x509_lu.c@ 105945

最後變更在這個檔案從105945是 104078,由 vboxsync 提交於 8 月前
openssl-3.1.5: Applied and adjusted our OpenSSL changes to 3.1.4. bugref:10638
檔案大小: 25.8 KB

行
1	/*
2	* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <stdio.h>
11	#include "internal/cryptlib.h"
12	#include "internal/refcount.h"
13	#include <openssl/x509.h>
14	#include "crypto/x509.h"
15	#include <openssl/x509v3.h>
16	#include "x509_local.h"
17
18	X509_LOOKUP X509_LOOKUP_new(X509_LOOKUP_METHOD method)
19	{
20	X509_LOOKUP ret = OPENSSL_zalloc(sizeof(ret));
21
22	if (ret == NULL) {
23	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
24	return NULL;
25	}
26
27	ret->method = method;
28	if (method->new_item != NULL && method->new_item(ret) == 0) {
29	OPENSSL_free(ret);
30	return NULL;
31	}
32	return ret;
33	}
34
35	void X509_LOOKUP_free(X509_LOOKUP *ctx)
36	{
37	if (ctx == NULL)
38	return;
39	if ((ctx->method != NULL) && (ctx->method->free != NULL))
40	(*ctx->method->free) (ctx);
41	OPENSSL_free(ctx);
42	}
43
44	int X509_STORE_lock(X509_STORE *xs)
45	{
46	return CRYPTO_THREAD_write_lock(xs->lock);
47	}
48
49	static int x509_store_read_lock(X509_STORE *xs)
50	{
51	return CRYPTO_THREAD_read_lock(xs->lock);
52	}
53
54	int X509_STORE_unlock(X509_STORE *xs)
55	{
56	return CRYPTO_THREAD_unlock(xs->lock);
57	}
58
59	int X509_LOOKUP_init(X509_LOOKUP *ctx)
60	{
61	if (ctx->method == NULL)
62	return 0;
63	if (ctx->method->init != NULL)
64	return ctx->method->init(ctx);
65	else
66	return 1;
67	}
68
69	int X509_LOOKUP_shutdown(X509_LOOKUP *ctx)
70	{
71	if (ctx->method == NULL)
72	return 0;
73	if (ctx->method->shutdown != NULL)
74	return ctx->method->shutdown(ctx);
75	else
76	return 1;
77	}
78
79	int X509_LOOKUP_ctrl_ex(X509_LOOKUP ctx, int cmd, const char argc, long argl,
80	char *ret, OSSL_LIB_CTX libctx, const char *propq)
81	{
82	if (ctx->method == NULL)
83	return -1;
84	if (ctx->method->ctrl_ex != NULL)
85	return ctx->method->ctrl_ex(ctx, cmd, argc, argl, ret, libctx, propq);
86	if (ctx->method->ctrl != NULL)
87	return ctx->method->ctrl(ctx, cmd, argc, argl, ret);
88	return 1;
89	}
90
91	int X509_LOOKUP_ctrl(X509_LOOKUP ctx, int cmd, const char argc, long argl,
92	char **ret)
93	{
94	return X509_LOOKUP_ctrl_ex(ctx, cmd, argc, argl, ret, NULL, NULL);
95	}
96
97	int X509_LOOKUP_by_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
98	const X509_NAME name, X509_OBJECT ret,
99	OSSL_LIB_CTX libctx, const char propq)
100	{
101	if (ctx->skip
102	\|\| ctx->method == NULL
103	\|\| (ctx->method->get_by_subject == NULL
104	&& ctx->method->get_by_subject_ex == NULL))
105	return 0;
106	if (ctx->method->get_by_subject_ex != NULL)
107	return ctx->method->get_by_subject_ex(ctx, type, name, ret, libctx,
108	propq);
109	else
110	return ctx->method->get_by_subject(ctx, type, name, ret);
111	}
112
113	int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
114	const X509_NAME name, X509_OBJECT ret)
115	{
116	return X509_LOOKUP_by_subject_ex(ctx, type, name, ret, NULL, NULL);
117	}
118
119	int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
120	const X509_NAME *name,
121	const ASN1_INTEGER *serial,
122	X509_OBJECT *ret)
123	{
124	if ((ctx->method == NULL) \|\| (ctx->method->get_by_issuer_serial == NULL))
125	return 0;
126	return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret);
127	}
128
129	int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
130	const unsigned char *bytes, int len,
131	X509_OBJECT *ret)
132	{
133	if ((ctx->method == NULL) \|\| (ctx->method->get_by_fingerprint == NULL))
134	return 0;
135	return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret);
136	}
137
