1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include "internal/refcount.h" 13 #include <openssl/x509.h> 14 #include "internal/x509_int.h" 15 #include <openssl/x509v3.h> 16 #include "x509_lcl.h" 17 18 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) 19 { 20 X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(*ret)); 21 22 if (ret == NULL) { 23 X509err(X509_F_X509_LOOKUP_NEW, ERR_R_MALLOC_FAILURE); 24 return NULL; 25 } 26 27 ret->method = method; 28 if (method->new_item != NULL && method->new_item(ret) == 0) { 29 OPENSSL_free(ret); 30 return NULL; 31 } 32 return ret; 33 } 34 35 void X509_LOOKUP_free(X509_LOOKUP *ctx) 36 { 37 if (ctx == NULL) 38 return; 39 if ((ctx->method != NULL) && (ctx->method->free != NULL)) 40 (*ctx->method->free) (ctx); 41 OPENSSL_free(ctx); 42 } 43 44 int X509_STORE_lock(X509_STORE *s) 45 { 46 return CRYPTO_THREAD_write_lock(s->lock); 47 } 48 49 int X509_STORE_unlock(X509_STORE *s) 50 { 51 return CRYPTO_THREAD_unlock(s->lock); 52 } 53 54 int X509_LOOKUP_init(X509_LOOKUP *ctx) 55 { 56 if (ctx->method == NULL) 57 return 0; 58 if (ctx->method->init != NULL) 59 return ctx->method->init(ctx); 60 else 61 return 1; 62 } 63 64 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) 65 { 66 if (ctx->method == NULL) 67 return 0; 68 if (ctx->method->shutdown != NULL) 69 return ctx->method->shutdown(ctx); 70 else 71 return 1; 72 } 73 74 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, 75 char **ret) 76 { 77 if (ctx->method == NULL) 78 return -1; 79 if (ctx->method->ctrl != NULL) 80 return ctx->method->ctrl(ctx, cmd, argc, argl, ret); 81 else 82 return 1; 83 } 84 85 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 86 X509_NAME *name, X509_OBJECT *ret) 87 { 88 if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) 89 return 0; 90 if (ctx->skip) 91 return 0; 92 return ctx->method->get_by_subject(ctx, type, name, ret); 93 } 94 95 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 96 X509_NAME *name, ASN1_INTEGER *serial, 97 X509_OBJECT *ret) 98 { 99 if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL)) 100 return 0; 101 return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret); 102 } 103 104 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 105 const unsigned char *bytes, int len, 106 X509_OBJECT *ret) 107 { 108 if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) 109 return 0; 110 return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret); 111 } 112 113 int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, 114 const char *str, int len, X509_OBJECT *ret) 115 { 116 if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) 117 return 0; 118 return ctx->method->get_by_alias(ctx, type, str, len, ret); 119 } 120 121 int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data) 122 { 123 ctx->method_data = data; 124 return 1; 125 } 126 127 void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx) 128 { 129 return ctx->method_data; 130 } 131 132 X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx) 133 { 134 return ctx->store_ctx; 135 } 136 137 138 static int x509_object_cmp(const X509_OBJECT *const *a, 139 const X509_OBJECT *const *b) 140 { 141 int ret; 142 143 ret = ((*a)->type - (*b)->type); 144 if (ret) 145 return ret; 146 switch ((*a)->type) { 147 case X509_LU_X509: 148 ret = X509_subject_name_cmp((*a)->data.x509, (*b)->data.x509); 149 break; 150 case X509_LU_CRL: 151 ret = X509_CRL_cmp((*a)->data.crl, (*b)->data.crl); 152 break; 153 case X509_LU_NONE: 154 /* abort(); */ 155 return 0; 156 } 157 return ret; 158 } 159 160 X509_STORE *X509_STORE_new(void) 161 { 162 