2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/lhash.h>
13 #include <openssl/x509.h>
14 #include "internal/x509_int.h"
15 #include <openssl/x509v3.h>
18 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
22 ret = OPENSSL_zalloc(sizeof(*ret));
27 if ((method->new_item != NULL) && !method->new_item(ret)) {
34 void X509_LOOKUP_free(X509_LOOKUP *ctx)
38 if ((ctx->method != NULL) && (ctx->method->free != NULL))
39 (*ctx->method->free) (ctx);
43 int X509_STORE_lock(X509_STORE *s)
45 return CRYPTO_THREAD_write_lock(s->lock);
48 int X509_STORE_unlock(X509_STORE *s)
50 return CRYPTO_THREAD_unlock(s->lock);
53 int X509_LOOKUP_init(X509_LOOKUP *ctx)
55 if (ctx->method == NULL)
57 if (ctx->method->init != NULL)
58 return ctx->method->init(ctx);
63 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
65 if (ctx->method == NULL)
67 if (ctx->method->shutdown != NULL)
68 return ctx->method->shutdown(ctx);
73 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
76 if (ctx->method == NULL)
78 if (ctx->method->ctrl != NULL)
79 return ctx->method->ctrl(ctx, cmd, argc, argl, ret);
84 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,
87 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
91 return ctx->method->get_by_subject(ctx, type, name, ret);
94 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name,
95 ASN1_INTEGER *serial, X509_OBJECT *ret)
97 if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL))
99 return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret);
102 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
103 unsigned char *bytes, int len,
106 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL))
108 return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret);
111 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len,
114 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL))
116 return ctx->method->get_by_alias(ctx, type, str, len, ret);
119 static int x509_object_cmp(const X509_OBJECT *const *a,
120 const X509_OBJECT *const *b)
124 ret = ((*a)->type - (*b)->type);
127 switch ((*a)->type) {
129 ret = X509_subject_name_cmp((*a)->data.x509, (*b)->data.x509);
132 ret = X509_CRL_cmp((*a)->data.crl, (*b)->data.crl);
141 X509_STORE *X509_STORE_new(void)
145 if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL)
147 if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL)
150 if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL)
153 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
156 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
159 ret->lock = CRYPTO_THREAD_lock_new();
160 if (ret->lock == NULL)
167 X509_VERIFY_PARAM_free(ret->param);
168 sk_X509_OBJECT_free(ret->objs);
169 sk_X509_LOOKUP_free(ret->get_cert_methods);
174 static void cleanup(X509_OBJECT *a)
178 if (a->type == X509_LU_X509) {
179 X509_free(a->data.x509);
180 } else if (a->type == X509_LU_CRL) {
181 X509_CRL_free(a->data.crl);
189 void X509_STORE_free(X509_STORE *vfy)
192 STACK_OF(X509_LOOKUP) *sk;
198 CRYPTO_atomic_add(&vfy->references, -1, &i, vfy->lock);
199 REF_PRINT_COUNT("X509_STORE", vfy);
202 REF_ASSERT_ISNT(i < 0);
204 sk = vfy->get_cert_methods;
205 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
206 lu = sk_X509_LOOKUP_value(sk, i);
207 X509_LOOKUP_shutdown(lu);
208 X509_LOOKUP_free(lu);
210 sk_X509_LOOKUP_free(sk);
211 sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
213 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
214 X509_VERIFY_PARAM_free(vfy->param);
215 CRYPTO_THREAD_lock_free(vfy->lock);
219 int X509_STORE_up_ref(X509_STORE *vfy)
223 if (CRYPTO_atomic_add(&vfy->references, 1, &i, vfy->lock) <= 0)
226 REF_PRINT_COUNT("X509_STORE", a);
227 REF_ASSERT_ISNT(i < 2);
228 return ((i > 1) ? 1 : 0);
231 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
234 STACK_OF(X509_LOOKUP) *sk;
237 sk = v->get_cert_methods;
238 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
239 lu = sk_X509_LOOKUP_value(sk, i);
240 if (m == lu->method) {
245 lu = X509_LOOKUP_new(m);
250 if (sk_X509_LOOKUP_push(v->get_cert_methods, lu))
253 X509_LOOKUP_free(lu);
259 X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, int type,
262 X509_OBJECT *ret = X509_OBJECT_new();
266 if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) {
267 X509_OBJECT_free(ret);
273 int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
274 X509_NAME *name, X509_OBJECT *ret)
276 X509_STORE *ctx = vs->ctx;
278 X509_OBJECT stmp, *tmp;
281 CRYPTO_THREAD_write_lock(ctx->lock);
282 tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
283 CRYPTO_THREAD_unlock(ctx->lock);
285 if (tmp == NULL || type == X509_LU_CRL) {
286 for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {
287 lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);
288 j = X509_LOOKUP_by_subject(lu, type, name, &stmp);
298 ret->type = tmp->type;
299 ret->data.ptr = tmp->data.ptr;
301 X509_OBJECT_up_ref_count(ret);
306 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
309 int ret = 1, added = 1;
313 obj = X509_OBJECT_new();
316 obj->type = X509_LU_X509;
318 X509_OBJECT_up_ref_count(obj);
