/src/openssl33/crypto/x509/by_store.c

Source (jump to first uncovered line)
/*
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/safestack.h>
#include <openssl/store.h>
#include "internal/cryptlib.h"
#include "crypto/x509.h"
#include "x509_local.h"

typedef struct cached_store_st {
    char *uri;
    OSSL_LIB_CTX *libctx;
    char *propq;
} CACHED_STORE;

DEFINE_STACK_OF(CACHED_STORE)

/* Generic object loader, given expected type and criterion */
static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
                         const OSSL_STORE_SEARCH *criterion, int depth)
{
    int ok = 0;
    OSSL_STORE_CTX *ctx;
    X509_STORE *xstore = X509_LOOKUP_get_store(lctx);

    if ((ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
                                  NULL, NULL, NULL, NULL, NULL)) == NULL)
        return 0;

    /*
     * We try to set the criterion, but don't care if it was valid or not.
     * For an OSSL_STORE, it merely serves as an optimization, the expectation
     * being that if the criterion couldn't be used, we will get *everything*
     * from the container that the URI represents rather than the subset that
     * the criterion indicates, so the biggest harm is that we cache more
     * objects certs and CRLs than we may expect, but that's ok.
     *
     * Specifically for OpenSSL's own file: scheme, the only workable
     * criterion is the BY_NAME one, which it can only apply on directories,
     * but it's possible that the URI is a single file rather than a directory,
     * and in that case, the BY_NAME criterion is pointless.
     *
     * We could very simply not apply any criterion at all here, and just let
     * the code that selects certs and CRLs from the cached objects do its job,
     * but it's a nice optimization when it can be applied (such as on an
     * actual directory with a thousand CA certs).
     */
    if (criterion != NULL)
        OSSL_STORE_find(ctx, criterion);

    for (;;) {
        OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
        int infotype;

        /* NULL means error or "end of file".  Either way, we break. */
        if (info == NULL)
            break;

        infotype = OSSL_STORE_INFO_get_type(info);
        ok = 0;

        if (infotype == OSSL_STORE_INFO_NAME) {
            /*
             * This is an entry in the "directory" represented by the current
             * uri.  if |depth| allows, dive into it.
             */
            if (depth > 0) {
                CACHED_STORE substore;

                substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
                substore.libctx = store->libctx;
                substore.propq = store->propq;
                ok = cache_objects(lctx, &substore, criterion, depth - 1);
            }
        } else {
            /*
             * We know that X509_STORE_add_{cert|crl} increments the object's
             * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
             * to get them.
             */
            switch (infotype) {
            case OSSL_STORE_INFO_CERT:
                ok = X509_STORE_add_cert(xstore,
                                         OSSL_STORE_INFO_get0_CERT(info));
                break;
            case OSSL_STORE_INFO_CRL:
                ok = X509_STORE_add_crl(xstore,
                                        OSSL_STORE_INFO_get0_CRL(info));
                break;
            }
        }

        OSSL_STORE_INFO_free(info);
        if (!ok)
            break;
    }
    OSSL_STORE_close(ctx);

    return ok;
}


static void free_store(CACHED_STORE *store)
{
    if (store != NULL) {
        OPENSSL_free(store->uri);
        OPENSSL_free(store->propq);
        OPENSSL_free(store);
    }
}

static void by_store_free(X509_LOOKUP *ctx)
{
    STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
    sk_CACHED_STORE_pop_free(stores, free_store);
}

static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
                            long argl, char **retp, OSSL_LIB_CTX *libctx,
                            const char *propq)
{
    /*
     * In some cases below, failing to use the defaults shouldn't result in
     * an error.  |use_default| is used as the return code in those cases.
     */
    int use_default = argp == NULL;

    switch (cmd) {
    case X509_L_ADD_STORE:
        /* If no URI is given, use the default cert dir as default URI */
        if (argp == NULL)
            argp = ossl_safe_getenv(X509_get_default_cert_dir_env());

        if (argp == NULL)
            argp = X509_get_default_cert_dir();

