crypto/x509/by_store.c

   1 /*
   2  * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/store.h>
  11 #include "internal/cryptlib.h"
  12 #include "crypto/x509.h"
  13 #include "x509_local.h"
  14
  15 /* Generic object loader, given expected type and criterion */
  16 static int cache_objects(X509_LOOKUP *lctx, const char *uri,
  17                          const OSSL_STORE_SEARCH *criterion,
  18                          int depth, OSSL_LIB_CTX *libctx, const char *propq)
  19 {
  20     int ok = 0;
  21     OSSL_STORE_CTX *ctx = NULL;
  22     X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
  23
  24     if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
  25                                   NULL, NULL)) == NULL)
  26         return 0;
  27
  28     /*
  29      * We try to set the criterion, but don't care if it was valid or not.
  30      * For a OSSL_STORE, it merely serves as an optimization, the expectation
  31      * being that if the criterion couldn't be used, we will get *everything*
  32      * from the container that the URI represents rather than the subset that
  33      * the criterion indicates, so the biggest harm is that we cache more
  34      * objects certs and CRLs than we may expect, but that's ok.
  35      *
  36      * Specifically for OpenSSL's own file: scheme, the only workable
  37      * criterion is the BY_NAME one, which it can only apply on directories,
  38      * but it's possible that the URI is a single file rather than a directory,
  39      * and in that case, the BY_NAME criterion is pointless.
  40      *
  41      * We could very simply not apply any criterion at all here, and just let
  42      * the code that selects certs and CRLs from the cached objects do its job,
  43      * but it's a nice optimization when it can be applied (such as on an
  44      * actual directory with a thousand CA certs).
  45      */
  46     if (criterion != NULL)
  47         OSSL_STORE_find(ctx, criterion);
  48
  49     for (;;) {
  50         OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
  51         int infotype;
  52
  53         /* NULL means error or "end of file".  Either way, we break. */
  54         if (info == NULL)
  55             break;
  56
  57         infotype = OSSL_STORE_INFO_get_type(info);
  58         ok = 0;
  59
  60         if (infotype == OSSL_STORE_INFO_NAME) {
  61             /*
  62              * This is an entry in the "directory" represented by the current
  63              * uri.  if |depth| allows, dive into it.
  64              */
  65             if (depth > 0)
  66                 ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
  67                                    criterion, depth - 1, libctx, propq);
  68         } else {
  69             /*
  70              * We know that X509_STORE_add_{cert|crl} increments the object's
  71              * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
  72              * to get them.
  73              */
  74             switch (infotype) {
  75             case OSSL_STORE_INFO_CERT:
  76                 ok = X509_STORE_add_cert(xstore,
  77                                          OSSL_STORE_INFO_get0_CERT(info));
  78                 break;
  79             case OSSL_STORE_INFO_CRL:
  80                 ok = X509_STORE_add_crl(xstore,
  81                                         OSSL_STORE_INFO_get0_CRL(info));
  82                 break;
  83             }
  84         }
  85
  86         OSSL_STORE_INFO_free(info);
  87         if (!ok)
  88             break;
  89     }
  90     OSSL_STORE_close(ctx);
  91
  92     return ok;
  93 }
  94
  95
  96 /* Because OPENSSL_free is a macro and for C type match */
  97 static void free_uri(OPENSSL_STRING data)
  98 {
  99     OPENSSL_free(data);
 100 }
 101
 102 static void by_store_free(X509_LOOKUP *ctx)
 103 {
 104     STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 105     sk_OPENSSL_STRING_pop_free(uris, free_uri);
 106 }
 107
 108 static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
 109                             long argl, char **retp, OSSL_LIB_CTX *libctx,
 110                             const char *propq)
 111 {
 112     switch (cmd) {
 113     case X509_L_ADD_STORE:
 114         /* First try the newer default cert URI envvar. */
 115         if (argp == NULL)
 116             argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
 117
 118         /* If not set, see if we have a URI in the older cert dir envvar. */
 119         if (argp == NULL) {
 120             argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
 121             if (argp != NULL && !ossl_is_uri(argp))
 122                 argp = NULL;
 123         }
 124
 125         /* Fallback to default store URI. */
 126         if (argp == NULL)
 127             argp = X509_get_default_cert_uri();
 128
