From 4e46a7afa843cea44ee81bf7d40d146029358879 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 31 Jan 2020 15:35:46 +0100 Subject: [PATCH] DOC: Add documentation related to X509_LOOKUPs Most of all, the base X509_LOOKUP functionality is now documented. Furthermore, the names X509_LOOKUP_METHOD and X509_STORE are added for reference. Some functions were moved from X509_LOOKUP_meth_new.pod Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/10986) --- doc/man3/X509_LOOKUP.pod | 191 ++++++++++++++++++++++++++++++ doc/man3/X509_LOOKUP_meth_new.pod | 21 ++-- doc/man3/X509_STORE_add_cert.pod | 15 +++ util/missingcrypto.txt | 10 -- util/missingmacro.txt | 4 - util/other.syms | 8 ++ 6 files changed, 223 insertions(+), 26 deletions(-) create mode 100644 doc/man3/X509_LOOKUP.pod diff --git a/doc/man3/X509_LOOKUP.pod b/doc/man3/X509_LOOKUP.pod new file mode 100644 index 0000000000..f29aceb000 --- /dev/null +++ b/doc/man3/X509_LOOKUP.pod @@ -0,0 +1,191 @@ +=pod + +=head1 NAME + +X509_LOOKUP, X509_LOOKUP_TYPE, +X509_LOOKUP_new, X509_LOOKUP_free, X509_LOOKUP_init, +X509_LOOKUP_shutdown, +X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, +X509_LOOKUP_ctrl, +X509_LOOKUP_load_file, X509_LOOKUP_add_dir, X509_LOOKUP_add_store, +X509_LOOKUP_load_store, +X509_LOOKUP_get_store, X509_LOOKUP_by_subject, +X509_LOOKUP_by_issuer_serial, X509_LOOKUP_by_fingerprint, +X509_LOOKUP_by_alias +- OpenSSL certificate lookup mechanisms + +=head1 SYNOPSIS + + #include + + typedef x509_lookup_st X509_LOOKUP; + + typedef enum X509_LOOKUP_TYPE; + + X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); + int X509_LOOKUP_init(X509_LOOKUP *ctx); + int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); + void X509_LOOKUP_free(X509_LOOKUP *ctx); + + int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); + void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); + + int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); + int X509_LOOKUP_load_file(X509_LOOKUP *ctx, char *name, long type); + int X509_LOOKUP_add_dir(X509_LOOKUP *ctx, char *name, long type); + int X509_LOOKUP_add_store(X509_LOOKUP *ctx, char *uri); + int X509_LOOKUP_load_store(X509_LOOKUP *ctx, char *uri); + + X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); + + int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + X509_NAME *name, X509_OBJECT *ret); + int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + X509_NAME *name, ASN1_INTEGER *serial, + X509_OBJECT *ret); + int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + const unsigned char *bytes, int len, + X509_OBJECT *ret); + int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, + const char *str, int len, X509_OBJECT *ret); + +=head1 DESCRIPTION + +The B structure holds the information needed to look up +certificates and CRLs according to an associated L. +Multiple B instances can be added to an L +to enable lookup in that store. + +X509_LOOKUP_new() creates a new B using the given lookup +I. +It can also be created by calling L, which +will associate a B with the lookup mechanism. + +X509_LOOKUP_init() initializes the internal state and resources as +needed by the given B to do its work. + +X509_LOOKUP_shutdown() tears down the internal state and resources of +the given B. + +X509_LOOKUP_free() destructs the given B. + +X509_LOOKUP_set_method_data() and X509_LOOKUP_get_method_data() +associates and retrieves a pointer to application data to and from the +given B, respectively. + +X509_LOOKUP_ctrl() is used to set or get additional data to or from a +B structure or its associated L. +The arguments of the control command are passed via I and I, +its return value via I<*ret>. +The meaning of the arguments depends on the I number of the +control command. In general, this function is not called directly, but +wrapped by a macro call, see below. +The control Is known to OpenSSL are discussed in more depth +in L. + +X509_LOOKUP_load_file() passes a filename to be loaded immediately +into the associated B. +I indicates what type of object is expected. +This can only be used with a lookup using the implementation +L. + +X509_LOOKUP_add_dir() passes a directory specification from which +certificates and CRLs are loaded on demand into the associated +B. +I indicates what type of object is expected. +This can only be used with a lookup using the implementation +L. + +X509_LOOKUP_add_store() passes a URI for a directory-like structure +from which containers with certificates and CRLs are loaded on demand +into the associated B. +X509_LOOKUP_load_store() passes a URI