2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
17 #include <openssl/crypto.h>
18 #include <openssl/err.h>
19 #include <openssl/trace.h>
20 #include <openssl/store.h>
21 #include "internal/thread_once.h"
22 #include "crypto/store.h"
23 #include "store_local.h"
25 struct ossl_store_ctx_st
{
26 const OSSL_STORE_LOADER
*loader
;
27 OSSL_STORE_LOADER_CTX
*loader_ctx
;
28 const UI_METHOD
*ui_method
;
30 OSSL_STORE_post_process_info_fn post_process
;
31 void *post_process_data
;
34 /* 0 before the first STORE_load(), 1 otherwise */
38 OSSL_STORE_CTX
*OSSL_STORE_open(const char *uri
, const UI_METHOD
*ui_method
,
40 OSSL_STORE_post_process_info_fn post_process
,
41 void *post_process_data
)
43 const OSSL_STORE_LOADER
*loader
= NULL
;
44 OSSL_STORE_LOADER_CTX
*loader_ctx
= NULL
;
45 OSSL_STORE_CTX
*ctx
= NULL
;
46 char scheme_copy
[256], *p
, *schemes
[2];
51 * Put the file scheme first. If the uri does represent an existing file,
52 * possible device name and all, then it should be loaded. Only a failed
53 * attempt at loading a local file should have us try something else.
55 schemes
[schemes_n
++] = "file";
58 * Now, check if we have something that looks like a scheme, and add it
59 * as a second scheme. However, also check if there's an authority start
60 * (://), because that will invalidate the previous file scheme. Also,
61 * check that this isn't actually the file scheme, as there's no point
62 * going through that one twice!
64 OPENSSL_strlcpy(scheme_copy
, uri
, sizeof(scheme_copy
));
65 if ((p
= strchr(scheme_copy
, ':')) != NULL
) {
67 if (strcasecmp(scheme_copy
, "file") != 0) {
68 if (strncmp(p
, "//", 2) == 0)
69 schemes_n
--; /* Invalidate the file scheme */
70 schemes
[schemes_n
++] = scheme_copy
;
76 /* Try each scheme until we find one that could open the URI */
77 for (i
= 0; loader_ctx
== NULL
&& i
< schemes_n
; i
++) {
78 OSSL_TRACE1(STORE
, "Looking up scheme %s\n", schemes
[i
]);
79 if ((loader
= ossl_store_get0_loader_int(schemes
[i
])) != NULL
) {
80 OSSL_TRACE1(STORE
, "Found loader for scheme %s\n", schemes
[i
]);
81 loader_ctx
= loader
->open(loader
, uri
, ui_method
, ui_data
);
82 OSSL_TRACE2(STORE
, "Opened %s => %p\n", uri
, (void *)loader_ctx
);
86 if (loader_ctx
== NULL
)
89 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
) {
90 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_OPEN
, ERR_R_MALLOC_FAILURE
);
95 ctx
->loader_ctx
= loader_ctx
;
96 ctx
->ui_method
= ui_method
;
97 ctx
->ui_data
= ui_data
;
98 ctx
->post_process
= post_process
;
99 ctx
->post_process_data
= post_process_data
;
102 * If the attempt to open with the 'file' scheme loader failed and the
103 * other scheme loader succeeded, the failure to open with the 'file'
104 * scheme loader leaves an error on the error stack. Let's remove it.
111 ERR_clear_last_mark();
112 if (loader_ctx
!= NULL
) {
114 * We ignore a returned error because we will return NULL anyway in
115 * this case, so if something goes wrong when closing, that'll simply
116 * just add another entry on the error stack.
118 (void)loader
->close(loader_ctx
);
123 int OSSL_STORE_ctrl(OSSL_STORE_CTX
*ctx
, int cmd
, ...)
