/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/x509v3.h>
#include "x509_local.h"
-DEFINE_STACK_OF(X509_LOOKUP)
-DEFINE_STACK_OF(X509_OBJECT)
-DEFINE_STACK_OF(X509_CRL)
-DEFINE_STACK_OF(X509)
-
X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
{
X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(*ret));
- if (ret == NULL) {
- X509err(X509_F_X509_LOOKUP_NEW, ERR_R_MALLOC_FAILURE);
+ if (ret == NULL)
return NULL;
- }
ret->method = method;
if (method->new_item != NULL && method->new_item(ret) == 0) {
OPENSSL_free(ctx);
}
-int X509_STORE_lock(X509_STORE *s)
+int X509_STORE_lock(X509_STORE *xs)
{
- return CRYPTO_THREAD_write_lock(s->lock);
+ return CRYPTO_THREAD_write_lock(xs->lock);
}
-int X509_STORE_unlock(X509_STORE *s)
+static int x509_store_read_lock(X509_STORE *xs)
{
- return CRYPTO_THREAD_unlock(s->lock);
+ return CRYPTO_THREAD_read_lock(xs->lock);
+}
+
+int X509_STORE_unlock(X509_STORE *xs)
+{
+ return CRYPTO_THREAD_unlock(xs->lock);
}
int X509_LOOKUP_init(X509_LOOKUP *ctx)
return 1;
}
-int X509_LOOKUP_ctrl_with_libctx(X509_LOOKUP *ctx, int cmd, const char *argc,
- long argl, char **ret,
- OPENSSL_CTX *libctx, const char *propq)
+int X509_LOOKUP_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
+ char **ret, OSSL_LIB_CTX *libctx, const char *propq)
{
if (ctx->method == NULL)
return -1;
- if (ctx->method->ctrl_with_libctx != NULL)
- return ctx->method->ctrl_with_libctx(ctx, cmd, argc, argl, ret,
- libctx, propq);
+ if (ctx->method->ctrl_ex != NULL)
+ return ctx->method->ctrl_ex(ctx, cmd, argc, argl, ret, libctx, propq);
if (ctx->method->ctrl != NULL)
return ctx->method->ctrl(ctx, cmd, argc, argl, ret);
return 1;
int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
char **ret)
{
- return X509_LOOKUP_ctrl_with_libctx(ctx, cmd, argc, argl, ret, NULL, NULL);
+ return X509_LOOKUP_ctrl_ex(ctx, cmd, argc, argl, ret, NULL, NULL);
}
-int X509_LOOKUP_by_subject_with_libctx(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
- const X509_NAME *name, X509_OBJECT *ret,
- OPENSSL_CTX *libctx, const char *propq)
+int X509_LOOKUP_by_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ const X509_NAME *name, X509_OBJECT *ret,
+ OSSL_LIB_CTX *libctx, const char *propq)
{
if (ctx->skip
|| ctx->method == NULL
|| (ctx->method->get_by_subject == NULL
- && ctx->method->get_by_subject_with_libctx == NULL))
+ && ctx->method->get_by_subject_ex == NULL))
return 0;
- if (ctx->method->get_by_subject_with_libctx != NULL)
- return ctx->method->get_by_subject_with_libctx(ctx, type, name, ret,
- libctx, propq);
+ if (ctx->method->get_by_subject_ex != NULL)
+ return ctx->method->get_by_subject_ex(ctx, type, name, ret, libctx,
+ propq);
else
return ctx->method->get_by_subject(ctx, type, name, ret);
}
int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret)
{
- return X509_LOOKUP_by_subject_with_libctx(ctx, type, name, ret, NULL, NULL);
+ return X509_LOOKUP_by_subject_ex(ctx, type, name, ret, NULL, NULL);
}
int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
return ctx->store_ctx;
}
-
static int x509_object_cmp(const X509_OBJECT *const *a,
const X509_OBJECT *const *b)
{
{
X509_STORE *ret = OPENSSL_zalloc(sizeof(*ret));
- if (ret == NULL) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ if (ret == NULL)
return NULL;
- }
if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto err;
}
ret->cache = 1;
if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto err;
}
if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
goto err;
}
