10 FILE_LICENCE ( GPL2_OR_LATER );
15 #include <ipxe/asn1.h>
16 #include <ipxe/refcnt.h>
17 #include <ipxe/list.h>
19 /** An X.509 serial number */
21 /** Raw serial number */
22 struct asn1_cursor raw;
25 /** An X.509 issuer */
28 struct asn1_cursor raw;
33 /** Seconds since the Epoch */
/** An X.509 certificate validity period
 *
 * Both bounds are inclusive limits on the time at which the
 * certificate may be treated as valid.
 */
struct x509_validity {
	/** Earliest time at which the certificate is valid */
	struct x509_time not_before;
	/** Latest time at which the certificate is valid */
	struct x509_time not_after;
};
/** An X.509 certificate public key
 *
 * Holds the undecoded public key information together with the
 * algorithm it was parsed as and the bit string carrying the key.
 */
struct x509_public_key {
	/** Raw public key information, as an ASN.1 cursor */
	struct asn1_cursor raw;
	/** Public key algorithm */
	struct asn1_algorithm *algorithm;
	/** Raw public key bit string */
	struct asn1_bit_string raw_bits;
};
55 /** An X.509 certificate subject */
58 struct asn1_cursor raw;
60 struct asn1_cursor common_name;
61 /** Public key information */
62 struct x509_public_key public_key;
/** An X.509 certificate signature
 *
 * The algorithm used to sign the certificate and the signature bits
 * themselves.
 */
struct x509_signature {
	/** Signature algorithm */
	struct asn1_algorithm *algorithm;
	/** Signature value (bit string) */
	struct asn1_bit_string value;
};
73 /** An X.509 certificate basic constraints set */
74 struct x509_basic_constraints {
75 /** Subject is a CA */
/* NOTE(review): the CA flag member described above is not shown in
 * this listing; only path_len is visible here. */
/** Path length
 *
 * One fewer than the maximum number of remaining certificates in a
 * chain; X509_PATH_LEN_UNLIMITED when no constraint applies.
 */
78 unsigned int path_len;
/** Unlimited path length
 *
 * We use -2U, since this quantity represents one *fewer* than the
 * maximum number of remaining certificates in a chain.  (-1U would
 * therefore overflow when the "one more" is added back.)
 */
#define X509_PATH_LEN_UNLIMITED -2U
88 /** An X.509 certificate key usage */
89 struct x509_key_usage {
90 /** Key usage extension is present */
/** X.509 certificate key usage bits
 *
 * Bit masks for the individual key usage flags.  NOTE(review): the
 * 0x0080..0x0001 followed by 0x8000 pattern looks like the first two
 * octets of the DER BIT STRING with bit 0 in the most significant bit
 * of the first octet; confirm against the parser before relying on it.
 */
enum x509_key_usage_bits {
	/* First octet */
	X509_DIGITAL_SIGNATURE = 0x0080,
	X509_NON_REPUDIATION = 0x0040,
	X509_KEY_ENCIPHERMENT = 0x0020,
	X509_DATA_ENCIPHERMENT = 0x0010,
	X509_KEY_AGREEMENT = 0x0008,
	X509_KEY_CERT_SIGN = 0x0004,
	X509_CRL_SIGN = 0x0002,
	X509_ENCIPHER_ONLY = 0x0001,
	/* Second octet */
	X509_DECIPHER_ONLY = 0x8000,
};
109 /** An X.509 certificate extended key usage */
110 struct x509_extended_key_usage {
/** X.509 certificate extended key usage bits
 *
 * Extended key usages are identified by OID; these bits are purely an
 * internal definition and carry no wire-format meaning.
 */
enum x509_extended_key_usage_bits {
	/** Certificate may sign code */
	X509_CODE_SIGNING = 0x0001,
	/** Certificate may sign OCSP responses */
	X509_OCSP_SIGNING = 0x0002,
};
125 /** X.509 certificate OCSP responder */
126 struct x509_ocsp_responder {
/** Responder URI (ASN.1 cursor) */
128 struct asn1_cursor uri;
129 /** OCSP status is good */
/* NOTE(review): the status member described above is not shown in
 * this listing. */
/** X.509 certificate authority information access
 *
 * Only the OCSP access method is represented here.
 */
struct x509_authority_info_access {
	/** OCSP responder */
	struct x509_ocsp_responder ocsp;
};
/** X.509 certificate subject alternative name
 *
 * Kept undecoded; see enum x509_general_name_types for the name
 * types this code recognises.
 */
struct x509_subject_alt_name {
	/** Names (ASN.1 cursor) */
	struct asn1_cursor names;
};
/** X.509 certificate general name types
 *
 * Implicit context-specific tags of the GeneralName alternatives this
 * code handles (compare RFC 5280 GeneralName: dNSName [2],
 * uniformResourceIdentifier [6], iPAddress [7]).
 */
enum x509_general_name_types {
	/** DNS name */
	X509_GENERAL_NAME_DNS = ASN1_IMPLICIT_TAG ( 2 ),
	/** URI */
	X509_GENERAL_NAME_URI = ASN1_IMPLICIT_TAG ( 6 ),
	/** IP address */
	X509_GENERAL_NAME_IP = ASN1_IMPLICIT_TAG ( 7 ),
};
/** An X.509 certificate extensions set
 *
 * Parsed view of the extensions this code understands, one member per
 * extension type.
 */
struct x509_extensions {
	/** Basic constraints */
	struct x509_basic_constraints basic;
	/** Key usage */
	struct x509_key_usage usage;
	/** Extended key usage */
	struct x509_extended_key_usage ext_usage;
	/** Authority information access */
	struct x509_authority_info_access auth_info;
	/** Subject alternative name */
	struct x509_subject_alt_name alt_name;
};
166 /** A link in an X.509 certificate chain */
169 struct list_head list;
171 struct x509_certificate *cert;
174 /** An X.509 certificate chain */
176 /** Reference count */
177 struct refcnt refcnt;
179 struct list_head links;
182 /** An X.509 certificate */
183 struct x509_certificate {
184 /** Reference count */
185 struct refcnt refcnt;
187 /** Link in certificate store */
188 struct x509_link store;
190 /** Certificate has been validated */
/* NOTE(review): the member described above is not shown in this
 * listing; x509_invalidate() below visibly resets only path_remaining. */
192 /** Maximum number of subsequent certificates in chain */
193 unsigned int path_remaining;
195 /** Raw certificate */
196 struct asn1_cursor raw;
/** Version */
198 unsigned int version;
/** Serial number */
200 struct x509_serial serial;
201 /** Raw tbsCertificate */
202 struct asn1_cursor tbs;
203 /** Signature algorithm */
204 struct asn1_algorithm *signature_algorithm;
/** Issuer */
206 struct x509_issuer issuer;
/** Validity period */
208 struct x509_validity validity;
/** Subject */
210 struct x509_subject subject;
/** Signature */
212 struct x509_signature signature;
/** Extensions */
214 struct x509_extensions extensions;
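/**
 * Get reference to X.509 certificate
 *
 * @v cert		X.509 certificate
 * @ret cert		X.509 certificate
 *
 * Takes a reference on the certificate and hands the same pointer back
 * so the call can be used inside an expression.
 */
static inline __attribute__ (( always_inline )) struct x509_certificate *
x509_get ( struct x509_certificate *cert ) {
	ref_get ( &cert->refcnt );
	/* Return the pointer as documented by @ret: reaching the end of a
	 * non-void function whose value is used is undefined behaviour. */
	return cert;
}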
/**
 * Drop reference to X.509 certificate
 *
 * @v cert		X.509 certificate
 */
static inline __attribute__ (( always_inline )) void
x509_put ( struct x509_certificate *cert ) {
	struct refcnt *refcnt = &cert->refcnt;

	ref_put ( refcnt );
}
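/**
 * Get reference to X.509 certificate chain
 *
 * @v chain		X.509 certificate chain
 * @ret chain		X.509 certificate chain
 *
 * Takes a reference on the chain and hands the same pointer back so
 * the call can be used inside an expression.
 */
static inline __attribute__ (( always_inline )) struct x509_chain *
x509_chain_get ( struct x509_chain *chain ) {
	ref_get ( &chain->refcnt );
	/* Return the pointer as documented by @ret: reaching the end of a
	 * non-void function whose value is used is undefined behaviour. */
	return chain;
}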
/**
 * Drop reference to X.509 certificate chain
 *
 * @v chain		X.509 certificate chain
 */
static inline __attribute__ (( always_inline )) void
x509_chain_put ( struct x509_chain *chain ) {
	struct refcnt *refcnt = &chain->refcnt;

	ref_put ( refcnt );
}
/**
 * Get first certificate in X.509 certificate chain
 *
 * @v chain		X.509 certificate chain
 * @ret cert		X.509 certificate, or NULL
 *
 * No reference is taken on the returned certificate.
 */
static inline __attribute__ (( always_inline )) struct x509_certificate *
x509_first ( struct x509_chain *chain ) {
	struct x509_link *head;

	/* The null check relies on list_first_entry() yielding NULL for
	 * an empty chain. */
	head = list_first_entry ( &chain->links, struct x509_link, list );
	if ( ! head )
		return NULL;
	return head->cert;
}
/**
 * Get last certificate in X.509 certificate chain
 *
 * @v chain		X.509 certificate chain
 * @ret cert		X.509 certificate, or NULL
 *
 * No reference is taken on the returned certificate.
 */
static inline __attribute__ (( always_inline )) struct x509_certificate *
x509_last ( struct x509_chain *chain ) {
	struct x509_link *tail;

	/* The null check relies on list_last_entry() yielding NULL for
	 * an empty chain. */
	tail = list_last_entry ( &chain->links, struct x509_link, list );
	if ( ! tail )
		return NULL;
	return tail->cert;
}
289 /** An X.509 extension */
290 struct x509_extension {
293 /** Object identifier */
294 struct asn1_cursor oid;
/** Parse extension
 *
297 * @v cert X.509 certificate
298 * @v raw ASN.1 cursor
299 * @ret rc Return status code
 *
 * NOTE(review): whether a parse error should reject the whole
 * certificate is decided by the caller, not visible here.
 */
301 int ( * parse ) ( struct x509_certificate *cert,
302 const struct asn1_cursor *raw );
305 /** An X.509 key purpose */
306 struct x509_key_purpose {
309 /** Object identifier */
310 struct asn1_cursor oid;
311 /** Extended key usage bits */
/* NOTE(review): the bits member described above (compare enum
 * x509_extended_key_usage_bits) is not shown in this listing. */
315 /** An X.509 access method */
316 struct x509_access_method {
319 /** Object identifier */
320 struct asn1_cursor oid;
321 /** Parse access method
 *
323 * @v cert X.509 certificate
324 * @v raw ASN.1 cursor
325 * @ret rc Return status code
 */
327 int ( * parse ) ( struct x509_certificate *cert,
328 const struct asn1_cursor *raw );
331 /** An X.509 root certificate store */
333 /** Fingerprint digest algorithm */
334 struct digest_algorithm *digest;
335 /** Number of certificates */
337 /** Certificate fingerprints */
338 const void *fingerprints;
/* Certificate parsing, validation and name checking */
341 extern const char * x509_name ( struct x509_certificate *cert );
342 extern int x509_parse ( struct x509_certificate *cert,
343 const struct asn1_cursor *raw );
/* NOTE(review): x509_certificate() returns the certificate through
 * *cert; who owns the resulting reference is not stated here — check
 * the definition before adding callers. */
344 extern int x509_certificate ( const void *data, size_t len,
345 struct x509_certificate **cert );
346 extern int x509_validate ( struct x509_certificate *cert,
347 struct x509_certificate *issuer,
348 time_t time, struct x509_root *root );
349 extern int x509_check_name ( struct x509_certificate *cert, const char *name );
/* Certificate chains */
351 extern struct x509_chain * x509_alloc_chain ( void );
352 extern int x509_append ( struct x509_chain *chain,
353 struct x509_certificate *cert );
/* NOTE(review): the remainder of the x509_append_raw() prototype is
 * not shown in this listing. */
354 extern int x509_append_raw ( struct x509_chain *chain, const void *data,
356 extern int x509_auto_append ( struct x509_chain *chain,
357 struct x509_chain *certs );
358 extern int x509_validate_chain ( struct x509_chain *chain, time_t time,
359 struct x509_chain *store,
360 struct x509_root *root );
362 /* Functions exposed only for unit testing: not part of the public
 * interface, so do not add production callers without review */
363 extern int x509_check_issuer ( struct x509_certificate *cert,
364 struct x509_certificate *issuer );
/* NOTE(review): the remainder of the x509_fingerprint() prototype is
 * not shown in this listing. */
365 extern void x509_fingerprint ( struct x509_certificate *cert,
366 struct digest_algorithm *digest,
368 extern int x509_check_root ( struct x509_certificate *cert,
369 struct x509_root *root );
370 extern int x509_check_time ( struct x509_certificate *cert, time_t time );
/**
373 * Invalidate X.509 certificate
 *
375 * @v cert X.509 certificate
 *
 * Forces re-validation before the certificate may again be used as
 * part of a chain.
 */
377 static inline void x509_invalidate ( struct x509_certificate *cert ) {
/* No further certificates may follow this one until it is validated
 * again.  NOTE(review): struct x509_certificate also carries a
 * "Certificate has been validated" flag; confirm that invalidation
 * clears it as well, since only this reset is visible here. */
379 cert->path_remaining = 0;
/**
 * Invalidate X.509 certificate chain
 *
 * @v chain		X.509 certificate chain
 *
 * Applies x509_invalidate() to every certificate linked in the chain.
 */
static inline void x509_invalidate_chain ( struct x509_chain *chain ) {
	struct x509_link *link;

	list_for_each_entry ( link, &chain->links, list ) {
		x509_invalidate ( link->cert );
	}
}
394 #endif /* _IPXE_X509_H */