138	int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
139	const char str, int len, X509_OBJECT ret)
140	{
141	if ((ctx->method == NULL) \|\| (ctx->method->get_by_alias == NULL))
142	return 0;
143	return ctx->method->get_by_alias(ctx, type, str, len, ret);
144	}
145
146	int X509_LOOKUP_set_method_data(X509_LOOKUP ctx, void data)
147	{
148	ctx->method_data = data;
149	return 1;
150	}
151
152	void X509_LOOKUP_get_method_data(const X509_LOOKUP ctx)
153	{
154	return ctx->method_data;
155	}
156
157	X509_STORE X509_LOOKUP_get_store(const X509_LOOKUP ctx)
158	{
159	return ctx->store_ctx;
160	}
161
162
163	static int x509_object_cmp(const X509_OBJECT const a,
164	const X509_OBJECT const b)
165	{
166	int ret;
167
168	ret = ((a)->type - (b)->type);
169	if (ret)
170	return ret;
171	switch ((*a)->type) {
172	case X509_LU_X509:
173	ret = X509_subject_name_cmp((a)->data.x509, (b)->data.x509);
174	break;
175	case X509_LU_CRL:
176	ret = X509_CRL_cmp((a)->data.crl, (b)->data.crl);
177	break;
178	case X509_LU_NONE:
179	/* abort(); */
180	return 0;
181	}
182	return ret;
183	}
184
185	X509_STORE *X509_STORE_new(void)
186	{
187	X509_STORE ret = OPENSSL_zalloc(sizeof(ret));
188
189	if (ret == NULL) {
190	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
191	return NULL;
192	}
193	if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL) {
194	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
195	goto err;
196	}
197	ret->cache = 1;
198	if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL) {
199	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
200	goto err;
201	}
202
203	if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) {
204	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
205	goto err;
206	}
207	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) {
208	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
209	goto err;
210	}
211
212	ret->lock = CRYPTO_THREAD_lock_new();
213	if (ret->lock == NULL) {
214	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
215	goto err;
216	}
217	ret->references = 1;
218	return ret;
219
220	err:
221	X509_VERIFY_PARAM_free(ret->param);
222	sk_X509_OBJECT_free(ret->objs);
223	sk_X509_LOOKUP_free(ret->get_cert_methods);
224	OPENSSL_free(ret);
225	return NULL;
226	}
227
228	void X509_STORE_free(X509_STORE *vfy)
229	{
230	int i;
231	STACK_OF(X509_LOOKUP) *sk;
232	X509_LOOKUP *lu;
233
234	if (vfy == NULL)
235	return;
236	CRYPTO_DOWN_REF(&vfy->references, &i, vfy->lock);
237	REF_PRINT_COUNT("X509_STORE", vfy);
238	if (i > 0)
239	return;
240	REF_ASSERT_ISNT(i < 0);
241
242	sk = vfy->get_cert_methods;
243	for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
244	lu = sk_X509_LOOKUP_value(sk, i);
245	X509_LOOKUP_shutdown(lu);
246	X509_LOOKUP_free(lu);
247	}
248	sk_X509_LOOKUP_free(sk);
249	sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free);
250
251	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
252	X509_VERIFY_PARAM_free(vfy->param);
253	CRYPTO_THREAD_lock_free(vfy->lock);
254	OPENSSL_free(vfy);
255	}
256
257	int X509_STORE_up_ref(X509_STORE *vfy)
258	{
259	int i;
260
261	if (CRYPTO_UP_REF(&vfy->references, &i, vfy->lock) <= 0)
262	return 0;
263
264	REF_PRINT_COUNT("X509_STORE", vfy);
265	REF_ASSERT_ISNT(i < 2);
266	return ((i > 1) ? 1 : 0);
267	}
268
269	X509_LOOKUP X509_STORE_add_lookup(X509_STORE v, X509_LOOKUP_METHOD *m)
270	{
271	int i;
272	STACK_OF(X509_LOOKUP) *sk;
273	X509_LOOKUP *lu;
274
275	sk = v->get_cert_methods;
276	for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) {
277	lu = sk_X509_LOOKUP_value(sk, i);
278	if (m == lu->method) {
279	return lu;
280	}
281	}
282	/* a new one */
283	lu = X509_LOOKUP_new(m);