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto err;
}
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
- X509err(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
goto err;
}
- ret->references = 1;
+
+ if (!CRYPTO_NEW_REF(&ret->references, 1))
+ goto err;
return ret;
err:
X509_VERIFY_PARAM_free(ret->param);
sk_X509_OBJECT_free(ret->objs);
sk_X509_LOOKUP_free(ret->get_cert_methods);
+ CRYPTO_THREAD_lock_free(ret->lock);
OPENSSL_free(ret);
return NULL;
}
-void X509_STORE_free(X509_STORE *vfy)
+void X509_STORE_free(X509_STORE *xs)
{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
- if (vfy == NULL)
+ if (xs == NULL)
return;
- CRYPTO_DOWN_REF(&vfy->references, &i, vfy->lock);
- REF_PRINT_COUNT("X509_STORE", vfy);
+ CRYPTO_DOWN_REF(&xs->references, &i);
+ REF_PRINT_COUNT("X509_STORE", xs);
if (i > 0)
return;
REF_ASSERT_ISNT(i < 0);
- sk = vfy->get_cert_methods;
+ sk = xs->get_cert_methods;
for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
lu = sk_X509_LOOKUP_value(sk, i);
X509_LOOKUP_shutdown(lu);
X509_LOOKUP_free(lu);
}
sk_X509_LOOKUP_free(sk);
- sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free);
+ sk_X509_OBJECT_pop_free(xs->objs, X509_OBJECT_free);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
- X509_VERIFY_PARAM_free(vfy->param);
- CRYPTO_THREAD_lock_free(vfy->lock);
- OPENSSL_free(vfy);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, xs, &xs->ex_data);
+ X509_VERIFY_PARAM_free(xs->param);
+ CRYPTO_THREAD_lock_free(xs->lock);
+ CRYPTO_FREE_REF(&xs->references);
+ OPENSSL_free(xs);
}
-int X509_STORE_up_ref(X509_STORE *vfy)
+int X509_STORE_up_ref(X509_STORE *xs)
{
int i;
- if (CRYPTO_UP_REF(&vfy->references, &i, vfy->lock) <= 0)
+ if (CRYPTO_UP_REF(&xs->references, &i) <= 0)
return 0;
- REF_PRINT_COUNT("X509_STORE", vfy);
+ REF_PRINT_COUNT("X509_STORE", xs);
REF_ASSERT_ISNT(i < 2);
- return ((i > 1) ? 1 : 0);
+ return i > 1 ? 1 : 0;
}
-X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
+X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *xs, X509_LOOKUP_METHOD *m)
{
int i;
STACK_OF(X509_LOOKUP) *sk;
X509_LOOKUP *lu;
- sk = v->get_cert_methods;
+ sk = xs->get_cert_methods;
for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
lu = sk_X509_LOOKUP_value(sk, i);
if (m == lu->method) {
/* a new one */
lu = X509_LOOKUP_new(m);
if (lu == NULL) {
- X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
return NULL;
}
- lu->store_ctx = v;
- if (sk_X509_LOOKUP_push(v->get_cert_methods, lu))
+ lu->store_ctx = xs;
+ if (sk_X509_LOOKUP_push(xs->get_cert_methods, lu))
return lu;
- /* malloc failed */
- X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE);
+ /* sk_X509_LOOKUP_push() failed */
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
X509_LOOKUP_free(lu);
return NULL;
}
-X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
+/* Also fill the cache (ctx->store->objs) with all matching certificates. */
+X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *ctx,
X509_LOOKUP_TYPE type,
const X509_NAME *name)
{
if (ret == NULL)
return NULL;
- if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) {
+ if (!X509_STORE_CTX_get_by_subject(ctx, type, name, ret)) {
X509_OBJECT_free(ret);
return NULL;
}
return ret;
}
-int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
- X509_LOOKUP_TYPE type,
- const X509_NAME *name, X509_OBJECT *ret)
+/*
+ * May be called with |ret| == NULL just for the side effect of
+ * caching all certs matching the given subject DN in |ctx->store->objs|.