X509_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); 163 164 if (ret == NULL) { 165 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 166 return NULL; 167 } 168 if ((ret->objs = sk_X509_OBJECT_new(x509_object_cmp)) == NULL) { 169 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 170 goto err; 171 } 172 ret->cache = 1; 173 if ((ret->get_cert_methods = sk_X509_LOOKUP_new_null()) == NULL) { 174 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 175 goto err; 176 } 177 178 if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) { 179 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 180 goto err; 181 } 182 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { 183 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 184 goto err; 185 } 186 187 ret->lock = CRYPTO_THREAD_lock_new(); 188 if (ret->lock == NULL) { 189 X509err(X509_F_X509_STORE_NEW, ERR_R_MALLOC_FAILURE); 190 goto err; 191 } 192 193 ret->references = 1; 194 return ret; 195 196 err: 197 X509_VERIFY_PARAM_free(ret->param); 198 sk_X509_OBJECT_free(ret->objs); 199 sk_X509_LOOKUP_free(ret->get_cert_methods); 200 OPENSSL_free(ret); 201 return NULL; 202 } 203 204 void X509_STORE_free(X509_STORE *vfy) 205 { 206 int i; 207 STACK_OF(X509_LOOKUP) *sk; 208 X509_LOOKUP *lu; 209 210 if (vfy == NULL) 211 return; 212 CRYPTO_DOWN_REF(&vfy->references, &i, vfy->lock); 213 REF_PRINT_COUNT("X509_STORE", vfy); 214 if (i > 0) 215 return; 216 REF_ASSERT_ISNT(i < 0); 217 218 sk = vfy->get_cert_methods; 219 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { 220 lu = sk_X509_LOOKUP_value(sk, i); 221 X509_LOOKUP_shutdown(lu); 222 X509_LOOKUP_free(lu); 223 } 224 sk_X509_LOOKUP_free(sk); 225 sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free); 226 227 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); 228 X509_VERIFY_PARAM_free(vfy->param); 229 CRYPTO_THREAD_lock_free(vfy->lock); 230 OPENSSL_free(vfy); 231 } 232 233 int X509_STORE_up_ref(X509_STORE *vfy) 234 { 235 int i; 236 237 if (CRYPTO_UP_REF(&vfy->references, &i, vfy->lock) <= 0) 238 return 0; 239 240 REF_PRINT_COUNT("X509_STORE", a); 241 REF_ASSERT_ISNT(i < 2); 242 return ((i > 1) ? 1 : 0); 243 } 244 245 X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) 246 { 247 int i; 248 STACK_OF(X509_LOOKUP) *sk; 249 X509_LOOKUP *lu; 250 251 sk = v->get_cert_methods; 252 for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { 253 lu = sk_X509_LOOKUP_value(sk, i); 254 if (m == lu->method) { 255 return lu; 256 } 257 } 258 /* a new one */ 259 lu = X509_LOOKUP_new(m); 260 if (lu == NULL) { 261 X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE); 262 return NULL; 263 } 264 265 lu->store_ctx = v; 266 if (sk_X509_LOOKUP_push(v->get_cert_methods, lu)) 267 return lu; 268 /* malloc failed */ 269 X509err(X509_F_X509_STORE_ADD_LOOKUP, ERR_R_MALLOC_FAILURE); 270 X509_LOOKUP_free(lu); 271 return NULL; 272 } 273 274 X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, 275 X509_LOOKUP_TYPE type, 276 X509_NAME *name) 277 { 278 X509_OBJECT *ret = X509_OBJECT_new(); 279 280 if (ret == NULL) 281 return NULL; 282 if (!X509_STORE_CTX_get_by_subject(vs, type, name, ret)) { 283 X509_OBJECT_free(ret); 284 return NULL; 285 } 286 return ret; 287 } 288 289 int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, 290 X509_NAME *name, X509_OBJECT *ret) 291 { 292 X509_STORE *ctx = vs->ctx; 293 X509_LOOKUP *lu; 294 X509_OBJECT stmp, *tmp; 295 int i, j; 296 297 if (ctx == NULL) 298 return 0; 299 300 CRYPTO_THREAD_write_lock(ctx->lock); 301 tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); 302 CRYPTO_THREAD_unlock(ctx->lock); 303 304 if (tmp == NULL || type == X509_LU_CRL) { 305 for (i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { 306 lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); 307 j = X509_LOOKUP_by_subject(lu, type, name, &stmp); 308 if (j) { 309 tmp = &stmp; 310 break; 311 } 312 } 313 if (tmp == NULL) 314 return 0; 315 } 316 317 ret->type = tmp->type; 318 ret->data.ptr = tmp->data.ptr; 319 320 X509_OBJECT_up_ref_count(ret); 321 322 return 1; 323 } 324 325 static int x509_store_add(X509_STORE *ctx, void *x, int crl) { 326 X509_OBJECT *obj; 327 int ret = 0, added = 0; 328 329 if (x == NULL) 330 return 0; 331 obj = X509_OBJECT_new(); 332 if (obj == NULL) 333 return 0; 334 335 if (crl) { 336 obj->type = X509_LU_CRL; 337 obj->data.crl = (X509_CRL *)x; 338 } else { 339 obj->type = X509_LU_X509; 340 obj->data.x509 = (X509 *)x; 341 } 342 X509_OBJECT_up_ref_count(obj); 343 344 CRYPTO_THREAD_write_lock(ctx->lock); 345 346 if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { 347 ret = 1; 348 } else { 349 added = sk_X509_OBJECT_push(ctx->objs, obj); 350 ret = added != 0; 351 } 352 353 CRYPTO_THREAD_unlock(ctx->lock); 354 355 if (added == 0) /* obj not pushed */ 356 X509_OBJECT_free(obj); 357 358 return ret; 359 } 360 361 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) 362 { 363 if (!x509_store_add(ctx, x, 0)) { 364 X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); 365 return 0; 366 } 367 return 1; 368 } 369 370 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) 371 { 372 if (!x509_store_add(ctx, x, 1)) { 373 X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); 374 return 0; 375 } 376 return 1; 377 } 378 379 int X509_OBJECT_up_ref_count(X509_OBJECT *a) 380 { 381 switch (a->type) { 382 case X509_LU_NONE: 383 break; 384 case X509_LU_X509: 385 return X509_up_ref(a->data.x509); 386 case X509_LU_CRL: 387 return X509_CRL_up_ref(a->data.crl); 388 } 389 return 1; 390 } 391 392 X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) 393 { 394 if (a == NULL || a->type != X509_LU_X509) 395 return NULL; 396 return a->data.x509; 397 } 398 399 X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a) 400 { 401 if (a == NULL || a->type != X509_LU_CRL) 402 return NULL; 403 return a->data.crl; 404 } 405 406 X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a) 407 { 408 return a->type; 409 } 410 411 X509_OBJECT *X509_OBJECT_new(void) 412 { 413 X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret)); 414 415 if (ret == NULL) { 416 X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE); 417 return NULL; 418 } 419 ret->type = X509_LU_NONE; 420 return ret; 421 } 422 423 static void x509_object_free_internal(X509_OBJECT *a) 424 { 425 if (a == NULL) 426 return; 427 switch (a->type) { 428 case X509_LU_NONE: 429 break; 430 case X509_LU_X509: 431 X509_free(a->data.x509); 432 break; 433 case X509_LU_CRL: 434 X509_CRL_free(a->data.crl); 435 break; 436 } 437 } 438 439 int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj) 440 { 441 if (a == NULL || !X509_up_ref(obj)) 442 return 0; 443 444 x509_object_free_internal(a); 445 a->type = X509_LU_X509; 446 a->data.x509 = obj; 447 return 1; 448 } 449 450 int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj) 451 { 452 if (a == NULL || !X509_CRL_up_ref(obj)) 453 return 0; 454 455 x509_object_free_internal(a); 456 a->type = X509_LU_CRL; 457 a->data.crl = obj; 458 return 1; 459 } 460 461 void X509_OBJECT_free(X509_OBJECT *a) 462 { 463 x509_object_free_internal(a); 464 OPENSSL_free(a); 465 } 466 467 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, 468 X509_NAME *name, int *pnmatch) 469 { 470 X509_OBJECT stmp; 