2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
17 #include <openssl/crypto.h>
18 #include <openssl/err.h>
19 #include <openssl/store.h>
20 #include "internal/thread_once.h"
21 #include "crypto/store.h"
22 #include "store_local.h"
24 struct ossl_store_ctx_st
{
25 const OSSL_STORE_LOADER
*loader
;
26 OSSL_STORE_LOADER_CTX
*loader_ctx
;
27 const UI_METHOD
*ui_method
;
29 OSSL_STORE_post_process_info_fn post_process
;
30 void *post_process_data
;
33 /* 0 before the first STORE_load(), 1 otherwise */
37 OSSL_STORE_CTX
*OSSL_STORE_open(const char *uri
, const UI_METHOD
*ui_method
,
39 OSSL_STORE_post_process_info_fn post_process
,
40 void *post_process_data
)
42 const OSSL_STORE_LOADER
*loader
= NULL
;
43 OSSL_STORE_LOADER_CTX
*loader_ctx
= NULL
;
44 OSSL_STORE_CTX
*ctx
= NULL
;
45 char scheme_copy
[256], *p
, *schemes
[2];
50 * Put the file scheme first. If the uri does represent an existing file,
51 * possible device name and all, then it should be loaded. Only a failed
52 * attempt at loading a local file should have us try something else.
54 schemes
[schemes_n
++] = "file";
57 * Now, check if we have something that looks like a scheme, and add it
58 * as a second scheme. However, also check if there's an authority start
59 * (://), because that will invalidate the previous file scheme. Also,
60 * check that this isn't actually the file scheme, as there's no point
61 * going through that one twice!
63 OPENSSL_strlcpy(scheme_copy
, uri
, sizeof(scheme_copy
));
64 if ((p
= strchr(scheme_copy
, ':')) != NULL
) {
66 if (strcasecmp(scheme_copy
, "file") != 0) {
67 if (strncmp(p
, "//", 2) == 0)
68 schemes_n
--; /* Invalidate the file scheme */
69 schemes
[schemes_n
++] = scheme_copy
;
75 /* Try each scheme until we find one that could open the URI */
76 for (i
= 0; loader_ctx
== NULL
&& i
< schemes_n
; i
++) {
77 if ((loader
= ossl_store_get0_loader_int(schemes
[i
])) != NULL
)
78 loader_ctx
= loader
->open(loader
, uri
, ui_method
, ui_data
);
80 if (loader_ctx
== NULL
)
83 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
) {
84 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_OPEN
, ERR_R_MALLOC_FAILURE
);
89 ctx
->loader_ctx
= loader_ctx
;
90 ctx
->ui_method
= ui_method
;
91 ctx
->ui_data
= ui_data
;
92 ctx
->post_process
= post_process
;
93 ctx
->post_process_data
= post_process_data
;
96 * If the attempt to open with the 'file' scheme loader failed and the
97 * other scheme loader succeeded, the failure to open with the 'file'
98 * scheme loader leaves an error on the error stack. Let's remove it.
105 ERR_clear_last_mark();
106 if (loader_ctx
!= NULL
) {
108 * We ignore a returned error because we will return NULL anyway in
109 * this case, so if something goes wrong when closing, that'll simply
110 * just add another entry on the error stack.
112 (void)loader
->close(loader_ctx
);
117 int OSSL_STORE_ctrl(OSSL_STORE_CTX
*ctx
, int cmd
, ...)
