1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include "internal/refcount.h" 13 #include <openssl/x509.h> 14 #include "internal/x509_int.h" 15 #include <openssl/x509v3.h> 16 #include "x509_lcl.h" 17 18 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 19 { 20 X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(*ret)); 21 22 if (ret == NULL) { 23 X509err(X509_F_X509_LOOKUP_NEW, ERR_R_MALLOC_FAILURE); 24 return NULL; 25 } 26 27 ret->method = method; 28 if (method->new_item != NULL && method->new_item(ret) == 0) { 29 OPENSSL_free(ret); 30 return NULL; 31 } 32 return ret; 33 } 34 35 void X509_LOOKUP_free(X509_LOOKUP *ctx) 36 { 37 if (ctx == NULL) 38 return; 39 if ((ctx->method != NULL) && (ctx->method->free != NULL)) 40 (*ctx->method->free) (ctx); 41 OPENSSL_free(ctx); 42 } 43 44 int X509_STORE_lock(X509_STORE *s) 45 { 46 return CRYPTO_THREAD_write_lock(s->lock); 47 } 48 49 int X509_STORE_unlock(X509_STORE *s) 50 { 51 return CRYPTO_THREAD_unlock(s->lock); 52 } 53 54 int X509_LOOKUP_init(X509_LOOKUP *ctx) 55 { 56 if (ctx->method == NULL) 57 return 0; 58 if (ctx->method->init != NULL) 59 return ctx->method->init(ctx); 60 else 61 return 1; 62 } 63 64 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) 65 { 66 if (ctx->method == NULL) 67 return 0; 68 if (ctx->method->shutdown != NULL) 69 return ctx->method->shutdown(ctx); 70 else 71 return 1; 72 } 73 74 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 75 char **ret) 76 { 77 if (ctx->method == NULL) 78 return -1; 79 if (ctx->method->ctrl != NULL) 80 return ctx->method->ctrl(ctx, cmd, argc, argl, ret); 81 else 82 return 1; 83 } 84 85 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 86 X509_NAME *name, X509_OBJECT *ret) 87 { 88 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) 89 return 0; 90 if (ctx->skip) 91 return 0; 92 return ctx->method->get_by_subject(ctx, type, name, ret); 93 } 94 95 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 96 X509_NAME *name, ASN1_INTEGER *serial, 97 X509_OBJECT *ret) 98 { 99 if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) 100 return 0; 101 return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret); 102 } 103 104 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 105 const unsigned char *bytes, int len, 106 X509_OBJECT *ret) 107 { 108 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) 109 return 0; 110 return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret); 111 } 112 113 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 114 const char *str, int len, X509_OBJECT *ret) 115 { 116 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) 117 return 0; 118 return ctx->method->get_by_alias(ctx, type, str, len, ret); 119 } 120 121 int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data) 122 { 123 ctx->method_data = data; 124 return 1; 125 } 126 127 void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx) 128 { 129 return ctx->method_data; 130 } 131 132 X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx) 133 { 134 return ctx->store_ctx; 135 } 136 137 138 static int x509_object_cmp(const X509_OBJECT *const *a, 139 const X509_OBJECT *const *b) 140 { 141 int ret; 142 143 ret = ((*a)->type - (*b)->type); 144 if (ret) 145 return ret; 146 switch ((*a)->type) { 147 case X509_LU_X509: 148 ret = X509_subject_name_cmp((*a)->data.x509, (*b)->data.x509); 149 break; 150 case X509_LU_CRL: 151 ret = X509_CRL_cmp((*a)->data.crl, (*b)->data.crl); 152 break; 153 case X509_LU_NONE: 154 /* abort(); */ 155 return 0; 156 } 157 return ret; 158 } 159 160 X509_STORE *X509_STORE_new(void) 161 { 162 X509_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); 163 