471 X509 x509_s; 472 X509_CRL crl_s; 473 int idx; 474 475 stmp.type = type; 476 switch (type) { 477 case X509_LU_X509: 478 stmp.data.x509 = &x509_s; 479 x509_s.cert_info.subject = name; 480 break; 481 case X509_LU_CRL: 482 stmp.data.crl = &crl_s; 483 crl_s.crl.issuer = name; 484 break; 485 case X509_LU_NONE: 486 /* abort(); */ 487 return -1; 488 } 489 490 idx = sk_X509_OBJECT_find(h, &stmp); 491 if (idx >= 0 && pnmatch) { 492 int tidx; 493 const X509_OBJECT *tobj, *pstmp; 494 *pnmatch = 1; 495 pstmp = &stmp; 496 for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { 497 tobj = sk_X509_OBJECT_value(h, tidx); 498 if (x509_object_cmp(&tobj, &pstmp)) 499 break; 500 (*pnmatch)++; 501 } 502 } 503 return idx; 504 } 505 506 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, 507 X509_NAME *name) 508 { 509 return x509_object_idx_cnt(h, type, name, NULL); 510 } 511 512 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, 513 X509_LOOKUP_TYPE type, 514 X509_NAME *name) 515 { 516 int idx; 517 idx = X509_OBJECT_idx_by_subject(h, type, name); 518 if (idx == -1) 519 return NULL; 520 return sk_X509_OBJECT_value(h, idx); 521 } 522 523 STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v) 524 { 525 return v->objs; 526 } 527 528 STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) 529 { 530 int i, idx, cnt; 531 STACK_OF(X509) *sk = NULL; 532 X509 *x; 533 X509_OBJECT *obj; 534 535 if (ctx->ctx == NULL) 536 return NULL; 537 538 CRYPTO_THREAD_write_lock(ctx->ctx->lock); 539 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); 540 if (idx < 0) { 541 /* 542 * Nothing found in cache: do lookup to possibly add new objects to 543 * cache 544 */ 545 X509_OBJECT *xobj = X509_OBJECT_new(); 546 547 CRYPTO_THREAD_unlock(ctx->ctx->lock); 548 if (xobj == NULL) 549 return NULL; 550 if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, xobj)) { 551 X509_OBJECT_free(xobj); 552 return NULL; 553 } 554 X509_OBJECT_free(xobj); 555 CRYPTO_THREAD_write_lock(ctx->ctx->lock); 556 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); 557 if (idx < 0) { 558 CRYPTO_THREAD_unlock(ctx->ctx->lock); 559 return NULL; 560 } 561 } 562 563 sk = sk_X509_new_null(); 564 for (i = 0; i < cnt; i++, idx++) { 565 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 566 x = obj->data.x509; 567 X509_up_ref(x); 568 if (!sk_X509_push(sk, x)) { 569 CRYPTO_THREAD_unlock(ctx->ctx->lock); 570 X509_free(x); 571 sk_X509_pop_free(sk, X509_free); 572 return NULL; 573 } 574 } 575 CRYPTO_THREAD_unlock(ctx->ctx->lock); 576 return sk; 577 } 578 579 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) 580 { 581 int i, idx, cnt; 582 STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); 583 X509_CRL *x; 584 X509_OBJECT *obj, *xobj = X509_OBJECT_new(); 585 586 /* Always do lookup to possibly add new CRLs to cache */ 587 if (sk == NULL 588 || xobj == NULL 589 || ctx->ctx == NULL 590 || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { 591 X509_OBJECT_free(xobj); 592 sk_X509_CRL_free(sk); 593 return NULL; 594 } 595 X509_OBJECT_free(xobj); 596 CRYPTO_THREAD_write_lock(ctx->ctx->lock); 597 idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); 598 if (idx < 0) { 599 CRYPTO_THREAD_unlock(ctx->ctx->lock); 600 sk_X509_CRL_free(sk); 601 return NULL; 602 } 603 604 for (i = 0; i < cnt; i++, idx++) { 605 obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); 606 x = obj->data.crl; 607 X509_CRL_up_ref(x); 608 if (!sk_X509_CRL_push(sk, x)) { 609 CRYPTO_THREAD_unlock(ctx->ctx->lock); 610 X509_CRL_free(x); 611 sk_X509_CRL_pop_free(sk, X509_CRL_free); 612 return NULL; 613 } 614 } 615 