1 /*
2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/safestack.h>
11 #include <openssl/store.h>
12 #include "internal/cryptlib.h"
13 #include "crypto/x509.h"
14 #include "x509_local.h"
15
16 typedef struct cached_store_st {
17 char *uri;
18 OSSL_LIB_CTX *libctx;
19 char *propq;
20 OSSL_STORE_CTX *ctx;
21 } CACHED_STORE;
22
DEFINE_STACK_OF(CACHED_STORE)23 DEFINE_STACK_OF(CACHED_STORE)
24
25 /* Generic object loader, given expected type and criterion */
26 static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
27 const OSSL_STORE_SEARCH *criterion, int depth)
28 {
29 int ok = 0;
30 OSSL_STORE_CTX *ctx = store->ctx;
31 X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
32
33 if (ctx == NULL
34 && (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
35 NULL, NULL, NULL, NULL, NULL)) == NULL)
36 return 0;
37 store->ctx = ctx;
38
39 /*
40 * We try to set the criterion, but don't care if it was valid or not.
41 * For an OSSL_STORE, it merely serves as an optimization, the expectation
42 * being that if the criterion couldn't be used, we will get *everything*
43 * from the container that the URI represents rather than the subset that
44 * the criterion indicates, so the biggest harm is that we cache more
45 * objects certs and CRLs than we may expect, but that's ok.
46 *
47 * Specifically for OpenSSL's own file: scheme, the only workable
48 * criterion is the BY_NAME one, which it can only apply on directories,
49 * but it's possible that the URI is a single file rather than a directory,
50 * and in that case, the BY_NAME criterion is pointless.
51 *
52 * We could very simply not apply any criterion at all here, and just let
53 * the code that selects certs and CRLs from the cached objects do its job,
54 * but it's a nice optimization when it can be applied (such as on an
55 * actual directory with a thousand CA certs).
56 */
57 if (criterion != NULL)
58 OSSL_STORE_find(ctx, criterion);
59
60 for (;;) {
61 OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
62 int infotype;
63
64 /* NULL means error or "end of file". Either way, we break. */
65 if (info == NULL)
66 break;
67
68 infotype = OSSL_STORE_INFO_get_type(info);
69 ok = 0;
70
71 if (infotype == OSSL_STORE_INFO_NAME) {
72 /*
73 * This is an entry in the "directory" represented by the current
74 * uri. if |depth| allows, dive into it.
75 */
76 if (depth > 0) {
77 CACHED_STORE substore;
78
79 substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
80 substore.libctx = store->libctx;
81 substore.propq = store->propq;
82 substore.ctx = NULL;
83 ok = cache_objects(lctx, &substore, criterion, depth - 1);
84 }
85 } else {
86 /*
87 * We know that X509_STORE_add_{cert|crl} increments the object's
88 * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
89 * to get them.
90 */
91 switch (infotype) {
92 case OSSL_STORE_INFO_CERT:
93 ok = X509_STORE_add_cert(xstore,
94 OSSL_STORE_INFO_get0_CERT(info));
95 break;
96 case OSSL_STORE_INFO_CRL:
97 ok = X509_STORE_add_crl(xstore,
98 OSSL_STORE_INFO_get0_CRL(info));
99 break;
100 }
101 }
102
103 OSSL_STORE_INFO_free(info);
104 if (!ok)
105 break;
106 }
107 OSSL_STORE_close(ctx);
108 store->ctx = NULL;
109
110 return ok;
111 }
112
113
free_store(CACHED_STORE * store)114 static void free_store(CACHED_STORE *store)
115 {
116 if (store != NULL) {
117 OSSL_STORE_close(store->ctx);
118 OPENSSL_free(store->uri);
119 OPENSSL_free(store->propq);
120 OPENSSL_free(store);
121 }
122 }
123
by_store_free(X509_LOOKUP * ctx)124 static void by_store_free(X509_LOOKUP *ctx)
125 {
126 STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
127 sk_CACHED_STORE_pop_free(stores, free_store);
128 }
129
by_store_ctrl_ex(X509_LOOKUP * ctx,int cmd,const char * argp,long argl,char ** retp,OSSL_LIB_CTX * libctx,const char * propq)130 static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
131 long argl, char **retp, OSSL_LIB_CTX *libctx,
132 const char *propq)
133 {
134 switch (cmd) {
135 case X509_L_ADD_STORE:
136 if (argp != NULL) {
137 STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
138 CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
139
140 if (store == NULL) {
141 return 0;
142 }
143