164 if (ret == NULL) { 165 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 166 return NULL; 167 } 168 if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL) { 169 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 170 goto err; 171 } 172 ret->cache = 1; 173 if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL) { 174 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 175 goto err; 176 } 177 178 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) { 179 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 180 goto err; 181 } 182 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { 183 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 184 goto err; 185 } 186 187 ret->lock = CRYPTO_THREAD_lock_new(); 188 if (ret->lock == NULL) { 189 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 190 goto err; 191 } 192 193 ret->references = 1; 194 return ret; 195 196 err: 197 X509_VERIFY_PARAM_free(ret->param); 198 sk_X509_OBJECT_free(ret->objs); 199 sk_X509_LOOKUP_free(ret->get_cert_methods); 200 OPENSSL_free(ret); 201 return NULL; 202 } 203 204 void X509_STORE_free(X509_STORE *vfy) 205 { 206 int i; 207 STACK_OF(X509_LOOKUP) *sk; 208 X509_LOOKUP *lu; 209 210 if (vfy == NULL) 211 return; 212 CRYPTO_DOWN_REF(&vfy->references, &i, vfy->lock); 213 REF_PRINT_COUNT("X509_STORE", vfy); 214 if (i > 0) 215 return; 216 REF_ASSERT_ISNT(i < 0); 217 218 sk = vfy->get_cert_methods; 219 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { 220 lu = sk_X509_LOOKUP_value(sk, i); 221 X509_LOOKUP_shutdown(lu); 222 X509_LOOKUP_free(lu); 223 } 224 sk_X509_LOOKUP_free(sk); 225 sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free); 226 227 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); 228 X509_VERIFY_PARAM_free(vfy->param); 229 CRYPTO_THREAD_lock_free(vfy->lock); 230 OPENSSL_free(vfy); 231 } 232 233 int X509_STORE_up_ref(X509_STORE *vfy) 234 { 235 int i; 236 237 if (CRYPTO_UP_REF(&vfy->references, &i, vfy->lock) <= 0) 238 return 0; 239 240 REF_PRINT_COUNT("X509_STORE", a); 241 REF_ASSERT_ISNT(i < 2); 242 return ((i > 1) ? 1 : 0); 243 } 244 245 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) 246 { 247 int i; 248 STACK_OF(X509_LOOKUP) *sk; 249 X509_LOOKUP *lu; 250 251 sk = v->get_cert_methods; 252 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { 253 lu = sk_X509_LOOKUP_value(sk, i); 254 if (m == lu->method) { 255 return lu; 256 } 257 } 258 /* a new one */ 259 lu = X509_LOOKUP_new(m); 260 if (lu == NULL) { 261 X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE); 262 return NULL; 263 } 264 265 lu->store_ctx = v; 266 if (sk_X509_LOOKUP_push(v->get_cert_methods, lu)) 267 return lu; 268 /* malloc failed */ 269 X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE); 270 X509_LOOKUP_free(lu); 271 return NULL; 272 } 273 274 X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, 275 X509_LOOKUP_TYPE type, 276 X509_NAME *name) 277 { 278 X509_OBJECT *ret = X509_OBJECT_new(); 279 280 if (ret == NULL) 281 return NULL; 282 if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) { 283 X509_OBJECT_free(ret); 284 return NULL; 285 } 286 return ret; 287 } 288 289 int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, 290 X509_NAME *name, X509_OBJECT *ret) 291 { 292 X509_STORE *store = vs->ctx; 293 X509_LOOKUP *lu; 294 X509_OBJECT stmp, *tmp; 295 int i, j; 296 297 if (store == NULL) 298 return 0; 299 300 stmp.type = X509_LU_NONE; 301 stmp.data.ptr = NULL; 302 303 304 X509_STORE_lock(store); 305 tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name); 306 X509_STORE_unlock(store); 307 308 if (tmp == NULL || type == X509_LU_CRL) { 309 for (i = 0; i < sk_X509_LOOKUP_num(store->get_cert_methods); i++) { 310 lu = sk_X509_LOOKUP_value(store->get_cert_methods, i); 311 j = X509_LOOKUP_by_subject(lu, type, name, &stmp); 312 if (j) { 313 tmp = &stmp; 314 break; 315 } 316 } 317 if (tmp == NULL) 318 return 0; 319 } 320 321 if (!X509_OBJECT_up_ref_count(tmp)) 322 return 0; 323 324 ret->type = tmp->type; 325 ret->data.ptr = tmp->data.ptr; 326 327 return 1; 328 } 329 330 static int x509_store_add(X509_STORE *store, void *x, int crl) { 331 X509_OBJECT *obj; 332 int ret = 0, added = 0; 333 334 if (x == NULL) 335 return 0; 336 obj = X509_OBJECT_new(); 337 if (obj == NULL) 338 return 0; 339 340 if (crl) { 341 obj->type = X509_LU_CRL; 342 obj->data.crl = (X509_CRL *)x; 343 } else { 344 obj->type = X509_LU_X509; 345 obj->data.x509 = (X509 *)x; 346 } 347 if (!X509_OBJECT_up_ref_count(obj)) { 348 obj->type = X509_LU_NONE; 349 X509_OBJECT_free(obj); 350 return 0; 351 } 352 353 X509_STORE_lock(store); 354 if (X509_OBJECT_retrieve_match(store->objs, obj)) { 355 ret = 1; 356 } else { 357 added = sk_X509_OBJECT_push(store->objs, obj); 358 ret = added != 0; 359 } 360 X509_STORE_unlock(store); 361 362 if (added == 0) /* obj not pushed */ 363 X509_OBJECT_free(obj); 364 365 return ret; 366 } 367 368 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) 369 { 370 if (!x509_store_add(ctx, x, 0)) { 371 X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); 372 return 0; 373 } 374 return 1; 375 } 376 377 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) 378 { 379 if (!x509_store_add(ctx, x, 1)) { 380 X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); 381 return 0; 382 } 383 return 1; 384 } 385 386 int X509_OBJECT_up_ref_count(X509_OBJECT *a) 387 { 388 switch (a->type) { 389 case X509_LU_NONE: 390 break; 391 case X509_LU_X509: 392 return X509_up_ref(a->data.x509); 393 case X509_LU_CRL: 394 return X509_CRL_up_ref(a->data.crl); 395 } 396 return 1; 397 } 398 399 X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) 400 { 401 if (a == NULL || a->type != X509_LU_X509) 402 return NULL; 403 return a->data.x509; 404 } 405 406 X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a) 407 { 408 if (a == NULL || a->type != X509_LU_CRL) 409 return NULL; 410 return a->data.crl; 411 } 412 413 X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a) 414 { 415 return a->type; 416 } 417 418 X509_OBJECT *X509_OBJECT_new(void) 419 { 420 X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret)); 421 422 if (ret == NULL) { 423 X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE); 424 return NULL; 425 } 426 ret->type = X509_LU_NONE; 427 return ret; 428 } 429 430 static void x509_object_free_internal(X509_OBJECT *a) 431 { 432 if (a == NULL) 433 return; 434 switch (a->type) { 435 case X509_LU_NONE: 436 break; 437 case X509_LU_X509: 438 X509_free(a->data.x509); 439 break; 440 case X509_LU_CRL: 441 X509_CRL_free(a->data.crl); 442 break; 443 } 444 } 445 446 int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj) 447 { 448 if (a == NULL || !X509_up_ref(obj)) 449 return 0; 450 451 x509_object_free_internal(a); 452 a->type = X509_LU_X509; 453 a->data.x509 = obj; 454 return 1; 455 } 456 457 int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj) 458 { 459 if (a == NULL || !X509_CRL_up_ref(obj)) 460 return 0; 461 462 x509_object_free_internal(a); 463 a->type = X509_LU_CRL; 464 a->data.crl = obj; 465 return 1; 466 } 467 468 void X509_OBJECT_free(X509_OBJECT *a) 469 { 470 x509_object_free_internal(a); 471 OPENSSL_free(a); 472 } 473 474 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, 475 X509_NAME *name, int *pnmatch) 476 { 477 X509_OBJECT stmp; 478 X509 x509_s; 479 X509_CRL crl_s; 