123 ret
= OSSL_STORE_vctrl(ctx
, cmd
, args
);
129 int OSSL_STORE_vctrl(OSSL_STORE_CTX
*ctx
, int cmd
, va_list args
)
131 if (ctx
->loader
->ctrl
!= NULL
)
132 return ctx
->loader
->ctrl(ctx
->loader_ctx
, cmd
, args
);
136 int OSSL_STORE_expect(OSSL_STORE_CTX
*ctx
, int expected_type
)
139 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_EXPECT
,
140 OSSL_STORE_R_LOADING_STARTED
);
144 ctx
->expected_type
= expected_type
;
145 if (ctx
->loader
->expect
!= NULL
)
146 return ctx
->loader
->expect(ctx
->loader_ctx
, expected_type
);
150 int OSSL_STORE_find(OSSL_STORE_CTX
*ctx
, OSSL_STORE_SEARCH
*search
)
153 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND
,
154 OSSL_STORE_R_LOADING_STARTED
);
157 if (ctx
->loader
->find
== NULL
) {
158 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND
,
159 OSSL_STORE_R_UNSUPPORTED_OPERATION
);
163 return ctx
->loader
->find(ctx
->loader_ctx
, search
);
166 OSSL_STORE_INFO
*OSSL_STORE_load(OSSL_STORE_CTX
*ctx
)
168 OSSL_STORE_INFO
*v
= NULL
;
172 if (OSSL_STORE_eof(ctx
))
175 v
= ctx
->loader
->load(ctx
->loader_ctx
, ctx
->ui_method
, ctx
->ui_data
);
177 if (ctx
->post_process
!= NULL
&& v
!= NULL
) {
178 v
= ctx
->post_process(v
, ctx
->post_process_data
);
181 * By returning NULL, the callback decides that this object should
188 if (v
!= NULL
&& ctx
->expected_type
!= 0) {
189 int returned_type
= OSSL_STORE_INFO_get_type(v
);
191 if (returned_type
!= OSSL_STORE_INFO_NAME
&& returned_type
!= 0) {
193 * Soft assert here so those who want to harsly weed out faulty
194 * loaders can do so using a debugging version of libcrypto.
196 if (ctx
->loader
->expect
!= NULL
)
197 assert(ctx
->expected_type
== returned_type
);
199 if (ctx
->expected_type
!= returned_type
) {
200 OSSL_STORE_INFO_free(v
);
209 int OSSL_STORE_error(OSSL_STORE_CTX
*ctx
)
211 return ctx
->loader
->error(ctx
->loader_ctx
);
214 int OSSL_STORE_eof(OSSL_STORE_CTX
*ctx
)
216 return ctx
->loader
->eof(ctx
->loader_ctx
);
219 int OSSL_STORE_close(OSSL_STORE_CTX
*ctx
)
221 int loader_ret
= ctx
->loader
->close(ctx
->loader_ctx
);
228 * Functions to generate OSSL_STORE_INFOs, one function for each type we
229 * support having in them as well as a generic constructor.
231 * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
232 * and will therefore be freed when the OSSL_STORE_INFO is freed.
234 static OSSL_STORE_INFO
*store_info_new(int type
, void *data
)
236 OSSL_STORE_INFO
*info
= OPENSSL_zalloc(sizeof(*info
));
246 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_NAME(char *name
)
248 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_NAME
, NULL
);
251 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME
,
252 ERR_R_MALLOC_FAILURE
);
256 info
->_
.name
.name
= name
;
257 info
->_
.name
.desc
= NULL
;
262 int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO
*info
, char *desc
)
264 if (info
->type
!= OSSL_STORE_INFO_NAME
) {
265 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION
,
266 ERR_R_PASSED_INVALID_ARGUMENT
);
270 info
->_
.name
.desc
= desc
;
274 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_PARAMS(EVP_PKEY
*params
)
276 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_PARAMS
, params
);
279 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS
,
280 ERR_R_MALLOC_FAILURE
);
284 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_PKEY(EVP_PKEY
*pkey
)
286 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_PKEY
, pkey
);
289 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY
,
290 ERR_R_MALLOC_FAILURE
);
294 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_CERT(X509
*x509
)
296 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_CERT
, x509
);
299 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT
,
300 ERR_R_MALLOC_FAILURE
);
304 OSSL_STORE_INFO
*OSSL_STORE_INFO_new_CRL(X509_CRL
*crl
)
306 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_CRL
, crl
);
309 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL
,
310 ERR_R_MALLOC_FAILURE
);
315 * Functions to try to extract data from a OSSL_STORE_INFO.
