path: root/src/include/ipxe/asn1.h
Commit message | Author | Age | Files | Lines
* [crypto] Add definitions and tests for the NIST P-384 elliptic curve | Michael Brown | 2025-01-30 | 1 | -0/+5
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add definitions and tests for the NIST P-256 elliptic curve | Michael Brown | 2025-01-28 | 1 | -0/+6
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Support decryption of images via CMS envelopes | Michael Brown | 2024-08-29 | 1 | -0/+13
  Add support for decrypting images containing detached encrypted data using a cipher key obtained from a separate CMS envelope image (in DER or PEM format).
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow for extraction of ASN.1 algorithm parameters | Michael Brown | 2024-08-28 | 1 | -2/+17
  Some ASN.1 OID-identified algorithms require additional parameters, such as an initialisation vector for a block cipher. The structure of the parameters is defined by the individual algorithm.
  Extend asn1_algorithm() to allow these additional parameters to be returned via a separate ASN.1 cursor.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise cms_signature to cms_message | Michael Brown | 2024-08-14 | 1 | -1/+1
  There is some exploitable similarity between the data structures used for representing CMS signatures and CMS encryption keys. In both cases, the CMS message fundamentally encodes a list of participants (either message signers or message recipients), where each participant has an associated certificate and an opaque octet string representing the signature or encrypted cipher key. The ASN.1 structures are not identical, but are sufficiently similar to be worth exploiting: for example, the SignerIdentifier and RecipientIdentifier data structures are defined identically.
  Rename data structures and functions, and add the concept of a CMS message type.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add OID-identified algorithms for AES ciphers | Michael Brown | 2024-08-14 | 1 | -0/+46
  Extend the definition of an ASN.1 OID-identified algorithm to include a potential cipher suite, and add identifiers for AES-CBC and AES-GCM.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Extend asn1_enter() to handle partial object cursors | Michael Brown | 2024-08-07 | 1 | -2/+2
  Handling large ASN.1 objects such as encrypted CMS files will require the ability to use the asn1_enter() and asn1_skip() family of functions on partial object cursors, where a defined additional length is known to exist after the end of the data buffer pointed to by the ASN.1 object cursor.
  We already have support for partial object cursors in the underlying asn1_start() operation used by both asn1_enter() and asn1_skip(), and this is used by the DER image probe routine to check that the potential DER file comprises a single ASN.1 SEQUENCE object.
  Add asn1_enter_partial() to formalise the process of entering an ASN.1 partial object, and refactor the DER image probe routine to use this instead of open-coding calls to the underlying asn1_start() operation.
  There is no need for an equivalent asn1_skip_partial() function, since only objects that are wholly contained within the partial cursor may be successfully skipped.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add X25519 OID-identified algorithm and TLS named curve | Michael Brown | 2024-01-30 | 1 | -0/+7
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [libc] Replace linker_assert() with build_assert() | Michael Brown | 2024-01-16 | 1 | -4/+3
  We currently implement build-time assertions via a mechanism that generates a call to an undefined external function that will cause the link to fail unless the compiler can prove that the asserted condition is true (and thereby eliminate the undefined function call).
  This assertion mechanism can be used for conditions that are not amenable to the use of static_assert(), since static_assert() will not allow for proofs via dead code elimination.
  Add __attribute__((error(...))) to the undefined external function, so that the error is raised at compile time rather than at link time. This allows us to provide a more meaningful error message (which will include the file name and line number, as with any other compile-time error), and avoids the need for the caller to specify a unique symbol name for the external function.
