src/openssl.c: enable check for revocation if CRL is added store

wahern · Feb 26, 2020 · 21ffac6 · 21ffac6
1 parent 5ad909d
commit 21ffac6
Show file tree

Hide file tree

Showing 3 changed files with 146 additions and 19 deletions.
diff --git a/regress/00-store-verify-crl.lua b/regress/00-store-verify-crl.lua
@@ -0,0 +1,139 @@
+local regress = require "regress"
+
+local x509 = require "openssl.x509"
+local store = require "openssl.x509.store"
+local chain = require "openssl.x509.chain"
+local crl = require "openssl.x509.crl"
+
+-- the cert to be verified
+local c = x509.new([[-----BEGIN CERTIFICATE-----
+MIIFZTCCA02gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkNBMQ0wCwYDVQQKDARrb25nMQwwCgYDVQQLDANGVFQxIjAgBgNV
+BAMMGXd3dy5pbnRlcm1lZGlhdGUua29uZy5jb20wHhcNMjAwMjI1MTkxNzQ1WhcN
+MjEwMjI0MTkxNzQ1WjBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNV
+BAcMAlNGMQ0wCwYDVQQKDARrb25nMQwwCgYDVQQLDANGVFQxHDAaBgNVBAMME3d3
+dy5zaGFzaGkua29uZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDnJZyax9cmO6M6Iv2wm8FQlpko1+NyOPO2Hz20gYVfKElD66sfqrjL/DJVSxig
+XREnJYoXjym+udBWiIQsRDvYVjYuyKU5Nl4jAZcei/IhpGrZpiFNQ4KX3Ed61ZBI
+hzNiNuscvQZi9MTnmNbIIMJ/cbkOtqLmTnsZalEh35F62H1A4VPbAMU3UZDD1Hjc
+wqKMCvkySg1HnH48571SGMqBvH33xZn5lL/814x75imRxM56LcnLSe8iR02nFJu2
+EAWiR7w+i+WWAQZ4IsyIGMJbw6q0YVDKoiw7iKaetQc3Lq0txyWa4cX+VFczrJqD
+VmSboh5cwifydauIcpFQE7aTAgMBAAGjggEqMIIBJjAJBgNVHRMEAjAAMBEGCWCG
+SAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQg
+Q2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBRCTdv48WUjZIJZ5AYplljLA3im
+AjAfBgNVHSMEGDAWgBQILuNz6qJ5qT3NyVsxUxkzFwT0ajAOBgNVHQ8BAf8EBAMC
+BeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMDEGCCsGAQUFBwEBBCUw
+IzAhBggrBgEFBQcwAYYVaHR0cDovLzEyNy4wLjAuMToyNTYwMC8GA1UdHwQoMCYw
+JKAioCCGHmh0dHA6Ly8xMjcuMC4wLjE6ODA4MC9rb25nLmNybDANBgkqhkiG9w0B
+AQsFAAOCAgEAUyZlN2K6WdSQZ+C7dv6nVBfEnsXfr0j24pLoqqjwszXj5fv4YhTO
+5mikWbdxyx+wTcRqidEPabm+aF02kn78I5eOhdfxo1WSak7tsUkeFA0v63rABkXl
+AsBh39HYwnHVGz8X9pmj7njRr+d/D3MX9f5GTWzrqJuv+H7ig9TszIDNSFBC6HaQ
+QUL6TLLwuYqb5QNk3OQQ6INeL1FTD+Gx7h1N+DLwEhM+ftPe1dsNZYs/kVsUC7dA
+Vn+OMGAtXyEnISR4VGWUGwOKlTEIWVRDPvFfgUKh83TQUMZw3x6pbvA3uB0RzVKd
+Y+gHtYb2wOqeXU9WEzCY8g4cqQSU3evK+hMoUPvki4XuYht5K24DzkDxbXmDNOlv
+hs1te7jRv6t6zLYe9R3eq/UPEUk7YPo2MFZ7xmnrSmCLg2DbRCBjgV6ssAfXtz+/
