Diffstat (limited to 'src/include/ipxe')
-rw-r--r--src/include/ipxe/certstore.h3
-rw-r--r--src/include/ipxe/privkey.h55
-rw-r--r--src/include/ipxe/tls.h7
3 files changed, 62 insertions, 3 deletions
diff --git a/src/include/ipxe/certstore.h b/src/include/ipxe/certstore.h
index e4c789cfd..ce96666cf 100644
--- a/src/include/ipxe/certstore.h
+++ b/src/include/ipxe/certstore.h
@@ -11,11 +11,12 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
+#include <ipxe/privkey.h>
extern struct x509_chain certstore;
extern struct x509_certificate * certstore_find ( struct asn1_cursor *raw );
-extern struct x509_certificate * certstore_find_key ( struct asn1_cursor *key );
+extern struct x509_certificate * certstore_find_key ( struct private_key *key );
extern void certstore_add ( struct x509_certificate *cert );
extern void certstore_del ( struct x509_certificate *cert );
diff --git a/src/include/ipxe/privkey.h b/src/include/ipxe/privkey.h
index 81108b6bf..a65cf6106 100644
--- a/src/include/ipxe/privkey.h
+++ b/src/include/ipxe/privkey.h
@@ -10,7 +10,60 @@
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/asn1.h>
+#include <ipxe/refcnt.h>
-extern struct asn1_cursor private_key;
+/** A private key */
+struct private_key {
+ /** Reference counter */
+ struct refcnt refcnt;
+ /** ASN.1 object builder */
+ struct asn1_builder builder;
+};
+
+/**
+ * Get reference to private key
+ *
+ * @v key Private key
+ * @ret key Private key
+ */
+static inline __attribute__ (( always_inline )) struct private_key *
+privkey_get ( struct private_key *key ) {
+ ref_get ( &key->refcnt );
+ return key;
+}
+
+/**
+ * Drop reference to private key
+ *
+ * @v key Private key
+ */
+static inline __attribute__ (( always_inline )) void
+privkey_put ( struct private_key *key ) {
+ ref_put ( &key->refcnt );
+}
+
+/**
+ * Get private key ASN.1 cursor
+ *
+ * @v key Private key
+ * @ret cursor ASN.1 cursor
+ */
+static inline __attribute__ (( always_inline )) struct asn1_cursor *
+privkey_cursor ( struct private_key *key ) {
+ return asn1_built ( &key->builder );
+}
+
+extern void privkey_free ( struct refcnt *refcnt );
+
+/**
+ * Initialise empty private key
+ *
+ */
+static inline __attribute__ (( always_inline )) void
+privkey_init ( struct private_key *key ) {
+ ref_init ( &key->refcnt, privkey_free );
+}
+
+extern struct private_key private_key;
#endif /* _IPXE_PRIVKEY_H */
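Review bot: The doc comment on `privkey_init` (the last helper before `#endif`) has an empty parameter section while the other inline helpers in this hunk document their argument; add `@v key Private key` there. Note also that `privkey_init` initialises only `refcnt` and leaves `key->builder` untouched, so `privkey_cursor` on a key whose storage was not zeroed first hands back whatever `asn1_built` sees in the stale builder — if callers are expected to pass zeroed storage (as a static `struct private_key` would be), state that in the same comment, e.g. `Caller must provide zeroed storage; builder is not initialised here`. `privkey_free` is only declared in this hunk; since the builder holds key material, its definition elsewhere should be checked for whether the buffer is cleared before it is released.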
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 8345c9a26..8b03579cc 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -18,6 +18,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/sha1.h>
#include <ipxe/sha256.h>
#include <ipxe/x509.h>
+#include <ipxe/privkey.h>
#include <ipxe/pending.h>
#include <ipxe/iobuf.h>
#include <ipxe/tables.h>
@@ -257,6 +258,8 @@ struct tls_session {
const char *name;
/** Root of trust */
struct x509_root *root;
+ /** Private key */
+ struct private_key *key;
/** Session ID */
uint8_t id[32];
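Review bot: The `/** Private key */` comment on the new `key` member of `struct tls_session` does not say whether the session holds its own reference to the key; privkey.h, included by this commit, provides `privkey_get`/`privkey_put`, so a reader needs to know whether this pointer is counted and released on teardown. Suggest `/** Private key (reference held via privkey_get(), dropped when the session is freed) */` if that is the case, or `/** Private key (borrowed, not reference counted) */` otherwise, whichever matches the implementation. The same applies to the identical member added to `struct tls_connection` in the next hunk. Both struct definitions start and end outside their hunks.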
@@ -322,6 +325,8 @@ struct tls_connection {
struct digest_algorithm *handshake_digest;
/** Digest algorithm context used for handshake verification */
uint8_t *handshake_ctx;
+ /** Private key */
+ struct private_key *key;
/** Client certificate chain (if used) */
struct x509_chain *certs;
/** Secure renegotiation flag */
@@ -384,6 +389,6 @@ struct tls_connection {
#define TLS_RX_ALIGN 16
extern int add_tls ( struct interface *xfer, const char *name,
- struct x509_root *root );
+ struct x509_root *root, struct private_key *key );
#endif /* _IPXE_TLS_H */
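Review bot: The new `key` parameter of `add_tls` has no documented contract in this header: whether NULL is accepted (presumably falling back to the global `private_key` declared in privkey.h, though that is not visible here) and whether the callee takes its own reference, which decides whether the caller may drop its reference after the call. A short comment above the prototype, e.g. `/* key: private key to present; NULL semantics and reference ownership: see add_tls() */`, filled in to match the definition, would pin this for callers. Only the prototype is in this hunk; the definition of add_tls is elsewhere.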