narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[crypto] Automatically download cross-signed certificates 

Automatically attempt to download any required cross-signing
certificates from http://ca.ipxe.org/auto, in order to enable the use
of standard SSL certificates issued by public CAs.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-05-08 16:55:32 +01:00
parent 2e4be01690
commit 3e6e0078e0
2 changed files with 287 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/include/ipxe/dhcp.h
View File

@ -364,6 +364,9 @@ struct dhcp_client_uuid {
/** Client private key */ /** Client private key */
#define DHCP_EB_KEY DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0x5c ) #define DHCP_EB_KEY DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0x5c )
/** Cross-signed certificate source */
#define DHCP_EB_CROSS_CERT DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0x5d )
/** Skip PXE DHCP protocol extensions such as ProxyDHCP /** Skip PXE DHCP protocol extensions such as ProxyDHCP
* *
* If set to a non-zero value, iPXE will not wait for ProxyDHCP offers * If set to a non-zero value, iPXE will not wait for ProxyDHCP offers

295
src/net/validator.c
View File

@ -20,12 +20,21 @@
FILE_LICENCE ( GPL2_OR_LATER ); FILE_LICENCE ( GPL2_OR_LATER );
#include <string.h> #include <string.h>
#include <stdio.h>
#include <errno.h> #include <errno.h>
#include <ipxe/refcnt.h> #include <ipxe/refcnt.h>
#include <ipxe/malloc.h> #include <ipxe/malloc.h>
#include <ipxe/interface.h> #include <ipxe/interface.h>
#include <ipxe/xfer.h>
#include <ipxe/open.h>
#include <ipxe/iobuf.h>
#include <ipxe/xferbuf.h>
#include <ipxe/process.h> #include <ipxe/process.h>
#include <ipxe/x509.h> #include <ipxe/x509.h>
#include <ipxe/settings.h>
#include <ipxe/dhcp.h>
#include <ipxe/base64.h>
#include <ipxe/crc32.h>
#include <ipxe/validator.h> #include <ipxe/validator.h>
/** @file /** @file
@ -40,10 +49,14 @@ struct validator {
struct refcnt refcnt; struct refcnt refcnt;
/** Job control interface */ /** Job control interface */
struct interface job; struct interface job;
/** Data transfer interface */
struct interface xfer;
/** Process */ /** Process */
struct process process; struct process process;
/** X.509 certificate chain */ /** X.509 certificate chain */
struct x509_chain *chain; struct x509_chain *chain;
/** Data buffer */
struct xfer_buffer buffer;
}; };
/** /**
@ -57,6 +70,7 @@ static void validator_free ( struct refcnt *refcnt ) {
DBGC ( validator, "VALIDATOR %p freed\n", validator ); DBGC ( validator, "VALIDATOR %p freed\n", validator );
x509_chain_put ( validator->chain ); x509_chain_put ( validator->chain );
xferbuf_done ( &validator->buffer );
free ( validator ); free ( validator );
} }
@ -72,6 +86,7 @@ static void validator_finished ( struct validator *validator, int rc ) {
process_del ( &validator->process ); process_del ( &validator->process );
/* Close all interfaces */ /* Close all interfaces */
intf_shutdown ( &validator->xfer, rc );
intf_shutdown ( &validator->job, rc ); intf_shutdown ( &validator->job, rc );
} }
@ -90,6 +105,250 @@ static struct interface_operation validator_job_operations[] = {
static struct interface_descriptor validator_job_desc = static struct interface_descriptor validator_job_desc =
INTF_DESC ( struct validator, job, validator_job_operations ); INTF_DESC ( struct validator, job, validator_job_operations );
/****************************************************************************
*
* Cross-signing certificates
*
*/
/** Cross-signed certificate source setting */
struct setting crosscert_setting __setting ( SETTING_CRYPTO ) = {
.name = "crosscert",
.description = "Cross-signed certificate source",
.tag = DHCP_EB_CROSS_CERT,
.type = &setting_type_string,
};
/** Default cross-signed certificate source */
static const char crosscert_default[] = "http://ca.ipxe.org/auto";
/**
* Start download of cross-signing certificate
