author | Michael Brown <mcb30@ipxe.org> | 2012-05-14 18:22:38 +0100 |
committer | Michael Brown <mcb30@ipxe.org> | 2012-05-15 13:24:23 +0100 |
commit | 39ac285a8abced92b03842a8ce48957550d454ad (patch) | |
tree | a74d4c2232a99806b91ebbefd4f840b958c9e94b /src/include/ipxe | |
parent | deac4ea1baa62ab554b57179e481c1b255716bb1 (diff) | |
[crypto] Add framework for OCSP
Add support for constructing OCSP queries and parsing OCSP responses.
(There is no support yet for actually issuing an OCSP query via an
HTTP POST.)
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe')
-rw-r--r-- | src/include/ipxe/asn1.h | 11 | ||||
-rw-r--r-- | src/include/ipxe/errfile.h | 1 | ||||
-rw-r--r-- | src/include/ipxe/ocsp.h | 108 | ||||
-rw-r--r-- | src/include/ipxe/x509.h | 5 |
4 files changed, 125 insertions, 0 deletions
diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 3fbd09f..3e73b59 100644
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -70,6 +70,9 @@ struct asn1_builder_header {
 /** ASN.1 object identifier */
 #define ASN1_OID 0x06
+/** ASN.1 enumeration */
+#define ASN1_ENUMERATED 0x0a
+
 /** ASN.1 UTC time */
 #define ASN1_UTC_TIME 0x17
@@ -204,6 +207,14 @@ struct asn1_builder_header {
 ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ), \
 ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 )
+/** ASN.1 OID for id-pkix-ocsp-basic ( 1.3.6.1.5.5.7.48.1.1) */
+#define ASN1_OID_OCSP_BASIC \
+ ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ), \
+ ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 5 ), \
+ ASN1_OID_SINGLE ( 5 ), ASN1_OID_SINGLE ( 7 ), \
+ ASN1_OID_SINGLE ( 48 ), ASN1_OID_SINGLE ( 1 ), \
+ ASN1_OID_SINGLE ( 1 )
+
 /** ASN.1 OID for id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) */
 #define ASN1_OID_OCSPSIGNING \
 ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ), \
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 2109cf2..108efc7 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -260,6 +260,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define ERRFILE_menu_ui ( ERRFILE_OTHER | 0x002c0000 )
 #define ERRFILE_menu_cmd ( ERRFILE_OTHER | 0x002d0000 )
 #define ERRFILE_validator ( ERRFILE_OTHER | 0x002e0000 )
+#define ERRFILE_ocsp ( ERRFILE_OTHER | 0x002f0000 )
 /** @} */
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
new file mode 100644
index 0000000..e841492
--- /dev/null
+++ b/src/include/ipxe/ocsp.h
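Review bot: The new `ASN1_OID_OCSP_BASIC` doc comment in the second asn1.h hunk writes the dotted OID as `( 1.3.6.1.5.5.7.48.1.1)` with a stray space after the opening parenthesis, unlike the neighbouring `ASN1_OID_OCSPSIGNING` comment; `/** ASN.1 OID for id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1) */` matches the file's existing form. The `ASN1_ENUMERATED` tag added in the first hunk gives no hint of its consumer; if it is, as it appears, introduced for the OCSP responseStatus field parsed elsewhere in this commit, a comment such as `/** ASN.1 enumeration (used for OCSPResponseStatus) */` would tie the constant to that use. The surrounding `asn1_builder_header` context named in the hunk headers is outside these hunks.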
@@ -0,0 +1,108 @@
+#ifndef _IPXE_OCSP_H
+#define _IPXE_OCSP_H
+
+/** @file
+ *
+ * Online Certificate Status Protocol
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <stdarg.h>
+#include <time.h>
+#include <ipxe/asn1.h>
+#include <ipxe/x509.h>
+#include <ipxe/refcnt.h>
+
+/** OCSP algorithm identifier */
+#define OCSP_ALGORITHM_IDENTIFIER( ... ) \
+ ASN1_OID, VA_ARG_COUNT ( __VA_ARGS__ ), __VA_ARGS__, \
+ ASN1_NULL, 0x00
+
+/* OCSP response statuses */
+#define OCSP_STATUS_SUCCESSFUL 0x00
+#define OCSP_STATUS_MALFORMED_REQUEST 0x01
+#define OCSP_STATUS_INTERNAL_ERROR 0x02
+#define OCSP_STATUS_TRY_LATER 0x03
+#define OCSP_STATUS_SIG_REQUIRED 0x05
+#define OCSP_STATUS_UNAUTHORIZED 0x06
+
+/** Margin of error allowed in OCSP response times
+ *
+ * We allow a generous margin of error: 12 hours to allow for the
+ * local time zone being non-GMT, plus 30 minutes to allow for general
+ * clock drift.
+ */
+#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
+/** An OCSP request */
+struct ocsp_request {
+ /** Request builder */
+ struct asn1_builder builder;
+ /** Certificate ID */
+ struct asn1_cursor cert_id;
+};
+
+/** An OCSP response */
+struct ocsp_response {
+ /** Raw response */
+ void *data;
+ /** Raw tbsResponseData */
+ struct asn1_cursor tbs;
+ /** Time at which status is known to be correct */
+ time_t this_update;
+ /** Time at which newer status information will be available */
+ time_t next_update;
+ /** Signature algorithm */
+ struct asn1_algorithm *algorithm;
+ /** Signature value */
+ struct asn1_bit_string signature;
+ /** Signing certificate */
+ struct x509_certificate *signer;
+};
+
+/** An OCSP check */
+struct ocsp_check {
+ /** Reference count */
+ struct refcnt refcnt;
+ /** Certificate being checked */
+ struct x509_certificate *cert;
+ /** Issuing certificate */
+ struct x509_certificate *issuer;
+ /** Request */
+ struct ocsp_request request;
+ /** Response */
+ struct ocsp_response response;
+};
+
+/**
+ * Get reference to OCSP check
+ *
+ * @v ocsp OCSP check
+ * @ret ocsp OCSP check
+ */
+static inline __attribute__ (( always_inline )) struct ocsp_check *
+ocsp_get ( struct ocsp_check *ocsp ) {
+ ref_get ( &ocsp->refcnt );
+ return ocsp;
+}
+
+/**
+ * Drop reference to OCSP check
+ *
+ * @v ocsp OCSP check
+ */
+static inline __attribute__ (( always_inline )) void
+ocsp_put ( struct ocsp_check *ocsp ) {
+ ref_put ( &ocsp->refcnt );
+}
+
+extern int ocsp_check ( struct x509_certificate *cert,
+ struct x509_certificate *issuer,
+ struct ocsp_check **ocsp );
+extern int ocsp_response ( struct ocsp_check *ocsp, const void *data,
+ size_t len );
+extern int ocsp_validate ( struct ocsp_check *check, time_t time );
+
+#endif /* _IPXE_OCSP_H */
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 6dc31b4..a5626c8 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -126,6 +126,8 @@ enum x509_extended_key_usage_bits {
 struct x509_ocsp_responder {
 /** URI */
 char *uri;
+ /** OCSP status is good */
+ int good;
 };
 /** X.509 certificate authority information access */
@@ -322,6 +324,9 @@ struct x509_root {
 extern int x509_certificate ( const void *data, size_t len,
 struct x509_certificate **cert );
+extern int x509_validate ( struct x509_certificate *cert,
+ struct x509_certificate *issuer,
+ time_t time, struct x509_root *root );
 extern struct x509_chain * x509_alloc_chain ( void );
 extern int x509_append ( struct x509_chain *chain,
|
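Review bot: In the new ocsp.h, `ocsp_validate` names its `struct ocsp_check *` parameter `check` while `ocsp_check`, `ocsp_response`, `ocsp_get` and `ocsp_put` all call the same argument `ocsp`; `extern int ocsp_validate ( struct ocsp_check *ocsp, time_t time );` keeps the header's naming consistent. The gap between `OCSP_STATUS_TRY_LATER` (0x03) and `OCSP_STATUS_SIG_REQUIRED` (0x05) is deliberate in the protocol, where value 4 is not assigned, so a one-line comment such as `/* 0x04 is not assigned in OCSPResponseStatus */` would stop a reader from treating it as a typo. The `next_update` field is documented as "Time at which newer status information will be available", but a responder may omit nextUpdate entirely; the comment should state what the field holds in that case (presumably decided in ocsp.c, which is not part of this header-only chunk), because a validator that reads a zero as "expired long ago" and one that reads it as "never expires" accept very different responses. `OCSP_ERROR_MARGIN_TIME` is well explained, but the comment would be more useful if it named the comparisons it loosens (thisUpdate / nextUpdate against the supplied `time`), since a 12.5-hour allowance is also the window in which a stale response is still accepted.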
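Review bot: The new `good` field in `struct x509_ocsp_responder` (first x509.h hunk) is documented only as "OCSP status is good", which says nothing about who sets it, when it becomes meaningful, or whether a stored value can go stale; because it records the outcome of a revocation check, a reader of the struct has no way to tell an unset field from a verified one. If the flag is set only after a successful signed-response validation, as its placement suggests, say so: `/** OCSP status is good (set only after a successfully validated OCSP response) */`. The second x509.h hunk, which declares `x509_validate`, runs past the end of this chunk and is not reviewed here.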