        {
            STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
            CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
            OSSL_STORE_CTX *sctx;

            if (store == NULL) {
                return 0;
            }

            store->uri = OPENSSL_strdup(argp);
            store->libctx = libctx;
            if (propq != NULL)
                store->propq = OPENSSL_strdup(propq);
            /*
             * We open this to check for errors now - so we can report those
             * errors early.
             */
            sctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
                                      NULL, NULL, NULL);
            if (sctx == NULL
                || (propq != NULL && store->propq == NULL)
                || store->uri == NULL) {
                OSSL_STORE_close(sctx);
                free_store(store);
                return use_default;
            }
            OSSL_STORE_close(sctx);

            if (stores == NULL) {
                stores = sk_CACHED_STORE_new_null();
                if (stores != NULL)
                    X509_LOOKUP_set_method_data(ctx, stores);
            }
            if (stores == NULL || sk_CACHED_STORE_push(stores, store) <= 0) {
                free_store(store);
                return 0;
            }
            return 1;
        }
    case X509_L_LOAD_STORE: {
        /* This is a shortcut for quick loading of specific containers */
        CACHED_STORE store;

        store.uri = (char *)argp;
        store.libctx = libctx;
        store.propq = (char *)propq;
        return cache_objects(ctx, &store, NULL, 0);
    }
    default:
        /* Unsupported command */
        return 0;
    }

    return 0;
}

static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
                         const char *argp, long argl, char **retp)
{
    return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
}

static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                    const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
{
    STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
    int i;
    int ok = 0;

    for (i = 0; i < sk_CACHED_STORE_num(stores); i++) {
        ok = cache_objects(ctx, sk_CACHED_STORE_value(stores, i), criterion,
                           1 /* depth */);

        if (ok)
            break;
    }
    return ok;
}

static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                            const X509_NAME *name, X509_OBJECT *ret)
{
    OSSL_STORE_SEARCH *criterion =
        OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
    int ok = by_store(ctx, type, criterion, ret);
    STACK_OF(X509_OBJECT) *store_objects =
        X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
    X509_OBJECT *tmp = NULL;

    OSSL_STORE_SEARCH_free(criterion);

    if (ok) {
        X509_STORE *store = X509_LOOKUP_get_store(ctx);

        if (!ossl_x509_store_read_lock(store))
            return 0;
        tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
        X509_STORE_unlock(store);
    }

    ok = 0;
    if (tmp != NULL) {
        /*
         * This could also be done like this:
         *
         *     if (tmp != NULL) {
         *         *ret = *tmp;
         *         ok = 1;
         *     }
         *
         * However, we want to exercise the documented API to the max, so
         * we do it the hard way.
         *
         * To be noted is that X509_OBJECT_set1_* increment the refcount,
         * but so does X509_STORE_CTX_get_by_subject upon return of this
         * function, so we must ensure the refcount is decremented
         * before we return, or we will get a refcount leak.  We cannot do
         * this with X509_OBJECT_free(), though, as that will free a bit
         * too much.
         */
        switch (type) {
        case X509_LU_X509:
            ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
            if (ok)
                X509_free(tmp->data.x509);
            break;
        case X509_LU_CRL:
            ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
            if (ok)
                X509_CRL_free(tmp->data.crl);
            break;
        case X509_LU_NONE:
            break;
        }
    }
    return ok;
}

/*
 * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
 * and get_by_alias.  There's simply not enough support in the X509_LOOKUP
 * or X509_STORE APIs.
 */

static X509_LOOKUP_METHOD x509_store_lookup = {
    "Load certs from STORE URIs",
    NULL,                        /* new_item */
    by_store_free,               /* free */
    NULL,                        /* init */
    NULL,                        /* shutdown */
    by_store_ctrl,               /* ctrl */
    by_store_subject,            /* get_by_subject */
    NULL,                        /* get_by_issuer_serial */
    NULL,                        /* get_by_fingerprint */
    NULL,                        /* get_by_alias */
    NULL,                        /* get_by_subject_ex */
    by_store_ctrl_ex
};

X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
{
    return &x509_store_lookup;
}

