x509storeissuer: provide the initial infrstructure for nonce configuration

esyr · esyr · commit 2137125f015f · 2025-10-22T16:50:50.000+02:00
Signed-off-by: Eugene Syromiatnikov &lt;esyr@openssl.org&gt;
diff --git a/source/x509storeissuer.c b/source/x509storeissuer.c
@@ -7,8 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include <stdlib.h>
+#include <stdbool.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #ifndef _WIN32
 # include <libgen.h>
@@ -24,23 +25,116 @@
 #include "perflib/perflib.h"
 
 #define RUN_TIME 5
+#define NONCE_CFG "file:servercert.pem"
+
+enum nonce_type {
+    NONCE_PATH,
+};
+
+struct nonce_cfg {
+    enum nonce_type type;
+    const char *path;
+    char **dirs;
+    size_t num_dirs;
+};
 
 static int error = 0;
 static X509_STORE *store = NULL;
-static X509 *x509 = NULL;
+static X509 *x509_nonce = NULL;
 
 static int threadcount;
 
 size_t *counts;
 OSSL_TIME max_time;
 
+static X509 *
+load_nonce_from_file(const char *path)
+{
+    BIO *bio = BIO_new_file(path, "rb");
+    X509 *x509_nonce = NULL;
+
+    if (bio == NULL) {
+        warnx("Unable to create BIO for reading \"%s\"", path);
+        return NULL;
+    }
+
+    x509_nonce = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+    if (x509_nonce == NULL)
+        warnx("Failed to read certificate \"%s\"", path);
+
+    BIO_free(bio);
+
+    return x509_nonce;
+}
+
+static bool
+is_abs_path(const char *path)
+{
+    if (path == NULL)
+        return false;
+
+#if defined(_WIN32)
+    /*
+     * So, we don't try to concatenate the provided path with the directory
+     * paths if the path start with the following:
+     *  - volume character and a colon ("C:"):  it is either absolute path
+     *    (if followed by a backslash), or a relative path to a current
+     *    directory of that volume (and we don't want to implement any logic
+     *    that handles that);
+     *  - backslash ("\"):  it is an "absolute path" on the "current" drive,
+     *    or (if there are two backslashes in the beginning) an UNC path.
+     */
+    return (isalpha(path[0]) && path[1] == ':') || path[0] == '\\';
+#else /* !_WIN32 */
+    return path[0] == '/';
+#endif
+}
+
+static X509 *
+load_nonce_from_path(struct nonce_cfg *cfg)
+{
+    if (is_abs_path(cfg->path))
+        return load_nonce_from_file(cfg->path);
+
+    for (size_t i = 0; i < cfg->num_dirs; i++) {
+        char *cert;
+        X509 *ret;
+
+        cert = perflib_mk_file_path(cfg->dirs[i], cfg->path);
+        if (cert == NULL) {
+            warnx("Failed to allocate file path for directory \"%s\""
+                  " and path \"%s\"", cfg->dirs[i], cfg->path);
+            continue;
+        }
+
+        ret = load_nonce_from_file(cert);
+        OPENSSL_free(cert);
+
+        if (ret != NULL)
+            return ret;
+    }
+
+    return NULL;
+}
+
+static X509 *
+make_nonce(struct nonce_cfg *cfg)
+{
+    switch (cfg->type) {
+    case NONCE_PATH:
+        return load_nonce_from_path(cfg);
+    default:
+        errx(EXIT_FAILURE, "Unknown nonce type: %lld", (long long) cfg->type);
+    }
+}
+
 static void do_x509storeissuer(size_t num)
 {
     X509_STORE_CTX *ctx = X509_STORE_CTX_new();
     X509 *issuer = NULL;
     OSSL_TIME time;
 