320 CRYPTO_THREAD_write_lock(ctx->lock);
322 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
323 X509err(X509_F_X509_STORE_ADD_CERT,
324 X509_R_CERT_ALREADY_IN_HASH_TABLE);
327 added = sk_X509_OBJECT_push(ctx->objs, obj);
331 CRYPTO_THREAD_unlock(ctx->lock);
333 if (!ret) /* obj not pushed */
334 X509_OBJECT_free(obj);
335 if (!added) /* on push failure */
336 X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE);
341 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
344 int ret = 1, added = 1;
348 obj = X509_OBJECT_new();
351 obj->type = X509_LU_CRL;
353 X509_OBJECT_up_ref_count(obj);
355 CRYPTO_THREAD_write_lock(ctx->lock);
357 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) {
358 X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE);
361 added = sk_X509_OBJECT_push(ctx->objs, obj);
365 CRYPTO_THREAD_unlock(ctx->lock);
367 if (!ret) /* obj not pushed */
368 X509_OBJECT_free(obj);
369 if (!added) /* on push failure */
370 X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE);
375 int X509_OBJECT_up_ref_count(X509_OBJECT *a)
381 return X509_up_ref(a->data.x509);
383 return X509_CRL_up_ref(a->data.crl);
388 X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
390 if (a == NULL || a->type != X509_LU_X509)
395 X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)
397 if (a == NULL || a->type != X509_LU_CRL)
402 int X509_OBJECT_get_type(const X509_OBJECT *a)
407 X509_OBJECT *X509_OBJECT_new()
409 X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret));
412 X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE);
415 ret->type = X509_LU_FAIL;
420 void X509_OBJECT_free(X509_OBJECT *a)
428 X509_free(a->data.x509);
431 X509_CRL_free(a->data.crl);
437 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,
438 X509_NAME *name, int *pnmatch)
448 stmp.data.x509 = &x509_s;
449 x509_s.cert_info.subject = name;
452 stmp.data.crl = &crl_s;
453 crl_s.crl.issuer = name;
460 idx = sk_X509_OBJECT_find(h, &stmp);
461 if (idx >= 0 && pnmatch) {
463 const X509_OBJECT *tobj, *pstmp;
466 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
467 tobj = sk_X509_OBJECT_value(h, tidx);
468 if (x509_object_cmp(&tobj, &pstmp))
476 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
479 return x509_object_idx_cnt(h, type, name, NULL);
482 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
483 int type, X509_NAME *name)
486 idx = X509_OBJECT_idx_by_subject(h, type, name);
489 return sk_X509_OBJECT_value(h, idx);
492 STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v)
497 STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
500 STACK_OF(X509) *sk = NULL;
504 CRYPTO_THREAD_write_lock(ctx->ctx->lock);
505 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
508 * Nothing found in cache: do lookup to possibly add new objects to
511 X509_OBJECT *xobj = X509_OBJECT_new();
513 CRYPTO_THREAD_unlock(ctx->ctx->lock);
516 if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) {
517 X509_OBJECT_free(xobj);
520 X509_OBJECT_free(xobj);
521 CRYPTO_THREAD_write_lock(ctx->ctx->lock);
522 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
524 CRYPTO_THREAD_unlock(ctx->ctx->lock);
529 sk = sk_X509_new_null();
530 for (i = 0; i < cnt; i++, idx++) {
531 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
534 if (!sk_X509_push(sk, x)) {
535 CRYPTO_THREAD_unlock(ctx->ctx->lock);
537 sk_X509_pop_free(sk, X509_free);
541 CRYPTO_THREAD_unlock(ctx->ctx->lock);
545 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
548 STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
550 X509_OBJECT *obj, *xobj = X509_OBJECT_new();
552 /* Always do lookup to possibly add new CRLs to cache */
553 if (sk == NULL || xobj == NULL ||
554 !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
555 X509_OBJECT_free(xobj);
556 sk_X509_CRL_free(sk);
559 X509_OBJECT_free(xobj);
560 CRYPTO_THREAD_write_lock(ctx->ctx->lock);
561 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
563 CRYPTO_THREAD_unlock(ctx->ctx->lock);
564 sk_X509_CRL_free(sk);
568 for (i = 0; i < cnt; i++, idx++) {
569 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
572 if (!sk_X509_CRL_push(sk, x)) {
573 CRYPTO_THREAD_unlock(ctx->ctx->lock);
575 sk_X509_CRL_pop_free(sk, X509_CRL_free);
579 CRYPTO_THREAD_unlock(ctx->ctx->lock);
583 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
588 idx = sk_X509_OBJECT_find(h, x);
591 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
592 return sk_X509_OBJECT_value(h, idx);
593 for (i = idx; i < sk_X509_OBJECT_num(h); i++) {
594 obj = sk_X509_OBJECT_value(h, i);
596 ((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
598 if (x->type == X509_LU_X509) {
599 if (!X509_cmp(obj->data.x509, x->data.x509))
601 } else if (x->type == X509_LU_CRL) {
602 if (!X509_CRL_match(obj->data.crl, x->data.crl))
611 * Try to get issuer certificate from store. Due to limitations
612 * of the API this can only retrieve a single certificate matching
613 * a given subject name. However it will fill the cache with all
614 * matching certificates, so we can examine the cache for all
618 * 1 lookup successful.