+ * Returns 1 if successful,
+ * 0 if not found or X509_LOOKUP_by_subject_ex() returns an error,
+ * -1 on failure
+ */
+static int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx,
+ X509_LOOKUP_TYPE type,
+ const X509_NAME *name,
+ X509_OBJECT *ret)
{
- X509_STORE *store = vs->store;
+ X509_STORE *store = ctx->store;
X509_LOOKUP *lu;
X509_OBJECT stmp, *tmp;
int i, j;
stmp.type = X509_LU_NONE;
stmp.data.ptr = NULL;
-
- X509_STORE_lock(store);
+ if (!x509_store_read_lock(store))
+ return 0;
+ /* Should already be sorted...but just in case */
+ if (!sk_X509_OBJECT_is_sorted(store->objs)) {
+ X509_STORE_unlock(store);
+ /* Take a write lock instead of a read lock */
+ if (!X509_STORE_lock(store))
+ return 0;
+ /*
+ * Another thread might have sorted it in the meantime. But if so,
+ * sk_X509_OBJECT_sort() exits early.
+ */
+ sk_X509_OBJECT_sort(store->objs);
+ }
tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name);
X509_STORE_unlock(store);
if (tmp == NULL || type == X509_LU_CRL) {
for (i = 0; i < sk_X509_LOOKUP_num(store->get_cert_methods); i++) {
lu = sk_X509_LOOKUP_value(store->get_cert_methods, i);
- j = X509_LOOKUP_by_subject_with_libctx(lu, type, name, &stmp,
- vs->libctx, vs->propq);
- if (j) {
+ if (lu->skip)
+ continue;
+ if (lu->method == NULL)
+ return -1;
+ j = X509_LOOKUP_by_subject_ex(lu, type, name, &stmp,
+ ctx->libctx, ctx->propq);
+ if (j != 0) { /* non-zero value is considered success here */
tmp = &stmp;
break;
}
if (tmp == NULL)
return 0;
}
-
if (!X509_OBJECT_up_ref_count(tmp))
- return 0;
+ return -1;
ret->type = tmp->type;
ret->data.ptr = tmp->data.ptr;
-
return 1;
}
-static int x509_store_add(X509_STORE *store, void *x, int crl) {
+/* Also fill the cache |ctx->store->objs| with all matching certificates. */
+int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *ctx,
+ X509_LOOKUP_TYPE type,
+ const X509_NAME *name, X509_OBJECT *ret)
+{
+ return ossl_x509_store_ctx_get_by_subject(ctx, type, name, ret) > 0;
+}
+
+static int x509_store_add(X509_STORE *store, void *x, int crl)
+{
X509_OBJECT *obj;
int ret = 0, added = 0;
return 0;
}
- X509_STORE_lock(store);
+ if (!X509_STORE_lock(store)) {
+ obj->type = X509_LU_NONE;
+ X509_OBJECT_free(obj);
+ return 0;
+ }
+
if (X509_OBJECT_retrieve_match(store->objs, obj)) {
ret = 1;
} else {
return ret;
}
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
+int X509_STORE_add_cert(X509_STORE *xs, X509 *x)
{
- if (!x509_store_add(ctx, x, 0)) {
- X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE);
+ if (!x509_store_add(xs, x, 0)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
return 0;
}
return 1;
}
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x)
+int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x)
{
- if (!x509_store_add(ctx, x, 1)) {
- X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE);
+ if (!x509_store_add(xs, x, 1)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
return 0;
}
return 1;
{
X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret));
- if (ret == NULL) {
- X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE);
+ if (ret == NULL)
return NULL;
- }
ret->type = X509_LU_NONE;
return ret;
}
OPENSSL_free(a);
