crypto/x509/by_store.c

   1 /*
   2  * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/store.h>
  11 #include "internal/cryptlib.h"
  12 #include "crypto/x509.h"
  13 #include "x509_local.h"
  14
  15 DEFINE_STACK_OF_STRING()
  16
  17 /* Generic object loader, given expected type and criterion */
  18 static int cache_objects(X509_LOOKUP *lctx, const char *uri,
  19                          const OSSL_STORE_SEARCH *criterion,
  20                          int depth)
  21 {
  22     int ok = 0;
  23     OSSL_STORE_CTX *ctx = NULL;
  24     X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
  25
  26     if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
  27         return 0;
  28
  29     /*
  30      * We try to set the criterion, but don't care if it was valid or not.
  31      * For a OSSL_STORE, it merely serves as an optimization, the expectation
  32      * being that if the criterion couldn't be used, we will get *everything*
  33      * from the container that the URI represents rather than the subset that
  34      * the criterion indicates, so the biggest harm is that we cache more
  35      * objects certs and CRLs than we may expect, but that's ok.
  36      *
  37      * Specifically for OpenSSL's own file: scheme, the only workable
  38      * criterion is the BY_NAME one, which it can only apply on directories,
  39      * but it's possible that the URI is a single file rather than a directory,
  40      * and in that case, the BY_NAME criterion is pointless.
  41      *
  42      * We could very simply not apply any criterion at all here, and just let
  43      * the code that selects certs and CRLs from the cached objects do its job,
  44      * but it's a nice optimization when it can be applied (such as on an
  45      * actual directory with a thousand CA certs).
  46      */
  47     if (criterion != NULL)
  48         OSSL_STORE_find(ctx, criterion);
  49
  50     for (;;) {
  51         OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
  52         int infotype;
  53
  54         /* NULL means error or "end of file".  Either way, we break. */
  55         if (info == NULL)
  56             break;
  57
  58         infotype = OSSL_STORE_INFO_get_type(info);
  59         ok = 0;
  60
  61         if (infotype == OSSL_STORE_INFO_NAME) {
  62             /*
  63              * This is an entry in the "directory" represented by the current
  64              * uri.  if |depth| allows, dive into it.
  65              */
  66             if (depth > 0)
  67                 ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
  68                                    criterion, depth - 1);
  69         } else {
  70             /*
  71              * We know that X509_STORE_add_{cert|crl} increments the object's
  72              * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
  73              * to get them.
  74              */
  75             switch (infotype) {
  76             case OSSL_STORE_INFO_CERT:
  77                 ok = X509_STORE_add_cert(xstore,
  78                                          OSSL_STORE_INFO_get0_CERT(info));
  79                 break;
  80             case OSSL_STORE_INFO_CRL:
  81                 ok = X509_STORE_add_crl(xstore,
  82                                         OSSL_STORE_INFO_get0_CRL(info));
  83                 break;
  84             }
  85         }
  86
  87         OSSL_STORE_INFO_free(info);
  88         if (!ok)
  89             break;
  90     }
  91     OSSL_STORE_close(ctx);
  92
  93     return ok;
  94 }
  95
  96
  97 /* Because OPENSSL_free is a macro and for C type match */
  98 static void free_uri(OPENSSL_STRING data)
  99 {
 100     OPENSSL_free(data);
 101 }
 102
 103 static void by_store_free(X509_LOOKUP *ctx)
 104 {
 105     STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 106     sk_OPENSSL_STRING_pop_free(uris, free_uri);
 107 }
 108
 109 static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
 110                          const char *argp, long argl,
 111                          char **retp)
 112 {
 113     switch (cmd) {
 114     case X509_L_ADD_STORE:
 115         /* If no URI is given, use the default cert dir as default URI */
 116         if (argp == NULL)
 117             argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
 118         if (argp == NULL)
 119             argp = X509_get_default_cert_dir();
 120
 121         {
 122             STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 123
 124             if (uris == NULL) {
 125                 uris = sk_OPENSSL_STRING_new_null();
 126                 X509_LOOKUP_set_method_data(ctx, uris);
 127             }
 128             return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
 129         }
 130     case X509_L_LOAD_STORE:
 131         /* This is a shortcut for quick loading of specific containers */
 132         return cache_objects(ctx, argp, NULL, 0);
 133     }
 134
 135     return 0;
 136 }
 137
 138 static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 139                     const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
 140 {
 141     STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 142     int i;
 143     int ok = 0;
 144
 145     for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
 146         ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
 147                            1 /* depth */);
 148
 149         if (ok)
 150             break;
 151     }
 152     return ok;
 153 }
 154
 155 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 156                             const X509_NAME *name, X509_OBJECT *ret)
 157 {
 158     OSSL_STORE_SEARCH *criterion =
 159         OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
 160     int ok = by_store(ctx, type, criterion, ret);
 161     STACK_OF(X509_OBJECT) *store_objects =
 162         X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
 163     X509_OBJECT *tmp = NULL;
 164
 165     OSSL_STORE_SEARCH_free(criterion);
 166
 167     if (ok)
 168         tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
 169
 170     ok = 0;
 171     if (tmp != NULL) {
 172         /*
 173          * This could also be done like this:
 174          *
 175          *     if (tmp != NULL) {
 176          *         *ret = *tmp;
 177          *         ok = 1;
 178          *     }
 179          *
 180          * However, we want to exercise the documented API to the max, so
 181          * we do it the hard way.
 182          *
 183          * To be noted is that X509_OBJECT_set1_* increment the refcount,
 184          * but so does X509_STORE_CTX_get_by_subject upon return of this
 185          * function, so we must ensure the the refcount is decremented
 186          * before we return, or we will get a refcount leak.  We cannot do
 187          * this with X509_OBJECT_free(), though, as that will free a bit
 188          * too much.
 189          */
 190         switch (type) {
 191         case X509_LU_X509:
 192             ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
 193             if (ok)
 194                 X509_free(tmp->data.x509);
 195             break;
 196         case X509_LU_CRL:
 197             ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
 198             if (ok)
 199                 X509_CRL_free(tmp->data.crl);
 200             break;
 201         case X509_LU_NONE:
 202             break;
 203         }
 204     }
 205     return ok;
 206 }
 207
 208 /*
 209  * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
 210  * and get_by_alias.  There's simply not enough support in the X509_LOOKUP
 211  * or X509_STORE APIs.
 212  */
 213
 214 static X509_LOOKUP_METHOD x509_store_lookup = {
 215     "Load certs from STORE URIs",
 216     NULL,                        /* new_item */
 217     by_store_free,               /* free */
 218     NULL,                        /* init */
 219     NULL,                        /* shutdown */
 220     by_store_ctrl,               /* ctrl */
 221     by_store_subject,            /* get_by_subject */
 222     NULL,                        /* get_by_issuer_serial */
 223     NULL,                        /* get_by_fingerprint */
 224     NULL,                        /* get_by_alias */
 225 };
 226
 227 X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
 228 {
 229     return &x509_store_lookup;
 230 }