480 int idx; 481 482 stmp.type = type; 483 switch (type) { 484 case X509_LU_X509: 485 stmp.data.x509 = &x509_s; 486 x509_s.cert_info.subject = name; 487 break; 488 case X509_LU_CRL: 489 stmp.data.crl = &crl_s; 490 crl_s.crl.issuer = name; 491 break; 492 case X509_LU_NONE: 493 /* abort(); */ 494 return -1; 495 } 496 497 idx = sk_X509_OBJECT_find(h, &stmp); 498 if (idx >= 0 && pnmatch) { 499 int tidx; 500 const X509_OBJECT *tobj, *pstmp; 501 *pnmatch = 1; 502 pstmp = &stmp; 503 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { 504 tobj = sk_X509_OBJECT_value(h, tidx); 505 if (x509_object_cmp(&tobj, &pstmp)) 506 break; 507 (*pnmatch)++; 508 } 509 } 510 return idx; 511 } 512 513 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, 514 X509_NAME *name) 515 { 516 return x509_object_idx_cnt(h, type, name, NULL); 517 } 518 519 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, 520 X509_LOOKUP_TYPE type, 521 X509_NAME *name) 522 { 523 int idx; 524 idx = X509_OBJECT_idx_by_subject(h, type, name); 525 if (idx == -1) 526 return NULL; 527 return sk_X509_OBJECT_value(h, idx); 528 } 529 530 STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v) 531 { 532 return v->objs; 533 } 534 535 STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) 536 { 537 int i, idx, cnt; 538 STACK_OF(X509) *sk = NULL; 539 X509 *x; 540 X509_OBJECT *obj; 541 X509_STORE *store = ctx->ctx; 542 543 if (store == NULL) 544 return NULL; 545 546 X509_STORE_lock(store); 547 idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); 548 if (idx < 0) { 549 /* 550 * Nothing found in cache: do lookup to possibly add new objects to 551 * cache 552 */ 553 X509_OBJECT *xobj = X509_OBJECT_new(); 554 555 X509_STORE_unlock(store); 556 557 if (xobj == NULL) 558 return NULL; 559 if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) { 560 X509_OBJECT_free(xobj); 561 return NULL; 562 } 563 X509_OBJECT_free(xobj); 564 X509_STORE_lock(store); 565 idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, &cnt); 566 if (idx < 0) { 567 X509_STORE_unlock(store); 568 return NULL; 569 } 570 } 571 572 sk = sk_X509_new_null(); 573 for (i = 0; i < cnt; i++, idx++) { 574 obj = sk_X509_OBJECT_value(store->objs, idx); 575 x = obj->data.x509; 576 if (!X509_up_ref(x)) { 577 X509_STORE_unlock(store); 578 sk_X509_pop_free(sk, X509_free); 579 return NULL; 580 } 581 if (!sk_X509_push(sk, x)) { 582 X509_STORE_unlock(store); 583 X509_free(x); 584 sk_X509_pop_free(sk, X509_free); 585 return NULL; 586 } 587 } 588 X509_STORE_unlock(store); 589 return sk; 590 } 591 592 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) 593 { 594 int i, idx, cnt; 595 STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); 596 X509_CRL *x; 597 X509_OBJECT *obj, *xobj = X509_OBJECT_new(); 598 X509_STORE *store = ctx->ctx; 599 600 /* Always do lookup to possibly add new CRLs to cache */ 601 if (sk == NULL 602 || xobj == NULL 603 || store == NULL 604 || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { 605 X509_OBJECT_free(xobj); 606 sk_X509_CRL_free(sk); 607 return NULL; 608 } 609 X509_OBJECT_free(xobj); 610 X509_STORE_lock(store); 611 idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, &cnt); 612 if (idx < 0) { 613 X509_STORE_unlock(store); 614 sk_X509_CRL_free(sk); 615 return NULL; 616 } 617 618 for (i = 0; i < cnt; i++, idx++) { 619 obj = sk_X509_OBJECT_value(store->objs, idx); 620 x = obj->data.crl; 621 if (!X509_CRL_up_ref(x)) { 622 X509_STORE_unlock(store); 623 sk_X509_CRL_pop_free(sk, X509_CRL_free); 624 return NULL; 625 } 626 if (!sk_X509_CRL_push(sk, x)) { 627 X509_STORE_unlock(store); 628 X509_CRL_free(x); 629 sk_X509_CRL_pop_free(sk, X509_CRL_free); 