2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/store.h>
11 #include "internal/cryptlib.h"
12 #include "crypto/x509.h"
13 #include "x509_local.h"
15 /* Generic object loader, given expected type and criterion */
16 static int cache_objects(X509_LOOKUP
*lctx
, const char *uri
,
17 const OSSL_STORE_SEARCH
*criterion
,
18 int depth
, OSSL_LIB_CTX
*libctx
, const char *propq
)
21 OSSL_STORE_CTX
*ctx
= NULL
;
22 X509_STORE
*xstore
= X509_LOOKUP_get_store(lctx
);
24 if ((ctx
= OSSL_STORE_open_ex(uri
, libctx
, propq
, NULL
, NULL
, NULL
,
29 * We try to set the criterion, but don't care if it was valid or not.
30 * For a OSSL_STORE, it merely serves as an optimization, the expectation
31 * being that if the criterion couldn't be used, we will get *everything*
32 * from the container that the URI represents rather than the subset that
33 * the criterion indicates, so the biggest harm is that we cache more
34 * objects certs and CRLs than we may expect, but that's ok.
36 * Specifically for OpenSSL's own file: scheme, the only workable
37 * criterion is the BY_NAME one, which it can only apply on directories,
38 * but it's possible that the URI is a single file rather than a directory,
39 * and in that case, the BY_NAME criterion is pointless.
41 * We could very simply not apply any criterion at all here, and just let
42 * the code that selects certs and CRLs from the cached objects do its job,
43 * but it's a nice optimization when it can be applied (such as on an
44 * actual directory with a thousand CA certs).
46 if (criterion
!= NULL
)
47 OSSL_STORE_find(ctx
, criterion
);
50 OSSL_STORE_INFO
*info
= OSSL_STORE_load(ctx
);
53 /* NULL means error or "end of file". Either way, we break. */
57 infotype
= OSSL_STORE_INFO_get_type(info
);
60 if (infotype
== OSSL_STORE_INFO_NAME
) {
62 * This is an entry in the "directory" represented by the current
63 * uri. if |depth| allows, dive into it.
66 ok
= cache_objects(lctx
, OSSL_STORE_INFO_get0_NAME(info
),
67 criterion
, depth
- 1, libctx
, propq
);
70 * We know that X509_STORE_add_{cert|crl} increments the object's
71 * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
75 case OSSL_STORE_INFO_CERT
:
76 ok
= X509_STORE_add_cert(xstore
,
77 OSSL_STORE_INFO_get0_CERT(info
));
79 case OSSL_STORE_INFO_CRL
:
80 ok
= X509_STORE_add_crl(xstore
,
81 OSSL_STORE_INFO_get0_CRL(info
));
86 OSSL_STORE_INFO_free(info
);
90 OSSL_STORE_close(ctx
);
96 /* Because OPENSSL_free is a macro and for C type match */
97 static void free_uri(OPENSSL_STRING data
)
102 static void by_store_free(X509_LOOKUP
*ctx
)
104 STACK_OF(OPENSSL_STRING
) *uris
= X509_LOOKUP_get_method_data(ctx
);
105 sk_OPENSSL_STRING_pop_free(uris
, free_uri
);
108 static int by_store_ctrl_ex(X509_LOOKUP
*ctx
, int cmd
, const char *argp
,
109 long argl
, char **retp
, OSSL_LIB_CTX
*libctx
,
113 case X509_L_ADD_STORE
:
114 /* First try the newer default cert URI envvar. */
116 argp
= ossl_safe_getenv(X509_get_default_cert_uri_env());
118 /* If not set, see if we have a URI in the older cert dir envvar. */
120 argp
= ossl_safe_getenv(X509_get_default_cert_dir_env());
121 if (argp
!= NULL
&& !ossl_is_uri(argp