}
+/* Returns -1 if not found, but also on error */
static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
const X509_NAME *name, int *pnmatch)
{
X509_OBJECT stmp;
X509 x509_s;
X509_CRL crl_s;
- int idx;
stmp.type = type;
switch (type) {
crl_s.crl.issuer = (X509_NAME *)name; /* won't modify it */
break;
case X509_LU_NONE:
+ default:
/* abort(); */
return -1;
}
- idx = sk_X509_OBJECT_find(h, &stmp);
- if (idx >= 0 && pnmatch) {
- int tidx;
- const X509_OBJECT *tobj, *pstmp;
- *pnmatch = 1;
- pstmp = &stmp;
- for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {
- tobj = sk_X509_OBJECT_value(h, tidx);
- if (x509_object_cmp(&tobj, &pstmp))
- break;
- (*pnmatch)++;
- }
- }
- return idx;
+ /* Assumes h is locked for read if applicable */
+ return sk_X509_OBJECT_find_all(h, &stmp, pnmatch);
}
+/* Assumes h is locked for read if applicable */
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
const X509_NAME *name)
{
return x509_object_idx_cnt(h, type, name, NULL);
}
+/* Assumes h is locked for read if applicable */
X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
X509_LOOKUP_TYPE type,
const X509_NAME *name)
{
- int idx;
- idx = X509_OBJECT_idx_by_subject(h, type, name);
+ int idx = X509_OBJECT_idx_by_subject(h, type, name);
+
if (idx == -1)
return NULL;
return sk_X509_OBJECT_value(h, idx);
}
-STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v)
+STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs)
{
- return v->objs;
+ return xs->objs;
}
-/* TODO param type could be constified as change to lock is intermittent */
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
{
STACK_OF(X509) *sk;
int i;
if (store == NULL) {
- X509err(0, ERR_R_PASSED_NULL_PARAMETER);
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if ((sk = sk_X509_new_null()) == NULL)
return NULL;
- X509_STORE_lock(store);
+ if (!X509_STORE_lock(store))
+ goto out_free;
+
+ sk_X509_OBJECT_sort(store->objs);
objs = X509_STORE_get0_objects(store);
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
err:
X509_STORE_unlock(store);
- sk_X509_pop_free(sk, X509_free);
+ out_free:
+ OSSL_STACK_OF_X509_free(sk);
return NULL;
}
+/* Returns NULL on internal/fatal error, empty stack if not found */
STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,
const X509_NAME *nm)
{
X509_STORE *store = ctx->store;
if (store == NULL)
+ return sk_X509_new_null();
+
+ if (!X509_STORE_lock(store))
return NULL;
- X509_STORE_lock(store);
+ sk_X509_OBJECT_sort(store->objs);
idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
/*
X509_OBJECT *xobj = X509_OBJECT_new();
X509_STORE_unlock(store);
-
if (xobj == NULL)
return NULL;
- if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) {
+ i = ossl_x509_store_ctx_get_by_subject(ctx, X509_LU_X509, nm, xobj);
+ if (i <= 0) {
X509_OBJECT_free(xobj);
- return NULL;
+ return i < 0 ? NULL : sk_X509_new_null();
}
X509_OBJECT_free(xobj);
- X509_STORE_lock(store);
+ if (!X509_STORE_lock(store))
+ return NULL;
+ sk_X509_OBJECT_sort(store->objs);
idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
- X509_STORE_unlock(store);
- return NULL;
+ sk = sk_X509_new_null();
+ goto end;
}
}
sk = sk_X509_new_null();