144 store->uri = OPENSSL_strdup(argp);
145 store->libctx = libctx;
146 if (propq != NULL)
147 store->propq = OPENSSL_strdup(propq);
148 store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
149 NULL, NULL, NULL);
150 if (store->ctx == NULL
151 || (propq != NULL && store->propq == NULL)
152 || store->uri == NULL) {
153 free_store(store);
154 return 0;
155 }
156
157 if (stores == NULL) {
158 stores = sk_CACHED_STORE_new_null();
159 if (stores != NULL)
160 X509_LOOKUP_set_method_data(ctx, stores);
161 }
162 if (stores == NULL || sk_CACHED_STORE_push(stores, store) <= 0) {
163 free_store(store);
164 return 0;
165 }
166 return 1;
167 }
168 /* NOP if no URI is given. */
169 return 1;
170 case X509_L_LOAD_STORE: {
171 /* This is a shortcut for quick loading of specific containers */
172 CACHED_STORE store;
173
174 store.uri = (char *)argp;
175 store.libctx = libctx;
176 store.propq = (char *)propq;
177 store.ctx = NULL;
178 return cache_objects(ctx, &store, NULL, 0);
179 }
180 default:
181 /* Unsupported command */
182 return 0;
183 }
184 }
185
by_store_ctrl(X509_LOOKUP * ctx,int cmd,const char * argp,long argl,char ** retp)186 static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
187 const char *argp, long argl, char **retp)
188 {
189 return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
190 }
191
by_store(X509_LOOKUP * ctx,X509_LOOKUP_TYPE type,const OSSL_STORE_SEARCH * criterion,X509_OBJECT * ret)192 static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
193 const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
194 {
195 STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
196 int i;
197 int ok = 0;
198
199 for (i = 0; i < sk_CACHED_STORE_num(stores); i++) {
200 ok = cache_objects(ctx, sk_CACHED_STORE_value(stores, i), criterion,
201 1 /* depth */);
202
203 if (ok)
204 break;
205 }
206 return ok;
207 }
208
by_store_subject(X509_LOOKUP * ctx,X509_LOOKUP_TYPE type,const X509_NAME * name,X509_OBJECT * ret)209 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
210 const X509_NAME *name, X509_OBJECT *ret)
211 {
212 OSSL_STORE_SEARCH *criterion =
213 OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
214 int ok = by_store(ctx, type, criterion, ret);
215 STACK_OF(X509_OBJECT) *store_objects =
216 X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
217 X509_OBJECT *tmp = NULL;
218
219 OSSL_STORE_SEARCH_free(criterion);
220
221 if (ok)
222 tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
223
224 ok = 0;
225 if (tmp != NULL) {
226 /*
227 * This could also be done like this:
228 *
229 * if (tmp != NULL) {
230 * *ret = *tmp;
231 * ok = 1;
232 * }
233 *
234 * However, we want to exercise the documented API to the max, so
235 * we do it the hard way.
236 *
237 * To be noted is that X509_OBJECT_set1_* increment the refcount,
238 * but so does X509_STORE_CTX_get_by_subject upon return of this
239 * function, so we must ensure the refcount is decremented
240 * before we return, or we will get a refcount leak. We cannot do
241 * this with X509_OBJECT_free(), though, as that will free a bit
242 * too much.
243 */
244 switch (type) {
245 case X509_LU_X509:
246 ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
247 if (ok)
248 X509_free(tmp->data.x509);
249 break;
250 case X509_LU_CRL:
251 ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
252 if (ok)
253 X509_CRL_free(tmp->data.crl);
254 break;
255 case X509_LU_NONE:
256 break;
257 }
258 }
259 return ok;
260 }
261
262 /*
263 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
264 * and get_by_alias. There's simply not enough support in the X509_LOOKUP
265 * or X509_STORE APIs.
266 */
267
268 static X509_LOOKUP_METHOD x509_store_lookup = {
269 "Load certs from STORE URIs",
270 NULL, /* new_item */
271 by_store_free, /* free */
272 NULL, /* init */
273 NULL, /* shutdown */
274 by_store_ctrl, /* ctrl */
275 by_store_subject, /* get_by_subject */
276 NULL, /* get_by_issuer_serial */
277 NULL, /* get_by_fingerprint */
278 NULL, /* get_by_alias */
279 NULL, /* get_by_subject_ex */
280 by_store_ctrl_ex
281 };
282
X509_LOOKUP_store(void)283 X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
284 {
285 return &x509_store_lookup;
286 }
287