630 return NULL; 631 } 632 } 633 X509_STORE_unlock(store); 634 return sk; 635 } 636 637 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, 638 X509_OBJECT *x) 639 { 640 int idx, i, num; 641 X509_OBJECT *obj; 642 643 idx = sk_X509_OBJECT_find(h, x); 644 if (idx < 0) 645 return NULL; 646 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) 647 return sk_X509_OBJECT_value(h, idx); 648 for (i = idx, num = sk_X509_OBJECT_num(h); i < num; i++) { 649 obj = sk_X509_OBJECT_value(h, i); 650 if (x509_object_cmp((const X509_OBJECT **)&obj, 651 (const X509_OBJECT **)&x)) 652 return NULL; 653 if (x->type == X509_LU_X509) { 654 if (!X509_cmp(obj->data.x509, x->data.x509)) 655 return obj; 656 } else if (x->type == X509_LU_CRL) { 657 if (!X509_CRL_match(obj->data.crl, x->data.crl)) 658 return obj; 659 } else 660 return obj; 661 } 662 return NULL; 663 } 664 665 /*- 666 * Try to get issuer certificate from store. Due to limitations 667 * of the API this can only retrieve a single certificate matching 668 * a given subject name. However it will fill the cache with all 669 * matching certificates, so we can examine the cache for all 670 * matches. 671 * 672 * Return values are: 673 * 1 lookup successful. 674 * 0 certificate not found. 675 * -1 some other error. 676 */ 677 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 678 { 679 X509_NAME *xn; 680 X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL; 681 X509_STORE *store = ctx->ctx; 682 int i, ok, idx, ret; 683 684 if (obj == NULL) 685 return -1; 686 *issuer = NULL; 687 xn = X509_get_issuer_name(x); 688 ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj); 689 if (ok != 1) { 690 X509_OBJECT_free(obj); 691 return 0; 692 } 693 /* If certificate matches all OK */ 694 if (ctx->check_issued(ctx, x, obj->data.x509)) { 695 if (x509_check_cert_time(ctx, obj->data.x509, -1)) { 696 *issuer = obj->data.x509; 697 if (!X509_up_ref(*issuer)) { 698 *issuer = NULL; 699 ok = -1; 700 } 701 X509_OBJECT_free(obj); 702 return ok; 703 } 704 } 705 X509_OBJECT_free(obj); 706 707 if (store == NULL) 708 return 0; 709 710 /* Else find index of first cert accepted by 'check_issued' */ 711 ret = 0; 712 X509_STORE_lock(store); 713 idx = X509_OBJECT_idx_by_subject(store->objs, X509_LU_X509, xn); 714 if (idx != -1) { /* should be true as we've had at least one 715 * match */ 716 /* Look through all matching certs for suitable issuer */ 717 for (i = idx; i < sk_X509_OBJECT_num(store->objs); i++) { 718 pobj = sk_X509_OBJECT_value(store->objs, i); 719 /* See if we've run past the matches */ 720 if (pobj->type != X509_LU_X509) 721 break; 722 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) 723 break; 724 if (ctx->check_issued(ctx, x, pobj->data.x509)) { 725 *issuer = pobj->data.x509; 726 ret = 1; 727 /* 728 * If times check, exit with match, 729 * otherwise keep looking. Leave last 730 * match in issuer so we return nearest 731 * match if no certificate time is OK. 732 */ 733 734 if (x509_check_cert_time(ctx, *issuer, -1)) 735 break; 736 } 737 } 738 } 739 if (*issuer && !X509_up_ref(*issuer)) { 740 *issuer = NULL; 741 ret = -1; 742 } 743 X509_STORE_unlock(store); 744 return ret; 745 } 746 747 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) 748 { 749 return X509_VERIFY_PARAM_set_flags(ctx->param, flags); 750 } 751 752 int X509_STORE_set_depth(X509_STORE *ctx, int depth) 753 { 754 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 755 return 1; 756 } 757 758 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) 759 { 760 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); 761 } 762 763 int X509_STORE_set_trust(X509_STORE *ctx, int trust) 764 { 765 