284	if (lu == NULL) {
285	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
286	return NULL;
287	}
288
289	lu->store_ctx = v;
290	if (sk_X509_LOOKUP_push(v->get_cert_methods, lu))
291	return lu;
292	/* malloc failed */
293	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
294	X509_LOOKUP_free(lu);
295	return NULL;
296	}
297
298	X509_OBJECT X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX vs,
299	X509_LOOKUP_TYPE type,
300	const X509_NAME *name)
301	{
302	X509_OBJECT *ret = X509_OBJECT_new();
303
304	if (ret == NULL)
305	return NULL;
306	if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) {
307	X509_OBJECT_free(ret);
308	return NULL;
309	}
310	return ret;
311	}
312
313	/* Also fill the cache with all matching certificates */
314	int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
315	X509_LOOKUP_TYPE type,
316	const X509_NAME name, X509_OBJECT ret)
317	{
318	X509_STORE *store = vs->store;
319	X509_LOOKUP *lu;
320	X509_OBJECT stmp, *tmp;
321	int i, j;
322
323	if (store == NULL)
324	return 0;
325
326	stmp.type = X509_LU_NONE;
327	stmp.data.ptr = NULL;
328
329	if (!x509_store_read_lock(store))
330	return 0;
331	/* Should already be sorted...but just in case */
332	if (!sk_X509_OBJECT_is_sorted(store->objs)) {
333	X509_STORE_unlock(store);
334	/* Take a write lock instead of a read lock */
335	X509_STORE_lock(store);
336	/*
337	* Another thread might have sorted it in the meantime. But if so,
338	* sk_X509_OBJECT_sort() exits early.
339	*/
340	sk_X509_OBJECT_sort(store->objs);
341	}
342	tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name);
343	X509_STORE_unlock(store);
344
345	if (tmp == NULL \|\| type == X509_LU_CRL) {
346	for (i = 0; i < sk_X509_LOOKUP_num(store->get_cert_methods); i++) {
347	lu = sk_X509_LOOKUP_value(store->get_cert_methods, i);
348	j = X509_LOOKUP_by_subject_ex(lu, type, name, &stmp, vs->libctx,
349	vs->propq);
350	if (j) {
351	tmp = &stmp;
352	break;
353	}
354	}
355	if (tmp == NULL)
356	return 0;
357	}
358
359	if (!X509_OBJECT_up_ref_count(tmp))
360	return 0;
361
362	ret->type = tmp->type;
363	ret->data.ptr = tmp->data.ptr;
364
365	return 1;
366	}
367
368	static int x509_store_add(X509_STORE store, void x, int crl) {
369	X509_OBJECT *obj;
370	int ret = 0, added = 0;
371
372	if (x == NULL)
373	return 0;
374	obj = X509_OBJECT_new();
375	if (obj == NULL)
376	return 0;
377
378	if (crl) {
379	obj->type = X509_LU_CRL;
380	obj->data.crl = (X509_CRL *)x;
381	} else {
382	obj->type = X509_LU_X509;
383	obj->data.x509 = (X509 *)x;
384	}
385	if (!X509_OBJECT_up_ref_count(obj)) {
386	obj->type = X509_LU_NONE;
387	X509_OBJECT_free(obj);
388	return 0;
389	}
390
391	if (!X509_STORE_lock(store)) {
392	obj->type = X509_LU_NONE;
393	X509_OBJECT_free(obj);
394	return 0;
395	}
396
397	if (X509_OBJECT_retrieve_match(store->objs, obj)) {
398	ret = 1;
399	} else {
400	added = sk_X509_OBJECT_push(store->objs, obj);
401	ret = added != 0;
402	}
403	X509_STORE_unlock(store);
404
405	if (added == 0) /* obj not pushed */
406	X509_OBJECT_free(obj);
407
408	return ret;
409	}
410
411	int X509_STORE_add_cert(X509_STORE ctx, X509 x)
412	{
413	if (!x509_store_add(ctx, x, 0)) {
414	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
415	return 0;
416	}
417	return 1;
418	}
419
420	int X509_STORE_add_crl(X509_STORE ctx, X509_CRL x)
421	{
422	if (!x509_store_add(ctx, x, 1)) {
423	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
424	return 0;
425	}
426	return 1;
427	}
428
429	int X509_OBJECT_up_ref_count(X509_OBJECT *a)
430	{
431	switch (a->type) {
432	case X509_LU_NONE:
433	break;
434	case X509_LU_X509:
435	return X509_up_ref(a->data.x509);