*
* @v validator Certificate validator
* @v issuer Required issuer
* @ret rc Return status code
*/
static int validator_start_download ( struct validator *validator,
const struct asn1_cursor *issuer ) {
const char *crosscert;
char *crosscert_copy;
char *uri_string;
size_t uri_string_len;
uint32_t crc;
int len;
int rc;
/* Determine cross-signed certificate source */
len = fetch_string_setting_copy ( NULL, &crosscert_setting,
&crosscert_copy );
if ( len < 0 ) {
rc = len;
DBGC ( validator, "VALIDATOR %p could not fetch crosscert "
"setting: %s\n", validator, strerror ( rc ) );
goto err_fetch_crosscert;
}
crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
/* Allocate URI string */
uri_string_len = ( strlen ( crosscert ) + 14 /* "/%08x.der?" */ +
base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
uri_string = zalloc ( uri_string_len );
if ( ! uri_string ) {
rc = -ENOMEM;
goto err_alloc_uri_string;
}
/* Generate CRC32 */
crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
/* Generate URI string */
len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?",
crosscert, crc );
base64_encode ( issuer->data, issuer->len, ( uri_string + len ) );
DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
"from %s\n", validator, uri_string );
/* Open URI */
if ( ( rc = xfer_open_uri_string ( &validator->xfer,
uri_string ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
validator, uri_string, strerror ( rc ) );
goto err_open_uri_string;
}
/* Success */
rc = 0;
err_open_uri_string:
free ( uri_string );
err_alloc_uri_string:
free ( crosscert_copy );
err_fetch_crosscert:
return rc;
}
/**
* Append cross-signing certificates to certificate chain
*
* @v validator Certificate validator
* @v data Raw cross-signing certificate data
* @v len Length of raw data
* @ret rc Return status code
*/
static int validator_append ( struct validator *validator,
const void *data, size_t len ) {
struct asn1_cursor cursor;
struct x509_chain *certs;
struct x509_certificate *cert;
struct x509_certificate *last;
int rc;
/* Allocate certificate list */
certs = x509_alloc_chain();
if ( ! certs ) {
rc = -ENOMEM;
goto err_alloc_certs;
}
/* Initialise cursor */
cursor.data = data;
cursor.len = len;
/* Enter certificateSet */
if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not enter "
"certificateSet: %s\n", validator, strerror ( rc ) );
goto err_certificateset;
}
/* Add each certificate to list */
while ( cursor.len ) {
/* Add certificate to chain */
if ( ( rc = x509_append_raw ( certs, cursor.data,
cursor.len ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not append "
"certificate: %s\n",
validator, strerror ( rc) );
DBGC_HDA ( validator, 0, cursor.data, cursor.len );
return rc;
}
cert = x509_last ( certs );
DBGC ( validator, "VALIDATOR %p found certificate %s\n",
validator, cert->subject.name );
/* Move to next certificate */
asn1_skip_any ( &cursor );
}
/* Append certificates to chain */
last = x509_last ( validator->chain );
if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not append "
"certificates: %s\n", validator, strerror ( rc ) );
goto err_auto_append;
}
/* Check that at least one certificate has been added */
if ( last == x509_last ( validator->chain ) ) {
DBGC ( validator, "VALIDATOR %p failed to append any "
"applicable certificates\n", validator );
rc = -EACCES;
goto err_no_progress;
}
/* Drop reference to certificate list */
x509_chain_put ( certs );
return 0;
err_no_progress:
err_auto_append:
err_certificateset:
x509_chain_put ( certs );
err_alloc_certs:
return rc;
}
/****************************************************************************
*
* Data transfer interface
*
*/
/**
* Close data transfer interface
*
* @v validator Certificate validator
* @v rc Reason for close
*/
static void validator_xfer_close ( struct validator *validator, int rc ) {
/* Close data transfer interface */