for a single container from +which certificates and CRLs are immediately loaded into the associated +B. +These functions can only be used with a lookup using the +implementation L. + +X509_LOOKUP_load_file(), X509_LOOKUP_add_dir(), +X509_LOOKUP_add_store(), and X509_LOOKUP_load_store() are implemented +as macros that use X509_LOOKUP_ctrl(). + +X509_LOOKUP_by_subject(), X509_LOOKUP_by_issuer_serial(), +X509_LOOKUP_by_fingerprint(), and X509_LOOKUP_by_alias() look up +certificates and CRLs in the L associated with the +B using different criteria, where the looked up object is +stored in I. +Some of the underlying Bs will also cache objects +matching the criteria in the associated B, which makes it +possible to handle cases where the criteria have more than one hit. + +=head2 Control Commands + +The Bs built into OpenSSL recognise the following +X509_LOOKUP_ctrl() Is: + +=over 4 + +=item B + +This is the command that X509_LOOKUP_load_file() uses. +The filename is passed in I, and the type in I. + +=item B + +This is the command that X509_LOOKUP_add_dir() uses. +The directory specification is passed in I, and the type in +I. + +=item B + +This is the command that X509_LOOKUP_add_store() uses. +The URI is passed in I. + +=item B + +This is the command that X509_LOOKUP_load_store() uses. +The URI is passed in I. + +=back + +=head1 RETURN VALUES + +X509_LOOKUP_new() returns a B pointer when successful, +or NULL on error. + +X509_LOOKUP_init() and X509_LOOKUP_shutdown() return 1 on success, or +0 on error. + +X509_LOOKUP_ctrl() returns -1 if the B doesn't have an +associated B, or 1 if the X<509_LOOKUP_METHOD> +doesn't have a control function. +Otherwise, it returns what the control function in the +B returns, which is usually 1 on success and 0 in +error. + +X509_LOOKUP_get_store() returns a B pointer if there is +one, otherwise NULL. + +X509_LOOKUP_by_subject(), X509_LOOKUP_by_issuer_serial(), +X509_LOOKUP_by_fingerprint(), and X509_LOOKUP_by_alias() all return 0 +if there is no B or that method doesn't implement +the corresponding function. +Otherwise, it returns what the corresponding function in the +B returns, which is usually 1 on success and 0 in +error. + +=head1 SEE ALSO + +L, L + +=head1 COPYRIGHT + +Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/X509_LOOKUP_meth_new.pod b/doc/man3/X509_LOOKUP_meth_new.pod index 11a7a0df55..7a0dab7e69 100644 --- a/doc/man3/X509_LOOKUP_meth_new.pod +++ b/doc/man3/X509_LOOKUP_meth_new.pod @@ -2,6 +2,7 @@ =head1 NAME +X509_LOOKUP_METHOD, X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, @@ -16,14 +17,15 @@ X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, X509_LOOKUP_meth_get_get_by_fingerprint, X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, X509_LOOKUP_meth_get_get_by_alias, -X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, -X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL +X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL - Routines to build up X509_LOOKUP methods =head1 SYNOPSIS #include + typedef x509_lookup_method_st X509_LOOKUP_METHOD; + X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); @@ -92,11 +94,6 @@ X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( const X509_LOOKUP_METHOD *method); - int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); - void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); - - X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); - int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); @@ -118,7 +115,7 @@ X509_LOOKUP_get_new_item() and X509_LOOKUP_set_new_item() get and set the function that is called when an B object is created with X509_LOOKUP_new(). If an X509_LOOKUP_METHOD requires any per-X509_LOOKUP specific data, the supplied new_item function should allocate this data and -invoke X509_LOOKUP_set_method_data(). +invoke L. X509_LOOKUP_get_free() and X509_LOOKUP_set_free() get and set the function that is used to free any method data that was allocated and set from within @@ -126,7 +123,7 @@ new_item function. X509_LOOKUP_meth_get_init() and X509_LOOKUP_meth_set_init() get and set the function that is used to initialize the method data that was set with -X509_LOOKUP_set_method_data() as part of the new_item routine. +L as part of the new_item routine. X509_LOOKUP_meth_get_shutdown() and X509_LOOKUP_meth_set_shutdown() get and set the function that is used to shut down the method data whose state was @@ -164,9 +161,9 @@ increments the result's reference count. Any method data that was created as a result of the new_item function