[thirdparty/openssl.git] / crypto / x509 / by_store.c

/*
 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/store.h>
#include "internal/cryptlib.h"
#include "crypto/x509.h"
#include "x509_local.h"

/* Generic object loader, given expected type and criterion */
static int cache_objects(X509_LOOKUP *lctx, const char *uri,
                         const OSSL_STORE_SEARCH *criterion,
                         int depth)
{
    int ok = 0;
    OSSL_STORE_CTX *ctx = NULL;
    X509_STORE *xstore = X509_LOOKUP_get_store(lctx);

    if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
        return 0;

    /*
     * We try to set the criterion, but don't care if it was valid or not.
     * For a OSSL_STORE, it merely serves as an optimization, the expectation
     * being that if the criterion couldn't be used, we will get *everything*
     * from the container that the URI represents rather than the subset that
     * the criterion indicates, so the biggest harm is that we cache more
     * objects certs and CRLs than we may expect, but that's ok.
     *
     * Specifically for OpenSSL's own file: scheme, the only workable
     * criterion is the BY_NAME one, which it can only apply on directories,
     * but it's possible that the URI is a single file rather than a directory,
     * and in that case, the BY_NAME criterion is pointless.
     *
     * We could very simply not apply any criterion at all here, and just let
     * the code that selects certs and CRLs from the cached objects do its job,
     * but it's a nice optimization when it can be applied (such as on an
     * actual directory with a thousand CA certs).
     */
    if (criterion != NULL)
        OSSL_STORE_find(ctx, criterion);

    for (;;) {
        OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
        int infotype;

        /* NULL means error or "end of file".  Either way, we break. */
        if (info == NULL)
            break;

        infotype = OSSL_STORE_INFO_get_type(info);
        ok = 0;

        if (infotype == OSSL_STORE_INFO_NAME) {
            /*
             * This is an entry in the "directory" represented by the current
             * uri.  if |depth| allows, dive into it.
             */
            if (depth > 0)
                ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
                                   criterion, depth - 1);
        } else {
            /*
             * We know that X509_STORE_add_{cert|crl} increments the object's
             * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
             * to get them.
             */
            switch (infotype) {
            case OSSL_STORE_INFO_CERT:
                ok = X509_STORE_add_cert(xstore,
                                         OSSL_STORE_INFO_get0_CERT(info));
                break;
            case OSSL_STORE_INFO_CRL:
                ok = X509_STORE_add_crl(xstore,
                                        OSSL_STORE_INFO_get0_CRL(info));
                break;
            }
        }

        OSSL_STORE_INFO_free(info);
        if (!ok)
            break;
    }
    OSSL_STORE_close(ctx);

    return ok;
}


/* Because OPENSSL_free is a macro and for C type match */
static void free_uri(OPENSSL_STRING data)
{
    OPENSSL_free(data);
}

static void by_store_free(X509_LOOKUP *ctx)
{
    STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
    sk_OPENSSL_STRING_pop_free(uris, free_uri);
}

static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
                         const char *argp, long argl,
                         char **retp)
{
    switch (cmd) {
    case X509_L_ADD_STORE:
        /* If no URI is given, use the default cert dir as default URI */
        if (argp == NULL)
            argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
        if (argp == NULL)
            argp = X509_get_default_cert_dir();

        {
            STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);

            if (uris == NULL) {
                uris = sk_OPENSSL_STRING_new_null();
                X509_LOOKUP_set_method_data(ctx, uris);
            }
            return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
        }
    case X509_L_LOAD_STORE:
        /* This is a shortcut for quick loading of specific containers */
        return cache_objects(ctx, argp, NULL, 0);
    }

    return 0;
}

static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                    const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
{
    STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
    int i;
    int ok = 0;

    for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
        ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
                           1 /* depth */);

        if (ok)
            break;
    }
    return ok;
}

static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                            X509_NAME *name, X509_OBJECT *ret)
{
    OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
    int ok = by_store(ctx, type, criterion, ret);
    STACK_OF(X509_OBJECT) *store_objects =
        X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
    X509_OBJECT *tmp = NULL;