))
125 /* Fallback to default store URI. */
127 argp
= X509_get_default_cert_uri();
129 /* No point adding an empty URI. */
134 STACK_OF(OPENSSL_STRING
) *uris
= X509_LOOKUP_get_method_data(ctx
);
135 char *data
= OPENSSL_strdup(argp
);
141 uris
= sk_OPENSSL_STRING_new_null();
142 X509_LOOKUP_set_method_data(ctx
, uris
);
144 return sk_OPENSSL_STRING_push(uris
, data
) > 0;
146 case X509_L_LOAD_STORE
:
147 /* This is a shortcut for quick loading of specific containers */
148 return cache_objects(ctx
, argp
, NULL
, 0, libctx
, propq
);
154 static int by_store_ctrl(X509_LOOKUP
*ctx
, int cmd
,
155 const char *argp
, long argl
, char **retp
)
157 return by_store_ctrl_ex(ctx
, cmd
, argp
, argl
, retp
, NULL
, NULL
);
160 static int by_store(X509_LOOKUP
*ctx
, X509_LOOKUP_TYPE type
,
161 const OSSL_STORE_SEARCH
*criterion
, X509_OBJECT
*ret
,
162 OSSL_LIB_CTX
*libctx
, const char *propq
)
164 STACK_OF(OPENSSL_STRING
) *uris
= X509_LOOKUP_get_method_data(ctx
);
168 for (i
= 0; i
< sk_OPENSSL_STRING_num(uris
); i
++) {
169 ok
= cache_objects(ctx
, sk_OPENSSL_STRING_value(uris
, i
), criterion
,
170 1 /* depth */, libctx
, propq
);
178 static int by_store_subject_ex(X509_LOOKUP
*ctx
, X509_LOOKUP_TYPE type
,
179 const X509_NAME
*name
, X509_OBJECT
*ret
,
180 OSSL_LIB_CTX
*libctx
, const char *propq
)
182 OSSL_STORE_SEARCH
*criterion
=
183 OSSL_STORE_SEARCH_by_name((X509_NAME
*)name
); /* won't modify it */
184 int ok
= by_store(ctx
, type
, criterion
, ret
, libctx
, propq
);
185 STACK_OF(X509_OBJECT
) *store_objects
=
186 X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx
));
187 X509_OBJECT
*tmp
= NULL
;
189 OSSL_STORE_SEARCH_free(criterion
);
192 tmp
= X509_OBJECT_retrieve_by_subject(store_objects
, type
, name
);
197 * This could also be done like this:
204 * However, we want to exercise the documented API to the max, so
205 * we do it the hard way.
207 * To be noted is that X509_OBJECT_set1_* increment the refcount,
208 * but so does X509_STORE_CTX_get_by_subject upon return of this
209 * function, so we must ensure the refcount is decremented
210 * before we return, or we will get a refcount leak. We cannot do
211 * this with X509_OBJECT_free(), though, as that will free a bit
216 ok
= X509_OBJECT_set1_X509(ret
, tmp
->data
.x509
);
218 X509_free(tmp
->data
.x509
);
221 ok
= X509_OBJECT_set1_X509_CRL(ret
, tmp
->data
.crl
);
223 X509_CRL_free(tmp
->data
.crl
);
232 static int by_store_subject(X509_LOOKUP
*ctx
, X509_LOOKUP_TYPE type
,
233 const X509_NAME
*name
, X509_OBJECT
*ret
)
235 return by_store_subject_ex(ctx
, type
, name
, ret
, NULL
, NULL
);
239 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
240 * and get_by_alias. There's simply not enough support in the X509_LOOKUP
241 * or X509_STORE APIs.
244 static X509_LOOKUP_METHOD x509_store_lookup
= {
245 "Load certs from STORE URIs",
247 by_store_free
, /* free */
250 by_store_ctrl
, /* ctrl */
251 by_store_subject
, /* get_by_subject */
252 NULL
, /* get_by_issuer_serial */
253 NULL
, /* get_by_fingerprint */
254 NULL
, /* get_by_alias */
259 X509_LOOKUP_METHOD
*X509_LOOKUP_store(void)
261 return &x509_store_lookup
;