[crypto] Generalise X.509 "valid" field to a "flags" field

Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · Aug 25, 2016 · ff28b22 · ff28b22
1 parent e564a4e
commit ff28b22
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 10 deletions.
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
@@ -282,7 +282,7 @@ int ocsp_check ( struct x509_certificate *cert,
 	/* Sanity checks */
 	assert ( cert != NULL );
 	assert ( issuer != NULL );
-	assert ( issuer->valid );
+	assert ( x509_is_valid ( issuer ) );
 
 	/* Allocate and initialise check */
 	*ocsp = zalloc ( sizeof ( **ocsp ) );

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
@@ -1320,7 +1320,7 @@ int x509_validate ( struct x509_certificate *cert,
 		root = &root_certificates;
 
 	/* Return success if certificate has already been validated */
-	if ( cert->valid )
+	if ( x509_is_valid ( cert ) )
 		return 0;
 
 	/* Fail if certificate is invalid at specified time */
@@ -1329,7 +1329,7 @@ int x509_validate ( struct x509_certificate *cert,
 
 	/* Succeed if certificate is a trusted root certificate */
 	if ( x509_check_root ( cert, root ) == 0 ) {
-		cert->valid = 1;
+		cert->flags |= X509_FL_VALIDATED;
 		cert->path_remaining = ( cert->extensions.basic.path_len + 1 );
 		return 0;
 	}
@@ -1342,7 +1342,7 @@ int x509_validate ( struct x509_certificate *cert,
 	}
 
 	/* Fail unless issuer has already been validated */
-	if ( ! issuer->valid ) {
+	if ( ! x509_is_valid ( issuer ) ) {
 		DBGC ( cert, "X509 %p \"%s\" ", cert, x509_name ( cert ) );
 		DBGC ( cert, "issuer %p \"%s\" has not yet been validated\n",
 		       issuer, x509_name ( issuer ) );
@@ -1376,7 +1376,7 @@ int x509_validate ( struct x509_certificate *cert,
 		cert->path_remaining = max_path_remaining;
 
 	/* Mark certificate as valid */
-	cert->valid = 1;
+	cert->flags |= X509_FL_VALIDATED;
 
 	DBGC ( cert, "X509 %p \"%s\" successfully validated using ",
 	       cert, x509_name ( cert ) );

diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
@@ -189,8 +189,8 @@ struct x509_certificate {
 	/** Link in certificate store */
 	struct x509_link store;
 
-	/** Certificate has been validated */
-	int valid;
+	/** Flags */
+	unsigned int flags;
 	/** Maximum number of subsequent certificates in chain */
 	unsigned int path_remaining;
 
@@ -216,6 +216,12 @@ struct x509_certificate {
 	struct x509_extensions extensions;
 };
 
+/** X.509 certificate flags */
+enum x509_flags {
+	/** Certificate has been validated */
+	X509_FL_VALIDATED = 0x0001,
+};
+
 /**
  * Get reference to X.509 certificate
  *
@@ -373,13 +379,22 @@ extern int x509_check_root ( struct x509_certificate *cert,
 			     struct x509_root *root );
 extern int x509_check_time ( struct x509_certificate *cert, time_t time );
 
+/**
+ * Check if X.509 certificate is valid
+ *
+ * @v cert		X.509 certificate
+ */
+static inline int x509_is_valid ( struct x509_certificate *cert ) {
+	return ( cert->flags & X509_FL_VALIDATED );
+}
+
 /**
  * Invalidate X.509 certificate
  *
  * @v cert		X.509 certificate
  */
 static inline void x509_invalidate ( struct x509_certificate *cert ) {
-	cert->valid = 0;
+	cert->flags &= ~X509_FL_VALIDATED;
 	cert->path_remaining = 0;
 }
 

diff --git a/src/net/validator.c b/src/net/validator.c
@@ -478,7 +478,7 @@ static void validator_step ( struct validator *validator ) {
 		issuer = link->cert;
 		if ( ! cert )
 			continue;
-		if ( ! issuer->valid )
+		if ( ! x509_is_valid ( issuer ) )
 			continue;
 		/* The issuer is valid, but this certificate is not
 		 * yet valid.  If OCSP is applicable, start it.

diff --git a/src/tests/ocsp_test.c b/src/tests/ocsp_test.c
@@ -110,7 +110,7 @@ static void ocsp_prepare_test ( struct ocsp_test *test ) {
 	x509_invalidate ( cert );
 
 	/* Force-validate issuer certificate */
-	issuer->valid = 1;
+	issuer->flags |= X509_FL_VALIDATED;
 	issuer->path_remaining = ( issuer->extensions.basic.path_len + 1 );
 }