]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/x509/by_store.c
projects / thirdparty / openssl.git / blob
? search:


96bd46d60232bcae3406848ca34aac1deeba1d86
[thirdparty/openssl.git] / crypto / x509 / by_store.c
1 /*
2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/store.h>
11 #include "internal/cryptlib.h"
12 #include "crypto/x509.h"
13 #include "x509_local.h"
14
15 /* Generic object loader, given expected type and criterion */
16 static int cache_objects(X509_LOOKUP *lctx, const char *uri,
17 const OSSL_STORE_SEARCH *criterion,
18 int depth, OSSL_LIB_CTX *libctx, const char *propq)
19 {
20 int ok = 0;
21 OSSL_STORE_CTX *ctx = NULL;
22 X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
23
24 if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
25 NULL, NULL)) == NULL)
26 return 0;
27
28 /*
29 * We try to set the criterion, but don't care if it was valid or not.
30 * For a OSSL_STORE, it merely serves as an optimization, the expectation
31 * being that if the criterion couldn't be used, we will get *everything*
32 * from the container that the URI represents rather than the subset that
33 * the criterion indicates, so the biggest harm is that we cache more
34 * objects certs and CRLs than we may expect, but that's ok.
35 *
36 * Specifically for OpenSSL's own file: scheme, the only workable
37 * criterion is the BY_NAME one, which it can only apply on directories,
38 * but it's possible that the URI is a single file rather than a directory,
39 * and in that case, the BY_NAME criterion is pointless.
40 *
41 * We could very simply not apply any criterion at all here, and just let
42 * the code that selects certs and CRLs from the cached objects do its job,
43 * but it's a nice optimization when it can be applied (such as on an
44 * actual directory with a thousand CA certs).
45 */
46 if (criterion != NULL)
47 OSSL_STORE_find(ctx, criterion);
48
49 for (;;) {
50 OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
51 int infotype;
52
53 /* NULL means error or "end of file". Either way, we break. */
54 if (info == NULL)
55 break;
56
57 infotype = OSSL_STORE_INFO_get_type(info);
58 ok = 0;
59
60 if (infotype == OSSL_STORE_INFO_NAME) {
61 /*
62 * This is an entry in the "directory" represented by the current
63 * uri. if |depth| allows, dive into it.
64 */
65 if (depth > 0)
66 ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
67 criterion, depth - 1, libctx, propq);
68 } else {
69 /*
70 * We know that X509_STORE_add_{cert|crl} increments the object's
71 * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
72 * to get them.
73 */
74 switch (infotype) {
75 case OSSL_STORE_INFO_CERT:
76 ok = X509_STORE_add_cert(xstore,
77 OSSL_STORE_INFO_get0_CERT(info));
78 break;
79 case OSSL_STORE_INFO_CRL:
80 ok = X509_STORE_add_crl(xstore,
81 OSSL_STORE_INFO_get0_CRL(info));
82 break;
83 }
84 }
85
86 OSSL_STORE_INFO_free(info);
87 if (!ok)
88 break;
89 }
90 OSSL_STORE_close(ctx);
91
92 return ok;
93 }
94
95
96 /* Because OPENSSL_free is a macro and for C type match */
97 static void free_uri(OPENSSL_STRING data)
98 {
99 OPENSSL_free(data);
100 }
101
102 static void by_store_free(X509_LOOKUP *ctx)
103 {
104 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
105 sk_OPENSSL_STRING_pop_free(uris, free_uri);
106 }
107
108 static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
109 long argl, char **retp, OSSL_LIB_CTX *libctx,
110 const char *propq)
111 {
112 switch (cmd) {
113 case X509_L_ADD_STORE:
114 /* First try the newer default cert URI envvar. */
115 if (argp == NULL)
116 argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
117
118 /* If not set, see if we have a URI in the older cert dir envvar. */
119 if (argp == NULL)
120 argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
121
122 /* Fallback to default store URI. */
123 if (argp == NULL)
124 argp = X509_get_default_cert_uri();
125
126 /* No point adding an empty URI. */
127 if (!*argp)
128 return 1;
129
130 {
131 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
132 char *data = OPENSSL_strdup(argp);
133
134 if (data == NULL) {
135 return 0;
136 }
137 if (uris == NULL) {
138 uris = sk_OPENSSL_STRING_new_null();
139 X509_LOOKUP_set_method_data(ctx, uris);
140 }
141 return sk_OPENSSL_STRING_push(uris, data) > 0;
142 }
143 case X509_L_LOAD_STORE:
144 /* This is a shortcut for quick loading of specific containers */
145 return cache_objects(ctx, argp, NULL, 0, libctx, propq);
146 }
147
148 return 0;
149 }
150
151 static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
152 const char *argp, long argl, char **retp)
153 {
154 return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
155 }
156
157 static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
158 const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
159 OSSL_LIB_CTX *libctx, const char *propq)
160 {
161 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
162 int i;
163 int ok = 0;
164
165 for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
166 ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
167 1 /* depth */, libctx, propq);
168
169 if (ok)
170 break;
171 }
172 return ok;
173 }
174
175 static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
176 const X509_NAME *name, X509_OBJECT *ret,
177 OSSL_LIB_CTX *libctx, const char *propq)
178 {
179 OSSL_STORE_SEARCH *criterion =
180 OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
181 int ok = by_store(ctx, type, criterion, ret, libctx, propq);
182 STACK_OF(X509_OBJECT) *store_objects =
183 X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
184 X509_OBJECT *tmp = NULL;
185
186 OSSL_STORE_SEARCH_free(criterion);
187
188 if (ok)
189 tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
190
191 ok = 0;
192 if (tmp != NULL) {
193 /*
194 * This could also be done like this:
195 *
196 * if (tmp != NULL) {
197 * *ret = *tmp;
198 * ok = 1;
199 * }
200 *
201 * However, we want to exercise the documented API to the max, so
202 * we do it the hard way.
203 *
204 * To be noted is that X509_OBJECT_set1_* increment the refcount,
205 * but so does X509_STORE_CTX_get_by_subject upon return of this
206 * function, so we must ensure the refcount is decremented
207 * before we return, or we will get a refcount leak. We cannot do
208 * this with X509_OBJECT_free(), though, as that will free a bit
209 * too much.
210 */
211 switch (type) {
212 case X509_LU_X509:
213 ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
214 if (ok)
215 X509_free(tmp->data.x509);
216 break;
217 case X509_LU_CRL:
218 ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
219 if (ok)
220 X509_CRL_free(tmp->data.crl);
221 break;
222 case X509_LU_NONE:
223 break;
224 }
225 }
226 return ok;
227 }
228
229 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
230 const X509_NAME *name, X509_OBJECT *ret)
231 {
232 return by_store_subject_ex(ctx, type, name, ret, NULL, NULL);
233 }
234
235 /*
236 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
237 * and get_by_alias. There's simply not enough support in the X509_LOOKUP
238 * or X509_STORE APIs.
239 */
240
241 static X509_LOOKUP_METHOD x509_store_lookup = {
242 "Load certs from STORE URIs",
243 NULL, /* new_item */
244 by_store_free, /* free */
245 NULL, /* init */
246 NULL, /* shutdown */
247 by_store_ctrl, /* ctrl */
248 by_store_subject, /* get_by_subject */
249 NULL, /* get_by_issuer_serial */
250 NULL, /* get_by_fingerprint */
251 NULL, /* get_by_alias */
252 by_store_subject_ex,
253 by_store_ctrl_ex
254 };
255
256 X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
257 {
258 return &x509_store_lookup;
259 }
A mirror of the official openssl repository