CRYPTO_THREAD_unlock(ctx->ctx->lock); 616 return sk; 617 } 618 619 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, 620 X509_OBJECT *x) 621 { 622 int idx, i, num; 623 X509_OBJECT *obj; 624 625 idx = sk_X509_OBJECT_find(h, x); 626 if (idx < 0) 627 return NULL; 628 if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) 629 return sk_X509_OBJECT_value(h, idx); 630 for (i = idx, num = sk_X509_OBJECT_num(h); i < num; i++) { 631 obj = sk_X509_OBJECT_value(h, i); 632 if (x509_object_cmp((const X509_OBJECT **)&obj, 633 (const X509_OBJECT **)&x)) 634 return NULL; 635 if (x->type == X509_LU_X509) { 636 if (!X509_cmp(obj->data.x509, x->data.x509)) 637 return obj; 638 } else if (x->type == X509_LU_CRL) { 639 if (!X509_CRL_match(obj->data.crl, x->data.crl)) 640 return obj; 641 } else 642 return obj; 643 } 644 return NULL; 645 } 646 647 /*- 648 * Try to get issuer certificate from store. Due to limitations 649 * of the API this can only retrieve a single certificate matching 650 * a given subject name. However it will fill the cache with all 651 * matching certificates, so we can examine the cache for all 652 * matches. 653 * 654 * Return values are: 655 * 1 lookup successful. 656 * 0 certificate not found. 657 * -1 some other error. 658 */ 659 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) 660 { 661 X509_NAME *xn; 662 X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL; 663 int i, ok, idx, ret; 664 665 if (obj == NULL) 666 return -1; 667 *issuer = NULL; 668 xn = X509_get_issuer_name(x); 669 ok = X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, obj); 670 if (ok != 1) { 671 X509_OBJECT_free(obj); 672 return 0; 673 } 674 /* If certificate matches all OK */ 675 if (ctx->check_issued(ctx, x, obj->data.x509)) { 676 if (x509_check_cert_time(ctx, obj->data.x509, -1)) { 677 *issuer = obj->data.x509; 678 X509_up_ref(*issuer); 679 X509_OBJECT_free(obj); 680 return 1; 681 } 682 } 683 X509_OBJECT_free(obj); 684 685 if (ctx->ctx == NULL) 686 return 0; 687 688 /* Else find index of first cert accepted by 'check_issued' */ 689 ret = 0; 690 CRYPTO_THREAD_write_lock(ctx->ctx->lock); 691 idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); 692 if (idx != -1) { /* should be true as we've had at least one 693 * match */ 694 /* Look through all matching certs for suitable issuer */ 695 for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) { 696 pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i); 697 /* See if we've run past the matches */ 698 if (pobj->type != X509_LU_X509) 699 break; 700 if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) 701 break; 702 if (ctx->check_issued(ctx, x, pobj->data.x509)) { 703 *issuer = pobj->data.x509; 704 ret = 1; 705 /* 706 * If times check, exit with match, 707 * otherwise keep looking. Leave last 708 * match in issuer so we return nearest 709 * match if no certificate time is OK. 710 */ 711 712 if (x509_check_cert_time(ctx, *issuer, -1)) 713 break; 714 } 715 } 716 } 717 CRYPTO_THREAD_unlock(ctx->ctx->lock); 718 if (*issuer) 719 X509_up_ref(*issuer); 720 return ret; 721 } 722 723 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) 724 { 725 return X509_VERIFY_PARAM_set_flags(ctx->param, flags); 726 } 727 728 int X509_STORE_set_depth(X509_STORE *ctx, int depth) 729 { 730 X509_VERIFY_PARAM_set_depth(ctx->param, depth); 731 return 1; 732 } 733 734 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) 735 { 736 return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); 737 } 738 739 int X509_STORE_set_trust(X509_STORE *ctx, int trust) 740 { 741 return X509_VERIFY_PARAM_set_trust(ctx->param, trust); 