+ if (sk == NULL)
+ goto end;
for (i = 0; i < cnt; i++, idx++) {
obj = sk_X509_OBJECT_value(store->objs, idx);
x = obj->data.x509;
if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
X509_STORE_unlock(store);
- sk_X509_pop_free(sk, X509_free);
+ OSSL_STACK_OF_X509_free(sk);
return NULL;
}
}
+ end:
X509_STORE_unlock(store);
return sk;
}
+/* Returns NULL on internal/fatal error, empty stack if not found */
STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *ctx,
const X509_NAME *nm)
{
- int i, idx, cnt;
+ int i = 1, idx, cnt;
STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
X509_CRL *x;
X509_OBJECT *obj, *xobj = X509_OBJECT_new();
/* Always do lookup to possibly add new CRLs to cache */
if (sk == NULL
- || xobj == NULL
- || store == NULL
- || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
+ || xobj == NULL
+ || (i = ossl_x509_store_ctx_get_by_subject(ctx, X509_LU_CRL,
+ nm, xobj)) < 0) {
X509_OBJECT_free(xobj);
sk_X509_CRL_free(sk);
return NULL;
}
X509_OBJECT_free(xobj);
- X509_STORE_lock(store);
+ if (i == 0)
+ return sk;
+ if (!X509_STORE_lock(store)) {
+ sk_X509_CRL_free(sk);
+ return NULL;
+ }
+ sk_X509_OBJECT_sort(store->objs);
idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt);
if (idx < 0) {
X509_STORE_unlock(store);
- sk_X509_CRL_free(sk);
- return NULL;
+ return sk;
}
for (i = 0; i < cnt; i++, idx++) {
if (!X509_cmp(obj->data.x509, x->data.x509))
return obj;
} else if (x->type == X509_LU_CRL) {
- if (!X509_CRL_match(obj->data.crl, x->data.crl))
+ if (X509_CRL_match(obj->data.crl, x->data.crl) == 0)
return obj;
- } else
+ } else {
return obj;
+ }
}
return NULL;
}
/*-
- * Try to get issuer certificate from store. Due to limitations
- * of the API this can only retrieve a single certificate matching
- * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all
- * matches.
+ * Try to get issuer cert from |ctx->store| matching the subject name of |x|.
+ * Prefer the first non-expired one, else take the most recently expired one.
*
* Return values are:
* 1 lookup successful.
const X509_NAME *xn;
X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
X509_STORE *store = ctx->store;
- int i, ok, idx, ret;
+ int i, ok, idx, ret, nmatch = 0;
if (obj == NULL)
return -1;
*issuer = NULL;
xn = X509_get_issuer_name(x);
- ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
+ ok = ossl_x509_store_ctx_get_by_subject(ctx, X509_LU_X509, xn, obj);
if (ok != 1) {
X509_OBJECT_free(obj);
- return 0;
+ return ok;
}
- /* If certificate matches all OK */
+ /* If certificate matches and is currently valid all OK */
if (ctx->check_issued(ctx, x, obj->data.x509)) {
- if (x509_check_cert_time(ctx, obj->data.x509, -1)) {
+ if (ossl_x509_check_cert_time(ctx, obj->data.x509, -1)) {
*issuer = obj->data.x509;
- if (!X509_up_ref(*issuer)) {
- *issuer = NULL;
- ok = -1;
- }
+ /* |*issuer| has taken over the cert reference from |obj| */
+ obj->type = X509_LU_NONE;
X509_OBJECT_free(obj);
- return ok;
+ return 1;
}
}
X509_OBJECT_free(obj);
+ /*
+ * Due to limitations of the API this can only retrieve a single cert.
+ * However it will fill the cache with all matching certificates,
+ * so we can examine the cache for all matches.