    OSSL_STORE_SEARCH_free(criterion);

    if (ok)
        tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);

    ok = 0;
    if (tmp != NULL) {
        /*
         * This could also be done like this:
         *
         *     if (tmp != NULL) {
         *         *ret = *tmp;
         *         ok = 1;
         *     }
         *
         * However, we want to exercise the documented API to the max, so
         * we do it the hard way.
         *
         * To be noted is that X509_OBJECT_set1_* increment the refcount,
         * but so does X509_STORE_CTX_get_by_subject upon return of this
         * function, so we must ensure the the refcount is decremented
         * before we return, or we will get a refcount leak.  We cannot do
         * this with X509_OBJECT_free(), though, as that will free a bit
         * too much.
         */
        switch (type) {
        case X509_LU_X509:
            ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
            if (ok)
                X509_free(tmp->data.x509);
            break;
        case X509_LU_CRL:
            ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
            if (ok)
                X509_CRL_free(tmp->data.crl);
            break;
        case X509_LU_NONE:
            break;
        }
    }
    return ok;
}

/*
 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
 * and get_by_alias.  There's simply not enough support in the X509_LOOKUP
 * or X509_STORE APIs.
 */

static X509_LOOKUP_METHOD x509_store_lookup = {
    "Load certs from STORE URIs",
    NULL,                        /* new_item */
    by_store_free,               /* free */
    NULL,                        /* init */
    NULL,                        /* shutdown */
    by_store_ctrl,               /* ctrl */
    by_store_subject,            /* get_by_subject */
    NULL,                        /* get_by_issuer_serial */
    NULL,                        /* get_by_fingerprint */
    NULL,                        /* get_by_alias */
};