 129         /* No point adding an empty URI. */
 130         if (!*argp)
 131             return 1;
 132
 133         {
 134             STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 135             char *data = OPENSSL_strdup(argp);
 136
 137             if (data == NULL) {
 138                 return 0;
 139             }
 140             if (uris == NULL) {
 141                 uris = sk_OPENSSL_STRING_new_null();
 142                 X509_LOOKUP_set_method_data(ctx, uris);
 143             }
 144             return sk_OPENSSL_STRING_push(uris, data) > 0;
 145         }
 146     case X509_L_LOAD_STORE:
 147         /* This is a shortcut for quick loading of specific containers */
 148         return cache_objects(ctx, argp, NULL, 0, libctx, propq);
 149     }
 150
 151     return 0;
 152 }
 153
 154 static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
 155                          const char *argp, long argl, char **retp)
 156 {
 157     return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
 158 }
 159
 160 static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 161                     const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
 162                     OSSL_LIB_CTX *libctx, const char *propq)
 163 {
 164     STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 165     int i;
 166     int ok = 0;
 167
 168     for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
 169         ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
 170                            1 /* depth */, libctx, propq);
 171
 172         if (ok)
 173             break;
 174     }
 175     return ok;
 176 }
 177
 178 static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 179                                const X509_NAME *name, X509_OBJECT *ret,
 180                                OSSL_LIB_CTX *libctx, const char *propq)
 181 {
 182     OSSL_STORE_SEARCH *criterion =
 183         OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
 184     int ok = by_store(ctx, type, criterion, ret, libctx, propq);
 185     STACK_OF(X509_OBJECT) *store_objects =
 186         X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
 187     X509_OBJECT *tmp = NULL;
 188
 189     OSSL_STORE_SEARCH_free(criterion);
 190
 191     if (ok)
 192         tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
 193
 194     ok = 0;
 195     if (tmp != NULL) {
 196         /*
 197          * This could also be done like this:
 198          *
 199          *     if (tmp != NULL) {
 200          *         *ret = *tmp;
 201          *         ok = 1;
 202          *     }
 203          *
 204          * However, we want to exercise the documented API to the max, so
 205          * we do it the hard way.
 206          *
 207          * To be noted is that X509_OBJECT_set1_* increment the refcount,
 208          * but so does X509_STORE_CTX_get_by_subject upon return of this
 209          * function, so we must ensure the refcount is decremented
 210          * before we return, or we will get a refcount leak.  We cannot do
 211          * this with X509_OBJECT_free(), though, as that will free a bit
 212          * too much.
 213          */
 214         switch (type) {
 215         case X509_LU_X509:
 216             ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
 217             if (ok)
 218                 X509_free(tmp->data.x509);
 219             break;
 220         case X509_LU_CRL:
 221             ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
 222             if (ok)
 223                 X509_CRL_free(tmp->data.crl);
 224             break;
 225         case X509_LU_NONE:
 226             break;
 227         }
 228     }
 229     return ok;
 230 }
 231
 232 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 233                             const X509_NAME *name, X509_OBJECT *ret)
 234 {
 235     return by_store_subject_ex(ctx, type, name, ret, NULL, NULL);
 236 }
 237
 238 /*
 239  * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
 240  * and get_by_alias.  There's simply not enough support in the X509_LOOKUP
 241  * or X509_STORE APIs.
 242  */
 243
 244 static X509_LOOKUP_METHOD x509_store_lookup = {
 245     "Load certs from STORE URIs",
 246     NULL,                        /* new_item */
 247     by_store_free,               /* free */
 248     NULL,                        /* init */
 249     NULL,                        /* shutdown */
 250     by_store_ctrl,               /* ctrl */
 251     by_store_subject,            /* get_by_subject */
 252     NULL,                        /* get_by_issuer_serial */
 253     NULL,                        /* get_by_fingerprint */
 254     NULL,                        /* get_by_alias */
 255     by_store_subject_ex,
 256     by_store_ctrl_ex
 257 };
 258
 259 X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
 260 {
 261     return &x509_store_lookup;
 262 }