+ */
if (store == NULL)
return 0;
- /* Else find index of first cert accepted by 'check_issued' */
+ /* Find index of first currently valid cert accepted by 'check_issued' */
ret = 0;
- X509_STORE_lock(store);
- idx = X509_OBJECT_idx_by_subject(store->objs, X509_LU_X509, xn);
- if (idx != -1) { /* should be true as we've had at least one
- * match */
+ if (!X509_STORE_lock(store))
+ return 0;
+
+ sk_X509_OBJECT_sort(store->objs);
+ idx = x509_object_idx_cnt(store->objs, X509_LU_X509, xn, &nmatch);
+ if (idx != -1) { /* should be true as we've had at least one match */
/* Look through all matching certs for suitable issuer */
- for (i = idx; i < sk_X509_OBJECT_num(store->objs); i++) {
+ for (i = idx; i < idx + nmatch; i++) {
pobj = sk_X509_OBJECT_value(store->objs, i);
/* See if we've run past the matches */
if (pobj->type != X509_LU_X509)
break;
- if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
- break;
if (ctx->check_issued(ctx, x, pobj->data.x509)) {
- *issuer = pobj->data.x509;
ret = 1;
+ /* If times check fine, exit with match, else keep looking. */
+ if (ossl_x509_check_cert_time(ctx, pobj->data.x509, -1)) {
+ *issuer = pobj->data.x509;
+ break;
+ }
/*
- * If times check, exit with match,
- * otherwise keep looking. Leave last
- * match in issuer so we return nearest
- * match if no certificate time is OK.
+ * Leave the so far most recently expired match in *issuer
+ * so we return nearest match if no certificate time is OK.
*/
-
- if (x509_check_cert_time(ctx, *issuer, -1))
- break;
+ if (*issuer == NULL
+ || ASN1_TIME_compare(X509_get0_notAfter(pobj->data.x509),
+ X509_get0_notAfter(*issuer)) > 0)
+ *issuer = pobj->data.x509;
}
}
}
- if (*issuer && !X509_up_ref(*issuer)) {
+ if (*issuer != NULL && !X509_up_ref(*issuer)) {
*issuer = NULL;
ret = -1;
}
return ret;
}
-int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
+int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags)
{
- return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
+ return X509_VERIFY_PARAM_set_flags(xs->param, flags);
}
-int X509_STORE_set_depth(X509_STORE *ctx, int depth)
+int X509_STORE_set_depth(X509_STORE *xs, int depth)
{
- X509_VERIFY_PARAM_set_depth(ctx->param, depth);
+ X509_VERIFY_PARAM_set_depth(xs->param, depth);
return 1;
}
-int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
+int X509_STORE_set_purpose(X509_STORE *xs, int purpose)
{
- return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
+ return X509_VERIFY_PARAM_set_purpose(xs->param, purpose);
}
-int X509_STORE_set_trust(X509_STORE *ctx, int trust)
+int X509_STORE_set_trust(X509_STORE *xs, int trust)
{
- return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
+ return X509_VERIFY_PARAM_set_trust(xs->param, trust);
}
-int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param)
+int X509_STORE_set1_param(X509_STORE *xs, const X509_VERIFY_PARAM *param)
{
- return X509_VERIFY_PARAM_set1(ctx->param, param);
+ return X509_VERIFY_PARAM_set1(xs->param, param);
}
-X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx)
+X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs)
{
- return ctx->param;
+ return xs->param;
}
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
+void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify)
{
- ctx->verify = verify;
+ xs->verify = verify;
}
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx)
+X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *xs)
{
- return ctx->verify;
+ return xs->verify;
}
-void X509_STORE_set_verify_cb(X509_STORE *ctx,
+void X509_STORE_set_verify_cb(X509_STORE *xs,
X509_STORE_CTX_verify_cb verify_cb)
{
- ctx->verify_cb = verify_cb;
+ xs->verify_cb = verify_cb;
}
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx)
+X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *xs)
{
- return ctx->verify_cb;
+ return xs->verify_cb;
}
-void X509_STORE_set_get_issuer(X509_STORE *ctx,
+void X509_STORE_set_get_issuer(X509_STORE *xs,
X509_STORE_CTX_get_issuer_fn get_issuer)
{
- ctx->get_issuer = get_issuer;
+ xs->get_issuer = get_issuer;
}
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx)