436	case X509_LU_CRL:
437	return X509_CRL_up_ref(a->data.crl);
438	}
439	return 1;
440	}
441
442	X509 X509_OBJECT_get0_X509(const X509_OBJECT a)
443	{
444	if (a == NULL \|\| a->type != X509_LU_X509)
445	return NULL;
446	return a->data.x509;
447	}
448
449	X509_CRL X509_OBJECT_get0_X509_CRL(const X509_OBJECT a)
450	{
451	if (a == NULL \|\| a->type != X509_LU_CRL)
452	return NULL;
453	return a->data.crl;
454	}
455
456	X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a)
457	{
458	return a->type;
459	}
460
461	X509_OBJECT *X509_OBJECT_new(void)
462	{
463	X509_OBJECT ret = OPENSSL_zalloc(sizeof(ret));
464
465	if (ret == NULL) {
466	ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
467	return NULL;
468	}
469	ret->type = X509_LU_NONE;
470	return ret;
471	}
472
473	static void x509_object_free_internal(X509_OBJECT *a)
474	{
475	if (a == NULL)
476	return;
477	switch (a->type) {
478	case X509_LU_NONE:
479	break;
480	case X509_LU_X509:
481	X509_free(a->data.x509);
482	break;
483	case X509_LU_CRL:
484	X509_CRL_free(a->data.crl);
485	break;
486	}
487	}
488
489	int X509_OBJECT_set1_X509(X509_OBJECT a, X509 obj)
490	{
491	if (a == NULL \|\| !X509_up_ref(obj))
492	return 0;
493
494	x509_object_free_internal(a);
495	a->type = X509_LU_X509;
496	a->data.x509 = obj;
497	return 1;
498	}
499
500	int X509_OBJECT_set1_X509_CRL(X509_OBJECT a, X509_CRL obj)
501	{
502	if (a == NULL \|\| !X509_CRL_up_ref(obj))
503	return 0;
504
505	x509_object_free_internal(a);
506	a->type = X509_LU_CRL;
507	a->data.crl = obj;
508	return 1;
509	}
510
511	void X509_OBJECT_free(X509_OBJECT *a)
512	{
513	x509_object_free_internal(a);
514	OPENSSL_free(a);
515	}
516
517	static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
518	const X509_NAME name, int pnmatch)
519	{
520	X509_OBJECT stmp;
521	X509 x509_s;
522	X509_CRL crl_s;
523
524	stmp.type = type;
525	switch (type) {
526	case X509_LU_X509:
527	stmp.data.x509 = &x509_s;
528	x509_s.cert_info.subject = (X509_NAME )name; / won't modify it */
529	break;
530	case X509_LU_CRL:
531	stmp.data.crl = &crl_s;
532	crl_s.crl.issuer = (X509_NAME )name; / won't modify it */
533	break;
534	case X509_LU_NONE:
535	/* abort(); */
536	return -1;
537	}
538
539	/* Assumes h is locked for read if applicable */
540	return sk_X509_OBJECT_find_all(h, &stmp, pnmatch);
541	}
542
543	/* Assumes h is locked for read if applicable */
544	int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
545	const X509_NAME *name)
546	{
547	return x509_object_idx_cnt(h, type, name, NULL);
548	}
549
550	/* Assumes h is locked for read if applicable */
551	X509_OBJECT X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) h,
552	X509_LOOKUP_TYPE type,
553	const X509_NAME *name)
554	{
555	int idx;
556	idx = X509_OBJECT_idx_by_subject(h, type, name);
557	if (idx == -1)
558	return NULL;
559	return sk_X509_OBJECT_value(h, idx);
560	}
561
562	STACK_OF(X509_OBJECT) X509_STORE_get0_objects(const X509_STORE v)
563	{
564	return v->objs;
565	}
566
567	STACK_OF(X509) X509_STORE_get1_all_certs(X509_STORE store)
568	{
569	STACK_OF(X509) *sk;
570	STACK_OF(X509_OBJECT) *objs;
571	int i;
572
573	if (store == NULL) {
574	ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
575	return NULL;
576	}
577	if ((sk = sk_X509_new_null()) == NULL)
578	return NULL;
579	if (!X509_STORE_lock(store))
580	goto out_free;
581
582	objs = X509_STORE_get0_objects(store);
583	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
584	X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
585
586	if (cert != NULL
587	&& !X509_add_cert(sk, cert, X509_ADD_FLAG_UP_REF))
588	goto err;
589	}
590	X509_STORE_unlock(store);