  Change the name from linker_assert() to build_assert(), since the assertion now takes place at compile time rather than at link time.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add support for PKCS#8 private key format | Michael Brown | 2023-06-02 | 1 | -0/+2
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [asn1] Define ASN1_SHORT() for constructing short tagged values | Michael Brown | 2020-12-08 | 1 | -0/+5
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [asn1] Rename ASN1_OID_CURSOR to ASN1_CURSOR | Michael Brown | 2020-12-08 | 1 | -4/+4
  There is nothing OID-specific about the ASN1_OID_CURSOR macro. Rename to allow it to be used for constructing ASN.1 cursors with arbitrary contents.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [asn1] Add constant for UTF-8 string tag | Michael Brown | 2020-12-07 | 1 | -0/+3
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [build] Fix building on older versions of gcc | Michael Brown | 2020-08-23 | 1 | -16/+21
  Older versions of gcc (observed with gcc 4.5.3) require attributes to be specified on the first declaration of a symbol, and will silently ignore attributes specified after the initial declaration. This causes the ASN.1 OID-identified algorithms to end up misaligned.
  Fix by adding __asn1_algorithm to the initial declarations in asn1.h.
  Debugged-by: Dentcho Bankov <dbankov@vmware.com>
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Ensure that test code drags in required ASN.1 object identifiers | Michael Brown | 2020-06-16 | 1 | -0/+18
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add MD4 message digest algorithm | Michael Brown | 2017-11-12 | 1 | -0/+6
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Provide asn1_built() to construct a cursor from a builder | Michael Brown | 2017-06-20 | 1 | -0/+24
  Our ASN.1 parsing code uses a struct asn1_cursor, while the object construction code uses a struct asn1_builder. These structures are identical apart from the const modifier applied to the data pointer in struct asn1_cursor.
  Provide asn1_built() to safely typecast a struct asn1_builder to a struct asn1_cursor, allowing constructed objects to be passed to functions expecting a struct asn1_cursor.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Expose asn1_grow() | Michael Brown | 2017-06-20 | 1 | -0/+1
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow for parsing of partial ASN.1 cursors | Michael Brown | 2016-07-28 | 1 | -0/+2
  Allow code to create a partial ASN.1 cursor containing only the type and length bytes, so that asn1_start() may be used to determine the length of a large ASN.1 blob without first allocating memory to hold the entire blob.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Remove obsolete extern declaration for asn1_invalidate_cursor() | Michael Brown | 2016-07-28 | 1 | -1/+0
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Allow for zero-length ASN.1 cursors | Michael Brown | 2016-03-11 | 1 | -2/+14
  The assumption in asn1_type() that an ASN.1 cursor will always contain a type byte is incorrect. A cursor that has been cleanly invalidated via asn1_invalidate_cursor() will contain a type byte, but there are other ways in which to arrive at a zero-length cursor.
  Fix by explicitly checking the cursor length in asn1_type(). This allows asn1_invalidate_cursor() to be reduced to simply zeroing the length field.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add ASN.1 OIDs for sha{224,384,512}WithRsaEncryption | Tufan Karadere | 2015-08-02 | 1 | -0/+18
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add SHA-512/224 algorithm | Michael Brown | 2015-04-12 | 1 | -0/+7
  SHA-512/224 is almost identical to SHA-512, with differing initial hash values and a truncated output length.
  This implementation has been verified using the NIST SHA-512/224 test vectors.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add SHA-512/256 algorithm | Michael Brown | 2015-04-12 | 1 | -0/+7
  SHA-512/256 is almost identical to SHA-512, with differing initial hash values and a truncated output length.
  This implementation has been verified using the NIST SHA-512/256 test vectors.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add SHA-384 algorithm | Michael Brown | 2015-04-12 | 1 | -0/+7
  SHA-384 is almost identical to SHA-512, with differing initial hash values and a truncated output length.
  This implementation has been verified using the NIST SHA-384 test vectors.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add SHA-512 algorithm | Michael Brown | 2015-04-12 | 1 | -0/+7
  This implementation has been verified using the NIST SHA-512 test vectors.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add SHA-224 algorithm | Michael Brown | 2015-04-12 | 1 | -0/+7
  SHA-224 is almost identical to SHA-256, with differing initial hash values and a truncated output length.
