1 | /* |
2 | * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <openssl/store.h> |
11 | #include "internal/cryptlib.h" |
12 | #include "crypto/x509.h" |
13 | #include "x509_local.h" |
14 | |
15 | /* Generic object loader, given expected type and criterion */ |
16 | static int cache_objects(X509_LOOKUP *lctx, const char *uri, |
17 | const OSSL_STORE_SEARCH *criterion, |
18 | int depth) |
19 | { |
20 | int ok = 0; |
21 | OSSL_STORE_CTX *ctx = NULL; |
22 | X509_STORE *xstore = X509_LOOKUP_get_store(lctx); |
23 | |
24 | if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL) |
25 | return 0; |
26 | |
27 | /* |
28 | * We try to set the criterion, but don't care if it was valid or not. |
29 | * For a OSSL_STORE, it merely serves as an optimization, the expectation |
30 | * being that if the criterion couldn't be used, we will get *everything* |
31 | * from the container that the URI represents rather than the subset that |
32 | * the criterion indicates, so the biggest harm is that we cache more |
33 | * objects certs and CRLs than we may expect, but that's ok. |
34 | * |
35 | * Specifically for OpenSSL's own file: scheme, the only workable |
36 | * criterion is the BY_NAME one, which it can only apply on directories, |
37 | * but it's possible that the URI is a single file rather than a directory, |
38 | * and in that case, the BY_NAME criterion is pointless. |
39 | * |
40 | * We could very simply not apply any criterion at all here, and just let |
41 | * the code that selects certs and CRLs from the cached objects do its job, |
42 | * but it's a nice optimization when it can be applied (such as on an |
43 | * actual directory with a thousand CA certs). |
44 | */ |
45 | if (criterion != NULL) |
46 | OSSL_STORE_find(ctx, criterion); |
47 | |
48 | for (;;) { |
49 | OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); |
50 | int infotype; |
51 | |
52 | /* NULL means error or "end of file". Either way, we break. */ |
53 | if (info == NULL) |
54 | break; |
55 | |
56 | infotype = OSSL_STORE_INFO_get_type(info); |
57 | ok = 0; |
58 | |
59 | if (infotype == OSSL_STORE_INFO_NAME) { |
60 | /* |
61 | * This is an entry in the "directory" represented by the current |
62 | * uri. if |depth| allows, dive into it. |
63 | */ |
64 | if (depth > 0) |
65 | ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info), |
66 | criterion, depth - 1); |
67 | } else { |
68 | /* |
69 | * We know that X509_STORE_add_{cert|crl} increments the object's |
70 | * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl} |
71 | * to get them. |
72 | */ |
73 | switch (infotype) { |
74 | case OSSL_STORE_INFO_CERT: |
75 | ok = X509_STORE_add_cert(xstore, |
76 | OSSL_STORE_INFO_get0_CERT(info)); |
77 | break; |
78 | case OSSL_STORE_INFO_CRL: |
79 | ok = X509_STORE_add_crl(xstore, |
80 | OSSL_STORE_INFO_get0_CRL(info)); |
81 | break; |
82 | } |
83 | } |
84 | |
85 | OSSL_STORE_INFO_free(info); |
86 | if (!ok) |
87 | break; |
88 | } |
89 | OSSL_STORE_close(ctx); |
90 | |
91 | return ok; |
92 | } |
93 | |
94 | |
95 | /* Because OPENSSL_free is a macro and for C type match */ |
96 | static void free_uri(OPENSSL_STRING data) |
97 | { |
98 | OPENSSL_free(data); |
99 | } |
100 | |
101 | static void by_store_free(X509_LOOKUP *ctx) |
102 | { |
103 | STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); |
104 | sk_OPENSSL_STRING_pop_free(uris, free_uri); |
105 | } |
106 | |
107 | static int by_store_ctrl(X509_LOOKUP *ctx, int cmd, |
108 | const char *argp, long argl, |
109 | char **retp) |
110 | { |
111 | switch (cmd) { |
112 | case X509_L_ADD_STORE: |
113 | /* If no URI is given, use the default cert dir as default URI */ |