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *xs)
{
- return ctx->get_issuer;
+ return xs->get_issuer;
}
-void X509_STORE_set_check_issued(X509_STORE *ctx,
+void X509_STORE_set_check_issued(X509_STORE *xs,
X509_STORE_CTX_check_issued_fn check_issued)
{
- ctx->check_issued = check_issued;
+ xs->check_issued = check_issued;
}
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx)
+X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *xs)
{
- return ctx->check_issued;
+ return xs->check_issued;
}
-void X509_STORE_set_check_revocation(X509_STORE *ctx,
- X509_STORE_CTX_check_revocation_fn check_revocation)
+void X509_STORE_set_check_revocation(X509_STORE *xs,
+ X509_STORE_CTX_check_revocation_fn cb)
{
- ctx->check_revocation = check_revocation;
+ xs->check_revocation = cb;
}
-X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *ctx)
+X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *xs)
{
- return ctx->check_revocation;
+ return xs->check_revocation;
}
-void X509_STORE_set_get_crl(X509_STORE *ctx,
+void X509_STORE_set_get_crl(X509_STORE *xs,
X509_STORE_CTX_get_crl_fn get_crl)
{
- ctx->get_crl = get_crl;
+ xs->get_crl = get_crl;
}
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx)
+X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *xs)
{
- return ctx->get_crl;
+ return xs->get_crl;
}
-void X509_STORE_set_check_crl(X509_STORE *ctx,
+void X509_STORE_set_check_crl(X509_STORE *xs,
X509_STORE_CTX_check_crl_fn check_crl)
{
- ctx->check_crl = check_crl;
+ xs->check_crl = check_crl;
}
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx)
+X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *xs)
{
- return ctx->check_crl;
+ return xs->check_crl;
}
-void X509_STORE_set_cert_crl(X509_STORE *ctx,
+void X509_STORE_set_cert_crl(X509_STORE *xs,
X509_STORE_CTX_cert_crl_fn cert_crl)
{
- ctx->cert_crl = cert_crl;
+ xs->cert_crl = cert_crl;
}
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx)
+X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *xs)
{
- return ctx->cert_crl;
+ return xs->cert_crl;
}
-void X509_STORE_set_check_policy(X509_STORE *ctx,
+void X509_STORE_set_check_policy(X509_STORE *xs,
X509_STORE_CTX_check_policy_fn check_policy)
{
- ctx->check_policy = check_policy;
+ xs->check_policy = check_policy;
}
-X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx)
+X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *xs)
{
- return ctx->check_policy;
+ return xs->check_policy;
}
-void X509_STORE_set_lookup_certs(X509_STORE *ctx,
+void X509_STORE_set_lookup_certs(X509_STORE *xs,
X509_STORE_CTX_lookup_certs_fn lookup_certs)
{
- ctx->lookup_certs = lookup_certs;
+ xs->lookup_certs = lookup_certs;
}
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx)
+X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *xs)
{
- return ctx->lookup_certs;
+ return xs->lookup_certs;
}
-void X509_STORE_set_lookup_crls(X509_STORE *ctx,
+void X509_STORE_set_lookup_crls(X509_STORE *xs,
X509_STORE_CTX_lookup_crls_fn lookup_crls)
{
- ctx->lookup_crls = lookup_crls;
+ xs->lookup_crls = lookup_crls;
}
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx)
+X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *xs)
{
- return ctx->lookup_crls;
+ return xs->lookup_crls;
}
-void X509_STORE_set_cleanup(X509_STORE *ctx,
- X509_STORE_CTX_cleanup_fn ctx_cleanup)
+void X509_STORE_set_cleanup(X509_STORE *xs,
+ X509_STORE_CTX_cleanup_fn cleanup)
{
- ctx->cleanup = ctx_cleanup;
+ xs->cleanup = cleanup;
}
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx)
+X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *xs)
{
- return ctx->cleanup;
+ return xs->cleanup;
}
-int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
+int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data)
{
- return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
+ return CRYPTO_set_ex_data(&xs->ex_data, idx, data);
}
-void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx)
+void *X509_STORE_get_ex_data(const X509_STORE *xs, int idx)
{
- return CRYPTO_get_ex_data(&ctx->ex_data, idx);
+ return CRYPTO_get_ex_data(&xs->ex_data, idx);
}
X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx)