2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
17 #include <openssl/crypto.h>
18 #include <openssl/err.h>
19 #include <openssl/trace.h>
20 #include <openssl/store.h>
21 #include "internal/thread_once.h"
22 #include "crypto/store.h"
23 #include "store_local.h"
25 struct ossl_store_ctx_st {
26 const OSSL_STORE_LOADER *loader;
27 OSSL_STORE_LOADER_CTX *loader_ctx;
28 const UI_METHOD *ui_method;
30 OSSL_STORE_post_process_info_fn post_process;
31 void *post_process_data;
34 /* 0 before the first STORE_load(), 1 otherwise */
38 OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
40 OSSL_STORE_post_process_info_fn post_process,
41 void *post_process_data)
43 const OSSL_STORE_LOADER *loader = NULL;
44 OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
45 OSSL_STORE_CTX *ctx = NULL;
46 char scheme_copy[256], *p, *schemes[2];
51 * Put the file scheme first. If the uri does represent an existing file,
52 * possible device name and all, then it should be loaded. Only a failed
53 * attempt at loading a local file should have us try something else.
55 schemes[schemes_n++] = "file";
58 * Now, check if we have something that looks like a scheme, and add it
59 * as a second scheme. However, also check if there's an authority start
60 * (://), because that will invalidate the previous file scheme. Also,
61 * check that this isn't actually the file scheme, as there's no point
62 * going through that one twice!
64 OPENSSL_strlcpy(scheme_copy, uri, sizeof(scheme_copy));
65 if ((p = strchr(scheme_copy, ':')) != NULL) {
67 if (strcasecmp(scheme_copy, "file") != 0) {
68 if (strncmp(p, "//", 2) == 0)
69 schemes_n--; /* Invalidate the file scheme */
70 schemes[schemes_n++] = scheme_copy;
76 /* Try each scheme until we find one that could open the URI */
77 for (i = 0; loader_ctx == NULL && i < schemes_n; i++) {
78 OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]);
79 if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) {
80 OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]);
81 loader_ctx = loader->open(loader, uri, ui_method, ui_data);
82 OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx);
86 if (loader_ctx == NULL)
89 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
90 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_OPEN, ERR_R_MALLOC_FAILURE);
95 ctx->loader_ctx = loader_ctx;
96 ctx->ui_method = ui_method;
97 ctx->ui_data = ui_data;
98 ctx->post_process = post_process;
99 ctx->post_process_data = post_process_data;
102 * If the attempt to open with the 'file' scheme loader failed and the
103 * other scheme loader succeeded, the failure to open with the 'file'
104 * scheme loader leaves an error on the error stack. Let's remove it.
111 ERR_clear_last_mark();
112 if (loader_ctx != NULL) {
114 * We ignore a returned error because we will return NULL anyway in
115 * this case, so if something goes wrong when closing, that'll simply
116 * just add another entry on the error stack.
118 (void)loader->close(loader_ctx);
123 int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ...)
129 ret = OSSL_STORE_vctrl(ctx, cmd, args);
135 int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, va_list args)
137 if (ctx->loader->ctrl != NULL)
138 return ctx->loader->ctrl(ctx->loader_ctx, cmd, args);
142 int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type)
145 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_EXPECT,
146 OSSL_STORE_R_LOADING_STARTED);
150 ctx->expected_type = expected_type;
151 if (ctx->loader->expect != NULL)
152 return ctx->loader->expect(ctx->loader_ctx, expected_type);
156 int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search)
159 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND,
160 OSSL_STORE_R_LOADING_STARTED);
163 if (ctx->loader->find == NULL) {
164 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND,
165 OSSL_STORE_R_UNSUPPORTED_OPERATION);
169 return ctx->loader->find(ctx->loader_ctx, search);
172 OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
174 OSSL_STORE_INFO *v = NULL;
178 if (OSSL_STORE_eof(ctx))
181 OSSL_TRACE(STORE, "Loading next object\n");
182 v = ctx->loader->load(ctx->loader_ctx, ctx->ui_method, ctx->ui_data);
184 if (ctx->post_process != NULL && v != NULL) {
185 v = ctx->post_process(v, ctx->post_process_data);
188 * By returning NULL, the callback decides that this object should
195 if (v != NULL && ctx->expected_type != 0) {
196 int returned_type = OSSL_STORE_INFO_get_type(v);
198 if (returned_type != OSSL_STORE_INFO_NAME && returned_type != 0) {
200 * Soft assert here so those who want to harsly weed out faulty
201 * loaders can do so using a debugging version of libcrypto.