-    if (ctx == NULL || !X509_STORE_CTX_init(ctx, store, x509, NULL)) {
+    if (ctx == NULL || !X509_STORE_CTX_init(ctx, store, x509_nonce, NULL)) {
         warnx("Failed to initialise X509_STORE_CTX");
         error = 1;
         goto err;
@@ -54,7 +148,7 @@ static void do_x509storeissuer(size_t num)
          * certificates inside our store. We're just testing calling this
          * against an empty store.
          */
-        if (X509_STORE_CTX_get1_issuer(&issuer, ctx, x509) != 0) {
+        if (X509_STORE_CTX_get1_issuer(&issuer, ctx, x509_nonce) != 0) {
             warnx("Unexpected result from X509_STORE_CTX_get1_issuer");
             error = 1;
             X509_free(issuer);
@@ -73,9 +167,32 @@ static void
 usage(char * const argv[])
 {
     fprintf(stderr,
-            "Usage: %s [-t] certsdir threadcount\n"
-            "-t - terse output\n",
-            basename(argv[0]));
+            "Usage: %s [-t] [-n nonce_type:type_args] certsdir threadcount\n"
+            "\t-t\tTerse output\n"
+            "\t-n\tNonce configuration, supported options:\n"
+            "\t\t\tfile:PATH - load nonce certificate from PATH;\n"
+            "\t\t\tif PATH is relative, the provided certsdir's are searched.\n"
+            "\t\tDefault: " NONCE_CFG "\n"
+            , basename(argv[0]));
+}
+
+/**
+ * Parse nonce configuration string. Currently supported formats:
+ *  * "file:PATH" - where PATH is either a relative path (that will be then
+ *                  checked against the list of directories provided),
+ *                  or an absolute one.
+ */
+static void
+parse_nonce_cfg(const char * const optarg, struct nonce_cfg *cfg)
+{
+    static const char file_pfx[] = "file:";
+
+    if (strncmp(optarg, file_pfx, sizeof(file_pfx) - 1) == 0) {
+        cfg->type = NONCE_PATH;
+        cfg->path = optarg + sizeof(file_pfx) - 1;
+    } else {
+        errx(EXIT_FAILURE, "incorrect nonce configuration: \"%s\"", optarg);
+    }
 }
 
 static long long
@@ -106,12 +223,19 @@ int main(int argc, char *argv[])
     int ret = EXIT_FAILURE;
     BIO *bio = NULL;
     int opt;
+    int dirs_start;
+    struct nonce_cfg nonce_cfg;
 
-    while ((opt = getopt(argc, argv, "t")) != -1) {
+    parse_nonce_cfg(NONCE_CFG, &nonce_cfg);
+
+    while ((opt = getopt(argc, argv, "tn:")) != -1) {
         switch (opt) {
         case 't':
             terse = 1;
             break;
+        case 'n': /* nonce */
+            parse_nonce_cfg(optarg, &nonce_cfg);
+            break;
         default:
             usage(argv);
             return EXIT_FAILURE;
@@ -121,11 +245,14 @@ int main(int argc, char *argv[])
     if (argv[optind] == NULL)
         errx(EXIT_FAILURE, "certsdir is missing");
 
-    cert = perflib_mk_file_path(argv[optind], "servercert.pem");
-    if (cert == NULL)
-        errx(EXIT_FAILURE, "Failed to allocate cert path");
+    dirs_start = optind++;
 
-    optind++;
+    /*
+     * Store the part of argv containing directories to nonce_cfg so
+     * load_nonce_from_path can use it later.
+     */
+    nonce_cfg.dirs = argv + dirs_start;
+    nonce_cfg.num_dirs = 1;
 
     if (argv[optind] == NULL)
         errx(EXIT_FAILURE, "threadcount is missing");
@@ -136,21 +263,14 @@ int main(int argc, char *argv[])
     if (store == NULL || !X509_STORE_set_default_paths(store))
         errx(EXIT_FAILURE, "Failed to create X509_STORE");
 
-    bio = BIO_new_file(cert, "rb");
-    if (bio == NULL)
-        errx(EXIT_FAILURE, "Unable to load certificate\n");
-
-    x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-    if (x509 == NULL)
-        errx(EXIT_FAILURE, "Failed to read certificate");
-
-    BIO_free(bio);
-    bio = NULL;
-
     counts = OPENSSL_malloc(sizeof(size_t) * threadcount);
     if (counts == NULL)
         errx(EXIT_FAILURE, "Failed to create counts array");
 
+    x509_nonce = make_nonce(&nonce_cfg);
+    if (x509_nonce == NULL)
+        errx(EXIT_FAILURE, "Unable to create the nonce X509 object");
+
     max_time = ossl_time_add(ossl_time_now(), ossl_seconds2time(RUN_TIME));
 
     if (!perflib_run_multi_thread_test(do_x509storeissuer, threadcount, &duration))
@@ -173,8 +293,8 @@ int main(int argc, char *argv[])
     ret = EXIT_SUCCESS;
 
  err:
+    X509_free(x509_nonce);
     X509_STORE_free(store);
-    X509_free(x509);
     BIO_free(bio);
     OPENSSL_free(cert);
     OPENSSL_free(counts);