129 ret
= OSSL_STORE_vctrl(ctx
, cmd
, args
);
135 int OSSL_STORE_vctrl(OSSL_STORE_CTX
*ctx
, int cmd
, va_list args
)
137 if (ctx
->loader
->ctrl
!= NULL
)
138 return ctx
->loader
->ctrl(ctx
->loader_ctx
, cmd
, args
);
142 int OSSL_STORE_expect(OSSL_STORE_CTX
*ctx
, int expected_type
)
145 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_EXPECT
,
146 OSSL_STORE_R_LOADING_STARTED
);
150 ctx
->expected_type
= expected_type
;
151 if (ctx
->loader
->expect
!= NULL
)
152 return ctx
->loader
->expect(ctx
->loader_ctx
, expected_type
);
156 int OSSL_STORE_find(OSSL_STORE_CTX
*ctx
, const OSSL_STORE_SEARCH
*search
)
159 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND
,
160 OSSL_STORE_R_LOADING_STARTED
);
163 if (ctx
->loader
->find
== NULL
) {
164 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND
,
165 OSSL_STORE_R_UNSUPPORTED_OPERATION
);
169 return ctx
->loader
->find(ctx
->loader_ctx
, search
);
172 OSSL_STORE_INFO
*OSSL_STORE_load(OSSL_STORE_CTX
*ctx
)
174 OSSL_STORE_INFO
*v
= NULL
;
178 if (OSSL_STORE_eof(ctx
))
181 OSSL_TRACE(STORE
, "Loading next object\n");
182 v
= ctx
->loader
->load(ctx
->loader_ctx
, ctx
->ui_method
, ctx
->ui_data
);
184 if (ctx
->post_process
!= NULL
&& v
!= NULL
) {
185 v
= ctx
->post_process(v
, ctx
->post_process_data
);
188 * By returning NULL, the callback decides that this object should
195 if (v
!= NULL
&& ctx
->expected_type
!= 0) {
196 int returned_type
= OSSL_STORE_INFO_get_type(v
);
198 if (returned_type
!= OSSL_STORE_INFO_NAME
&& returned_type
!= 0) {
200 * Soft assert here so those who want to harsly weed out faulty
201 * loaders can do so using a debugging version of libcrypto.
203 if (ctx
->loader
->expect
!= NULL
)
204 assert(ctx
->expected_type
== returned_type
);
206 if (ctx
->expected_type
!= returned_type
) {
207 OSSL_STORE_INFO_free(v
);
214 OSSL_TRACE1(STORE
, "Got a %s\n",
215 OSSL_STORE_INFO_type_string(OSSL_STORE_INFO_get_type(v
)));
220 int OSSL_STORE_error(OSSL_STORE_CTX
*ctx
)
222 return ctx
->loader
->error(ctx
->loader_ctx
);
225 int OSSL_STORE_eof(OSSL_STORE_CTX
*ctx
)
227 return ctx
->loader
->eof(ctx
->loader_ctx
);
230 int OSSL_STORE_close(OSSL_STORE_CTX
*ctx
)
234 OSSL_TRACE1(STORE
, "Closing %p\n", (void *)ctx
->loader_ctx
);
235 loader_ret
= ctx
->loader
->close(ctx
->loader_ctx
);
242 * Functions to generate OSSL_STORE_INFOs, one function for each type we
243 * support having in them as well as a generic constructor.
245 * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
246 * and will therefore be freed when the OSSL_STORE_INFO is freed.
248 static OSSL_STORE_INFO
*store_info_new(int type
, void *data
)
250 OSSL_STORE_INFO
*info
= OPENSSL_zalloc(sizeof(*info
));
260 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_NAME(char *name
)
262 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_NAME
, NULL
);
265 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME
,
266 ERR_R_MALLOC_FAILURE
);
270 info
->_
.name
.name
= name
;
271 info
->_
.name
.desc
= NULL
;
276 int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO
*info
, char *desc
)
278 if (info
->type
!= OSSL_STORE_INFO_NAME
) {
279 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION
,
280 ERR_R_PASSED_INVALID_ARGUMENT
);
284 info
->_
.name
.desc
= desc
;
288 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_PARAMS(EVP_PKEY
*params
)
290 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_PARAMS
, params
);
293 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS
,
294 ERR_R_MALLOC_FAILURE
);
298 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_PKEY(EVP_PKEY
*pkey
)
300 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_PKEY
, pkey
);
303 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY
,
304 ERR_R_MALLOC_FAILURE
);
308 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_CERT(X509
*x509
)
310 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_CERT
, x509
);
313 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT
,
314 ERR_R_MALLOC_FAILURE
);
318 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_CRL(X509_CRL
*crl
)
320 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_CRL
, crl
);
323 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL
,
324 ERR_R_MALLOC_FAILURE
);
329 * Functions to try to extract data from a OSSL_STORE_INFO.