set by X509_LOOKUP_meth_set_new_item() can be accessed with -X509_LOOKUP_get_method_data(). The B object that owns the -X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups -should return 1, and unsuccessful lookups should return 0. +L. The B object that owns the +X509_LOOKUP may be accessed with L. Successful +lookups should return 1, and unsuccessful lookups should return 0. X509_LOOKUP_get_get_by_subject(), X509_LOOKUP_get_get_by_issuer_serial(), X509_LOOKUP_get_get_by_fingerprint(), X509_LOOKUP_get_get_by_alias() retrieve diff --git a/doc/man3/X509_STORE_add_cert.pod b/doc/man3/X509_STORE_add_cert.pod index dd3d389e22..f447d2b34a 100644 --- a/doc/man3/X509_STORE_add_cert.pod +++ b/doc/man3/X509_STORE_add_cert.pod @@ -2,8 +2,10 @@ =head1 NAME +X509_STORE, X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth, X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust, +X509_STORE_add_lookup, X509_STORE_load_file, X509_STORE_load_path, X509_STORE_load_store, X509_STORE_set_default_paths, X509_STORE_load_locations @@ -13,6 +15,8 @@ X509_STORE_load_locations #include + typedef x509_store_st X509_STORE; + int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); int X509_STORE_set_depth(X509_STORE *store, int depth); @@ -20,6 +24,9 @@ X509_STORE_load_locations int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); int X509_STORE_set_trust(X509_STORE *ctx, int trust); + X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store, + X509_LOOKUP_METHOD *meth); + int X509_STORE_set_default_paths(X509_STORE *ctx); int X509_STORE_load_file(X509_STORE *ctx, const char *file); int X509_STORE_load_path(X509_STORE *ctx, const char *dir); @@ -72,6 +79,11 @@ for the corresponding values used in certificate chain validation. Their behavior is documented in the corresponding B manual pages, e.g., L. +X509_STORE_add_lookup() finds or creates a L with the +L I and adds it to the B +I. This also associates the B with the lookup, so +B functions can look up objects in that store. + X509_STORE_load_file() loads trusted certificate(s) into an B from a given file. @@ -102,6 +114,9 @@ X509_STORE_load_path(), X509_STORE_load_store(), X509_STORE_load_locations(), and X509_STORE_set_default_paths() return 1 on success or 0 on failure. +X509_STORE_add_lookup() returns the found or created +L, or NULL on error. + =head1 SEE ALSO L. diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 95d300eda3..64ac6845dc 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -1326,15 +1326,6 @@ X509_EXTENSIONS_it(3) X509_EXTENSION_it(3) X509_INFO_free(3) X509_INFO_new(3) -X509_LOOKUP_by_alias(3) -X509_LOOKUP_by_fingerprint(3) -X509_LOOKUP_by_issuer_serial(3) -X509_LOOKUP_by_subject(3) -X509_LOOKUP_ctrl(3) -X509_LOOKUP_free(3) -X509_LOOKUP_init(3) -X509_LOOKUP_new(3) -X509_LOOKUP_shutdown(3) X509_NAME_ENTRY_it(3) X509_NAME_ENTRY_set(3) X509_NAME_hash(3) @@ -1407,7 +1398,6 @@ X509_STORE_CTX_set_flags(3) X509_STORE_CTX_set_purpose(3) X509_STORE_CTX_set_time(3) X509_STORE_CTX_set_trust(3) -X509_STORE_add_lookup(3) X509_STORE_get_verify(3) X509_TRUST_add(3) X509_TRUST_cleanup(3) diff --git a/util/missingmacro.txt b/util/missingmacro.txt index 8738c87d9f..ed0f61056f 100644 --- a/util/missingmacro.txt +++ b/util/missingmacro.txt @@ -166,10 +166,6 @@ SSL_CTX_set_tlsext_ticket_keys(3) X509_extract_key(3) X509_REQ_extract_key(3) X509_name_cmp(3) -X509_LOOKUP_load_file(3) -X509_LOOKUP_load_store(3) -X509_LOOKUP_add_dir(3) -X509_LOOKUP_add_store(3) X509V3_conf_err(3) X509V3_set_ctx_test(3) X509V3_set_ctx_nodb(3) diff --git a/util/other.syms b/util/other.syms index 27e9a92374..4996dd874b 100644 --- a/util/other.syms +++ b/util/other.syms @@ -95,11 +95,15 @@ X509_STORE_CTX_lookup_crls_fn datatype X509_STORE_CTX_verify_cb datatype X509_STORE_CTX_verify_fn datatype X509_STORE_set_verify_cb_func datatype +X509_LOOKUP datatype +X509_LOOKUP_METHOD datatype +X509_LOOKUP_TYPE datatype X509_LOOKUP_get_by_alias_fn datatype X509_LOOKUP_get_by_subject_fn datatype X509_LOOKUP_get_by_fingerprint_fn datatype X509_LOOKUP_ctrl_fn datatype X509_LOOKUP_get_by_issuer_serial_fn datatype +X509_STORE datatype bio_info_cb datatype BIO_info_cb datatype custom_ext_add_cb datatype @@ -544,6 +548,10 @@ SSLv23_server_method define TLS_DEFAULT_CIPHERSUITES define deprecated 3.0.0 X509_CRL_http_nbio define X509_http_nbio define +X509_LOOKUP_add_dir define +X509_LOOKUP_add_store define +X509_LOOKUP_load_file define +X509_LOOKUP_load_store define X509_STORE_set_lookup_crls_cb define X509_STORE_set_verify_func define EVP_PKEY_CTX_set1_id define -- 2.25.1