[tls] Display cross-certificate and OCSP status messages
1 /*
2 * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
/* Licence tag for this translation unit (iPXE's FILE_LICENCE macro is
 * defined outside this file).
 */
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
26 #include <string.h>
27 #include <stdio.h>
28 #include <errno.h>
29 #include <ipxe/refcnt.h>
30 #include <ipxe/malloc.h>
31 #include <ipxe/interface.h>
32 #include <ipxe/xfer.h>
33 #include <ipxe/open.h>
34 #include <ipxe/iobuf.h>
35 #include <ipxe/xferbuf.h>
36 #include <ipxe/process.h>
37 #include <ipxe/x509.h>
38 #include <ipxe/settings.h>
39 #include <ipxe/dhcp.h>
40 #include <ipxe/base64.h>
41 #include <ipxe/crc32.h>
42 #include <ipxe/ocsp.h>
43 #include <ipxe/job.h>
44 #include <ipxe/validator.h>
45 #include <config/crypto.h>
46
47 /** @file
48 *
49 * Certificate validator
50 *
51 */
52
/* Forward declaration: the callback type inside struct validator_action
 * below takes a struct validator *, but the full definition comes after it.
 */
struct validator;
54
/** A certificate validator action
 *
 * Describes what to do with the body of a completed download (either a
 * set of cross-signing certificates or an OCSP response).  The
 * validator records a pointer to the current action and invokes its
 * @c done callback once the data transfer interface closes without
 * error.
 */
struct validator_action {
	/** Name (shown in job progress messages, e.g. "XCRT" or "OCSP") */
	const char *name;
	/** Action to take upon completed transfer
	 *
	 * @v validator	Certificate validator
	 * @v data	Downloaded data (the validator's data buffer)
	 * @v len	Length of downloaded data
	 * @ret rc	Return status code
	 *
	 * The data is whatever the remote server sent and must be
	 * parsed defensively; a non-zero return aborts validation.
	 */
	int ( * done ) ( struct validator *validator, const void *data,
			 size_t len );
};
63
/** A certificate validator
 *
 * One validator drives the validation of a single X.509 chain: it
 * repeatedly attempts chain validation and, when that fails, downloads
 * either a cross-signing certificate set or an OCSP response and tries
 * again.
 */
struct validator {
	/** Reference count (released via validator_free()) */
	struct refcnt refcnt;
	/** Job control interface (progress reports and completion) */
	struct interface job;
	/** Data transfer interface
	 *
	 * Used for the cross-signing certificate and OCSP downloads;
	 * only one transfer is open at a time.
	 */
	struct interface xfer;

	/** Process
	 *
	 * Runs validator_step() once each time it is (re)added.
	 */
	struct process process;

	/** X.509 certificate chain (a reference is held) */
	struct x509_chain *chain;
	/** OCSP check
	 *
	 * Non-NULL only while an OCSP check is outstanding; it is
	 * dropped and reset to NULL once the response has been
	 * validated.
	 */
	struct ocsp_check *ocsp;
	/** Data buffer
	 *
	 * Accumulates the body of the current download; freed once
	 * the current action has consumed it.
	 */
	struct xfer_buffer buffer;

	/** Current action (NULL until the first download starts) */
	const struct validator_action *action;
	/** Current certificate
	 *
	 * This will always be present within the certificate chain
	 * and so this pointer does not hold a reference to the
	 * certificate.
	 */
	struct x509_certificate *cert;
};
93
/**
 * Get validator name (for debug messages)
 *
 * @v validator		Certificate validator
 * @ret name		Validator name
 *
 * The validator is identified by its leaf (first) certificate, so the
 * chain must still be alive whenever this is called.
 */
static const char * validator_name ( struct validator *validator ) {
	struct x509_certificate *leaf;

	leaf = x509_first ( validator->chain );
	return x509_name ( leaf );
}
105
/**
 * Free certificate validator
 *
 * @v refcnt		Reference count
 *
 * Called when the last reference is dropped; releases the chain, any
 * outstanding OCSP check and any buffered download data.
 */
static void validator_free ( struct refcnt *refcnt ) {
	struct validator *validator;

	validator = container_of ( refcnt, struct validator, refcnt );
	DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
		validator, validator_name ( validator ) );

	/* The debug message above reads the chain's first certificate,
	 * so the chain must be released only after it.
	 */
	x509_chain_put ( validator->chain );
	ocsp_put ( validator->ocsp );
	xferbuf_free ( &validator->buffer );
	free ( validator );
}
122
/**
 * Mark certificate validation as finished
 *
 * @v validator		Certificate validator
 * @v rc		Reason for finishing (0 on success, negative errno on
 *			failure)
 *
 * Stops the validation process and shuts down both interfaces with the
 * given status, which is how the job owner learns the outcome.
 */
static void validator_finished ( struct validator *validator, int rc ) {

	/* Make sure validator_step() cannot run again */
	process_del ( &validator->process );

	/* Tear down the download first, then report to the job owner */
	intf_shutdown ( &validator->xfer, rc );
	intf_shutdown ( &validator->job, rc );
}
138
139 /****************************************************************************
140 *
141 * Job control interface
142 *
143 */
144
/**
 * Report job progress
 *
 * @v validator		Certificate validator
 * @v progress		Progress report to fill in
 * @ret ongoing_rc	Ongoing job status code (if known)
 *
 * Fills in a message of the form "<action> <certificate name>" (for
 * example "XCRT ..." or "OCSP ...") once a download has been started;
 * before that the message is left untouched.
 */
static int validator_progress ( struct validator *validator,
				struct job_progress *progress ) {
	const struct validator_action *action = validator->action;

	/* Nothing to report before the first download starts */
	if ( ! action )
		return 0;

	snprintf ( progress->message, sizeof ( progress->message ), "%s %s",
		   action->name, x509_name ( validator->cert ) );
	return 0;
}
164
/** Certificate validator job control interface operations
 *
 * Progress requests are answered by validator_progress(); a close from
 * the job owner aborts validation via validator_finished().
 */
static struct interface_operation validator_job_operations[] = {
	INTF_OP ( job_progress, struct validator *, validator_progress ),
	INTF_OP ( intf_close, struct validator *, validator_finished ),
};
170
/** Certificate validator job control interface descriptor
 *
 * Binds the @c job interface embedded in struct validator to the
 * operations above.
 */
static struct interface_descriptor validator_job_desc =
	INTF_DESC ( struct validator, job, validator_job_operations );
174
175 /****************************************************************************
176 *
177 * Cross-signing certificates
178 *
179 */
180
/** Cross-signed certificate source setting
 *
 * Base URI from which cross-signing certificates are downloaded.  It
 * is tagged with DHCP_EB_CROSS_CERT, so the value may be supplied over
 * the network as well as configured locally; anything fetched from it
 * is still subject to full X.509 chain validation before it is trusted.
 */
const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
	.name = "crosscert",
	.description = "Cross-signed certificate source",
	.tag = DHCP_EB_CROSS_CERT,
	.type = &setting_type_string,
};
188
/** Default cross-signed certificate source
 *
 * Build-time value (CROSSCERT from config/crypto.h); used whenever the
 * "crosscert" setting is not present.
 */
static const char crosscert_default[] = CROSSCERT;
191
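/**
 * Append cross-signing certificates to certificate chain
 *
 * @v validator		Certificate validator
 * @v data		Raw cross-signing certificate data
 * @v len		Length of raw data
 * @ret rc		Return status code
 *
 * The data is the body downloaded from the cross-signed certificate
 * source and is therefore untrusted: it is parsed as a DER
 * certificateSet, each member is appended to a temporary chain, and
 * x509_auto_append() then picks out whichever of those certificates
 * are applicable to the validator's chain.  The temporary chain is
 * released on every path, including parse failures part-way through
 * the set.
 *
 * Returns -EACCES if the download did not extend the chain at all;
 * without this check the process would re-request the same
 * cross-signing certificate indefinitely.
 */
static int validator_append ( struct validator *validator,
			      const void *data, size_t len ) {
	struct asn1_cursor cursor;
	struct x509_chain *certs;
	struct x509_certificate *cert;
	struct x509_certificate *last;
	int rc;

	/* Allocate certificate list */
	certs = x509_alloc_chain();
	if ( ! certs ) {
		rc = -ENOMEM;
		goto err_alloc_certs;
	}

	/* Initialise cursor */
	cursor.data = data;
	cursor.len = len;

	/* Enter certificateSet */
	if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
		       "certificateSet: %s\n", validator,
		       validator_name ( validator ), strerror ( rc ) );
		goto err_certificateset;
	}

	/* Add each certificate to list */
	while ( cursor.len ) {

		/* Add certificate to chain.  A malformed member must
		 * release the temporary list like every other error
		 * path (a bare return here would leak it on each
		 * bad download).
		 */
		if ( ( rc = x509_append_raw ( certs, cursor.data,
					      cursor.len ) ) != 0 ) {
			DBGC ( validator, "VALIDATOR %p \"%s\" could not "
			       "append certificate: %s\n", validator,
			       validator_name ( validator ), strerror ( rc) );
			DBGC_HDA ( validator, 0, cursor.data, cursor.len );
			goto err_append_raw;
		}
		cert = x509_last ( certs );
		DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
		       validator, validator_name ( validator ) );
		DBGC ( validator, "%s\n", x509_name ( cert ) );

		/* Move to next certificate */
		asn1_skip_any ( &cursor );
	}

	/* Append certificates to chain */
	last = x509_last ( validator->chain );
	if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
		       "certificates: %s\n", validator,
		       validator_name ( validator ), strerror ( rc ) );
		goto err_auto_append;
	}

	/* Check that at least one certificate has been added */
	if ( last == x509_last ( validator->chain ) ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
		       "applicable certificates\n", validator,
		       validator_name ( validator ) );
		rc = -EACCES;
		goto err_no_progress;
	}

	/* Drop reference to certificate list */
	x509_chain_put ( certs );

	return 0;

 err_no_progress:
 err_auto_append:
 err_append_raw:
 err_certificateset:
	x509_chain_put ( certs );
 err_alloc_certs:
	return rc;
}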
278
/** Cross-signing certificate download validator action
 *
 * Installed by validator_start_download(); the downloaded body is
 * handed to validator_append().
 */
static const struct validator_action validator_crosscert = {
	.name = "XCRT",
	.done = validator_append,
};
284
/**
 * Start download of cross-signing certificate
 *
 * @v validator		Certificate validator
 * @v cert		X.509 certificate
 * @ret rc		Return status code
 *
 * Builds a URI of the form
 * "<source>/<crc32 of issuer>.der?subject=<base64 issuer>" from the
 * certificate's raw issuer name and opens it on the data transfer
 * interface.  The source comes from the "crosscert" setting (which may
 * be network-supplied) or, failing that, the built-in default; an empty
 * source yields -EINVAL.  Whatever is downloaded is still validated as
 * part of the chain before it is trusted.
 */
static int validator_start_download ( struct validator *validator,
				      struct x509_certificate *cert ) {
	const struct asn1_cursor *issuer = &cert->issuer.raw;
	char *source_copy;
	const char *source;
	char *uri;
	size_t uri_len;
	uint32_t issuer_crc;
	int prefix_len;
	int rc;

	/* Determine cross-signed certificate source: setting first,
	 * then the compiled-in default
	 */
	fetch_string_setting_copy ( NULL, &crosscert_setting, &source_copy );
	source = ( source_copy ? source_copy : crosscert_default );
	if ( source[0] == '\0' ) {
		rc = -EINVAL;
		goto err_empty_source;
	}

	/* Identify the wanted issuer by a CRC32 of its raw DER name */
	issuer_crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

	/* Allocate URI string; the 22 covers "/%08x.der?subject=" once
	 * the CRC has been expanded to eight hex digits
	 */
	uri_len = ( strlen ( source ) + 22 /* "/%08x.der?subject=" */ +
		    base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
	uri = zalloc ( uri_len );
	if ( ! uri ) {
		rc = -ENOMEM;
		goto err_alloc_uri;
	}

	/* Generate URI string: fixed prefix, then the base64 issuer */
	prefix_len = snprintf ( uri, uri_len, "%s/%08x.der?subject=",
				source, issuer_crc );
	base64_encode ( issuer->data, issuer->len, ( uri + prefix_len ),
			( uri_len - prefix_len ) );
	DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
	       validator, validator_name ( validator ) );
	DBGC ( validator, "\"%s\" cross-signature from %s\n",
	       x509_name ( cert ), uri );

	/* Record what the completed download should be handed to */
	validator->action = &validator_crosscert;
	validator->cert = cert;

	/* Open URI; the URI string is not needed once the transfer
	 * has been opened
	 */
	rc = xfer_open_uri_string ( &validator->xfer, uri );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
		       "%s\n", validator, validator_name ( validator ),
		       uri, strerror ( rc ) );
	}
	free ( uri );

 err_alloc_uri:
 err_empty_source:
	free ( source_copy );
	return rc;
}
356
357 /****************************************************************************
358 *
359 * OCSP checks
360 *
361 */
362
/**
 * Validate OCSP response
 *
 * @v validator		Certificate validator
 * @v data		Raw OCSP response
 * @v len		Length of raw data
 * @ret rc		Return status code
 *
 * Records the downloaded response against the outstanding OCSP check,
 * validates it against the current time, and on success drops the
 * check so that a subsequent step may start a fresh one.
 */
static int validator_ocsp_validate ( struct validator *validator,
				     const void *data, size_t len ) {
	int rc;

	/* Record OCSP response (the raw downloaded body) */
	rc = ocsp_response ( validator->ocsp, data, len );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
		       "response: %s\n", validator,
		       validator_name ( validator ), strerror ( rc ) );
		return rc;
	}

	/* Validate OCSP response against the current time */
	rc = ocsp_validate ( validator->ocsp, time ( NULL ) );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
		       "OCSP response: %s\n", validator,
		       validator_name ( validator ), strerror ( rc ) );
		return rc;
	}

	/* Check complete: release it so another check may be started */
	ocsp_put ( validator->ocsp );
	validator->ocsp = NULL;

	return 0;
}
399
/** OCSP validator action
 *
 * Installed by validator_start_ocsp(); the downloaded body is handed
 * to validator_ocsp_validate().
 */
static const struct validator_action validator_ocsp = {
	.name = "OCSP",
	.done = validator_ocsp_validate,
};
405
/**
 * Start OCSP check
 *
 * @v validator		Certificate validator
 * @v cert		Certificate to check
 * @v issuer		Issuing certificate
 * @ret rc		Return status code
 *
 * Creates an OCSP check for @a cert and opens the responder URI that
 * ocsp_check() derived for it.  Only one check may be outstanding at a
 * time; the previous one must have been dropped by
 * validator_ocsp_validate().
 */
static int validator_start_ocsp ( struct validator *validator,
				  struct x509_certificate *cert,
				  struct x509_certificate *issuer ) {
	const char *uri_string;
	int rc;

	/* Create OCSP check */
	assert ( validator->ocsp == NULL );
	rc = ocsp_check ( cert, issuer, &validator->ocsp );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
		       "check: %s\n", validator, validator_name ( validator ),
		       strerror ( rc ) );
		return rc;
	}

	/* Record what the completed download should be handed to */
	validator->action = &validator_ocsp;
	validator->cert = cert;

	/* Open the responder URI supplied by the OCSP check */
	uri_string = validator->ocsp->uri_string;
	DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
	       validator, validator_name ( validator ) );
	DBGC ( validator, "\"%s\" via %s\n",
	       x509_name ( cert ), uri_string );
	rc = xfer_open_uri_string ( &validator->xfer, uri_string );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
		       "%s\n", validator, validator_name ( validator ),
		       uri_string, strerror ( rc ) );
	}

	return rc;
}
449
450 /****************************************************************************
451 *
452 * Data transfer interface
453 *
454 */
455
/**
 * Close data transfer interface
 *
 * @v validator		Certificate validator
 * @v rc		Reason for close
 *
 * Called when the current download finishes.  A transfer error is
 * fatal for the whole validation.  Otherwise the buffered body is
 * handed to the current action; if the action accepts it, the buffer
 * is released and the validation process is re-added so that
 * validator_step() runs again.
 */
static void validator_xfer_close ( struct validator *validator, int rc ) {
	const struct validator_action *action;

	/* Close data transfer interface */
	intf_restart ( &validator->xfer, rc );

	/* A failed transfer ends the validation with that error */
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
		       validator, validator_name ( validator ),
		       strerror ( rc ) );
		validator_finished ( validator, rc );
		return;
	}
	DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
		validator, validator_name ( validator ) );

	/* Hand the downloaded (untrusted) body to the current action;
	 * the buffer stays valid until it has been consumed
	 */
	action = validator->action;
	assert ( action != NULL );
	rc = action->done ( validator, validator->buffer.data,
			    validator->buffer.len );
	if ( rc != 0 ) {
		validator_finished ( validator, rc );
		return;
	}

	/* Free downloaded data */
	xferbuf_free ( &validator->buffer );

	/* Resume validation process */
	process_add ( &validator->process );
}
495
/**
 * Receive data
 *
 * @v validator		Certificate validator
 * @v iobuf		I/O buffer
 * @v meta		Data transfer metadata
 * @ret rc		Return status code
 *
 * Appends the received buffer to the download buffer.  Ownership of
 * @a iobuf passes to the buffer (via iob_disown()).  If buffering
 * fails, the whole validation is aborted with that error.
 */
static int validator_xfer_deliver ( struct validator *validator,
				    struct io_buffer *iobuf,
				    struct xfer_metadata *meta ) {
	int rc;

	/* Add data to buffer */
	rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
			       meta );
	if ( rc == 0 )
		return 0;

	/* Buffering failed: nothing more can be done for this chain */
	DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
	       "data: %s\n", validator, validator_name ( validator ),
	       strerror ( rc ) );
	validator_finished ( validator, rc );
	return rc;
}
521
/** Certificate validator data transfer interface operations
 *
 * Received data is buffered by validator_xfer_deliver(); the end of
 * the transfer (success or failure) is handled by
 * validator_xfer_close().
 */
static struct interface_operation validator_xfer_operations[] = {
	INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
	INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};
527
/** Certificate validator data transfer interface descriptor
 *
 * Binds the @c xfer interface embedded in struct validator to the
 * operations above.
 */
static struct interface_descriptor validator_xfer_desc =
	INTF_DESC ( struct validator, xfer, validator_xfer_operations );
531
532 /****************************************************************************
533 *
534 * Validation process
535 *
536 */
537
/**
 * Certificate validation process
 *
 * @v validator		Certificate validator
 *
 * One step of the validation state machine.  The process descriptor is
 * a run-once descriptor, so this runs once per (re)add: initially from
 * create_validator(), and again from validator_xfer_close() after each
 * successful download.  Each call either finishes the validation
 * (success or permanent failure) or starts exactly one download and
 * returns.
 */
static void validator_step ( struct validator *validator ) {
	struct x509_link *link;
	struct x509_certificate *cert;
	struct x509_certificate *issuer = NULL;
	struct x509_certificate *last;
	time_t now;
	int rc;

	/* Try validating chain.  Try even if the chain is incomplete,
	 * since certificates may already have been validated
	 * previously.
	 */
	now = time ( NULL );
	if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
					  NULL ) ) == 0 ) {
		DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
		       validator, validator_name ( validator ) );
		validator_finished ( validator, 0 );
		return;
	}

	/* If there is a certificate that could be validated using
	 * OCSP, try it.
	 *
	 * The pair (cert, issuer) walks the chain from the leaf
	 * towards the root: on each iteration cert is the previous
	 * link's certificate and issuer is the current one.  Links are
	 * skipped until the issuer is reported valid by
	 * x509_is_valid(); the certificate before it is then the one
	 * whose validation is blocking the chain.  Note that rc still
	 * holds the chain-validation error here.
	 */
	list_for_each_entry ( link, &validator->chain->links, list ) {
		cert = issuer;
		issuer = link->cert;
		if ( ! cert )
			continue;
		if ( ! x509_is_valid ( issuer ) )
			continue;
		/* The issuer is valid, but this certificate is not
		 * yet valid.  If OCSP is applicable, start it.
		 */
		if ( ocsp_required ( cert ) ) {
			/* Start OCSP; the process resumes once the
			 * response has been downloaded and validated
			 */
			if ( ( rc = validator_start_ocsp ( validator, cert,
							   issuer ) ) != 0 ) {
				validator_finished ( validator, rc );
				return;
			}
			return;
		}
		/* Otherwise, this is a permanent failure (reported
		 * with the original chain-validation error)
		 */
		validator_finished ( validator, rc );
		return;
	}

	/* If chain ends with a self-issued certificate, then there is
	 * nothing more to do: no cross-signing certificate could
	 * extend it, so report the chain-validation error.
	 */
	last = x509_last ( validator->chain );
	if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
		validator_finished ( validator, rc );
		return;
	}

	/* Otherwise, try to download a suitable cross-signing
	 * certificate for the last certificate's issuer.
	 */
	if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
		validator_finished ( validator, rc );
		return;
	}
}
608
/** Certificate validator process descriptor
 *
 * Run-once descriptor: validator_step() executes a single time for each
 * process_add() and must be re-added to run again.
 */
static struct process_descriptor validator_process_desc =
	PROC_DESC_ONCE ( struct validator, process, validator_step );
612
613 /****************************************************************************
614 *
615 * Instantiator
616 *
617 */
618
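/**
 * Instantiate a certificate validator
 *
 * @v job		Job control interface
 * @v chain		X.509 certificate chain
 * @ret rc		Return status code
 *
 * Allocates a validator holding a reference to @a chain, plugs it into
 * @a job and schedules the first validator_step().  The reference taken
 * at allocation is dropped before returning ("mortalise"), so the
 * validator lives only as long as its interfaces and process are
 * referenced; the outcome is delivered through @a job.
 *
 * Returns -EINVAL for a NULL chain and -ENOMEM if allocation fails.
 */
int create_validator ( struct interface *job, struct x509_chain *chain ) {
	struct validator *validator;
	int rc;

	/* Sanity check */
	if ( ! chain ) {
		rc = -EINVAL;
		goto err_sanity;
	}

	/* Allocate and initialise structure */
	validator = zalloc ( sizeof ( *validator ) );
	if ( ! validator ) {
		rc = -ENOMEM;
		goto err_alloc;
	}
	ref_init ( &validator->refcnt, validator_free );
	intf_init ( &validator->job, &validator_job_desc,
		    &validator->refcnt );
	intf_init ( &validator->xfer, &validator_xfer_desc,
		    &validator->refcnt );
	process_init ( &validator->process, &validator_process_desc,
		       &validator->refcnt );
	validator->chain = x509_chain_get ( chain );
	xferbuf_malloc_init ( &validator->buffer );

	/* Attach parent interface, mortalise self, and return */
	intf_plug_plug ( &validator->job, job );
	ref_put ( &validator->refcnt );
	DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
		validator, validator_name ( validator ), validator->chain );
	return 0;

	/* No failure is possible after allocation, so there is no
	 * teardown path between here and the labels below.
	 */
 err_alloc:
 err_sanity:
	return rc;
}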