authorMichael Brown <mcb30@ipxe.org>2020-12-08 14:58:46 +0000
committerMichael Brown <mcb30@ipxe.org>2020-12-08 15:04:28 +0000
commit39f5293492f351a274940d0ba2624ecb242b3c9b (patch)
treeead79747a5ab15d5db6dd4a236acdc9f224c7590 /src/include
parent6e92d6213d20329d8b84431f00d8cbe7d63bb379 (diff)
[x509] Record root of trust used when validating a certificate
Record the root of trust used at the point that a certificate is validated, redefine validation as checking a certificate against a specific root of trust, and pass an explicit root of trust when creating a TLS connection. This allows a custom TLS connection to be used with a custom root of trust, without causing any validated certificates to be treated as valid for normal purposes. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ipxe/tls.h5
-rw-r--r--src/include/ipxe/validator.h3
-rw-r--r--src/include/ipxe/x509.h21
3 files changed, 13 insertions, 16 deletions
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index a2d4f47..1e1093f 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -326,6 +326,8 @@ struct tls_connection {
/** Verification data */
struct tls_verify_data verify;
+ /** Root of trust (or NULL to use default) */
+ struct x509_root *root;
/** Server certificate chain */
struct x509_chain *chain;
/** Certificate validator */
@@ -378,6 +380,7 @@ struct tls_connection {
/** RX I/O buffer alignment */
#define TLS_RX_ALIGN 16
-extern int add_tls ( struct interface *xfer, const char *name );
+extern int add_tls ( struct interface *xfer, const char *name,
+ struct x509_root *root );
#endif /* _IPXE_TLS_H */
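Review bot: The new `root` member in `struct tls_connection` is documented only as "NULL to use default", but nothing states who owns the `struct x509_root` it points to or how long it must stay alive; the connection stores a bare pointer, so presumably the caller's root must outlive the connection (and any certificates validated through it), which is worth stating where the field is declared. Suggested comment: `/** Root of trust (or NULL to use default); not owned by the connection and must remain valid for its lifetime */`. The same holds for the `root` parameter added to `add_tls()` here and to `create_validator()` in validator.h, whose prototypes carry no description of the parameter's lifetime or NULL semantics. `struct tls_connection` begins before this hunk.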
diff --git a/src/include/ipxe/validator.h b/src/include/ipxe/validator.h
index 0aee56e..367e404 100644
--- a/src/include/ipxe/validator.h
+++ b/src/include/ipxe/validator.h
@@ -12,6 +12,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/interface.h>
#include <ipxe/x509.h>
-extern int create_validator ( struct interface *job, struct x509_chain *chain );
+extern int create_validator ( struct interface *job, struct x509_chain *chain,
+ struct x509_root *root );
#endif /* _IPXE_VALIDATOR_H */
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 78eeafb..cac2f19 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -191,6 +191,8 @@ struct x509_certificate {
/** Flags */
unsigned int flags;
+ /** Root against which certificate has been validated (if any) */
+ struct x509_root *root;
/** Maximum number of subsequent certificates in chain */
unsigned int path_remaining;
@@ -218,12 +220,10 @@ struct x509_certificate {
/** X.509 certificate flags */
enum x509_flags {
- /** Certificate has been validated */
- X509_FL_VALIDATED = 0x0001,
/** Certificate was added at build time */
- X509_FL_PERMANENT = 0x0002,
+ X509_FL_PERMANENT = 0x0001,
/** Certificate was added explicitly at run time */
- X509_FL_EXPLICIT = 0x0004,
+ X509_FL_EXPLICIT = 0x0002,
};
/**
@@ -355,6 +355,8 @@ extern int x509_parse ( struct x509_certificate *cert,
const struct asn1_cursor *raw );
extern int x509_certificate ( const void *data, size_t len,
struct x509_certificate **cert );
+extern int x509_is_valid ( struct x509_certificate *cert,
+ struct x509_root *root );
extern int x509_validate ( struct x509_certificate *cert,
struct x509_certificate *issuer,
time_t time, struct x509_root *root );
@@ -384,21 +386,12 @@ extern int x509_check_root ( struct x509_certificate *cert,
extern int x509_check_time ( struct x509_certificate *cert, time_t time );
/**
- * Check if X.509 certificate is valid
- *
- * @v cert X.509 certificate
- */
-static inline int x509_is_valid ( struct x509_certificate *cert ) {
- return ( cert->flags & X509_FL_VALIDATED );
-}
-
-/**
* Invalidate X.509 certificate
*
* @v cert X.509 certificate
*/
static inline void x509_invalidate ( struct x509_certificate *cert ) {
- cert->flags &= ~X509_FL_VALIDATED;
+ cert->root = NULL;
cert->path_remaining = 0;
}
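Review bot: The new `root` member of `struct x509_certificate` records validity by pointer, but the header does not say whether it holds the caller's literal argument or the resolved root (the default root object when NULL was passed), nor how `x509_is_valid()` compares it; since the old inline body was replaced by an extern prototype, that contract now lives only in x509.c, outside this diff. Because certificates can be long-lived (see `X509_FL_PERMANENT`) while a custom root may be short-lived, a root freed without invalidating the certificates validated against it would leave `cert->root` dangling, and a later root allocated at the same address could spuriously compare equal; the field comment should state the lifetime requirement, e.g. `/** Root against which certificate has been validated (if any); the root must outlive the certificate or the certificate must be cleared via x509_invalidate() */`. Also worth a one-line note on `x509_is_valid()` that a NULL `root` selects the default root, if that is what x509.c implements, since the enum renumbering in the earlier hunk shows that `X509_FL_VALIDATED` no longer exists and `root` is now the only validity signal.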