src/crypto/x509.c

   1 /*
   2  * Copyright (C) 2007 Michael Brown <mbrown@fensystems.co.uk>.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License as
   6  * published by the Free Software Foundation; either version 2 of the
   7  * License, or any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12  * General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, write to the Free Software
  16  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  17  */
  18
  19 #include <stdlib.h>
  20 #include <string.h>
  21 #include <errno.h>
  22 #include <gpxe/asn1.h>
  23 #include <gpxe/x509.h>
  24
  25 /** @file
  26  *
  27  * X.509 certificates
  28  *
  29  * The structure of X.509v3 certificates is concisely documented in
  30  * RFC5280 section 4.1.  The structure of RSA public keys is
  31  * documented in RFC2313.
  32  */
  33
  34 /** Object Identifier for "rsaEncryption" (1.2.840.113549.1.1.1) */
  35 static const uint8_t oid_rsa_encryption[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
  36                                               0x0d, 0x01, 0x01, 0x01 };
  37
  38 /**
  39  * Identify X.509 certificate public key
  40  *
  41  * @v certificate       Certificate
  42  * @v algorithm         Public key algorithm to fill in
  43  * @v pubkey            Public key value to fill in
  44  * @ret rc              Return status code
  45  */
  46 static int x509_public_key ( const struct asn1_cursor *certificate,
  47                              struct asn1_cursor *algorithm,
  48                              struct asn1_cursor *pubkey ) {
  49         struct asn1_cursor cursor;
  50         int rc;
  51
  52         /* Locate subjectPublicKeyInfo */
  53         memcpy ( &cursor, certificate, sizeof ( cursor ) );
  54         rc = ( asn1_enter ( &cursor, ASN1_SEQUENCE ), /* Certificate */
  55                asn1_enter ( &cursor, ASN1_SEQUENCE ), /* tbsCertificate */
  56                asn1_skip ( &cursor, ASN1_EXPLICIT_TAG ), /* version */
  57                asn1_skip ( &cursor, ASN1_INTEGER ), /* serialNumber */
  58                asn1_skip ( &cursor, ASN1_SEQUENCE ), /* signature */
  59                asn1_skip ( &cursor, ASN1_SEQUENCE ), /* issuer */
  60                asn1_skip ( &cursor, ASN1_SEQUENCE ), /* validity */
  61                asn1_skip ( &cursor, ASN1_SEQUENCE ), /* name */
  62                asn1_enter ( &cursor, ASN1_SEQUENCE )/* subjectPublicKeyInfo*/);
  63         if ( rc != 0 ) {
  64                 DBG ( "Cannot locate subjectPublicKeyInfo in:\n" );
  65                 DBG_HDA ( 0, certificate->data, certificate->len );
  66                 return rc;
  67         }
  68
  69         /* Locate algorithm */
  70         memcpy ( algorithm, &cursor, sizeof ( *algorithm ) );
  71         rc = ( asn1_enter ( algorithm, ASN1_SEQUENCE ) /* algorithm */ );
  72         if ( rc != 0 ) {
  73                 DBG ( "Cannot locate algorithm in:\n" );
  74                 DBG_HDA ( 0, certificate->data, certificate->len );
  75                 return rc;
  76         }
  77
  78         /* Locate subjectPublicKey */
  79         memcpy ( pubkey, &cursor, sizeof ( *pubkey ) );
  80         rc = ( asn1_skip ( pubkey, ASN1_SEQUENCE ), /* algorithm */
  81                asn1_enter ( pubkey, ASN1_BIT_STRING ) /* subjectPublicKey*/ );
  82         if ( rc != 0 ) {
  83                 DBG ( "Cannot locate subjectPublicKey in:\n" );
  84                 DBG_HDA ( 0, certificate->data, certificate->len );
  85                 return rc;
  86         }
  87
  88         return 0;
  89 }
  90
  91 /**
  92  * Identify X.509 certificate RSA modulus and public exponent
  93  *
  94  * @v certificate       Certificate
  95  * @v rsa               RSA public key to fill in
  96  * @ret rc              Return status code
  97  *
  98  * The caller is responsible for eventually calling
  99  * x509_free_rsa_public_key() to free the storage allocated to hold
 100  * the RSA modulus and exponent.