intf_restart ( &validator->xfer, rc );
/* Check for errors */
if ( rc != 0 ) {
DBGC ( validator, "VALIDATOR %p download failed: %s\n",
validator, strerror ( rc ) );
goto err_download;
}
DBGC ( validator, "VALIDATOR %p download complete\n", validator );
/* Append downloaded certificates */
if ( ( rc = validator_append ( validator, validator->buffer.data,
validator->buffer.len ) ) != 0 )
goto err_append;
/* Free downloaded data */
xferbuf_done ( &validator->buffer );
/* Resume validation process */
process_add ( &validator->process );
return;
err_append:
err_download:
validator_finished ( validator, rc );
}
/**
* Receive data
*
* @v validator Certificate validator
* @v iobuf I/O buffer
* @v meta Data transfer metadata
* @ret rc Return status code
*/
static int validator_xfer_deliver ( struct validator *validator,
struct io_buffer *iobuf,
struct xfer_metadata *meta ) {
int rc;
/* Add data to buffer */
if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
meta ) ) != 0 ) {
DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
validator, strerror ( rc ) );
validator_finished ( validator, rc );
return rc;
}
return 0;
}
/** Certificate validator data transfer interface operations */
static struct interface_operation validator_xfer_operations[] = {
INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};
/** Certificate validator data transfer interface descriptor */
static struct interface_descriptor validator_xfer_desc =
INTF_DESC ( struct validator, xfer, validator_xfer_operations );
/**************************************************************************** /****************************************************************************
* *
* Validation process * Validation process
@ -102,25 +361,37 @@ static struct interface_descriptor validator_job_desc =
* @v validator Certificate validator * @v validator Certificate validator
*/ */
static void validator_step ( struct validator *validator ) { static void validator_step ( struct validator *validator ) {
struct x509_certificate *last = x509_last ( validator->chain );
time_t now; time_t now;
int rc; int rc;
/* Attempt to validate certificate chain */ /* Try validating chain. Try even if the chain is incomplete,
* since certificates may already have been validated
* previously.
*/
now = time ( NULL ); now = time ( NULL );
if ( ( rc = x509_validate_chain ( validator->chain, now, if ( ( rc = x509_validate_chain ( validator->chain, now,
NULL ) ) != 0 ) { NULL ) ) == 0 ) {
DBGC ( validator, "VALIDATOR %p could not validate chain: %s\n", validator_finished ( validator, 0 );
validator, strerror ( rc ) ); return;
goto err_validate;
} }
/* Mark validation as complete */ /* If chain ends with a self-issued certificate, then there is
validator_finished ( validator, 0 ); * nothing more to do.
*/
if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
validator_finished ( validator, rc );
return;
}
return; /* Otherwise, try to download a suitable cross-signing
* certificate.
err_validate: */
validator_finished ( validator, rc ); if ( ( rc = validator_start_download ( validator,
&last->issuer.raw ) ) != 0 ) {
validator_finished ( validator, rc );
return;
}
} }
/** Certificate validator process descriptor */ /** Certificate validator process descriptor */
@ -159,6 +430,8 @@ int create_validator ( struct interface *job, struct x509_chain *chain ) {
ref_init ( &validator->refcnt, validator_free ); ref_init ( &validator->refcnt, validator_free );
intf_init ( &validator->job, &validator_job_desc, intf_init ( &validator->job, &validator_job_desc,
&validator->refcnt ); &validator->refcnt );
intf_init ( &validator->xfer, &validator_xfer_desc,
&validator->refcnt );
process_init ( &validator->process, &validator_process_desc, process_init ( &validator->process, &validator_process_desc,
&validator->refcnt ); &validator->refcnt );
validator->chain = x509_chain_get ( chain ); validator->chain = x509_chain_get ( chain );