619 * 0 certificate not found.
620 * -1 some other error.
622 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
625 X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
631 xn = X509_get_issuer_name(x);
632 ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
633 if (ok != X509_LU_X509) {
634 X509_OBJECT_free(obj);
635 if (ok == X509_LU_RETRY) {
636 X509err(X509_F_X509_STORE_CTX_GET1_ISSUER, X509_R_SHOULD_RETRY);
639 if (ok != X509_LU_FAIL) {
640 /* not good :-(, break anyway */
645 /* If certificate matches all OK */
646 if (ctx->check_issued(ctx, x, obj->data.x509)) {
647 if (x509_check_cert_time(ctx, obj->data.x509, -1)) {
648 *issuer = obj->data.x509;
649 X509_up_ref(*issuer);
650 X509_OBJECT_free(obj);
654 X509_OBJECT_free(obj);
656 /* Else find index of first cert accepted by 'check_issued' */
658 CRYPTO_THREAD_write_lock(ctx->ctx->lock);
659 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
660 if (idx != -1) { /* should be true as we've had at least one
662 /* Look through all matching certs for suitable issuer */
663 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
664 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
665 /* See if we've run past the matches */
666 if (pobj->type != X509_LU_X509)
668 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
670 if (ctx->check_issued(ctx, x, pobj->data.x509)) {
671 *issuer = pobj->data.x509;
674 * If times check, exit with match,
675 * otherwise keep looking. Leave last
676 * match in issuer so we return nearest
677 * match if no certificate time is OK.
680 if (x509_check_cert_time(ctx, *issuer, -1))
685 CRYPTO_THREAD_unlock(ctx->ctx->lock);
687 X509_up_ref(*issuer);
691 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
693 return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
696 int X509_STORE_set_depth(X509_STORE *ctx, int depth)
698 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
702 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
704 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
707 int X509_STORE_set_trust(X509_STORE *ctx, int trust)
709 return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
712 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
714 return X509_VERIFY_PARAM_set1(ctx->param, param);
717 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx)
722 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
724 ctx->verify = verify;
727 X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx)
732 void X509_STORE_set_verify_cb(X509_STORE *ctx,
733 X509_STORE_CTX_verify_cb verify_cb)
735 ctx->verify_cb = verify_cb;
738 X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx)
740 return ctx->verify_cb;
743 void X509_STORE_set_get_issuer(X509_STORE *ctx,
744 X509_STORE_CTX_get_issuer_fn get_issuer)
746 ctx->get_issuer = get_issuer;
749 X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx)
751 return ctx->get_issuer;
754 void X509_STORE_set_check_issued(X509_STORE *ctx,
755 X509_STORE_CTX_check_issued_fn check_issued)
757 ctx->check_issued = check_issued;
760 X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx)
762 return ctx->check_issued;
765 void X509_STORE_set_check_revocation(X509_STORE *ctx,
766 X509_STORE_CTX_check_revocation_fn check_revocation)
768 ctx->check_revocation = check_revocation;
771 X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx)
773 return ctx->check_revocation;
776 void X509_STORE_set_get_crl(X509_STORE *ctx,
777 X509_STORE_CTX_get_crl_fn get_crl)
779 ctx->get_crl = get_crl;
782 X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx)
787 void X509_STORE_set_check_crl(X509_STORE *ctx,
788 X509_STORE_CTX_check_crl_fn check_crl)
790 ctx->check_crl = check_crl;
793 X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx)
795 return ctx->check_crl;
798 void X509_STORE_set_cert_crl(X509_STORE *ctx,
799 X509_STORE_CTX_cert_crl_fn cert_crl)
801 ctx->cert_crl = cert_crl;
804 X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx)
806 return ctx->cert_crl;
809 void X509_STORE_set_check_policy(X509_STORE *ctx,
810 X509_STORE_CTX_check_policy_fn check_policy)
812 ctx->check_policy = check_policy;
815 X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx)
817 return ctx->check_policy;
820 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
821 X509_STORE_CTX_lookup_certs_fn lookup_certs)
823 ctx->lookup_certs = lookup_certs;
826 X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx)
828 return ctx->lookup_certs;
831 void X509_STORE_set_lookup_crls(X509_STORE *ctx,
832 X509_STORE_CTX_lookup_crls_fn lookup_crls)
834 ctx->lookup_crls = lookup_crls;
837 X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx)
839 return ctx->lookup_crls;
842 void X509_STORE_set_cleanup(X509_STORE *ctx,
843 X509_STORE_CTX_cleanup_fn ctx_cleanup)
845 ctx->cleanup = ctx_cleanup;
848 X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx)
853 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
855 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
858 void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx)
860 return CRYPTO_get_ex_data(&ctx->ex_data, idx);
863 X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)