317 int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO
*info
)
322 const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO
*info
)
324 if (info
->type
== OSSL_STORE_INFO_NAME
)
325 return info
->_
.name
.name
;
329 char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO
*info
)
331 if (info
->type
== OSSL_STORE_INFO_NAME
) {
332 char *ret
= OPENSSL_strdup(info
->_
.name
.name
);
335 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME
,
336 ERR_R_MALLOC_FAILURE
);
339 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME
,
340 OSSL_STORE_R_NOT_A_NAME
);
344 const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO
*info
)
346 if (info
->type
== OSSL_STORE_INFO_NAME
)
347 return info
->_
.name
.desc
;
351 char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO
*info
)
353 if (info
->type
== OSSL_STORE_INFO_NAME
) {
354 char *ret
= OPENSSL_strdup(info
->_
.name
.desc
355 ? info
->_
.name
.desc
: "");
358 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION
,
359 ERR_R_MALLOC_FAILURE
);
362 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION
,
363 OSSL_STORE_R_NOT_A_NAME
);
367 EVP_PKEY
*OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO
*info
)
369 if (info
->type
== OSSL_STORE_INFO_PARAMS
)
370 return info
->_
.params
;
374 EVP_PKEY
*OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO
*info
)
376 if (info
->type
== OSSL_STORE_INFO_PARAMS
) {
377 EVP_PKEY_up_ref(info
->_
.params
);
378 return info
->_
.params
;
380 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS
,
381 OSSL_STORE_R_NOT_PARAMETERS
);
385 EVP_PKEY
*OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO
*info
)
387 if (info
->type
== OSSL_STORE_INFO_PKEY
)
392 EVP_PKEY
*OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO
*info
)
394 if (info
->type
== OSSL_STORE_INFO_PKEY
) {
395 EVP_PKEY_up_ref(info
->_
.pkey
);
398 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY
,
399 OSSL_STORE_R_NOT_A_KEY
);
403 X509
*OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO
*info
)
405 if (info
->type
== OSSL_STORE_INFO_CERT
)
410 X509
*OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO
*info
)
412 if (info
->type
== OSSL_STORE_INFO_CERT
) {
413 X509_up_ref(info
->_
.x509
);
416 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT
,
417 OSSL_STORE_R_NOT_A_CERTIFICATE
);
421 X509_CRL
*OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO
*info
)
423 if (info
->type
== OSSL_STORE_INFO_CRL
)
428 X509_CRL
*OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO
*info
)
430 if (info
->type
== OSSL_STORE_INFO_CRL
) {
431 X509_CRL_up_ref(info
->_
.crl
);
434 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL
,
435 OSSL_STORE_R_NOT_A_CRL
);
440 * Free the OSSL_STORE_INFO
442 void OSSL_STORE_INFO_free(OSSL_STORE_INFO
*info
)
445 switch (info
->type
) {
446 case OSSL_STORE_INFO_EMBEDDED
:
447 BUF_MEM_free(info
->_
.embedded
.blob
);
448 OPENSSL_free(info
->_
.embedded
.pem_name
);
450 case OSSL_STORE_INFO_NAME
:
451 OPENSSL_free(info
->_
.name
.name
);
452 OPENSSL_free(info
->_
.name
.desc
);
454 case OSSL_STORE_INFO_PARAMS
:
455 EVP_PKEY_free(info
->_
.params
);
457 case OSSL_STORE_INFO_PKEY
:
458 EVP_PKEY_free(info
->_
.pkey
);
460 case OSSL_STORE_INFO_CERT
:
461 X509_free(info
->_
.x509
);
463 case OSSL_STORE_INFO_CRL
:
464 X509_CRL_free(info
->_
.crl
);
471 int OSSL_STORE_supports_search(OSSL_STORE_CTX
*ctx
, int search_type
)
473 OSSL_STORE_SEARCH tmp_search
;
475 if (ctx
->loader
->find
== NULL
)
477 tmp_search
.search_type
= search_type
;
478 return ctx
->loader
->find(NULL
, &tmp_search
);
481 /* Search term constructors */
482 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_name(X509_NAME
*name
)
484 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
486 if (search
== NULL
) {
487 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME
,
488 ERR_R_MALLOC_FAILURE
);
492 search
->search_type
= OSSL_STORE_SEARCH_BY_NAME
;
497 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME
*name
,
498 const ASN1_INTEGER
*serial
)
500 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
502 if (search
== NULL
) {
503 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
,
504 ERR_R_MALLOC_FAILURE
);
508 search
->search_type
= OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
