[crypto] Add framework for OCSP

Add support for constructing OCSP queries and parsing OCSP responses.
(There is no support yet for actually issuing an OCSP query via an
HTTP POST.)

Signed-off-by: Michael Brown <mcb30@ipxe.org>

4 files changed, 125 insertions, 0 deletions

diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 3fbd09f..3e73b59 100644
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -70,6 +70,9 @@ struct asn1_builder_header {
 /** ASN.1 object identifier */
 #define ASN1_OID 0x06
 
+/** ASN.1 enumeration */
+#define ASN1_ENUMERATED 0x0a
+
 /** ASN.1 UTC time */
 #define ASN1_UTC_TIME 0x17
 
@@ -204,6 +207,14 @@ struct asn1_builder_header {
 	ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ),		\
 	ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 )
 
+/** ASN.1 OID for id-pkix-ocsp-basic ( 1.3.6.1.5.5.7.48.1.1) */
+#define ASN1_OID_OCSP_BASIC					\
+	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ),		\
+	ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ),		\
+	ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 ),		\
+	ASN1_OID_SINGLE ( 1 )
+
 /** ASN.1 OID for id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) */
 #define ASN1_OID_OCSPSIGNING					\
 	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 2109cf2..108efc7 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -260,6 +260,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define ERRFILE_menu_ui		      ( ERRFILE_OTHER | 0x002c0000 )
 #define ERRFILE_menu_cmd	      ( ERRFILE_OTHER | 0x002d0000 )
 #define ERRFILE_validator	      ( ERRFILE_OTHER | 0x002e0000 )
+#define ERRFILE_ocsp		      ( ERRFILE_OTHER | 0x002f0000 )
 
 /** @} */
 
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
new file mode 100644
index 0000000..e841492
--- /dev/null
+++ b/src/include/ipxe/ocsp.h
@@ -0,0 +1,108 @@
+#ifndef _IPXE_OCSP_H
+#define _IPXE_OCSP_H
+
+/** @file
+ *
+ * Online Certificate Status Protocol
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <stdarg.h>
+#include <time.h>
+#include <ipxe/asn1.h>
+#include <ipxe/x509.h>
+#include <ipxe/refcnt.h>
+
+/** OCSP algorithm identifier */
+#define OCSP_ALGORITHM_IDENTIFIER( ... )				\
+	ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__,		\
+	ASN1_NULL, 0x00
+
+/* OCSP response statuses */
+#define OCSP_STATUS_SUCCESSFUL		0x00
+#define OCSP_STATUS_MALFORMED_REQUEST	0x01
+#define OCSP_STATUS_INTERNAL_ERROR	0x02
+#define OCSP_STATUS_TRY_LATER		0x03
+#define OCSP_STATUS_SIG_REQUIRED	0x05
+#define OCSP_STATUS_UNAUTHORIZED	0x06
+
+/** Margin of error allowed in OCSP response times
+ *
+ * We allow a generous margin of error: 12 hours to allow for the
+ * local time zone being non-GMT, plus 30 minutes to allow for general
+ * clock drift.
+ */
+#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
+/** An OCSP request */
+struct ocsp_request {
+	/** Request builder */
+	struct asn1_builder builder;
+	/** Certificate ID */
+	struct asn1_cursor cert_id;
+};
+
+/** An OCSP response */
+struct ocsp_response {
+	/** Raw response */
+	void *data;
+	/** Raw tbsResponseData */
+	struct asn1_cursor tbs;
+	/** Time at which status is known to be correct */
+	time_t this_update;
+	/** Time at which newer status information will be available */
+	time_t next_update;
+	/** Signature algorithm */
+	struct asn1_algorithm *algorithm;
+	/** Signature value */
+	struct asn1_bit_string signature;
+	/** Signing certificate */
+	struct x509_certificate *signer;
+};
+
+/** An OCSP check */
+struct ocsp_check {
+	/** Reference count */
+	struct refcnt refcnt;
+	/** Certificate being checked */
+	struct x509_certificate *cert;
+	/** Issuing certificate */
+	struct x509_certificate *issuer;
+	/** Request */
+	struct ocsp_request request;
+	/** Response */
+	struct ocsp_response response;
+};
+
+/**
+ * Get reference to OCSP check
+ *
+ * @v ocsp		OCSP check
+ * @ret ocsp		OCSP check
+ */
+static inline __attribute__ (( always_inline )) struct ocsp_check *
+ocsp_get ( struct ocsp_check *ocsp ) {
+	ref_get ( &ocsp->refcnt );
+	return ocsp;
+}
+
+/**
+ * Drop reference to OCSP check
+ *
+ * @v ocsp		OCSP check
+ */
+static inline __attribute__ (( always_inline )) void
+ocsp_put ( struct ocsp_check *ocsp ) {
+	ref_put ( &ocsp->refcnt );
+}
+
+extern int ocsp_check ( struct x509_certificate *cert,
+			struct x509_certificate *issuer,
+			struct ocsp_check **ocsp );
+extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
+			   size_t len );
+extern int ocsp_validate ( struct ocsp_check *check, time_t time );
+
+#endif /* _IPXE_OCSP_H */
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 6dc31b4..a5626c8 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -126,6 +126,8 @@ enum x509_extended_key_usage_bits {
 struct x509_ocsp_responder {
 	/** URI */
 	char *uri;
+	/** OCSP status is good */
+	int good;
 };
 
 /** X.509 certificate authority information access */
@@ -322,6 +324,9 @@ struct x509_root {
 
 extern int x509_certificate ( const void *data, size_t len,
 			      struct x509_certificate **cert );
+extern int x509_validate ( struct x509_certificate *cert,
+			   struct x509_certificate *issuer,
+			   time_t time, struct x509_root *root );
 
 extern struct x509_chain * x509_alloc_chain ( void );
 extern int x509_append ( struct x509_chain *chain,