diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index e7adcdba..b83f4c03 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert, /* Sanity checks */ assert ( cert != NULL ); assert ( issuer != NULL ); - assert ( issuer->valid ); + assert ( x509_is_valid ( issuer ) ); /* Allocate and initialise check */ *ocsp = zalloc ( sizeof ( **ocsp ) ); diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 28267191..4d951509 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert, root = &root_certificates; /* Return success if certificate has already been validated */ - if ( cert->valid ) + if ( x509_is_valid ( cert ) ) return 0; /* Fail if certificate is invalid at specified time */ @@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert, /* Succeed if certificate is a trusted root certificate */ if ( x509_check_root ( cert, root ) == 0 ) { - cert->valid = 1; + cert->flags |= X509_FL_VALIDATED; cert->path_remaining = ( cert->extensions.basic.path_len + 1 ); return 0; } @@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert, } /* Fail unless issuer has already been validated */ - if ( ! issuer->valid ) { + if ( ! x509_is_valid ( issuer ) ) { DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) ); DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n", issuer, x509_name ( issuer ) ); @@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert, cert->path_remaining = max_path_remaining; /* Mark certificate as valid */ - cert->valid = 1; + cert->flags |= X509_FL_VALIDATED; DBGC ( cert, "X509 %p \"%s\" successfully validated using ", cert, x509_name ( cert ) ); diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h index 80c2e3c6..58f91c01 100644 --- a/src/include/ipxe/x509.h +++ b/src/include/ipxe/x509.h @@ -189,8 +189,8 @@ struct x509_certificate { /** Link in certificate store */ struct x509_link store; - /** Certificate has been validated */ - int valid; + /** Flags */ + unsigned int flags; /** Maximum number of subsequent certificates in chain */ unsigned int path_remaining; @@ -216,6 +216,12 @@ struct x509_certificate { struct x509_extensions extensions; }; +/** X.509 certificate flags */ +enum x509_flags { + /** Certificate has been validated */ + X509_FL_VALIDATED = 0x0001, +}; + /** * Get reference to X.509 certificate * @@ -373,13 +379,22 @@ extern int x509_check_root ( struct x509_certificate *cert, struct x509_root *root ); extern int x509_check_time ( struct x509_certificate *cert, time_t time ); +/** + * Check if X.509 certificate is valid + * + * @v cert X.509 certificate + */ +static inline int x509_is_valid ( struct x509_certificate *cert ) { + return ( cert->flags & X509_FL_VALIDATED ); +} + /** * Invalidate X.509 certificate * * @v cert X.509 certificate */ static inline void x509_invalidate ( struct x509_certificate *cert ) { - cert->valid = 0; + cert->flags &= ~X509_FL_VALIDATED; cert->path_remaining = 0; } diff --git a/src/net/validator.c b/src/net/validator.c index 57ad0e7b..52845b6e 100644 --- a/src/net/validator.c +++ b/src/net/validator.c @@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) { issuer = link->cert; if ( ! cert ) continue; - if ( ! issuer->valid ) + if ( ! x509_is_valid ( issuer ) ) continue; /* The issuer is valid, but this certificate is not * yet valid. If OCSP is applicable, start it. diff --git a/src/tests/ocsp_test.c b/src/tests/ocsp_test.c index c6d45859..a3349346 100644 --- a/src/tests/ocsp_test.c +++ b/src/tests/ocsp_test.c @@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) { x509_invalidate ( cert ); /* Force-validate issuer certificate */ - issuer->valid = 1; + issuer->flags |= X509_FL_VALIDATED; issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 ); }