331 int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO
*info
)
336 const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO
*info
)
338 if (info
->type
== OSSL_STORE_INFO_NAME
)
339 return info
->_
.name
.name
;
343 char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO
*info
)
345 if (info
->type
== OSSL_STORE_INFO_NAME
) {
346 char *ret
= OPENSSL_strdup(info
->_
.name
.name
);
349 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME
,
350 ERR_R_MALLOC_FAILURE
);
353 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME
,
354 OSSL_STORE_R_NOT_A_NAME
);
358 const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO
*info
)
360 if (info
->type
== OSSL_STORE_INFO_NAME
)
361 return info
->_
.name
.desc
;
365 char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO
*info
)
367 if (info
->type
== OSSL_STORE_INFO_NAME
) {
368 char *ret
= OPENSSL_strdup(info
->_
.name
.desc
369 ? info
->_
.name
.desc
: "");
372 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION
,
373 ERR_R_MALLOC_FAILURE
);
376 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION
,
377 OSSL_STORE_R_NOT_A_NAME
);
381 EVP_PKEY
*OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO
*info
)
383 if (info
->type
== OSSL_STORE_INFO_PARAMS
)
384 return info
->_
.params
;
388 EVP_PKEY
*OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO
*info
)
390 if (info
->type
== OSSL_STORE_INFO_PARAMS
) {
391 EVP_PKEY_up_ref(info
->_
.params
);
392 return info
->_
.params
;
394 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS
,
395 OSSL_STORE_R_NOT_PARAMETERS
);
399 EVP_PKEY
*OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO
*info
)
401 if (info
->type
== OSSL_STORE_INFO_PKEY
)
406 EVP_PKEY
*OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO
*info
)
408 if (info
->type
== OSSL_STORE_INFO_PKEY
) {
409 EVP_PKEY_up_ref(info
->_
.pkey
);
412 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY
,
413 OSSL_STORE_R_NOT_A_KEY
);
417 X509
*OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO
*info
)
419 if (info
->type
== OSSL_STORE_INFO_CERT
)
424 X509
*OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO
*info
)
426 if (info
->type
== OSSL_STORE_INFO_CERT
) {
427 X509_up_ref(info
->_
.x509
);
430 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT
,
431 OSSL_STORE_R_NOT_A_CERTIFICATE
);
435 X509_CRL
*OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO
*info
)
437 if (info
->type
== OSSL_STORE_INFO_CRL
)
442 X509_CRL
*OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO
*info
)
444 if (info
->type
== OSSL_STORE_INFO_CRL
) {
445 X509_CRL_up_ref(info
->_
.crl
);
448 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL
,
449 OSSL_STORE_R_NOT_A_CRL
);
454 * Free the OSSL_STORE_INFO
456 void OSSL_STORE_INFO_free(OSSL_STORE_INFO
*info
)
459 switch (info
->type
) {
460 case OSSL_STORE_INFO_EMBEDDED
:
461 BUF_MEM_free(info
->_
.embedded
.blob
);
462 OPENSSL_free(info
->_
.embedded
.pem_name
);
464 case OSSL_STORE_INFO_NAME
:
465 OPENSSL_free(info
->_
.name
.name
);
466 OPENSSL_free(info
->_
.name
.desc
);
468 case OSSL_STORE_INFO_PARAMS
:
469 EVP_PKEY_free(info
->_
.params
);
471 case OSSL_STORE_INFO_PKEY
:
472 EVP_PKEY_free(info
->_
.pkey
);
474 case OSSL_STORE_INFO_CERT
:
475 X509_free(info
->_
.x509
);
477 case OSSL_STORE_INFO_CRL
:
478 X509_CRL_free(info
->_
.crl
);
485 int OSSL_STORE_supports_search(OSSL_STORE_CTX
*ctx
, int search_type
)
487 OSSL_STORE_SEARCH tmp_search
;
489 if (ctx
->loader
->find
== NULL
)
491 tmp_search
.search_type
= search_type
;
492 return ctx
->loader
->find(NULL
, &tmp_search
);
495 /* Search term constructors */
496 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_name(X509_NAME
*name
)
498 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
500 if (search
== NULL
) {
501 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME
,
502 ERR_R_MALLOC_FAILURE
);
506 search
->search_type
= OSSL_STORE_SEARCH_BY_NAME
;
511 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME
*name
,
512 const ASN1_INTEGER
*serial
)
514 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
516 if (search
== NULL
) {
517 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
,
