[x509] Record root of trust used when validating a certificate

Record the root of trust used at the point that a certificate is
validated, redefine validation as checking a certificate against a
specific root of trust, and pass an explicit root of trust when
creating a TLS connection.

This allows a custom TLS connection to be used with a custom root of
trust, without causing any validated certificates to be treated as
valid for normal purposes.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2020-12-08 14:58:46 +00:00
parent 6e92d6213d
commit 39f5293492
13 changed files with 60 additions and 33 deletions
+4 -1
@@ -326,6 +326,8 @@ struct tls_connection {
/** Verification data */
struct tls_verify_data verify;
/** Root of trust (or NULL to use default) */
struct x509_root *root;
/** Server certificate chain */
struct x509_chain *chain;
/** Certificate validator */
@@ -378,6 +380,7 @@ struct tls_connection {
/** RX I/O buffer alignment */
#define TLS_RX_ALIGN 16
extern int add_tls ( struct interface *xfer, const char *name );
extern int add_tls ( struct interface *xfer, const char *name,
struct x509_root *root );
#endif /* _IPXE_TLS_H */
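Review bot: The new `root` member of `struct tls_connection` documents what NULL means but not who owns the pointer or how long it must stay valid, and the same gap applies to the new `root` parameter of `add_tls()` here and of `create_validator()` in the validator header. Nothing in these hunks shows a reference being taken, so presumably the caller must keep the root alive until the connection and its validator are gone; a root freed earlier would leave certificate validation working from a dangling pointer. I would extend the member comment to something like `/** Root of trust (or NULL to use default); must outlive the connection */` and state the NULL and lifetime rules in the doc comment where `add_tls()` is defined. The struct body continues outside both hunks.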
+2 -1
@@ -12,6 +12,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/interface.h>
#include <ipxe/x509.h>
extern int create_validator ( struct interface *job, struct x509_chain *chain );
extern int create_validator ( struct interface *job, struct x509_chain *chain,
struct x509_root *root );
#endif /* _IPXE_VALIDATOR_H */
+7 -14
@@ -191,6 +191,8 @@ struct x509_certificate {
/** Flags */
unsigned int flags;
/** Root against which certificate has been validated (if any) */
struct x509_root *root;
/** Maximum number of subsequent certificates in chain */
unsigned int path_remaining;
@@ -218,12 +220,10 @@ struct x509_certificate {
/** X.509 certificate flags */
enum x509_flags {
/** Certificate has been validated */
X509_FL_VALIDATED = 0x0001,
/** Certificate was added at build time */
X509_FL_PERMANENT = 0x0002,
X509_FL_PERMANENT = 0x0001,
/** Certificate was added explicitly at run time */
X509_FL_EXPLICIT = 0x0004,
X509_FL_EXPLICIT = 0x0002,
};
/**
@@ -355,6 +355,8 @@ extern int x509_parse ( struct x509_certificate *cert,
const struct asn1_cursor *raw );
extern int x509_certificate ( const void *data, size_t len,
struct x509_certificate **cert );
extern int x509_is_valid ( struct x509_certificate *cert,
struct x509_root *root );
extern int x509_validate ( struct x509_certificate *cert,
struct x509_certificate *issuer,
time_t time, struct x509_root *root );
@@ -383,22 +385,13 @@ extern int x509_check_root ( struct x509_certificate *cert,
struct x509_root *root );
extern int x509_check_time ( struct x509_certificate *cert, time_t time );
/**
* Check if X.509 certificate is valid
*
* @v cert X.509 certificate
*/
static inline int x509_is_valid ( struct x509_certificate *cert ) {
return ( cert->flags & X509_FL_VALIDATED );
}
/**
* Invalidate X.509 certificate
*
* @v cert X.509 certificate
*/
static inline void x509_invalidate ( struct x509_certificate *cert ) {
cert->flags &= ~X509_FL_VALIDATED;
cert->root = NULL;
cert->path_remaining = 0;
}
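Review bot: NULL now carries two different meanings for a root pointer: in `struct x509_certificate` a NULL `root` means "not validated" (and `x509_invalidate()` sets it), while the TLS header uses NULL to mean "use the default root". The body of the new out-of-line `x509_is_valid ( cert, root )` is not in this section, so it is worth confirming that it substitutes the default root for a NULL argument before comparing; a direct `cert->root == root` comparison would report every unvalidated certificate as valid to callers passing NULL. I would spell this out on the member, e.g. `/** Root against which certificate has been validated (NULL if not validated) */`, and add a doc comment at the definition stating how a NULL `root` argument is resolved. If validity is decided by pointer identity, a certificate that outlives a custom root would also keep a stale `cert->root`, so the lifetime of custom roots relative to cached certificates should be documented as well.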