Fixes #18068.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18070)
*Hugo Landau*
+ * The `SSL_CERT_URI` environment variable has been added, which can be used
+ to specify a default URI for certificate stores. Previously, the
+ `SSL_CERT_DIR` environment variable was used for this purpose, and could
+ accept either a URI or a delimiter-separated list of paths. This usage is now
+ deprecated; to specify a delimiter-separated list of paths, use
+ `SSL_CERT_DIR`, and to specify a URI, use `SSL_CERT_URI`.
+
+ *Hugo Landau*
+
OpenSSL 3.0
-----------
if (argl == X509_FILETYPE_DEFAULT) {
const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
+ /*
+ * If SSL_CERT_DIR seems to specify a URI, don't process it as a
+ * directory.
+ */
+ if (dir != NULL && ossl_is_uri(dir))
+ return 0;
+
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
if (!ret) {
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
}
{
switch (cmd) {
case X509_L_ADD_STORE:
- /* If no URI is given, use the default cert dir as default URI */
+ /* First try the newer default cert URI envvar. */
if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
+
+ /* If not set, see if we have a URI in the older cert dir envvar. */
+ if (argp == NULL) {
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ if (argp != NULL && !ossl_is_uri(argp))
+ argp = NULL;
+ }
+
+ /* Fallback to default store URI. */
if (argp == NULL)
- argp = X509_get_default_cert_dir();
+ argp = X509_get_default_cert_uri();
+
+ /* No point adding an empty URI. */
+ if (!*argp)
+ return 1;
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
return X509_CERT_AREA;
}
+const char *X509_get_default_cert_uri(void)
+{
+ return X509_CERT_URI;
+}
+
const char *X509_get_default_cert_dir(void)
{
return X509_CERT_DIR;
return X509_CERT_FILE;
}
+const char *X509_get_default_cert_uri_env(void)
+{
+ return X509_CERT_URI_EVP;
+}
+
const char *X509_get_default_cert_dir_env(void)
{
return X509_CERT_DIR_EVP;
# include <stdlib.h>
# include <string.h>
-
-# include "internal/e_os.h" /* ossl_inline in many files */
+# include "internal/e_os.h" /* To get strncasecmp() on Windows */
# include "internal/nelem.h"
#ifdef NDEBUG
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
# endif
+#define X509_CERT_URI ""
+
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
# define CTLOG_FILE_EVP "CTLOG_FILE"
return path[0] == '/';
}
+static ossl_inline int ossl_is_uri(const char *s)
+{
+ const char *x;
+ for (x=s; ossl_isalnum(*x); ++x);
+#ifdef _WIN32
+ if (x-s <= 1)
+ return 0;
+#endif
+ return x > s && HAS_PREFIX(x, "://");
+}
+
#endif
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
const char *X509_get_default_cert_area(void);
+const char *X509_get_default_cert_uri(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_uri_env(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
const char *X509_get_default_private_dir(void);