/** Root certificates */
struct x509_root root_certificates = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &sha256_algorithm,
.count = ( sizeof ( fingerprints ) / FINGERPRINT_LEN ),
.fingerprints = fingerprints,
#define EINFO_EACCES_USELESS \
__einfo_uniqify ( EINFO_EACCES, 0x0b, "No usable certificates" )
+/**
+ * Free X.509 certificate
+ *
+ * @v refcnt Reference count
+ */
+static void x509_free ( struct refcnt *refcnt ) {
+ struct x509_certificate *cert =
+ container_of ( refcnt, struct x509_certificate, refcnt );
+
+ x509_root_put ( cert->root );
+ free ( cert );
+}
+
/**
* Get X.509 certificate display name
*
*cert = zalloc ( sizeof ( **cert ) + cursor.len );
if ( ! *cert )
return -ENOMEM;
- ref_init ( &(*cert)->refcnt, NULL );
+ ref_init ( &(*cert)->refcnt, x509_free );
raw = ( *cert + 1 );
/* Copy raw data */
return ( cert->root == root );
}
+/**
+ * Set X.509 certificate as validated
+ *
+ * @v cert X.509 certificate
+ * @v issuer Issuing X.509 certificate (or NULL)
+ * @v root Root certificate list
+ */
+static void x509_set_valid ( struct x509_certificate *cert,
+ struct x509_certificate *issuer,
+ struct x509_root *root ) {
+ unsigned int max_path_remaining;
+
+ /* Sanity checks */
+ assert ( root != NULL );
+ assert ( ( issuer == NULL ) || ( issuer->path_remaining >= 1 ) );
+
+ /* Record validation root */
+ x509_root_put ( cert->root );
+ cert->root = x509_root_get ( root );
+
+ /* Calculate effective path length */
+ cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
+ if ( issuer ) {
+ max_path_remaining = ( issuer->path_remaining - 1 );
+ if ( cert->path_remaining > max_path_remaining )
+ cert->path_remaining = max_path_remaining;
+ }
+}
+
/**
* Validate X.509 certificate
*
int x509_validate ( struct x509_certificate *cert,
struct x509_certificate *issuer,
time_t time, struct x509_root *root ) {
- unsigned int max_path_remaining;
int rc;
/* Use default root certificate store if none specified */
/* Succeed if certificate is a trusted root certificate */
if ( x509_check_root ( cert, root ) == 0 ) {
- cert->root = root;
- cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
+ x509_set_valid ( cert, NULL, root );
return 0;
}
return -EACCES_OCSP_REQUIRED;
}
- /* Calculate effective path length */
- cert->path_remaining = ( issuer->path_remaining - 1 );
- max_path_remaining = ( cert->extensions.basic.path_len + 1 );
- if ( cert->path_remaining > max_path_remaining )
- cert->path_remaining = max_path_remaining;
-
/* Mark certificate as valid */
- cert->root = root;
+ x509_set_valid ( cert, issuer, root );
DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
cert, x509_name ( cert ) );
const struct asn1_cursor *raw );
};
-/** An X.509 root certificate store */
+/** An X.509 root certificate list */
struct x509_root {
+ /** Reference count */
+ struct refcnt refcnt;
/** Fingerprint digest algorithm */
struct digest_algorithm *digest;
/** Number of certificates */
const void *fingerprints;
};
+/**
+ * Get reference to X.509 root certificate list
+ *
+ * @v root X.509 root certificate list
+ * @ret root X.509 root certificate list
+ */
+static inline __attribute__ (( always_inline )) struct x509_root *
+x509_root_get ( struct x509_root *root ) {
+ ref_get ( &root->refcnt );
+ return root;
+}
+
+/**
+ * Drop reference to X.509 root certificate list
+ *
+ * @v root X.509 root certificate list
+ */
+static inline __attribute__ (( always_inline )) void
+x509_root_put ( struct x509_root *root ) {
+ ref_put ( &root->refcnt );
+}
+
extern const char * x509_name ( struct x509_certificate *cert );
extern int x509_parse ( struct x509_certificate *cert,
const struct asn1_cursor *raw );
* @v cert X.509 certificate
*/
static inline void x509_invalidate ( struct x509_certificate *cert ) {
+ x509_root_put ( cert->root );
cert->root = NULL;
cert->path_remaining = 0;
}
}
x509_chain_put ( tls->certs );
x509_chain_put ( tls->chain );
+ x509_root_put ( tls->root );
/* Drop reference to session */
assert ( list_empty ( &tls->list ) );
intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
process_init_stopped ( &tls->process, &tls_process_desc,
&tls->refcnt );
- tls->root = root;
+ tls->root = x509_root_get ( root );
tls->version = TLS_VERSION_TLS_1_2;
tls_clear_cipher ( tls, &tls->tx_cipherspec );
tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );
DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
validator, validator_name ( validator ) );
+ x509_root_put ( validator->root );
x509_chain_put ( validator->chain );
ocsp_put ( validator->ocsp );
xferbuf_free ( &validator->buffer );
&validator->refcnt );
process_init ( &validator->process, &validator_process_desc,
&validator->refcnt );
- validator->root = root;
+ validator->root = x509_root_get ( root );
validator->chain = x509_chain_get ( chain );
xferbuf_malloc_init ( &validator->buffer );
/** Root certificate list containing the iPXE self-test root CA */
static struct x509_root test_root = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &cms_test_algorithm,
.count = 1,
.fingerprints = root_crt_fingerprint,
/** Certificate store containing a dummy fingerprint */
static struct x509_root dummy_root = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &cms_test_algorithm,
.count = 1,
.fingerprints = dummy_fingerprint,
/** Root certificate list containing the iPXE self-test root CA */
static struct x509_root test_root = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &x509_test_algorithm,
.count = 1,
.fingerprints = root_crt_fingerprint,
/** Root certificate list containing the iPXE self-test intermediate CA */
static struct x509_root intermediate_root = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &x509_test_algorithm,
.count = 1,
.fingerprints = intermediate_crt_fingerprint,
/** Certificate store containing a dummy fingerprint */
static struct x509_root dummy_root = {
+ .refcnt = REF_INIT ( ref_no_free ),
.digest = &x509_test_algorithm,
.count = 1,
.fingerprints = dummy_fingerprint,
projects / thirdparty / ipxe.git / commitdiff