591	return sk;
592
593	err:
594	X509_STORE_unlock(store);
595	out_free:
596	sk_X509_pop_free(sk, X509_free);
597	return NULL;
598	}
599
600	STACK_OF(X509) X509_STORE_CTX_get1_certs(X509_STORE_CTX ctx,
601	const X509_NAME *nm)
602	{
603	int i, idx, cnt;
604	STACK_OF(X509) *sk = NULL;
605	X509 *x;
606	X509_OBJECT *obj;
607	X509_STORE *store = ctx->store;
608
609	if (store == NULL)
610	return NULL;
611
612	if (!X509_STORE_lock(store))
613	return NULL;
614
615	idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
616	if (idx < 0) {
617	/*
618	* Nothing found in cache: do lookup to possibly add new objects to
619	* cache
620	*/
621	X509_OBJECT *xobj = X509_OBJECT_new();
622
623	X509_STORE_unlock(store);
624
625	if (xobj == NULL)
626	return NULL;
627	if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) {
628	X509_OBJECT_free(xobj);
629	return NULL;
630	}
631	X509_OBJECT_free(xobj);
632	if (!X509_STORE_lock(store))
633	return NULL;
634	idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt);
635	if (idx < 0) {
636	X509_STORE_unlock(store);
637	return NULL;
638	}
639	}
640
641	sk = sk_X509_new_null();
642	for (i = 0; i < cnt; i++, idx++) {
643	obj = sk_X509_OBJECT_value(store->objs, idx);
644	x = obj->data.x509;
645	if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
646	X509_STORE_unlock(store);
647	sk_X509_pop_free(sk, X509_free);
648	return NULL;
649	}
650	}
651	X509_STORE_unlock(store);
652	return sk;
653	}
654
655	STACK_OF(X509_CRL) X509_STORE_CTX_get1_crls(const X509_STORE_CTX ctx,
656	const X509_NAME *nm)
657	{
658	int i, idx, cnt;
659	STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
660	X509_CRL *x;
661	X509_OBJECT obj, xobj = X509_OBJECT_new();
662	X509_STORE *store = ctx->store;
663
664	/* Always do lookup to possibly add new CRLs to cache */
665	if (sk == NULL
666	\|\| xobj == NULL
667	\|\| store == NULL
668	\|\| !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
669	X509_OBJECT_free(xobj);
670	sk_X509_CRL_free(sk);
671	return NULL;
672	}
673	X509_OBJECT_free(xobj);
674	if (!X509_STORE_lock(store)) {
675	sk_X509_CRL_free(sk);
676	return NULL;
677	}
678	idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt);
679	if (idx < 0) {
680	X509_STORE_unlock(store);
681	sk_X509_CRL_free(sk);
682	return NULL;
683	}
684
685	for (i = 0; i < cnt; i++, idx++) {
686	obj = sk_X509_OBJECT_value(store->objs, idx);
687	x = obj->data.crl;
688	if (!X509_CRL_up_ref(x)) {
689	X509_STORE_unlock(store);
690	sk_X509_CRL_pop_free(sk, X509_CRL_free);
691	return NULL;
692	}
693	if (!sk_X509_CRL_push(sk, x)) {
694	X509_STORE_unlock(store);
695	X509_CRL_free(x);
696	sk_X509_CRL_pop_free(sk, X509_CRL_free);
697	return NULL;
698	}
699	}
700	X509_STORE_unlock(store);
701	return sk;
702	}
703
704	X509_OBJECT X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) h,
705	X509_OBJECT *x)
706	{
707	int idx, i, num;
708	X509_OBJECT *obj;
709
710	idx = sk_X509_OBJECT_find(h, x);
711	if (idx < 0)
712	return NULL;
713	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
714	return sk_X509_OBJECT_value(h, idx);
715	for (i = idx, num = sk_X509_OBJECT_num(h); i < num; i++) {
716	obj = sk_X509_OBJECT_value(h, i);
717	if (x509_object_cmp((const X509_OBJECT **)&obj,
718	(const X509_OBJECT **)&x))
719	return NULL;
720	if (x->type == X509_LU_X509) {
721	if (!X509_cmp(obj->data.x509, x->data.x509))
722	return obj;
723	} else if (x->type == X509_LU_CRL) {
724	if (X509_CRL_match(obj->data.crl, x->data.crl) == 0)
725	return obj;
726	} else
727	return obj;
728	}
729	return NULL;
730	}
731
732	/*-
733	* Try to get issuer cert from \|ctx->store\| matching the subject name of \|x\|.