 101  */
 102 int x509_rsa_public_key ( const struct asn1_cursor *certificate,
 103                           struct x509_rsa_public_key *rsa_pubkey ) {
 104         struct asn1_cursor algorithm;
 105         struct asn1_cursor pubkey;
 106         struct asn1_cursor modulus;
 107         struct asn1_cursor exponent;
 108         int rc;
 109
 110         /* First, extract the public key algorithm and key data */
 111         if ( ( rc = x509_public_key ( certificate, &algorithm,
 112                                       &pubkey ) ) != 0 )
 113                 return rc;
 114
 115         /* Check that algorithm is RSA */
 116         rc = ( asn1_enter ( &algorithm, ASN1_OID ) /* algorithm */ );
 117         if ( rc != 0 ) {
 118                 DBG ( "Cannot locate algorithm:\n" );
 119                 DBG_HDA ( 0, certificate->data, certificate->len );
 120         return rc;
 121         }
 122         if ( ( algorithm.len != sizeof ( oid_rsa_encryption ) ) ||
 123              ( memcmp ( algorithm.data, &oid_rsa_encryption,
 124                         sizeof ( oid_rsa_encryption ) ) != 0 ) ) {
 125                 DBG ( "algorithm is not rsaEncryption in:\n" );
 126                 DBG_HDA ( 0, certificate->data, certificate->len );
 127                 return -ENOTSUP;
 128         }
 129
 130         /* Check that public key is a byte string, i.e. that the
 131          * "unused bits" byte contains zero.
 132          */
 133         if ( ( pubkey.len < 1 ) ||
 134              ( ( *( uint8_t * ) pubkey.data ) != 0 ) ) {
 135                 DBG ( "subjectPublicKey is not a byte string in:\n" );
 136                 DBG_HDA ( 0, certificate->data, certificate->len );
 137                 return -ENOTSUP;
 138         }
 139         pubkey.data++;
 140         pubkey.len--;
 141
 142         /* Pick out the modulus and exponent */
 143         rc = ( asn1_enter ( &pubkey, ASN1_SEQUENCE ) /* RSAPublicKey */ );
 144         if ( rc != 0 ) {
 145                 DBG ( "Cannot locate RSAPublicKey in:\n" );
 146                 DBG_HDA ( 0, certificate->data, certificate->len );
 147                 return -ENOTSUP;
 148         }
 149         memcpy ( &modulus, &pubkey, sizeof ( modulus ) );
 150         rc = ( asn1_enter ( &modulus, ASN1_INTEGER ) /* modulus */ );
 151         if ( rc != 0 ) {
 152                 DBG ( "Cannot locate modulus in:\n" );
 153                 DBG_HDA ( 0, certificate->data, certificate->len );
 154                 return -ENOTSUP;
 155         }
 156         memcpy ( &exponent, &pubkey, sizeof ( exponent ) );
 157         rc = ( asn1_skip ( &exponent, ASN1_INTEGER ), /* modulus */
 158                asn1_enter ( &exponent, ASN1_INTEGER ) /* publicExponent */ );
 159         if ( rc != 0 ) {
 160                 DBG ( "Cannot locate publicExponent in:\n" );
 161                 DBG_HDA ( 0, certificate->data, certificate->len );
 162                 return -ENOTSUP;
 163         }
 164
 165         /* Allocate space and copy out modulus and exponent */
 166         rsa_pubkey->modulus = malloc ( modulus.len + exponent.len );
 167         if ( ! rsa_pubkey->modulus )
 168                 return -ENOMEM;
 169         rsa_pubkey->exponent = ( rsa_pubkey->modulus + modulus.len );
 170         memcpy ( rsa_pubkey->modulus, modulus.data, modulus.len );
 171         rsa_pubkey->modulus_len = modulus.len;
 172         memcpy ( rsa_pubkey->exponent, exponent.data, exponent.len );
 173         rsa_pubkey->exponent_len = exponent.len;
 174
 175         DBG2 ( "RSA modulus:\n" );
 176         DBG2_HDA ( 0, rsa_pubkey->modulus, rsa_pubkey->modulus_len );
 177         DBG2 ( "RSA exponent:\n" );
 178         DBG2_HDA ( 0, rsa_pubkey->exponent, rsa_pubkey->exponent_len );
 179
 180         return 0;
 181 }