return X509_VERIFY_PARAM_set_trust(ctx->param, trust); 766 } 767 768 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) 769 { 770 return X509_VERIFY_PARAM_set1(ctx->param, param); 771 } 772 773 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) 774 { 775 return ctx->param; 776 } 777 778 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) 779 { 780 ctx->verify = verify; 781 } 782 783 X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) 784 { 785 return ctx->verify; 786 } 787 788 void X509_STORE_set_verify_cb(X509_STORE *ctx, 789 X509_STORE_CTX_verify_cb verify_cb) 790 { 791 ctx->verify_cb = verify_cb; 792 } 793 794 X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) 795 { 796 return ctx->verify_cb; 797 } 798 799 void X509_STORE_set_get_issuer(X509_STORE *ctx, 800 X509_STORE_CTX_get_issuer_fn get_issuer) 801 { 802 ctx->get_issuer = get_issuer; 803 } 804 805 X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) 806 { 807 return ctx->get_issuer; 808 } 809 810 void X509_STORE_set_check_issued(X509_STORE *ctx, 811 X509_STORE_CTX_check_issued_fn check_issued) 812 { 813 ctx->check_issued = check_issued; 814 } 815 816 X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) 817 { 818 return ctx->check_issued; 819 } 820 821 void X509_STORE_set_check_revocation(X509_STORE *ctx, 822 X509_STORE_CTX_check_revocation_fn check_revocation) 823 { 824 ctx->check_revocation = check_revocation; 825 } 826 827 X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx) 828 { 829 return ctx->check_revocation; 830 } 831 832 void X509_STORE_set_get_crl(X509_STORE *ctx, 833 X509_STORE_CTX_get_crl_fn get_crl) 834 { 835 ctx->get_crl = get_crl; 836 } 837 838 X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) 839 { 840 return ctx->get_crl; 841 } 842 843 void X509_STORE_set_check_crl(X509_STORE *ctx, 844 X509_STORE_CTX_check_crl_fn check_crl) 845 { 846 ctx->check_crl = check_crl; 847 } 848 849 X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx) 850 { 851 return ctx->check_crl; 852 } 853 854 void X509_STORE_set_cert_crl(X509_STORE *ctx, 855 X509_STORE_CTX_cert_crl_fn cert_crl) 856 { 857 ctx->cert_crl = cert_crl; 858 } 859 860 X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) 861 { 862 return ctx->cert_crl; 863 } 864 865 void X509_STORE_set_check_policy(X509_STORE *ctx, 866 X509_STORE_CTX_check_policy_fn check_policy) 867 { 868 ctx->check_policy = check_policy; 869 } 870 871 X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx) 872 { 873 return ctx->check_policy; 874 } 875 876 void X509_STORE_set_lookup_certs(X509_STORE *ctx, 877 X509_STORE_CTX_lookup_certs_fn lookup_certs) 878 { 879 ctx->lookup_certs = lookup_certs; 880 } 881 882 X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) 883 { 884 return ctx->lookup_certs; 885 } 886 887 void X509_STORE_set_lookup_crls(X509_STORE *ctx, 888 X509_STORE_CTX_lookup_crls_fn lookup_crls) 889 { 890 ctx->lookup_crls = lookup_crls; 891 } 892 893 X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) 894 { 895 return ctx->lookup_crls; 896 } 897 898 void X509_STORE_set_cleanup(X509_STORE *ctx, 899 X509_STORE_CTX_cleanup_fn ctx_cleanup) 900 { 901 ctx->cleanup = ctx_cleanup; 902 } 903 904 X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) 905 { 906 return ctx->cleanup; 907 } 908 909 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data) 910 { 911 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 912 } 913 914 void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx) 915 { 916 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 917 } 918 919 X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) 920 { 921 return ctx->ctx; 922 } 923