734	* Prefer the first non-expired one, else take the most recently expired one.
735	*
736	* Return values are:
737	* 1 lookup successful.
738	* 0 certificate not found.
739	* -1 some other error.
740	*/
741	int X509_STORE_CTX_get1_issuer(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
742	{
743	const X509_NAME *xn;
744	X509_OBJECT obj = X509_OBJECT_new(), pobj = NULL;
745	X509_STORE *store = ctx->store;
746	int i, ok, idx, ret, nmatch = 0;
747
748	if (obj == NULL)
749	return -1;
750	*issuer = NULL;
751	xn = X509_get_issuer_name(x);
752	ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj);
753	if (ok != 1) {
754	X509_OBJECT_free(obj);
755	return 0;
756	}
757	/* If certificate matches and is currently valid all OK */
758	if (ctx->check_issued(ctx, x, obj->data.x509)) {
759	if (ossl_x509_check_cert_time(ctx, obj->data.x509, -1)) {
760	*issuer = obj->data.x509;
761	/* \|issuer\| has taken over the cert reference from \|obj\| /
762	obj->type = X509_LU_NONE;
763	X509_OBJECT_free(obj);
764	return 1;
765	}
766	}
767	X509_OBJECT_free(obj);
768
769	/*
770	* Due to limitations of the API this can only retrieve a single cert.
771	* However it will fill the cache with all matching certificates,
772	* so we can examine the cache for all matches.
773	*/
774	if (store == NULL)
775	return 0;
776
777	/* Find index of first currently valid cert accepted by 'check_issued' */
778	ret = 0;
779	if (!X509_STORE_lock(store))
780	return 0;
781
782	idx = x509_object_idx_cnt(store->objs, X509_LU_X509, xn, &nmatch);
783	if (idx != -1) { /* should be true as we've had at least one match */
784	/* Look through all matching certs for suitable issuer */
785	for (i = idx; i < idx + nmatch; i++) {
786	pobj = sk_X509_OBJECT_value(store->objs, i);
787	/* See if we've run past the matches */
788	if (pobj->type != X509_LU_X509)
789	break;
790	if (ctx->check_issued(ctx, x, pobj->data.x509)) {
791	ret = 1;
792	/* If times check fine, exit with match, else keep looking. */
793	if (ossl_x509_check_cert_time(ctx, pobj->data.x509, -1)) {
794	*issuer = pobj->data.x509;
795	break;
796	}
797	/*
798	* Leave the so far most recently expired match in *issuer
799	* so we return nearest match if no certificate time is OK.