Coverage Report

Created: 2025-08-28 07:07

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <openssl/safestack.h>
11		#include <openssl/store.h>
12		#include "internal/cryptlib.h"
13		#include "crypto/x509.h"
14		#include "x509_local.h"
15
16		typedef struct cached_store_st {
17		char *uri;
18		OSSL_LIB_CTX *libctx;
19		char *propq;
20		} CACHED_STORE;
21
22		DEFINE_STACK_OF(CACHED_STORE)
23
24		/* Generic object loader, given expected type and criterion */
25		static int cache_objects(X509_LOOKUP lctx, CACHED_STORE store,
26		const OSSL_STORE_SEARCH *criterion, int depth)
27	0	{
28	0	int ok = 0;
29	0	OSSL_STORE_CTX *ctx;
30	0	X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
31
32	0	if ((ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
33	0	NULL, NULL, NULL, NULL, NULL)) == NULL)
34	0	return 0;
35
36		/*
37		* We try to set the criterion, but don't care if it was valid or not.
38		* For an OSSL_STORE, it merely serves as an optimization, the expectation
39		* being that if the criterion couldn't be used, we will get everything
40		* from the container that the URI represents rather than the subset that
41		* the criterion indicates, so the biggest harm is that we cache more
42		* objects certs and CRLs than we may expect, but that's ok.
43		*
44		* Specifically for OpenSSL's own file: scheme, the only workable
45		* criterion is the BY_NAME one, which it can only apply on directories,
46		* but it's possible that the URI is a single file rather than a directory,
47		* and in that case, the BY_NAME criterion is pointless.
48		*
49		* We could very simply not apply any criterion at all here, and just let
50		* the code that selects certs and CRLs from the cached objects do its job,
51		* but it's a nice optimization when it can be applied (such as on an
52		* actual directory with a thousand CA certs).
53		*/
54	0	if (criterion != NULL)
55	0	OSSL_STORE_find(ctx, criterion);
56
57	0	for (;;) {
58	0	OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
59	0	int infotype;
60
61		/* NULL means error or "end of file". Either way, we break. */
62	0	if (info == NULL)
63	0	break;
64
65	0	infotype = OSSL_STORE_INFO_get_type(info);
66	0	ok = 0;
67
68	0	if (infotype == OSSL_STORE_INFO_NAME) {
69		/*
70		* This is an entry in the "directory" represented by the current
71		* uri. if \|depth\| allows, dive into it.
72		*/
73	0	if (depth > 0) {
74	0	CACHED_STORE substore;
75
76	0	substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
77	0	substore.libctx = store->libctx;
78	0	substore.propq = store->propq;
79	0	ok = cache_objects(lctx, &substore, criterion, depth - 1);
80	0	}
81	0	} else {
82		/*
83		* We know that X509_STORE_add_{cert\|crl} increments the object's
84		* refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
85		* to get them.
86		*/
87	0	switch (infotype) {
88	0	case OSSL_STORE_INFO_CERT:
89	0	ok = X509_STORE_add_cert(xstore,
90	0	OSSL_STORE_INFO_get0_CERT(info));
91	0	break;
92	0	case OSSL_STORE_INFO_CRL:
93	0	ok = X509_STORE_add_crl(xstore,
94	0	OSSL_STORE_INFO_get0_CRL(info));
95	0	break;
96	0	}
97	0	}
98
99	0	OSSL_STORE_INFO_free(info);
100	0	if (!ok)
101	0	break;
102	0	}
103	0	OSSL_STORE_close(ctx);
104
105	0	return ok;
106	0	}
107
108
109		static void free_store(CACHED_STORE *store)
110	0	{
111	0	if (store != NULL) {
112	0	OPENSSL_free(store->uri);
113	0	OPENSSL_free(store->propq);
114	0	OPENSSL_free(store);
115	0	}
116	0	}
117
118		static void by_store_free(X509_LOOKUP *ctx)
119	0	{
120	0	STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
121	0	sk_CACHED_STORE_pop_free(stores, free_store);
122	0	}
123
124		static int by_store_ctrl_ex(X509_LOOKUP ctx, int cmd, const char argp,
125		long argl, char *retp, OSSL_LIB_CTX libctx,
126		const char *propq)
127	0	{
128		/*
129		* In some cases below, failing to use the defaults shouldn't result in
130		* an error. \|use_default\| is used as the return code in those cases.
131		*/
132	0	int use_default = argp == NULL;
133
134	0	switch (cmd) {
135	0	case X509_L_ADD_STORE:
136		/* If no URI is given, use the default cert dir as default URI */
137	0	if (argp == NULL)
138	0	argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
139
140	0	if (argp == NULL)
141	0	argp = X509_get_default_cert_dir();
142
143	0	{
144	0	STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
145	0	CACHED_STORE store = OPENSSL_zalloc(sizeof(store));
146	0	OSSL_STORE_CTX *sctx;
147
148	0	if (store == NULL) {
