by_store.c 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259
  1. /*
  2. * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/store.h>
  10. #include "internal/cryptlib.h"
  11. #include "crypto/x509.h"
  12. #include "x509_local.h"
  13. /* Generic object loader, given expected type and criterion */
  14. static int cache_objects(X509_LOOKUP *lctx, const char *uri,
  15. const OSSL_STORE_SEARCH *criterion,
  16. int depth, OSSL_LIB_CTX *libctx, const char *propq)
  17. {
  18. int ok = 0;
  19. OSSL_STORE_CTX *ctx = NULL;
  20. X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
  21. if ((ctx = OSSL_STORE_open_ex(uri, libctx, propq, NULL, NULL, NULL,
  22. NULL, NULL)) == NULL)
  23. return 0;
  24. /*
  25. * We try to set the criterion, but don't care if it was valid or not.
  26. * For an OSSL_STORE, it merely serves as an optimization, the expectation
  27. * being that if the criterion couldn't be used, we will get *everything*
  28. * from the container that the URI represents rather than the subset that
  29. * the criterion indicates, so the biggest harm is that we cache more
  30. * objects certs and CRLs than we may expect, but that's ok.
  31. *
  32. * Specifically for OpenSSL's own file: scheme, the only workable
  33. * criterion is the BY_NAME one, which it can only apply on directories,
  34. * but it's possible that the URI is a single file rather than a directory,
  35. * and in that case, the BY_NAME criterion is pointless.
  36. *
  37. * We could very simply not apply any criterion at all here, and just let
  38. * the code that selects certs and CRLs from the cached objects do its job,
  39. * but it's a nice optimization when it can be applied (such as on an
  40. * actual directory with a thousand CA certs).
  41. */
  42. if (criterion != NULL)
  43. OSSL_STORE_find(ctx, criterion);
  44. for (;;) {
  45. OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
  46. int infotype;
  47. /* NULL means error or "end of file". Either way, we break. */
  48. if (info == NULL)
  49. break;
  50. infotype = OSSL_STORE_INFO_get_type(info);
  51. ok = 0;
  52. if (infotype == OSSL_STORE_INFO_NAME) {
  53. /*
  54. * This is an entry in the "directory" represented by the current
  55. * uri. if |depth| allows, dive into it.
  56. */
  57. if (depth > 0)
  58. ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
  59. criterion, depth - 1, libctx, propq);
  60. } else {
  61. /*
  62. * We know that X509_STORE_add_{cert|crl} increments the object's
  63. * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
  64. * to get them.
  65. */
  66. switch (infotype) {
  67. case OSSL_STORE_INFO_CERT:
  68. ok = X509_STORE_add_cert(xstore,
  69. OSSL_STORE_INFO_get0_CERT(info));
  70. break;
  71. case OSSL_STORE_INFO_CRL:
  72. ok = X509_STORE_add_crl(xstore,
  73. OSSL_STORE_INFO_get0_CRL(info));
  74. break;
  75. }
  76. }
  77. OSSL_STORE_INFO_free(info);
  78. if (!ok)
  79. break;
  80. }
  81. OSSL_STORE_close(ctx);
  82. return ok;
  83. }
  84. /* Because OPENSSL_free is a macro and for C type match */
  85. static void free_uri(OPENSSL_STRING data)
  86. {
  87. OPENSSL_free(data);
  88. }
  89. static void by_store_free(X509_LOOKUP *ctx)
  90. {
  91. STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
  92. sk_OPENSSL_STRING_pop_free(uris, free_uri);
  93. }
  94. static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
  95. long argl, char **retp, OSSL_LIB_CTX *libctx,
  96. const char *propq)
  97. {
  98. switch (cmd) {
  99. case X509_L_ADD_STORE:
  100. /* First try the newer default cert URI envvar. */
  101. if (argp == NULL)
  102. argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
  103. /* If not set, see if we have a URI in the older cert dir envvar. */
  104. if (argp == NULL)
  105. argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
  106. /* Fallback to default store URI. */
  107. if (argp == NULL)
  108. argp = X509_get_default_cert_uri();
  109. /* No point adding an empty URI. */
  110. if (!*argp)
  111. return 1;
  112. {
  113. STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
  114. char *data = OPENSSL_strdup(argp);
  115. if (data == NULL) {
  116. return 0;
  117. }
  118. if (uris == NULL) {
  119. uris = sk_OPENSSL_STRING_new_null();
  120. X509_LOOKUP_set_method_data(ctx, uris);
  121. }
  122. return sk_OPENSSL_STRING_push(uris, data) > 0;
  123. }
  124. case X509_L_LOAD_STORE:
  125. /* This is a shortcut for quick loading of specific containers */
  126. return cache_objects(ctx, argp, NULL, 0, libctx, propq);
  127. }
  128. return 0;
  129. }
  130. static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
  131. const char *argp, long argl, char **retp)
  132. {
  133. return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
  134. }
  135. static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
  136. const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret,
  137. OSSL_LIB_CTX *libctx, const char *propq)
  138. {
  139. STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
  140. int i;
  141. int ok = 0;
  142. for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
  143. ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
  144. 1 /* depth */, libctx, propq);
  145. if (ok)
  146. break;
  147. }
  148. return ok;
  149. }
  150. static int by_store_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
  151. const X509_NAME *name, X509_OBJECT *ret,
  152. OSSL_LIB_CTX *libctx, const char *propq)
  153. {
  154. OSSL_STORE_SEARCH *criterion =
  155. OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
  156. int ok = by_store(ctx, type, criterion, ret, libctx, propq);
  157. STACK_OF(X509_OBJECT) *store_objects =
  158. X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
  159. X509_OBJECT *tmp = NULL;
  160. OSSL_STORE_SEARCH_free(criterion);
  161. if (ok)
  162. tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
  163. ok = 0;
  164. if (tmp != NULL) {
  165. /*
  166. * This could also be done like this:
  167. *
  168. * if (tmp != NULL) {
  169. * *ret = *tmp;
  170. * ok = 1;
  171. * }
  172. *
  173. * However, we want to exercise the documented API to the max, so
  174. * we do it the hard way.
  175. *
  176. * To be noted is that X509_OBJECT_set1_* increment the refcount,
  177. * but so does X509_STORE_CTX_get_by_subject upon return of this
  178. * function, so we must ensure the refcount is decremented
  179. * before we return, or we will get a refcount leak. We cannot do
  180. * this with X509_OBJECT_free(), though, as that will free a bit
  181. * too much.
  182. */
  183. switch (type) {
  184. case X509_LU_X509:
  185. ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
  186. if (ok)
  187. X509_free(tmp->data.x509);
  188. break;
  189. case X509_LU_CRL:
  190. ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
  191. if (ok)
  192. X509_CRL_free(tmp->data.crl);
  193. break;
  194. case X509_LU_NONE:
  195. break;
  196. }
  197. }
  198. return ok;
  199. }
  200. static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
  201. const X509_NAME *name, X509_OBJECT *ret)
  202. {
  203. return by_store_subject_ex(ctx, type, name, ret, NULL, NULL);
  204. }
  205. /*
  206. * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
  207. * and get_by_alias. There's simply not enough support in the X509_LOOKUP
  208. * or X509_STORE APIs.
  209. */
  210. static X509_LOOKUP_METHOD x509_store_lookup = {
  211. "Load certs from STORE URIs",
  212. NULL, /* new_item */
  213. by_store_free, /* free */
  214. NULL, /* init */
  215. NULL, /* shutdown */
  216. by_store_ctrl, /* ctrl */
  217. by_store_subject, /* get_by_subject */
  218. NULL, /* get_by_issuer_serial */
  219. NULL, /* get_by_fingerprint */
  220. NULL, /* get_by_alias */
  221. by_store_subject_ex,
  222. by_store_ctrl_ex
  223. };
  224. X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
  225. {
  226. return &x509_store_lookup;
  227. }