
cert->subject.public_key.raw.data,
cert->subject.public_key.raw.len ) == 0 )
- return x509_found ( certs, cert );
+ return x509_found ( store, cert );
}
return NULL;
@@ -1836,13 +1855,13 @@ struct x509_certificate * x509_find_key ( struct x509_chain *certs,
* Append X.509 certificates to X.509 certificate chain
*
* @v chain X.509 certificate chain
- * @v certs X.509 certificate list
+ * @v store Certificate store, or NULL to use default
* @ret rc Return status code
*
* Certificates will be automatically appended to the chain based upon
* the subject and issuer names.
*/
-int x509_auto_append ( struct x509_chain *chain, struct x509_chain *certs ) {
+int x509_auto_append ( struct x509_chain *chain, struct x509_chain *store ) {
struct x509_certificate *cert;
struct x509_certificate *previous;
int rc;
@@ -1859,7 +1878,7 @@ int x509_auto_append ( struct x509_chain *chain, struct x509_chain *certs ) {
/* Find issuing certificate */
previous = cert;
- cert = x509_find_subject ( certs, &cert->issuer.raw );
+ cert = x509_find_subject ( store, &cert->issuer.raw );
if ( ! cert )
break;
if ( cert == previous )
@@ -1888,10 +1907,6 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
struct x509_link *link;
int rc;
- /* Use default certificate store if none specified */
- if ( ! store )
- store = &certstore;
-
/* Append any applicable certificates from the certificate store */
if ( ( rc = x509_auto_append ( chain, store ) ) != 0 )
return rc;
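Review bot: Dropping the default substitution here means `store` may remain NULL for the rest of x509_validate_chain, whose body continues outside the hunk; that is safe only if x509_auto_append (which merely forwards `store` to x509_find_subject, where the default is applied) is the sole consumer of `store` in this function. If any later statement dereferences `store` directly, the removed lines would need to be reinstated. If the function's doc comment (outside the hunk) does not already say so, it should now carry the same wording as the lookup functions: `* @v store Certificate store, or NULL to use default`.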
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 612743a77..e71cee8a3 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -204,10 +204,10 @@ struct x509_chain {
struct list_head links;
/** Mark certificate as found
*
- * @v certs X.509 certificate list
+ * @v store Certificate store
* @v cert X.509 certificate
*/
- void ( * found ) ( struct x509_chain *certs,
+ void ( * found ) ( struct x509_chain *store,
struct x509_certificate *cert );
};
@@ -432,19 +432,19 @@ extern int x509_append ( struct x509_chain *chain,
extern int x509_append_raw ( struct x509_chain *chain, const void *data,
size_t len );
extern void x509_truncate ( struct x509_chain *chain, struct x509_link *link );
-extern struct x509_certificate * x509_find ( struct x509_chain *certs,
+extern struct x509_certificate * x509_find ( struct x509_chain *store,
const struct asn1_cursor *raw );
extern struct x509_certificate *
-x509_find_subject ( struct x509_chain *certs,
+x509_find_subject ( struct x509_chain *store,
const struct asn1_cursor *subject );
extern struct x509_certificate *
-x509_find_issuer_serial ( struct x509_chain *certs,
+x509_find_issuer_serial ( struct x509_chain *store,
const struct asn1_cursor *issuer,
const struct asn1_cursor *serial );
-extern struct x509_certificate * x509_find_key ( struct x509_chain *certs,
+extern struct x509_certificate * x509_find_key ( struct x509_chain *store,
struct private_key *key );
extern int x509_auto_append ( struct x509_chain *chain,
- struct x509_chain *certs );
+ struct x509_chain *store );
extern int x509_validate_chain ( struct x509_chain *chain, time_t time,
struct x509_chain *store,
struct x509_root *root );
diff --git a/src/net/tls.c b/src/net/tls.c
index 98414e2b1..c08057103 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2467,7 +2467,7 @@ static int tls_new_certificate_request ( struct tls_connection *tls,
tls->certs = NULL;
/* Determine client certificate to be sent */
- cert = x509_find_key ( &certstore, tls->key );
+ cert = x509_find_key ( NULL, tls->key );
if ( ! cert ) {
DBGC ( tls, "TLS %p could not find certificate corresponding "
"to private key\n", tls );