114 | if (argp == NULL) |
115 | argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); |
116 | if (argp == NULL) |
117 | argp = X509_get_default_cert_dir(); |
118 | |
119 | { |
120 | STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); |
121 | |
122 | if (uris == NULL) { |
123 | uris = sk_OPENSSL_STRING_new_null(); |
124 | X509_LOOKUP_set_method_data(ctx, uris); |
125 | } |
126 | return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0; |
127 | } |
128 | case X509_L_LOAD_STORE: |
129 | /* This is a shortcut for quick loading of specific containers */ |
130 | return cache_objects(ctx, argp, NULL, 0); |
131 | } |
132 | |
133 | return 0; |
134 | } |
135 | |
136 | static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, |
137 | const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret) |
138 | { |
139 | STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); |
140 | int i; |
141 | int ok = 0; |
142 | |
143 | for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) { |
144 | ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion, |
145 | 1 /* depth */); |
146 | |
147 | if (ok) |
148 | break; |
149 | } |
150 | return ok; |
151 | } |
152 | |
153 | static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, |
154 | X509_NAME *name, X509_OBJECT *ret) |
155 | { |
156 | OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name); |
157 | int ok = by_store(ctx, type, criterion, ret); |
158 | STACK_OF(X509_OBJECT) *store_objects = |
159 | X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx)); |
160 | X509_OBJECT *tmp = NULL; |
161 | |
162 | OSSL_STORE_SEARCH_free(criterion); |
163 | |
164 | if (ok) |
165 | tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name); |
166 | |
167 | ok = 0; |
168 | if (tmp != NULL) { |
169 | /* |
170 | * This could also be done like this: |
171 | * |
172 | * if (tmp != NULL) { |
173 | * *ret = *tmp; |
174 | * ok = 1; |
175 | * } |
176 | * |
177 | * However, we want to exercise the documented API to the max, so |
178 | * we do it the hard way. |
179 | * |
180 | * To be noted is that X509_OBJECT_set1_* increment the refcount, |
181 | * but so does X509_STORE_CTX_get_by_subject upon return of this |
182 | * function, so we must ensure the the refcount is decremented |
183 | * before we return, or we will get a refcount leak. We cannot do |
184 | * this with X509_OBJECT_free(), though, as that will free a bit |
185 | * too much. |
186 | */ |
187 | switch (type) { |
188 | case X509_LU_X509: |
189 | ok = X509_OBJECT_set1_X509(ret, tmp->data.x509); |
190 | if (ok) |
191 | X509_free(tmp->data.x509); |
192 | break; |
193 | case X509_LU_CRL: |
194 | ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl); |
195 | if (ok) |
196 | X509_CRL_free(tmp->data.crl); |
197 | break; |
198 | case X509_LU_NONE: |
199 | break; |
200 | } |
201 | } |
202 | return ok; |
203 | } |
204 | |
205 | /* |
206 | * We lack the implementations for get_by_issuer_serial, get_by_fingerprint |
207 | * and get_by_alias. There's simply not enough support in the X509_LOOKUP |
208 | * or X509_STORE APIs. |
209 | */ |
210 | |
211 | static X509_LOOKUP_METHOD x509_store_lookup = { |
212 | "Load certs from STORE URIs" , |
213 | NULL, /* new_item */ |
214 | by_store_free, /* free */ |
215 | NULL, /* init */ |
216 | NULL, /* shutdown */ |
217 | by_store_ctrl, /* ctrl */ |
218 | by_store_subject, /* get_by_subject */ |
219 | NULL, /* get_by_issuer_serial */ |
220 | NULL, /* get_by_fingerprint */ |
221 | NULL, /* get_by_alias */ |
222 | }; |
223 | |
224 | X509_LOOKUP_METHOD *X509_LOOKUP_store(void) |
225 | { |
226 | return &x509_store_lookup; |
227 | } |
228 | |