800	*/
801	if (*issuer == NULL
802	\|\| ASN1_TIME_compare(X509_get0_notAfter(pobj->data.x509),
803	X509_get0_notAfter(*issuer)) > 0)
804	*issuer = pobj->data.x509;
805	}
806	}
807	}
808	if (issuer != NULL && !X509_up_ref(issuer)) {
809	*issuer = NULL;
810	ret = -1;
811	}
812	X509_STORE_unlock(store);
813	return ret;
814	}
815
816	int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
817	{
818	return X509_VERIFY_PARAM_set_flags(ctx->param, flags);
819	}
820
821	int X509_STORE_set_depth(X509_STORE *ctx, int depth)
822	{
823	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
824	return 1;
825	}
826
827	int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
828	{
829	return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);
830	}
831
832	int X509_STORE_set_trust(X509_STORE *ctx, int trust)
833	{
834	return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
835	}
836
837	int X509_STORE_set1_param(X509_STORE ctx, const X509_VERIFY_PARAM param)
838	{
839	return X509_VERIFY_PARAM_set1(ctx->param, param);
840	}
841
842	X509_VERIFY_PARAM X509_STORE_get0_param(const X509_STORE ctx)
843	{
844	return ctx->param;
845	}
846
847	void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
848	{
849	ctx->verify = verify;
850	}
851
852	X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx)
853	{
854	return ctx->verify;
855	}
856
857	void X509_STORE_set_verify_cb(X509_STORE *ctx,
858	X509_STORE_CTX_verify_cb verify_cb)
859	{
860	ctx->verify_cb = verify_cb;
861	}
862
863	X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx)
864	{
865	return ctx->verify_cb;
866	}
867
868	void X509_STORE_set_get_issuer(X509_STORE *ctx,
869	X509_STORE_CTX_get_issuer_fn get_issuer)
870	{
871	ctx->get_issuer = get_issuer;
872	}
873
874	X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx)
875	{
876	return ctx->get_issuer;
877	}
878
879	void X509_STORE_set_check_issued(X509_STORE *ctx,
880	X509_STORE_CTX_check_issued_fn check_issued)
881	{
882	ctx->check_issued = check_issued;
883	}
884
885	X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx)
886	{
887	return ctx->check_issued;
888	}
889
890	void X509_STORE_set_check_revocation(X509_STORE *ctx,
891	X509_STORE_CTX_check_revocation_fn check_revocation)
892	{
893	ctx->check_revocation = check_revocation;
894	}
895
896	X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *ctx)
897	{
898	return ctx->check_revocation;
899	}
900
901	void X509_STORE_set_get_crl(X509_STORE *ctx,
902	X509_STORE_CTX_get_crl_fn get_crl)
903	{
904	ctx->get_crl = get_crl;
905	}
906
907	X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx)
908	{
909	return ctx->get_crl;
910	}
911
912	void X509_STORE_set_check_crl(X509_STORE *ctx,
913	X509_STORE_CTX_check_crl_fn check_crl)
914	{
915	ctx->check_crl = check_crl;
916	}
917
918	X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx)
919	{
920	return ctx->check_crl;
921	}
922
923	void X509_STORE_set_cert_crl(X509_STORE *ctx,
924	X509_STORE_CTX_cert_crl_fn cert_crl)
925	{
926	ctx->cert_crl = cert_crl;
927	}
928
929	X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx)
930	{
931	return ctx->cert_crl;
932	}
933
934	void X509_STORE_set_check_policy(X509_STORE *ctx,
935	X509_STORE_CTX_check_policy_fn check_policy)
936	{
937	ctx->check_policy = check_policy;
938	}
939
940	X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx)
941	{
942	return ctx->check_policy;
943	}
944
945	void X509_STORE_set_lookup_certs(X509_STORE *ctx,
946	X509_STORE_CTX_lookup_certs_fn lookup_certs)
947	{
948	ctx->lookup_certs = lookup_certs;
949	}
950
951	X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx)
952	{
953	return ctx->lookup_certs;
954	}
955
956	void X509_STORE_set_lookup_crls(X509_STORE *ctx,
957	X509_STORE_CTX_lookup_crls_fn lookup_crls)
958	{
959	ctx->lookup_crls = lookup_crls;
960	}
961
962	X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx)
963	{
964	return ctx->lookup_crls;
965	}
966
967	void X509_STORE_set_cleanup(X509_STORE *ctx,
968	X509_STORE_CTX_cleanup_fn ctx_cleanup)
969	{
970	ctx->cleanup = ctx_cleanup;
971	}
972
973	X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx)
974	{
975	return ctx->cleanup;
976	}
977
978	int X509_STORE_set_ex_data(X509_STORE ctx, int idx, void data)
979	{
980	return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
981	}
982
983	void X509_STORE_get_ex_data(const X509_STORE ctx, int idx)
984	{
985	return CRYPTO_get_ex_data(&ctx->ex_data, idx);
986	}
987
988	X509_STORE X509_STORE_CTX_get0_store(const X509_STORE_CTX ctx)
989	{
990	return ctx->store;
991	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-3.1.7/crypto/x509/x509_lu.c@ 105945

以其他格式下載: