1/*
2 * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/store.h>
11#include "internal/cryptlib.h"
12#include "crypto/x509.h"
13#include "x509_local.h"
14
15/* Generic object loader, given expected type and criterion */
16static int cache_objects(X509_LOOKUP *lctx, const char *uri,
17 const OSSL_STORE_SEARCH *criterion,
18 int depth)
19{
20 int ok = 0;
21 OSSL_STORE_CTX *ctx = NULL;
22 X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
23
24 if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
25 return 0;
26
27 /*
28 * We try to set the criterion, but don't care if it was valid or not.
29 * For a OSSL_STORE, it merely serves as an optimization, the expectation
30 * being that if the criterion couldn't be used, we will get *everything*
31 * from the container that the URI represents rather than the subset that
32 * the criterion indicates, so the biggest harm is that we cache more
33 * objects certs and CRLs than we may expect, but that's ok.
34 *
35 * Specifically for OpenSSL's own file: scheme, the only workable
36 * criterion is the BY_NAME one, which it can only apply on directories,
37 * but it's possible that the URI is a single file rather than a directory,
38 * and in that case, the BY_NAME criterion is pointless.
39 *
40 * We could very simply not apply any criterion at all here, and just let
41 * the code that selects certs and CRLs from the cached objects do its job,
42 * but it's a nice optimization when it can be applied (such as on an
43 * actual directory with a thousand CA certs).
44 */
45 if (criterion != NULL)
46 OSSL_STORE_find(ctx, criterion);
47
48 for (;;) {
49 OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
50 int infotype;
51
52 /* NULL means error or "end of file". Either way, we break. */
53 if (info == NULL)
54 break;
55
56 infotype = OSSL_STORE_INFO_get_type(info);
57 ok = 0;
58
59 if (infotype == OSSL_STORE_INFO_NAME) {
60 /*
61 * This is an entry in the "directory" represented by the current
62 * uri. if |depth| allows, dive into it.
63 */
64 if (depth > 0)
65 ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
66 criterion, depth - 1);
67 } else {
68 /*
69 * We know that X509_STORE_add_{cert|crl} increments the object's
70 * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
71 * to get them.
72 */
73 switch (infotype) {
74 case OSSL_STORE_INFO_CERT:
75 ok = X509_STORE_add_cert(xstore,
76 OSSL_STORE_INFO_get0_CERT(info));
77 break;
78 case OSSL_STORE_INFO_CRL:
79 ok = X509_STORE_add_crl(xstore,
80 OSSL_STORE_INFO_get0_CRL(info));
81 break;
82 }
83 }
84
85 OSSL_STORE_INFO_free(info);
86 if (!ok)
87 break;
88 }
89 OSSL_STORE_close(ctx);
90
91 return ok;
92}
93
94
95/* Because OPENSSL_free is a macro and for C type match */
96static void free_uri(OPENSSL_STRING data)
97{
98 OPENSSL_free(data);
99}
100
101static void by_store_free(X509_LOOKUP *ctx)
102{
103 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
104 sk_OPENSSL_STRING_pop_free(uris, free_uri);
105}
106
107static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
108 const char *argp, long argl,
109 char **retp)
110{
111 switch (cmd) {
112 case X509_L_ADD_STORE:
113 /* If no URI is given, use the default cert dir as default URI */
114 if (argp == NULL)
115 argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
116 if (argp == NULL)
117 argp = X509_get_default_cert_dir();
118
119 {
120 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
121
122 if (uris == NULL) {
123 uris = sk_OPENSSL_STRING_new_null();
124 X509_LOOKUP_set_method_data(ctx, uris);
125 }
126 return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
127 }
128 case X509_L_LOAD_STORE:
129 /* This is a shortcut for quick loading of specific containers */
130 return cache_objects(ctx, argp, NULL, 0);
131 }
132
133 return 0;
134}
135
136static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
137 const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
138{
139 STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
140 int i;
141 int ok = 0;
142
143 for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
144 ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
145 1 /* depth */);
146
147 if (ok)
148 break;
149 }
150 return ok;
151}
152
153static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
154 X509_NAME *name, X509_OBJECT *ret)
155{
156 OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
157 int ok = by_store(ctx, type, criterion, ret);
158 STACK_OF(X509_OBJECT) *store_objects =
159 X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
160 X509_OBJECT *tmp = NULL;
161
162 OSSL_STORE_SEARCH_free(criterion);
163
164 if (ok)
165 tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
166
167 ok = 0;
168 if (tmp != NULL) {
169 /*
170 * This could also be done like this:
171 *
172 * if (tmp != NULL) {
173 * *ret = *tmp;
174 * ok = 1;
175 * }
176 *
177 * However, we want to exercise the documented API to the max, so
178 * we do it the hard way.
179 *
180 * To be noted is that X509_OBJECT_set1_* increment the refcount,
181 * but so does X509_STORE_CTX_get_by_subject upon return of this
182 * function, so we must ensure the the refcount is decremented
183 * before we return, or we will get a refcount leak. We cannot do
184 * this with X509_OBJECT_free(), though, as that will free a bit
185 * too much.
186 */
187 switch (type) {
188 case X509_LU_X509:
189 ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
190 if (ok)
191 X509_free(tmp->data.x509);
192 break;
193 case X509_LU_CRL:
194 ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
195 if (ok)
196 X509_CRL_free(tmp->data.crl);
197 break;
198 case X509_LU_NONE:
199 break;
200 }
201 }
202 return ok;
203}
204
205/*
206 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
207 * and get_by_alias. There's simply not enough support in the X509_LOOKUP
208 * or X509_STORE APIs.
209 */
210
211static X509_LOOKUP_METHOD x509_store_lookup = {
212 "Load certs from STORE URIs",
213 NULL, /* new_item */
214 by_store_free, /* free */
215 NULL, /* init */
216 NULL, /* shutdown */
217 by_store_ctrl, /* ctrl */
218 by_store_subject, /* get_by_subject */
219 NULL, /* get_by_issuer_serial */
220 NULL, /* get_by_fingerprint */
221 NULL, /* get_by_alias */
222};
223
224X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
225{
226 return &x509_store_lookup;
227}
228