
[crypto] Generalise X.509 "valid" field to a "flags" field

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown 2016-08-25 15:41:57 +01:00
parent e564a4e7d6
commit ff28b22568
5 changed files with 25 additions and 10 deletions


@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert,
/* Sanity checks */ /* Sanity checks */
assert ( cert != NULL ); assert ( cert != NULL );
assert ( issuer != NULL ); assert ( issuer != NULL );
assert ( issuer->valid ); assert ( x509_is_valid ( issuer ) );
/* Allocate and initialise check */ /* Allocate and initialise check */
*ocsp = zalloc ( sizeof ( **ocsp ) ); *ocsp = zalloc ( sizeof ( **ocsp ) );


@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert,
root = &root_certificates; root = &root_certificates;
/* Return success if certificate has already been validated */ /* Return success if certificate has already been validated */
if ( cert->valid ) if ( x509_is_valid ( cert ) )
return 0; return 0;
/* Fail if certificate is invalid at specified time */ /* Fail if certificate is invalid at specified time */
@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert,
/* Succeed if certificate is a trusted root certificate */ /* Succeed if certificate is a trusted root certificate */
if ( x509_check_root ( cert, root ) == 0 ) { if ( x509_check_root ( cert, root ) == 0 ) {
cert->valid = 1; cert->flags |= X509_FL_VALIDATED;
cert->path_remaining = ( cert->extensions.basic.path_len + 1 ); cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
return 0; return 0;
} }
@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert,
} }
/* Fail unless issuer has already been validated */ /* Fail unless issuer has already been validated */
if ( ! issuer->valid ) { if ( ! x509_is_valid ( issuer ) ) {
DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) ); DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n", DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
issuer, x509_name ( issuer ) ); issuer, x509_name ( issuer ) );
@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert,
cert->path_remaining = max_path_remaining; cert->path_remaining = max_path_remaining;
/* Mark certificate as valid */ /* Mark certificate as valid */
cert->valid = 1; cert->flags |= X509_FL_VALIDATED;
DBGC ( cert, "X509 %p \"%s\" successfully validated using ", DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
cert, x509_name ( cert ) ); cert, x509_name ( cert ) );
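Review bot: The validated bit is set with a raw `cert->flags |= X509_FL_VALIDATED;` in both places this section marks a certificate valid (the trusted-root branch and the end of chain validation), and the same expression appears again in the ocsp_test.c section, whereas clearing the bit goes through `x509_invalidate()` and testing it through `x509_is_valid()`. A matching inline setter in x509.h (a constructed name such as `x509_set_validated ( cert )`) would keep every manipulation of X509_FL_VALIDATED behind the header's helpers, so a later change to what "validated" records has a single place to touch. x509_validate's body starts and ends outside these hunks.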


@ -189,8 +189,8 @@ struct x509_certificate {
/** Link in certificate store */ /** Link in certificate store */
struct x509_link store; struct x509_link store;
/** Certificate has been validated */ /** Flags */
int valid; unsigned int flags;
/** Maximum number of subsequent certificates in chain */ /** Maximum number of subsequent certificates in chain */
unsigned int path_remaining; unsigned int path_remaining;
@ -216,6 +216,12 @@ struct x509_certificate {
struct x509_extensions extensions; struct x509_extensions extensions;
}; };
/** X.509 certificate flags */
enum x509_flags {
/** Certificate has been validated */
X509_FL_VALIDATED = 0x0001,
};
/** /**
* Get reference to X.509 certificate * Get reference to X.509 certificate
* *
@ -373,13 +379,22 @@ extern int x509_check_root ( struct x509_certificate *cert,
struct x509_root *root ); struct x509_root *root );
extern int x509_check_time ( struct x509_certificate *cert, time_t time ); extern int x509_check_time ( struct x509_certificate *cert, time_t time );
/**
* Check if X.509 certificate is valid
*
* @v cert X.509 certificate
*/
static inline int x509_is_valid ( struct x509_certificate *cert ) {
return ( cert->flags & X509_FL_VALIDATED );
}
/** /**
* Invalidate X.509 certificate * Invalidate X.509 certificate
* *
* @v cert X.509 certificate * @v cert X.509 certificate
*/ */
static inline void x509_invalidate ( struct x509_certificate *cert ) { static inline void x509_invalidate ( struct x509_certificate *cert ) {
cert->valid = 0; cert->flags &= ~X509_FL_VALIDATED;
cert->path_remaining = 0; cert->path_remaining = 0;
} }
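Review bot: The doc comment on the new `x509_is_valid()` documents the `cert` parameter but not the return value; iPXE's Doxygen convention pairs `@v` lines with an `@ret` line, so add ` * @ret is_valid	Certificate has been validated` and note that the value is the masked `X509_FL_VALIDATED` bit, i.e. non-zero rather than exactly 1, since the expression is returned unchanged. Because the helper only reads `cert->flags`, its parameter could be `const struct x509_certificate *cert`, letting callers that hold a const pointer use it without a cast; `x509_invalidate()` necessarily stays non-const. The enum `x509_flags` is introduced after the `flags` field that stores it, which is fine for an `unsigned int` field but worth a one-line comment on the field, e.g. `/** Flags (bitmask of enum x509_flags) */`, so a reader of the struct knows where the bit definitions live.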


@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) {
issuer = link->cert; issuer = link->cert;
if ( ! cert ) if ( ! cert )
continue; continue;
if ( ! issuer->valid ) if ( ! x509_is_valid ( issuer ) )
continue; continue;
/* The issuer is valid, but this certificate is not /* The issuer is valid, but this certificate is not
* yet valid. If OCSP is applicable, start it. * yet valid. If OCSP is applicable, start it.


@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
x509_invalidate ( cert ); x509_invalidate ( cert );
/* Force-validate issuer certificate */ /* Force-validate issuer certificate */
issuer->valid = 1; issuer->flags |= X509_FL_VALIDATED;
issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 ); issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
} }