742 } 743 744 int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) 745 { 746 return X509_VERIFY_PARAM_set1(ctx->param, param); 747 } 748 749 X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) 750 { 751 return ctx->param; 752 } 753 754 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) 755 { 756 ctx->verify = verify; 757 } 758 759 X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) 760 { 761 return ctx->verify; 762 } 763 764 void X509_STORE_set_verify_cb(X509_STORE *ctx, 765 X509_STORE_CTX_verify_cb verify_cb) 766 { 767 ctx->verify_cb = verify_cb; 768 } 769 770 X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) 771 { 772 return ctx->verify_cb; 773 } 774 775 void X509_STORE_set_get_issuer(X509_STORE *ctx, 776 X509_STORE_CTX_get_issuer_fn get_issuer) 777 { 778 ctx->get_issuer = get_issuer; 779 } 780 781 X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) 782 { 783 return ctx->get_issuer; 784 } 785 786 void X509_STORE_set_check_issued(X509_STORE *ctx, 787 X509_STORE_CTX_check_issued_fn check_issued) 788 { 789 ctx->check_issued = check_issued; 790 } 791 792 X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) 793 { 794 return ctx->check_issued; 795 } 796 797 void X509_STORE_set_check_revocation(X509_STORE *ctx, 798 X509_STORE_CTX_check_revocation_fn check_revocation) 799 { 800 ctx->check_revocation = check_revocation; 801 } 802 803 X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx) 804 { 805 return ctx->check_revocation; 806 } 807 808 void X509_STORE_set_get_crl(X509_STORE *ctx, 809 X509_STORE_CTX_get_crl_fn get_crl) 810 { 811 ctx->get_crl = get_crl; 812 } 813 814 X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) 815 { 816 return ctx->get_crl; 817 } 818 819 void X509_STORE_set_check_crl(X509_STORE *ctx, 820 X509_STORE_CTX_check_crl_fn check_crl) 821 { 822 ctx->check_crl = check_crl; 823 } 824 825 X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx) 826 { 827 return ctx->check_crl; 828 } 829 830 void X509_STORE_set_cert_crl(X509_STORE *ctx, 831 X509_STORE_CTX_cert_crl_fn cert_crl) 832 { 833 ctx->cert_crl = cert_crl; 834 } 835 836 X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) 837 { 838 return ctx->cert_crl; 839 } 840 841 void X509_STORE_set_check_policy(X509_STORE *ctx, 842 X509_STORE_CTX_check_policy_fn check_policy) 843 { 844 ctx->check_policy = check_policy; 845 } 846 847 X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx) 848 { 849 return ctx->check_policy; 850 } 851 852 void X509_STORE_set_lookup_certs(X509_STORE *ctx, 853 X509_STORE_CTX_lookup_certs_fn lookup_certs) 854 { 855 ctx->lookup_certs = lookup_certs; 856 } 857 858 X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) 859 { 860 return ctx->lookup_certs; 861 } 862 863 void X509_STORE_set_lookup_crls(X509_STORE *ctx, 864 X509_STORE_CTX_lookup_crls_fn lookup_crls) 865 { 866 ctx->lookup_crls = lookup_crls; 867 } 868 869 X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) 870 { 871 return ctx->lookup_crls; 872 } 873 874 void X509_STORE_set_cleanup(X509_STORE *ctx, 875 X509_STORE_CTX_cleanup_fn ctx_cleanup) 876 { 877 ctx->cleanup = ctx_cleanup; 878 } 879 880 X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) 881 { 882 return ctx->cleanup; 883 } 884 885 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data) 886 { 887 return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); 888 } 889 890 void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx) 891 { 892 return CRYPTO_get_ex_data(&ctx->ex_data, idx); 893 } 894 895 X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) 896 { 897 return ctx->ctx; 898 } 899