[crypto] Generalise X.509 cache to a full certificate store

Expand the concept of the X.509 cache to provide the functionality of a certificate store. Certificates in the store will be automatically used to complete certificate chains where applicable. The certificate store may be prepopulated at build time using the CERT=... build command line option. For example: make bin/ipxe.usb CERT=mycert1.crt,mycert2.crt Certificates within the certificate store are not implicitly trusted; the trust list is specified using TRUST=... as before. For example: make bin/ipxe.usb CERT=root.crt TRUST=root.crt This can be used to embed the full trusted root certificate within the iPXE binary, which is potentially useful in an HTTPS-only environment in which there is no HTTP server from which to automatically download cross-signed certificates or other certificate chain fragments. This usage of CERT= extends the existing use of CERT= to specify the client certificate. The client certificate is now identified automatically by checking for a match against the private key. For example: make bin/ipxe.usb CERT=root.crt,client.crt TRUST=root.crt KEY=client.key Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-12 14:32:49 +03:00 · 2014-03-28 15:45:10 +00:00
parent 2dd3fffe18
commit bc8ca6b8ce
18 changed files with 640 additions and 398 deletions
--- a/src/tests/cms_test.c
+++ b/src/tests/cms_test.c
@@ -1305,7 +1305,13 @@ static uint8_t root_crt_fingerprint[] =
 		      0x96, 0xe7, 0xa8, 0x6d, 0x63, 0x2d, 0x32, 0x38,
 		      0xaf, 0x00, 0xc4, 0x1a, 0xfc, 0xd8, 0xac, 0xc3 );

-/** Certificate store containing the iPXE self-test root CA */
+/** Empty certificate store */
+static struct x509_chain empty_store = {
+	.refcnt = REF_INIT ( ref_no_free ),
+	.links = LIST_HEAD_INIT ( empty_store.links ),
+};
+
+/** Root certificate list containing the iPXE self-test root CA */
 static struct x509_root test_root = {
 	.digest = &cms_test_algorithm,
 	.count = 1,
@@ -1349,12 +1355,13 @@ static time_t test_expired = 1375573111ULL; /* Sat Aug  3 23:38:31 2013 */
 * @v code		Test signed code
 * @v name		Test verification name
 * @v time		Test verification time
- * @v root		Test root certificate store
+ * @v store		Test certificate store
+ * @v root		Test root certificate list
 */
-#define cms_verify_ok( sgn, code, name, time, root ) do {		\
+#define cms_verify_ok( sgn, code, name, time, store, root ) do {	\
 	x509_invalidate_chain ( (sgn)->sig->certificates );		\
 	ok ( cms_verify ( (sgn)->sig, virt_to_user ( (code)->data ),	\
-			  (code)->len, name, time, root ) == 0 );	\
+			  (code)->len, name, time, store, root ) == 0 );\
 	} while ( 0 )

 /**
@@ -1364,12 +1371,13 @@ static time_t test_expired = 1375573111ULL; /* Sat Aug  3 23:38:31 2013 */
 * @v code		Test signed code
 * @v name		Test verification name
 * @v time		Test verification time
- * @v root		Test root certificate store
+ * @v store		Test certificate store
+ * @v root		Test root certificate list
 */
-#define cms_verify_fail_ok( sgn, code, name, time, root ) do {		\
+#define cms_verify_fail_ok( sgn, code, name, time, store, root ) do {	\
 	x509_invalidate_chain ( (sgn)->sig->certificates );		\
 	ok ( cms_verify ( (sgn)->sig, virt_to_user ( (code)->data ),	\
-			  (code)->len, name, time, root ) != 0 );	\
+			  (code)->len, name, time, store, root ) != 0 );\
 	} while ( 0 )

 /**
@@ -1385,38 +1393,42 @@ static void cms_test_exec ( void ) {
 	cms_signature_ok ( &nonsigned_sig );

 	/* Check good signature */
+	cms_verify_ok ( &codesigned_sig, &test_code, "codesign.test.ipxe.org",
+			test_time, &empty_store, &test_root );
 	cms_verify_ok ( &codesigned_sig, &test_code,
-			"codesign.test.ipxe.org", test_time, &test_root );
-	cms_verify_ok ( &codesigned_sig, &test_code,
-			NULL, test_time, &test_root );
+			NULL, test_time, &empty_store, &test_root );

 	/* Check incorrect signer name */
 	cms_verify_fail_ok ( &codesigned_sig, &test_code,
-			     "wrongname.test.ipxe.org", test_time, &test_root );
+			     "wrongname.test.ipxe.org", test_time,
+			     &empty_store, &test_root );

 	/* Check non-code-signing certificate */
 	cms_verify_fail_ok ( &genericsigned_sig, &test_code,
-			     NULL, test_time, &test_root );
+			     NULL, test_time, &empty_store, &test_root );

 	/* Check non-signing certificate */
 	cms_verify_fail_ok ( &nonsigned_sig, &test_code,
-			     NULL, test_time, &test_root );
+			     NULL, test_time, &empty_store, &test_root );

 	/* Check broken chain */
 	cms_verify_fail_ok ( &brokenchain_sig, &test_code,
-			     NULL, test_time, &test_root );
+			     NULL, test_time, &empty_store, &test_root );

 	/* Check untrusted signature */
 	cms_verify_fail_ok ( &codesigned_sig, &test_code,
-			     NULL, test_time, &dummy_root );
+			     NULL, test_time, &empty_store, &dummy_root );

 	/* Check incorrect signed content */
 	cms_verify_fail_ok ( &codesigned_sig, &bad_code,
-			     NULL, test_time, &test_root );
+			     NULL, test_time, &empty_store, &test_root );

 	/* Check expired signature */
 	cms_verify_fail_ok ( &codesigned_sig, &test_code,
-			     NULL, test_expired, &test_root );
+			     NULL, test_expired, &empty_store, &test_root );
+
+	/* Sanity check */
+	assert ( list_empty ( &empty_store.links ) );

 	/* Drop signature references */
 	cms_put ( nonsigned_sig.sig );