149	0	return 0;
150	0	}
151
152	0	store->uri = OPENSSL_strdup(argp);
153	0	store->libctx = libctx;
154	0	if (propq != NULL)
155	0	store->propq = OPENSSL_strdup(propq);
156		/*
157		* We open this to check for errors now - so we can report those
158		* errors early.
159		*/
160	0	sctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
161	0	NULL, NULL, NULL);
162	0	if (sctx == NULL
163	0	\|\| (propq != NULL && store->propq == NULL)
164	0	\|\| store->uri == NULL) {
165	0	OSSL_STORE_close(sctx);
166	0	free_store(store);
167	0	return use_default;
168	0	}
169	0	OSSL_STORE_close(sctx);
170
171	0	if (stores == NULL) {
172	0	stores = sk_CACHED_STORE_new_null();
173	0	if (stores != NULL)
174	0	X509_LOOKUP_set_method_data(ctx, stores);
175	0	}
176	0	if (stores == NULL \|\| sk_CACHED_STORE_push(stores, store) <= 0) {
177	0	free_store(store);
178	0	return 0;
179	0	}
180	0	return 1;
181	0	}
182	0	case X509_L_LOAD_STORE: {
183		/* This is a shortcut for quick loading of specific containers */
184	0	CACHED_STORE store;
185
186	0	store.uri = (char *)argp;
187	0	store.libctx = libctx;
188	0	store.propq = (char *)propq;
189	0	return cache_objects(ctx, &store, NULL, 0);
190	0	}
191	0	default:
192		/* Unsupported command */
193	0	return 0;
194	0	}
195
196	0	return 0;
197	0	}
198
199		static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
200		const char argp, long argl, char *retp)
201	0	{
202	0	return by_store_ctrl_ex(ctx, cmd, argp, argl, retp, NULL, NULL);
203	0	}
204
205		static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
206		const OSSL_STORE_SEARCH criterion, X509_OBJECT ret)
207	0	{
208	0	STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
209	0	int i;
210	0	int ok = 0;
211
212	0	for (i = 0; i < sk_CACHED_STORE_num(stores); i++) {
213	0	ok = cache_objects(ctx, sk_CACHED_STORE_value(stores, i), criterion,
214	0	1 /* depth */);
215
216	0	if (ok)
217	0	break;
218	0	}
219	0	return ok;
220	0	}
221
222		static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
223		const X509_NAME name, X509_OBJECT ret)
224	0	{
225	0	OSSL_STORE_SEARCH *criterion =
226	0	OSSL_STORE_SEARCH_by_name((X509_NAME )name); / won't modify it */
227	0	int ok = by_store(ctx, type, criterion, ret);
228	0	STACK_OF(X509_OBJECT) *store_objects =
229	0	X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
230	0	X509_OBJECT *tmp = NULL;
231
232	0	OSSL_STORE_SEARCH_free(criterion);
233
234	0	if (ok) {
235	0	X509_STORE *store = X509_LOOKUP_get_store(ctx);
236
237	0	if (!ossl_x509_store_read_lock(store))
238	0	return 0;
239	0	tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
240	0	X509_STORE_unlock(store);
241	0	}
242
243	0	ok = 0;
244	0	if (tmp != NULL) {
245		/*
246		* This could also be done like this:
247		*
248		* if (tmp != NULL) {
249		* ret = tmp;
250		* ok = 1;
251		* }
252		*
253		* However, we want to exercise the documented API to the max, so
254		* we do it the hard way.
255		*
256		* To be noted is that X509_OBJECT_set1_* increment the refcount,
257		* but so does X509_STORE_CTX_get_by_subject upon return of this
258		* function, so we must ensure the refcount is decremented
259		* before we return, or we will get a refcount leak. We cannot do
260		* this with X509_OBJECT_free(), though, as that will free a bit
261		* too much.
262		*/
263	0	switch (type) {
264	0	case X509_LU_X509:
265	0	ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
266	0	if (ok)
267	0	X509_free(tmp->data.x509);
268	0	break;
269	0	case X509_LU_CRL:
270	0	ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
271	0	if (ok)
272	0	X509_CRL_free(tmp->data.crl);
273	0	break;
274	0	case X509_LU_NONE:
275	0	break;
276	0	}
277	0	}
278	0	return ok;
279	0	}
280
281		/*
282		* We lack the implementations for get_by_issuer_serial, get_by_fingerprint
283		* and get_by_alias. There's simply not enough support in the X509_LOOKUP
284		* or X509_STORE APIs.
285		*/
286
287		static X509_LOOKUP_METHOD x509_store_lookup = {
288		"Load certs from STORE URIs",
289		NULL, /* new_item */
290		by_store_free, /* free */
291		NULL, /* init */
292		NULL, /* shutdown */
293		by_store_ctrl, /* ctrl */
294		by_store_subject, /* get_by_subject */
295		NULL, /* get_by_issuer_serial */
296		NULL, /* get_by_fingerprint */
297		NULL, /* get_by_alias */
298		NULL, /* get_by_subject_ex */
299		by_store_ctrl_ex
300		};
301
302		X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
303	0	{
304	0	return &x509_store_lookup;
305	0	}