X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
{
    return &x509_store_lookup;
}
Commit	Line	Data
6dcb100f RL	1	/*
	2	* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/store.h>
	11	#include "internal/cryptlib.h"
	12	#include "crypto/x509.h"
	13	#include "x509_local.h"
	14
	15	/* Generic object loader, given expected type and criterion */
	16	static int cache_objects(X509_LOOKUP lctx, const char uri,
	17	const OSSL_STORE_SEARCH *criterion,
	18	int depth)
	19	{
	20	int ok = 0;
	21	OSSL_STORE_CTX *ctx = NULL;
	22	X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
	23
	24	if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
	25	return 0;
	26
	27	/*
	28	* We try to set the criterion, but don't care if it was valid or not.
	29	* For a OSSL_STORE, it merely serves as an optimization, the expectation
	30	* being that if the criterion couldn't be used, we will get everything
	31	* from the container that the URI represents rather than the subset that
	32	* the criterion indicates, so the biggest harm is that we cache more
	33	* objects certs and CRLs than we may expect, but that's ok.
	34	*
	35	* Specifically for OpenSSL's own file: scheme, the only workable
	36	* criterion is the BY_NAME one, which it can only apply on directories,
	37	* but it's possible that the URI is a single file rather than a directory,
	38	* and in that case, the BY_NAME criterion is pointless.
	39	*
	40	* We could very simply not apply any criterion at all here, and just let
	41	* the code that selects certs and CRLs from the cached objects do its job,
	42	* but it's a nice optimization when it can be applied (such as on an
	43	* actual directory with a thousand CA certs).
	44	*/
	45	if (criterion != NULL)
	46	OSSL_STORE_find(ctx, criterion);
	47
	48	for (;;) {
	49	OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
	50	int infotype;
	51
	52	/* NULL means error or "end of file". Either way, we break. */
	53	if (info == NULL)
	54	break;
	55
	56	infotype = OSSL_STORE_INFO_get_type(info);
	57	ok = 0;
	58
	59	if (infotype == OSSL_STORE_INFO_NAME) {
	60	/*
	61	* This is an entry in the "directory" represented by the current
	62	* uri. if \|depth\| allows, dive into it.
	63	*/
	64	if (depth > 0)
65	ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
66	criterion, depth - 1);
67	} else {
68	/*
69	* We know that X509_STORE_add_{cert\|crl} increments the object's
70	* refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
71	* to get them.
72	*/
73	switch (infotype) {
74	case OSSL_STORE_INFO_CERT:
75	ok = X509_STORE_add_cert(xstore,
76	OSSL_STORE_INFO_get0_CERT(info));
77	break;
78	case OSSL_STORE_INFO_CRL:
79	ok = X509_STORE_add_crl(xstore,
80	OSSL_STORE_INFO_get0_CRL(info));
81	break;
82	}
83	}
84
85	OSSL_STORE_INFO_free(info);
86	if (!ok)
87	break;
88	}
89	OSSL_STORE_close(ctx);
90
91	return ok;
92	}
93
94
95	/* Because OPENSSL_free is a macro and for C type match */
96	static void free_uri(OPENSSL_STRING data)
97	{
98	OPENSSL_free(data);
99	}
100
101	static void by_store_free(X509_LOOKUP *ctx)
102	{
103	STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
104	sk_OPENSSL_STRING_pop_free(uris, free_uri);
105	}
106
107	static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
108	const char *argp, long argl,
109	char **retp)
110	{
111	switch (cmd) {
112	case X509_L_ADD_STORE:
113	/* If no URI is given, use the default cert dir as default URI */
114	if (argp == NULL)
115	argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
116	if (argp == NULL)
117	argp = X509_get_default_cert_dir();
118
119	{
120	STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
121
122	if (uris == NULL) {
123	uris = sk_OPENSSL_STRING_new_null();
124	X509_LOOKUP_set_method_data(ctx, uris);
125	}
126	return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
127	}
128	case X509_L_LOAD_STORE:
129	/* This is a shortcut for quick loading of specific containers */
130	return cache_objects(ctx, argp, NULL, 0);
131	}
132
133	return 0;
134	}
135
136	static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
137	const OSSL_STORE_SEARCH criterion, X509_OBJECT ret)
138	{
139	STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
140	int i;
141	int ok = 0;
142
143	for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
144	ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
145	1 /* depth */);
146
147	if (ok)
148	break;
149	}
150	return ok;
151	}
152
153	static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
154	X509_NAME name, X509_OBJECT ret)
155	{
156	OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
157	int ok = by_store(ctx, type, criterion, ret);
158	STACK_OF(X509_OBJECT) *store_objects =
159	X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
160	X509_OBJECT *tmp = NULL;
161
162	OSSL_STORE_SEARCH_free(criterion);
163
164	if (ok)
165	tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
166
167	ok = 0;
168	if (tmp != NULL) {
169	/*
170	* This could also be done like this:
171	*
172	* if (tmp != NULL) {
173	* ret = tmp;
174	* ok = 1;
175	* }
176	*
177	* However, we want to exercise the documented API to the max, so
178	* we do it the hard way.
179	*
180	* To be noted is that X509_OBJECT_set1_* increment the refcount,
181	* but so does X509_STORE_CTX_get_by_subject upon return of this
182	* function, so we must ensure the the refcount is decremented
183	* before we return, or we will get a refcount leak. We cannot do
184	* this with X509_OBJECT_free(), though, as that will free a bit
185	* too much.
186	*/
187	switch (type) {
188	case X509_LU_X509:
189	ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
190	if (ok)
191	X509_free(tmp->data.x509);
192	break;
193	case X509_LU_CRL:
194	ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
195	if (ok)
196	X509_CRL_free(tmp->data.crl);
197	break;
198	case X509_LU_NONE:
199	break;
200	}
201	}
202	return ok;
203	}
204
205	/*
206	* We lack the implementations for get_by_issuer_serial, get_by_fingerprint
207	* and get_by_alias. There's simply not enough support in the X509_LOOKUP
208	* or X509_STORE APIs.
209	*/
210
211	static X509_LOOKUP_METHOD x509_store_lookup = {
212	"Load certs from STORE URIs",
213	NULL, /* new_item */
214	by_store_free, /* free */
215	NULL, /* init */
216	NULL, /* shutdown */
217	by_store_ctrl, /* ctrl */
218	by_store_subject, /* get_by_subject */
219	NULL, /* get_by_issuer_serial */
220	NULL, /* get_by_fingerprint */
221	NULL, /* get_by_alias */
222	};
223
224	X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
225	{
226	return &x509_store_lookup;
227	}