203 if (ctx->loader->expect != NULL)
204 assert(ctx->expected_type == returned_type);
206 if (ctx->expected_type != returned_type) {
207 OSSL_STORE_INFO_free(v);
214 OSSL_TRACE1(STORE, "Got a %s\n",
215 OSSL_STORE_INFO_type_string(OSSL_STORE_INFO_get_type(v)));
220 int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
222 return ctx->loader->error(ctx->loader_ctx);
225 int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
227 return ctx->loader->eof(ctx->loader_ctx);
230 int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
236 OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
237 loader_ret = ctx->loader->close(ctx->loader_ctx);
244 * Functions to generate OSSL_STORE_INFOs, one function for each type we
245 * support having in them as well as a generic constructor.
247 * In all cases, ownership of the object is transferred to the OSSL_STORE_INFO
248 * and will therefore be freed when the OSSL_STORE_INFO is freed.
250 static OSSL_STORE_INFO *store_info_new(int type, void *data)
252 OSSL_STORE_INFO *info = OPENSSL_zalloc(sizeof(*info));
262 OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name)
264 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_NAME, NULL);
267 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_NAME,
268 ERR_R_MALLOC_FAILURE);
272 info->_.name.name = name;
273 info->_.name.desc = NULL;
278 int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO *info, char *desc)
280 if (info->type != OSSL_STORE_INFO_NAME) {
281 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_SET0_NAME_DESCRIPTION,
282 ERR_R_PASSED_INVALID_ARGUMENT);
286 info->_.name.desc = desc;
290 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(EVP_PKEY *params)
292 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_PARAMS, params);
295 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PARAMS,
296 ERR_R_MALLOC_FAILURE);
300 OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey)
302 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_PKEY, pkey);
305 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_PKEY,
306 ERR_R_MALLOC_FAILURE);
310 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509)
312 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_CERT, x509);
315 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CERT,
316 ERR_R_MALLOC_FAILURE);
320 OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl)
322 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_CRL, crl);
325 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_CRL,
326 ERR_R_MALLOC_FAILURE);
331 * Functions to try to extract data from a OSSL_STORE_INFO.
333 int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *info)
338 const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO *info)
340 if (info->type == OSSL_STORE_INFO_NAME)
341 return info->_.name.name;
345 char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO *info)
347 if (info->type == OSSL_STORE_INFO_NAME) {
348 char *ret = OPENSSL_strdup(info->_.name.name);
351 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME,
352 ERR_R_MALLOC_FAILURE);
355 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME,
356 OSSL_STORE_R_NOT_A_NAME);
360 const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO *info)
362 if (info->type == OSSL_STORE_INFO_NAME)
363 return info->_.name.desc;
367 char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO *info)
369 if (info->type == OSSL_STORE_INFO_NAME) {
370 char *ret = OPENSSL_strdup(info->_.name.desc
371 ? info->_.name.desc : "");
374 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION,
375 ERR_R_MALLOC_FAILURE);
378 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_NAME_DESCRIPTION,
379 OSSL_STORE_R_NOT_A_NAME);
383 EVP_PKEY *OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO *info)
385 if (info->type == OSSL_STORE_INFO_PARAMS)
386 return info->_.params;
390 EVP_PKEY *OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO *info)
392 if (info->type == OSSL_STORE_INFO_PARAMS) {
393 EVP_PKEY_up_ref(info->_.params);
394 return info->_.params;
396 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PARAMS,
397 OSSL_STORE_R_NOT_PARAMETERS);
401 EVP_PKEY *OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO *info)
403 if (info->type == OSSL_STORE_INFO_PKEY)
408 EVP_PKEY *OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO *info)
410 if (info->type == OSSL_STORE_INFO_PKEY) {
411 EVP_PKEY_up_ref(info->_.pkey);
414 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_PKEY,
415 OSSL_STORE_R_NOT_A_KEY);
419 X509 *OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO *info)
421 if (info->type == OSSL_STORE_INFO_CERT)
426 X509 *OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO *info)
428 if (info->type == OSSL_STORE_INFO_CERT) {
429 X509_up_ref(info->_.x509);
432 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CERT,
433 OSSL_STORE_R_NOT_A_CERTIFICATE);
437 X509_CRL *OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO *info)
439 if (info->type == OSSL_STORE_INFO_CRL)
444 X509_CRL *OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO *info)
446 if (info->type == OSSL_STORE_INFO_CRL) {
447 X509_CRL_up_ref(info->_.crl);
450 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_GET1_CRL,
451 OSSL_STORE_R_NOT_A_CRL);
456 * Free the OSSL_STORE_INFO
458 void OSSL_STORE_INFO_free(OSSL_STORE_INFO *info)
461 switch (info->type) {
462 case OSSL_STORE_INFO_EMBEDDED:
463 BUF_MEM_free(info->_.embedded.blob);
464 OPENSSL_free(info->_.embedded.pem_name);
466 case OSSL_STORE_INFO_NAME:
467 OPENSSL_free(info->_.name.name);
468 OPENSSL_free(info->_.name.desc);
470 case OSSL_STORE_INFO_PARAMS:
471 EVP_PKEY_free(info->_.params);
473 case OSSL_STORE_INFO_PKEY:
474 EVP_PKEY_free(info->_.pkey);
476 case OSSL_STORE_INFO_CERT:
477 X509_free(info->_.x509);
479 case OSSL_STORE_INFO_CRL:
480 X509_CRL_free(info->_.crl);
487 int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int search_type)
489 OSSL_STORE_SEARCH tmp_search;
491 if (ctx->loader->find == NULL)
493 tmp_search.search_type = search_type;
494 return ctx->loader->find(NULL, &tmp_search);
497 /* Search term constructors */
498 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_name(X509_NAME *name)
500 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
502 if (search == NULL) {
503 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_NAME,
504 ERR_R_MALLOC_FAILURE);
508 search->search_type = OSSL_STORE_SEARCH_BY_NAME;
513 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME *name,
514 const ASN1_INTEGER *serial)
516 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
518 if (search == NULL) {
519 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ISSUER_SERIAL,
520 ERR_R_MALLOC_FAILURE);
524 search->search_type = OSSL_STORE_SEARCH_BY_ISSUER_SERIAL;
526 search->serial = serial;
530 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest,
534 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
536 if (search == NULL) {
537 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT,
538 ERR_R_MALLOC_FAILURE);
542 if (digest != NULL && len != (size_t)EVP_MD_size(digest)) {
543 char buf1[20], buf2[20];
545 BIO_snprintf(buf1, sizeof(buf1), "%d", EVP_MD_size(digest));
546 BIO_snprintf(buf2, sizeof(buf2), "%zu", len);
547 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT,
548 OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST);
549 ERR_add_error_data(5, EVP_MD_name(digest), " size is ", buf1,
550 ", fingerprint size is ", buf2);
553 search->search_type = OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT;
554 search->digest = digest;
555 search->string = bytes;
556 search->stringlength = len;
560 OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_alias(const char *alias)
562 OSSL_STORE_SEARCH *search = OPENSSL_zalloc(sizeof(*search));
564 if (search == NULL) {
565 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_SEARCH_BY_ALIAS,
566 ERR_R_MALLOC_FAILURE);
570 search->search_type = OSSL_STORE_SEARCH_BY_ALIAS;
571 search->string = (const unsigned char *)alias;
572 search->stringlength = strlen(alias);
576 /* Search term destructor */
577 void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH *search)
579 OPENSSL_free(search);
582 /* Search term accessors */
583 int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH *criterion)
585 return criterion->search_type;
588 X509_NAME *OSSL_STORE_SEARCH_get0_name(const OSSL_STORE_SEARCH *criterion)
590 return criterion->name;
593 const ASN1_INTEGER *OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH
596 return criterion->serial;
599 const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH
600 *criterion, size_t *length)
602 *length = criterion->stringlength;
603 return criterion->string;
606 const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH *criterion)
608 return (const char *)criterion->string;
611 const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH *criterion)
613 return criterion->digest;
616 /* Internal functions */
617 OSSL_STORE_INFO *ossl_store_info_new_EMBEDDED(const char *new_pem_name,
620 OSSL_STORE_INFO *info = store_info_new(OSSL_STORE_INFO_EMBEDDED, NULL);
623 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED,
624 ERR_R_MALLOC_FAILURE);
628 info->_.embedded.blob = embedded;
629 info->_.embedded.pem_name =
630 new_pem_name == NULL ? NULL : OPENSSL_strdup(new_pem_name);
632 if (new_pem_name != NULL && info->_.embedded.pem_name == NULL) {
633 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_INFO_NEW_EMBEDDED,
634 ERR_R_MALLOC_FAILURE);
635 OSSL_STORE_INFO_free(info);
642 BUF_MEM *ossl_store_info_get0_EMBEDDED_buffer(OSSL_STORE_INFO *info)
644 if (info->type == OSSL_STORE_INFO_EMBEDDED)
645 return info->_.embedded.blob;
649 char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO *info)
651 if (info->type == OSSL_STORE_INFO_EMBEDDED)
652 return info->_.embedded.pem_name;
656 OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, OPENSSL_CTX *libctx,
657 const char *scheme, const char *propq,
658 const UI_METHOD *ui_method, void *ui_data,
659 OSSL_STORE_post_process_info_fn post_process,
660 void *post_process_data)
662 OSSL_STORE_CTX *ctx = NULL;
663 const OSSL_STORE_LOADER *loader = NULL;
664 OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
667 ossl_store_get0_loader_int(scheme != NULL ? scheme : "file")) == NULL
668 || (loader_ctx = loader->attach(loader, bp, libctx, propq,
669 ui_method, ui_data)) == NULL)
672 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
673 OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_ATTACH, ERR_R_MALLOC_FAILURE);
677 ctx->loader = loader;
678 ctx->loader_ctx = loader_ctx;
679 ctx->ui_method = ui_method;
680 ctx->ui_data = ui_data;
681 ctx->post_process = post_process;
682 ctx->post_process_data = post_process_data;