  This implementation has been verified using the NIST SHA-224 test vectors.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [legal] Relicense files under GPL2_OR_LATER_OR_UBDL | Michael Brown | 2015-03-02 | 1 | -1/+1
  Relicense files for which I am the sole author (as identified by util/relicense.pl).
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add support for subjectAltName and wildcard certificates | Michael Brown | 2014-03-31 | 1 | -0/+5
  Originally-implemented-by: Alex Chernyakhovsky <achernya@google.com>
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add framework for OCSP | Michael Brown | 2012-05-15 | 1 | -0/+11
  Add support for constructing OCSP queries and parsing OCSP responses. (There is no support yet for actually issuing an OCSP query via an HTTP POST.)
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add functions for constructing ASN.1 objects | Michael Brown | 2012-05-14 | 1 | -0/+33
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Parse OCSPSigning key purpose, if present | Michael Brown | 2012-05-14 | 1 | -0/+7
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise x509_parse_bit_string() to asn1_bit_string() | Michael Brown | 2012-05-14 | 1 | -9/+9
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise asn1_{digest,pubkey,signature}_algorithm() | Michael Brown | 2012-05-14 | 1 | -2/+8
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise x509_parse_time() to asn1_generalized_time() | Michael Brown | 2012-05-14 | 1 | -0/+3
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Parse OCSP responder URI from X.509 certificate | Michael Brown | 2012-05-04 | 1 | -0/+17
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add support for Cryptographic Message Syntax (PKCS #7) | Michael Brown | 2012-03-22 | 1 | -0/+6
  The Cryptographic Message Syntax (PKCS#7) provides a format for encapsulating digital signatures of arbitrary binary blobs. A signature can be generated using
    openssl cms -sign -in <file to sign> -binary -noattr \
        -signer <signer>.crt -inkey <signer>.key -certfile <CA>.crt \
        -outform DER -out <signature>
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Parse X.509 extended key usage extension | Michael Brown | 2012-03-22 | 1 | -0/+12
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Generalise X.509 OID-identified algorithm to asn1.c | Michael Brown | 2012-03-22 | 1 | -0/+23
  The concept of an OID-identified algorithm as defined in X.509 is used in some other standards (e.g. PKCS#7). Generalise this functionality and provide it as part of the ASN.1 core.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Treat ASN.1 OIDs as opaque | Michael Brown | 2012-03-21 | 1 | -105/+60
  OIDs are theoretically part of a global hierarchy. However, the hierarchy is sufficiently disorganised as to be essentially meaningless for all purposes other than guaranteeing uniqueness.
  Ignore the hierarchical nature of OIDs and treat them as opaque.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Move all ASN.1 OIDs to asn1.h | Michael Brown | 2012-03-21 | 1 | -0/+91
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add more ASN.1 functions for X.509 certificate parsing | Michael Brown | 2012-03-18 | 1 | -7/+19
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [crypto] Add ASN.1 functions for X.509 certificate parsing | Michael Brown | 2012-03-13 | 1 | -13/+94
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Use const to mark incoming data being processed | Michael Brown | 2012-03-13 | 1 | -1/+1
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [tls] Accept certificates without a version number | Michael Brown | 2011-08-12 | 1 | -0/+12
  The version field of an X.509 certificate appears to be optional.
  Reported-by: Sebastiano Manusia <Sebastiano.Manusia@chuv.ch>
  Signed-off-by: Michael Brown <mcb30@ipxe.org>
* [build] Rename gPXE to iPXE | Michael Brown | 2010-04-19 | 1 | -0/+34
  Access to the gpxe.org and etherboot.org domains and associated resources has been revoked by the registrant of the domain. Work around this problem by renaming project from gPXE to iPXE, and updating URLs to match.
  Also update README, LOG and COPYRIGHTS to remove obsolete information.
  Signed-off-by: Michael Brown <mcb30@ipxe.org>