;
510 search
->serial
= serial
;
514 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD
*digest
,
518 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
520 if (search
== NULL
) {
521 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
,
522 ERR_R_MALLOC_FAILURE
);
526 if (digest
!= NULL
&& len
!= (size_t)EVP_MD_size(digest
)) {
527 char buf1
[20], buf2
[20];
529 BIO_snprintf(buf1
, sizeof(buf1
), "%d", EVP_MD_size(digest
));
530 BIO_snprintf(buf2
, sizeof(buf2
), "%zu", len
);
531 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
,
532 OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST
);
533 ERR_add_error_data(5, EVP_MD_name(digest
), " size is ", buf1
,
534 ", fingerprint size is ", buf2
);
537 search
->search_type
= OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT
;
538 search
->digest
= digest
;
539 search
->string
= bytes
;
540 search
->stringlength
= len
;
544 OSSL_STORE_SEARCH
*OSSL_STORE_SEARCH_by_alias(const char *alias
)
546 OSSL_STORE_SEARCH
*search
= OPENSSL_zalloc(sizeof(*search
));
548 if (search
== NULL
) {
549 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS
,
550 ERR_R_MALLOC_FAILURE
);
554 search
->search_type
= OSSL_STORE_SEARCH_BY_ALIAS
;
555 search
->string
= (const unsigned char *)alias
;
556 search
->stringlength
= strlen(alias
);
560 /* Search term destructor */
561 void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH
*search
)
563 OPENSSL_free(search
);
566 /* Search term accessors */
567 int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH
*criterion
)
569 return criterion
->search_type
;
572 X509_NAME
*OSSL_STORE_SEARCH_get0_name(OSSL_STORE_SEARCH
*criterion
)
574 return criterion
->name
;
577 const ASN1_INTEGER
*OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH
580 return criterion
->serial
;
583 const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH
584 *criterion
, size_t *length
)
586 *length
= criterion
->stringlength
;
587 return criterion
->string
;
590 const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH
*criterion
)
592 return (const char *)criterion
->string
;
595 const EVP_MD
*OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH
*criterion
)
597 return criterion
->digest
;
600 /* Internal functions */
601 OSSL_STORE_INFO
*ossl_store_info_new_EMBEDDED(const char *new_pem_name
,
604 OSSL_STORE_INFO
*info
= store_info_new(OSSL_STORE_INFO_EMBEDDED
, NULL
);
607 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED
,
608 ERR_R_MALLOC_FAILURE
);
612 info
->_
.embedded
.blob
= embedded
;
613 info
->_
.embedded
.pem_name
=
614 new_pem_name
== NULL
? NULL
: OPENSSL_strdup(new_pem_name
);
616 if (new_pem_name
!= NULL
&& info
->_
.embedded
.pem_name
== NULL
) {
617 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED
,
618 ERR_R_MALLOC_FAILURE
);
619 OSSL_STORE_INFO_free(info
);
626 BUF_MEM
*ossl_store_info_get0_EMBEDDED_buffer(OSSL_STORE_INFO
*info
)
628 if (info
->type
== OSSL_STORE_INFO_EMBEDDED
)
629 return info
->_
.embedded
.blob
;
633 char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO
*info
)
635 if (info
->type
== OSSL_STORE_INFO_EMBEDDED
)
636 return info
->_
.embedded
.pem_name
;
640 OSSL_STORE_CTX
*ossl_store_attach_pem_bio(BIO
*bp
, const UI_METHOD
*ui_method
,
643 OSSL_STORE_CTX
*ctx
= NULL
;
644 const OSSL_STORE_LOADER
*loader
= NULL
;
645 OSSL_STORE_LOADER_CTX
*loader_ctx
= NULL
;
647 if ((loader
= ossl_store_get0_loader_int("file")) == NULL
648 || ((loader_ctx
= ossl_store_file_attach_pem_bio_int(bp
)) == NULL
))
650 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
) {
651 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_ATTACH_PEM_BIO
,
652 ERR_R_MALLOC_FAILURE
);
656 ctx
->loader
= loader
;
657 ctx
->loader_ctx
= loader_ctx
;
659 ctx
->ui_method
= ui_method
;
660 ctx
->ui_data
= ui_data
;
661 ctx
->post_process
= NULL
;
662 ctx
->post_process_data
= NULL
;
665 if (loader_ctx
!= NULL
)
667 * We ignore a returned error because we will return NULL anyway in
668 * this case, so if something goes wrong when closing, that'll simply
669 * just add another entry on the error stack.
671 (void)loader
->close(loader_ctx
);
675 int ossl_store_detach_pem_bio(OSSL_STORE_CTX
*ctx
)
677 int loader_ret
= ossl_store_file_detach_pem_bio_int(ctx
->loader_ctx
);