518 ERR_R_MALLOC_FAILURE
);
522 search
->search_type
= OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
;
524 search
->serial
= serial
;
528 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD
*digest
,
532 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
534 if (search
== NULL
) {
535 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
,
536 ERR_R_MALLOC_FAILURE
);
540 if (digest
!= NULL
&& len
!= (size_t)EVP_MD_size(digest
)) {
541 char buf1
[20], buf2
[20];
543 BIO_snprintf(buf1
, sizeof(buf1
), "%d", EVP_MD_size(digest
));
544 BIO_snprintf(buf2
, sizeof(buf2
), "%zu", len
);
545 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
,
546 OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST
);
547 ERR_add_error_data(5, EVP_MD_name(digest
), " size is ", buf1
,
548 ", fingerprint size is ", buf2
);
551 search
->search_type
= OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
;
552 search
->digest
= digest
;
553 search
->string
= bytes
;
554 search
->stringlength
= len
;
558 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_alias(const char *alias
)
560 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
562 if (search
== NULL
) {
563 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS
,
564 ERR_R_MALLOC_FAILURE
);
568 search
->search_type
= OSSL_STORE_SEARCH_BY_ALIAS
;
569 search
->string
= (const unsigned char *)alias
;
570 search
->stringlength
= strlen(alias
);
574 /* Search term destructor */
575 void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH
*search
)
577 OPENSSL_free(search
);
580 /* Search term accessors */
581 int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH
*criterion
)
583 return criterion
->search_type
;
586 X509_NAME
*OSSL_STORE_SEARCH_get0_name(const OSSL_STORE_SEARCH
*criterion
)
588 return criterion
->name
;
591 const ASN1_INTEGER
*OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH
594 return criterion
->serial
;
597 const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH
598 *criterion
, size_t *length
)
600 *length
= criterion
->stringlength
;
601 return criterion
->string
;
604 const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH
*criterion
)
606 return (const char *)criterion
->string
;
609 const EVP_MD
*OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH
*criterion
)
611 return criterion
->digest
;
614 /* Internal functions */
615 OSSL_STORE_INFO
*ossl_store_info_new_EMBEDDED(const char *new_pem_name
,
618 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_EMBEDDED
, NULL
);
621 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED
,
622 ERR_R_MALLOC_FAILURE
);
626 info
->_
.embedded
.blob
= embedded
;
627 info
->_
.embedded
.pem_name
=
628 new_pem_name
== NULL
? NULL
: OPENSSL_strdup(new_pem_name
);
630 if (new_pem_name
!= NULL
&& info
->_
.embedded
.pem_name
== NULL
) {
631 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED
,
632 ERR_R_MALLOC_FAILURE
);
633 OSSL_STORE_INFO_free(info
);
640 BUF_MEM
*ossl_store_info_get0_EMBEDDED_buffer(OSSL_STORE_INFO
*info
)
642 if (info
->type
== OSSL_STORE_INFO_EMBEDDED
)
643 return info
->_
.embedded
.blob
;
647 char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO
*info
)
649 if (info
->type
== OSSL_STORE_INFO_EMBEDDED
)
650 return info
->_
.embedded
.pem_name
;
654 OSSL_STORE_CTX
*OSSL_STORE_attach(BIO
*bp
, OPENSSL_CTX
*libctx
,
655 const char *scheme
, const char *propq
,
656 const UI_METHOD
*ui_method
, void *ui_data
,
657 OSSL_STORE_post_process_info_fn post_process
,
658 void *post_process_data
)
660 OSSL_STORE_CTX
*ctx
= NULL
;
661 const OSSL_STORE_LOADER
*loader
= NULL
;
662 OSSL_STORE_LOADER_CTX
*loader_ctx
= NULL
;
665 ossl_store_get0_loader_int(scheme
!= NULL
? scheme
: "file")) == NULL
666 || (loader_ctx
= loader
->attach(loader
, bp
, libctx
, propq
,
667 ui_method
, ui_data
)) == NULL
)
670 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
) {
671 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_ATTACH
, ERR_R_MALLOC_FAILURE
);
675 ctx
->loader
= loader
;
676 ctx
->loader_ctx
= loader_ctx
;
677 ctx
->ui_method
= ui_method
;
678 ctx
->ui_data
= ui_data
;
679 ctx
->post_process
= post_process
;
680 ctx
->post_process_data
= post_process_data
;