2 * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/store.h>
11 #include "internal/cryptlib.h"
12 #include "crypto/x509.h"
13 #include "x509_local.h"
15 DEFINE_STACK_OF_STRING()
17 /* Generic object loader, given expected type and criterion */
18 static int cache_objects(X509_LOOKUP *lctx, const char *uri,
19 const OSSL_STORE_SEARCH *criterion,
23 OSSL_STORE_CTX *ctx = NULL;
24 X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
26 if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
30 * We try to set the criterion, but don't care if it was valid or not.
31 * For a OSSL_STORE, it merely serves as an optimization, the expectation
32 * being that if the criterion couldn't be used, we will get *everything*
33 * from the container that the URI represents rather than the subset that
34 * the criterion indicates, so the biggest harm is that we cache more
35 * objects certs and CRLs than we may expect, but that's ok.
37 * Specifically for OpenSSL's own file: scheme, the only workable
38 * criterion is the BY_NAME one, which it can only apply on directories,
39 * but it's possible that the URI is a single file rather than a directory,
40 * and in that case, the BY_NAME criterion is pointless.
42 * We could very simply not apply any criterion at all here, and just let
43 * the code that selects certs and CRLs from the cached objects do its job,
44 * but it's a nice optimization when it can be applied (such as on an
45 * actual directory with a thousand CA certs).
47 if (criterion != NULL)
48 OSSL_STORE_find(ctx, criterion);
51 OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
54 /* NULL means error or "end of file". Either way, we break. */
58 infotype = OSSL_STORE_INFO_get_type(info);
61 if (infotype == OSSL_STORE_INFO_NAME) {
63 * This is an entry in the "directory" represented by the current
64 * uri. if |depth| allows, dive into it.
67 ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
68 criterion, depth - 1);
71 * We know that X509_STORE_add_{cert|crl} increments the object's
72 * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
76 case OSSL_STORE_INFO_CERT:
77 ok = X509_STORE_add_cert(xstore,
78 OSSL_STORE_INFO_get0_CERT(info));
80 case OSSL_STORE_INFO_CRL:
81 ok = X509_STORE_add_crl(xstore,
82 OSSL_STORE_INFO_get0_CRL(info));
87 OSSL_STORE_INFO_free(info);
91 OSSL_STORE_close(ctx);
97 /* Because OPENSSL_free is a macro and for C type match */
98 static void free_uri(OPENSSL_STRING data)
103 static void by_store_free(X509_LOOKUP *ctx)
105 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
106 sk_OPENSSL_STRING_pop_free(uris, free_uri);
109 static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
110 const char *argp, long argl,
114 case X509_L_ADD_STORE:
115 /* If no URI is given, use the default cert dir as default URI */
117 argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
119 argp = X509_get_default_cert_dir();
122 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
125 uris = sk_OPENSSL_STRING_new_null();
126 X509_LOOKUP_set_method_data(ctx, uris);
128 return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
130 case X509_L_LOAD_STORE:
131 /* This is a shortcut for quick loading of specific containers */
132 return cache_objects(ctx, argp, NULL, 0);
138 static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
139 const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
141 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
145 for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
146 ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
155 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
156 const X509_NAME *name, X509_OBJECT *ret)
158 OSSL_STORE_SEARCH *criterion =
159 OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
160 int ok = by_store(ctx, type, criterion, ret);
161 STACK_OF(X509_OBJECT) *store_objects =
162 X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
163 X509_OBJECT *tmp = NULL;
165 OSSL_STORE_SEARCH_free(criterion);
168 tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
173 * This could also be done like this:
180 * However, we want to exercise the documented API to the max, so
181 * we do it the hard way.
183 * To be noted is that X509_OBJECT_set1_* increment the refcount,
184 * but so does X509_STORE_CTX_get_by_subject upon return of this
185 * function, so we must ensure the the refcount is decremented
186 * before we return, or we will get a refcount leak. We cannot do
187 * this with X509_OBJECT_free(), though, as that will free a bit
192 ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
194 X509_free(tmp->data.x509);
197 ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
199 X509_CRL_free(tmp->data.crl);
209 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
210 * and get_by_alias. There's simply not enough support in the X509_LOOKUP
211 * or X509_STORE APIs.
214 static X509_LOOKUP_METHOD x509_store_lookup = {
215 "Load certs from STORE URIs",
217 by_store_free, /* free */
220 by_store_ctrl, /* ctrl */
221 by_store_subject, /* get_by_subject */
222 NULL, /* get_by_issuer_serial */
223 NULL, /* get_by_fingerprint */
224 NULL, /* get_by_alias */
227 X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
229 return &x509_store_lookup;