[crypto] Generalise X.509 cache to a full certificate store
Expand the concept of the X.509 cache to provide the functionality of
a certificate store.  Certificates in the store will be automatically
used to complete certificate chains where applicable.

The certificate store may be prepopulated at build time using the
CERT=... build command line option.  For example:

  make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt

Certificates within the certificate store are not implicitly trusted;
the trust list is specified using TRUST=... as before.  For example:

  make bin/ipxe.usb CERT=root.crt TRUST=root.crt

This can be used to embed the full trusted root certificate within the
iPXE binary, which is potentially useful in an HTTPS-only environment
in which there is no HTTP server from which to automatically download
cross-signed certificates or other certificate chain fragments.

This usage of CERT= extends the existing use of CERT= to specify the
client certificate.  The client certificate is now identified
automatically by checking for a match against the private key.  For
example:

  make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key

Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Mar 28, 2014
1 parent 2dd3fff commit bc8ca6b
Showing 18 changed files with 640 additions and 398 deletions.
1 change: 1 addition & 0 deletions src/Makefile
Expand Up @@ -34,6 +34,7 @@ OBJCOPY := $(CROSS_COMPILE)objcopy
NM := $(CROSS_COMPILE)nm
OBJDUMP := $(CROSS_COMPILE)objdump
OPENSSL := openssl
CSPLIT := csplit
PARSEROM := ./util/parserom.pl
FIXROM := ./util/fixrom.pl
SYMCHECK := ./util/symcheck.pl
52 changes: 36 additions & 16 deletions src/Makefile.housekeeping
Expand Up @@ -601,7 +601,7 @@ rootcert_DEPS += $(TRUSTED_FILES) $(TRUSTED_LIST)

CFLAGS_rootcert = $(if $(TRUSTED_FPS),-DTRUSTED="$(TRUSTED_FPS)")

# (Single-element) list of client certificates
# List of embedded certificates
#
CERT_LIST := $(BIN)/.certificate.list
ifeq ($(wildcard $(CERT_LIST)),)
Expand All @@ -617,24 +617,43 @@ $(CERT_LIST) : $(MAKEDEPS)

VERYCLEANUP += $(CERT_LIST)

# Embedded client certificate
# Embedded certificates concatenated and then split into one file per
# certificate (even if original files contained certificate chains)
#
CERT_INC := $(BIN)/.certificate.der
CERT_FILES := $(subst $(COMMA), ,$(CERT))
CERT_CONCAT := $(BIN)/.certificates.pem

ifdef CERT
$(CERT_INC) : $(CERT) $(CERT_LIST)
ifneq ($(CERT),)

CERT_COUNT := $(shell grep "BEGIN CERTIFICATE" $(CERT_FILES) | wc -l)

$(CERT_CONCAT) : $(CERT_FILES) $(CERT_LIST)
$(Q)cat $(CERT_FILES) > $@

# We must use an (otherwise unnecessary) pattern rule here to encode
# the fact that one "csplit" command generates multiple targets
CERT_PEMS := $(foreach i,$(call seq,1,$(CERT_COUNT)),\
$(BIN)/.certificate.pem.$(i))
$(subst .pem.,.%.,$(CERT_PEMS)) : $(BIN)/.certificates.%
$(Q)$(CSPLIT) -q -n 1 -f $(BIN)/.certificate.pem. $< \
'/BEGIN CERTIFICATE/' '{*}'

CERT_DERS := $(subst .certificate.pem.,.certificate.der.,$(CERT_PEMS))
$(BIN)/.certificate.der.% : $(BIN)/.certificate.pem.%
$(Q)$(OPENSSL) x509 -in $< -outform DER -out $@

clientcert_DEPS += $(CERT_INC)
CERT_ALL := $(foreach i,$(call seq,1,$(CERT_COUNT)),\
CERT ( $(i), \"$(word $(i),$(CERT_DERS))\" ))

endif

CLEANUP += $(CERT_INC)
certstore_DEPS += $(CERT_LIST) $(CERT_FILES) $(CERT_PEMS) $(CERT_DERS)

clientcert_DEPS += $(CERT_LIST)
CFLAGS_certstore += -DCERT_ALL="$(CERT_ALL)"

CFLAGS_clientcert += $(if $(CERT),-DCERTIFICATE="\"$(CERT_INC)\"")
CLEANUP += $(BIN)/.certificate.* $(BIN)/.certificates.*

# (Single-element) list of client private keys
# (Single-element) list of private keys
#
ifdef KEY
PRIVKEY := $(KEY) # Maintain backwards compatibility
Expand All @@ -653,29 +672,30 @@ $(PRIVKEY_LIST) : $(MAKEDEPS)

VERYCLEANUP += $(PRIVKEY_LIST)

# Embedded client private key
# Embedded private key
#
PRIVKEY_INC := $(BIN)/.private_key.der

ifdef PRIVKEY
$(PRIVKEY_INC) : $(PRIVKEY) $(PRIVKEY_LIST)
$(Q)$(OPENSSL) rsa -in $< -outform DER -out $@

clientcert_DEPS += $(PRIVKEY_INC)
privkey_DEPS += $(PRIVKEY_INC)
endif

CLEANUP += $(PRIVKEY_INC)
CLEANUP += $(BIN)/.private_key.*

clientcert_DEPS += $(PRIVKEY_LIST)
privkey_DEPS += $(PRIVKEY_LIST)

CFLAGS_clientcert += $(if $(PRIVKEY),-DPRIVATE_KEY="\"$(PRIVKEY_INC)\"")
CFLAGS_privkey += $(if $(PRIVKEY),-DPRIVATE_KEY="\"$(PRIVKEY_INC)\"")

# These files use .incbin inline assembly to include a binary file.
# Unfortunately ccache does not detect this dependency and caches
# builds even when the binary file has changed.
#
$(BIN)/embedded.% : override CC := env CCACHE_DISABLE=1 $(CC)
$(BIN)/clientcert.% : override CC := env CCACHE_DISABLE=1 $(CC)
$(BIN)/certstore.% : override CC := env CCACHE_DISABLE=1 $(CC)
$(BIN)/privkey.% : override CC := env CCACHE_DISABLE=1 $(CC)

# Version number
#
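Review bot: `CERT_COUNT := $(shell grep "BEGIN CERTIFICATE" $(CERT_FILES) | wc -l)` is the only thing that decides how many certificates get embedded, and a count of 0 is not treated as an error: a DER-encoded input (or any file without PEM markers) yields an empty `CERT_PEMS`/`CERT_ALL`, and the binary is built with an empty store with no diagnostic at all. Given that the commit message positions CERT= as the way to embed the trusted root for HTTPS-only deployments, a silently empty store is exactly the failure an operator will hit in the field, so I would fail the build inside the `ifneq ($(CERT),)` block with `ifeq ($(CERT_COUNT),0)` / `$(error No PEM certificates found in $(CERT_FILES))` / `endif`. Two smaller things I have not verified here: the grep pattern also matches `BEGIN CERTIFICATE REQUEST`, so a stray CSR in one of the files would be counted and then fail later in the `openssl x509` rule, and `wc -l` pads its output with spaces on some BSD-derived systems, which may upset `$(call seq,1,$(CERT_COUNT))`.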
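--- /dev/null
+++ b/src/crypto/certstore.c
@@ -0,0 +1,275 @@
+/*
+* Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License as
+* published by the Free Software Foundation; either version 2 of the
+* License, or any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+* 02110-1301, USA.
+*/
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+#include <string.h>
+#include <stdlib.h>
+#include <ipxe/init.h>
+#include <ipxe/dhcp.h>
+#include <ipxe/settings.h>
+#include <ipxe/malloc.h>
+#include <ipxe/crypto.h>
+#include <ipxe/asn1.h>
+#include <ipxe/x509.h>
+#include <ipxe/certstore.h>
+
+/** @file
+*
+* Certificate store
+*
+*/
+
+/** Raw certificate data for all permanent stored certificates */
+#undef CERT
+#define CERT( _index, _path ) \
+extern char stored_cert_ ## _index ## _data[]; \
+extern char stored_cert_ ## _index ## _len[]; \
+__asm__ ( ".section \".rodata\", \"a\", @progbits\n\t" \
+"\nstored_cert_" #_index "_data:\n\t" \
+".incbin \"" _path "\"\n\t" \
+"\nstored_cert_" #_index "_end:\n\t" \
+".equ stored_cert_" #_index "_len, " \
+"( stored_cert_" #_index "_end - " \
+" stored_cert_" #_index "_data )\n\t" \
+".previous\n\t" );
+CERT_ALL
+
+/** Raw certificate cursors for all permanent stored certificates */
+#undef CERT
+#define CERT( _index, _path ) { \
+.data = stored_cert_ ## _index ## _data, \
+.len = ( size_t ) stored_cert_ ## _index ## _len, \
+},
+static struct asn1_cursor certstore_raw[] = {
+CERT_ALL
+};
+
+/** X.509 certificate structures for all permanent stored certificates */
+static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
+sizeof ( certstore_raw[0] ) ];
+
+/** Certificate store */
+struct x509_chain certstore = {
+.refcnt = REF_INIT ( ref_no_free ),
+.links = LIST_HEAD_INIT ( certstore.links ),
+};
+
+/**
+* Mark stored certificate as most recently used
+*
+* @v cert X.509 certificate
+* @ret cert X.509 certificate
+*/
+static struct x509_certificate *
+certstore_found ( struct x509_certificate *cert ) {
+
+/* Mark as most recently used */
+list_del ( &cert->store.list );
+list_add ( &cert->store.list, &certstore.links );
+DBGC2 ( &certstore, "CERTSTORE found certificate %s\n",
+x509_name ( cert ) );
+
+return cert;
+}
+
+/**
+* Find certificate in store
+*
+* @v raw Raw certificate data
+* @ret cert X.509 certificate, or NULL if not found
+*/
+struct x509_certificate * certstore_find ( struct asn1_cursor *raw ) {
+struct x509_certificate *cert;
+
+/* Search for certificate within store */
+list_for_each_entry ( cert, &certstore.links, store.list ) {
+if ( asn1_compare ( raw, &cert->raw ) == 0 )
+return certstore_found ( cert );
+}
+return NULL;
+}
+
+/**
+* Find certificate in store corresponding to a private key
+*
+* @v key Private key
+* @ret cert X.509 certificate, or NULL if not found
+*/
+struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ) {
+struct x509_certificate *cert;
+
+/* Search for certificate within store */
+list_for_each_entry ( cert, &certstore.links, store.list ) {
+if ( pubkey_match ( cert->signature_algorithm->pubkey,
+key->data, key->len,
+cert->subject.public_key.raw.data,
+cert->subject.public_key.raw.len ) == 0 )
+return certstore_found ( cert );
+}
+return NULL;
+}
+
+/**
+* Add certificate to store
+*
+* @v cert X.509 certificate
+*/
+void certstore_add ( struct x509_certificate *cert ) {
+
+/* Add certificate to store */
+cert->store.cert = cert;
+x509_get ( cert );
+list_add ( &cert->store.list, &certstore.links );
+DBGC ( &certstore, "CERTSTORE added certificate %s\n",
+x509_name ( cert ) );
+}
+
+/**
+* Discard a stored certificate
+*
+* @ret discarded Number of cached items discarded
+*/
+static unsigned int certstore_discard ( void ) {
+struct x509_certificate *cert;
+
+/* Discard the least recently used certificate for which the
+* only reference is held by the store itself.
+*/
+list_for_each_entry_reverse ( cert, &certstore.links, store.list ) {
+if ( cert->refcnt.count == 0 ) {
+DBGC ( &certstore, "CERTSTORE discarded certificate "
+"%s\n", x509_name ( cert ) );
+list_del ( &cert->store.list );
+x509_put ( cert );
+return 1;
+}
+}
+return 0;
+}
+
+/** Certificate store cache discarder */
+struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={
+.discard = certstore_discard,
+};
+
+/**
+* Construct permanent certificate store
+*
+*/
+static void certstore_init ( void ) {
+struct asn1_cursor *raw;
+struct x509_certificate *cert;
+int i;
+int rc;
+
+/* Skip if we have no permanent stored certificates */
+if ( ! sizeof ( certstore_raw ) )
+return;
+
+/* Add certificates */
+for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
+sizeof ( certstore_raw[0] ) ) ; i++ ) {
+
+/* Skip if certificate already present in store */
+raw = &certstore_raw[i];
+if ( ( cert = certstore_find ( raw ) ) != NULL ) {
+DBGC ( &certstore, "CERTSTORE permanent certificate %d "
+"is a duplicate of %s\n", i, x509_name ( cert ));
+continue;
+}
+
+/* Parse certificate */
+cert = &certstore_certs[i];
+ref_init ( &cert->refcnt, ref_no_free );
+if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
+DBGC ( &certstore, "CERTSTORE could not parse "
+"permanent certificate %d: %s\n",
+i, strerror ( rc ) );
+continue;
+}
+
+/* Add certificate to store. Certificate will never
+* be discarded from the store, since we retain a
+* permanent reference to it.
+*/
+certstore_add ( cert );
+DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
+i, x509_name ( cert ) );
+}
+}
+
+/** Certificate store initialisation function */
+struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {
+.initialise = certstore_init,
+};
+
+/** Additional certificate setting */
+static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {
+.name = "cert",
+.description = "Certificate",
+.tag = DHCP_EB_CERT,
+.type = &setting_type_hex,
+};
+
+/**
+* Apply certificate store configuration settings
+*
+* @ret rc Return status code
+*/
+static int certstore_apply_settings ( void ) {
+static struct x509_certificate *cert = NULL;
+struct x509_certificate *old_cert;
+void *cert_data;
+int len;
+int rc;
+
+/* Record any existing additional certificate */
+old_cert = cert;
+cert = NULL;
+
+/* Add additional certificate, if any */
+if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
+&cert_data ) ) >= 0 ) {
+if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
+DBGC ( &certstore, "CERTSTORE added additional "
+"certificate %s\n", x509_name ( cert ) );
+} else {
+DBGC ( &certstore, "CERTSTORE could not parse "
+"additional certificate: %s\n",
+strerror ( rc ) );
+/* Do not fail; leave as an unusable certificate */
+}
+free ( cert_data );
+}
+
+/* Free old additional certificiate. Do this after reparsing
+* the additional certificate; in the common case that the
+* certificate has not changed, this will allow the stored
+* certificate to be reused.
+*/
+x509_put ( old_cert );
+
+return 0;
+}
+
+/** Certificate store settings applicator */
+struct settings_applicator certstore_applicator __settings_applicator = {
+.apply = certstore_apply_settings,
+};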
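Review bot: `certstore_find_key` selects the algorithm for `pubkey_match` from `cert->signature_algorithm->pubkey`, which describes how the issuer signed the certificate, whereas the two keys actually being compared are the private key and the certificate's subject public key. Where the subject key type differs from the issuer's signing algorithm (for example an RSA end-entity certificate under a CA that signs with a different algorithm), the match is performed under the wrong algorithm and the client certificate is silently never selected, since the function returns NULL rather than an error. I would perform the match under the subject key's own algorithm, presumably `cert->subject.public_key.algorithm->pubkey` if `struct x509_public_key` records its parsed algorithm as the field naming in this file suggests, and add a comment above the loop stating which algorithm the comparison runs under. Separately, `certstore_init` reports an embedded certificate that fails `x509_parse` only through `DBGC`, so a corrupt CERT= input in a non-debug build is dropped without any trace; since these are build-time inputs rather than runtime data, an unconditional one-line message there would make a misbuilt trusted root visible at boot.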