+nKiO8DgxWqEp/dibtR58iGLakkFBkxeOsWU9L1aq3ixVYoFNL6qdMiXhfy95gvSf
+BgshBXpyMM4HLaZ0u4QdhzJVP0wE8X2VrEd6LhX1v2Ka/kpLITYoJP2sfCAn2uNK
+9AQtuWs+oneXl0mGwsEXATirf9sBPjQ1iVr//EYs/fg0B+wCtS1afD+32fM+sy+q
+0PfOiXBDPWEdIGZxx+SYBUhE1fmEx/TgeZQIG9rLNHZdVoRwgQspLMI=
+-----END CERTIFICATE-----
+]])
+
+local s = store.new()
+local ch = chain.new()
+
+-- intermediate
+ch:add(x509.new([[-----BEGIN CERTIFICATE-----
+MIIFnTCCA4WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsGA1UECgwEa29uZzEMMAoGA1UE
+CwwDRlRUMRowGAYDVQQDDBF3d3cucm9vdC5rb25nLmNvbTAeFw0yMDAyMjQxODU1
+MTRaFw0zMDAyMjExODU1MTRaMFsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEN
+MAsGA1UECgwEa29uZzEMMAoGA1UECwwDRlRUMSIwIAYDVQQDDBl3d3cuaW50ZXJt
+ZWRpYXRlLmtvbmcuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+z/gq5K3Y9iKPRTm/tp8tbqCCh4UGpXElclJNF56Vt4/bUur3m5N++TcApMta4+pY
+HfhDDszc8OaBc5C6cmbnwW5WEUBOP8GnBu4Tz/2j9neuwaywajrObXP1LuSacVq/
+agud+CQCTqlnJPx4f6q2c4jimQv9apjyLzuzLJ61FZMKmggD0lwAiZacUQ2KDKSE
+e3ZmdXxNjFk3vHOHZcZQvJNFcVcQZRDvlgqkSDcDbDvgncJnxXPLgIM7keJe1xOM
+oHoi3wt6oQS4bAWDN8EGcu6RPkxhfYCGXxGXSL2858nxVdI94FRW+RN6Y/RqsNbc
+g12ZCa+xAZnR7O64pSKqzCwhJcV0tAA48J5o4mbAYEbSfb6MJbD0pSbxjQALjfaA
+5Ezc+lkKu5Gzk7Xfvh5qGxsyWw4xLjLClMRGwcJq27HV3eQ1Kwq+JhtFNZBCzGZK
+F/rEzAb1IZxuNO0DNIEuNZgpJzOREDxgvM2n3cviaYpVtwQmKJcIGPrZ5PsZUuFC
+ShTPPxz0yMMUjCW8Ovla/2yMQ7B7JVmCwXPqxpaOZ/W8kIsr0qyeWxge8BUVQpVx
+kqI0zpSaGMWrkqaZDUMxUY0wJTYBcfm/ttES5XTv+/zZtYWt/Kad70k6jBsRS4h0
+hJdwC7rDg2ELFoF+nDQA/aTo/e8G46iSACUKjEGiML8CAwEAAaNmMGQwHQYDVR0O
+BBYEFAgu43PqonmpPc3JWzFTGTMXBPRqMB8GA1UdIwQYMBaAFHK4L2s3N0aajjVZ
+6EWlyJW6FjVhMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0G
+CSqGSIb3DQEBCwUAA4ICAQDPZ0/GGFTBShlfGXJ6LplU6nSBsv4cFvDgBPnTqe/6
+7W2BkT6OTEN1cA0muBArN4ZGF5kAXI5Rq+mUtKjelGtRfXRGbz1u6ezqqD+SM0x2
+ZEUjyrzDgOoc0++ThIOcmrEFwgcH1tmzC5xiXReSU+9cDrVinDkx5qrcrBNhrm+Q
+jU5HnD9M9x4YKfYZ97YgmmD8P8JUdgFkBfKXn9ec0TsnBO88r7f3uOC/AEjSpT3g
+K/EfzPQXRr3UO62dCLH7CJlc80P7y0haRXXMiPVs/fcHglRgb/lFwLw/BFuAdyNs
+vIqxopwC5TCv8lqo5V4olc599/3VnD6QHj1TuYUFPq+dxSmWDSEwKKRYO2j9xOHw
+KOeOOhQnCKhXq+1pVuT3cHfL8D3aOhA+ouBxf2opdFVo2YpvhqHCIX7uLfOvSt0f
+8sAMSU+Vaxbg2z9vNwsuaPSeGm1Nx9IJn7ggoaR71gqK4eihHgEaBD6RrDDDgtSg
+bIoxHH/rJNzDPeGpOard3jezYkxLpA/M1TvzBy2aly6+6Xlu/t+oERWeF2Av32Si
+xH7FPTzd6SsL462A5uX04psUmgeQ9OGHpSDKS/JLralFoB+amVDl0S4slHBNhTg9
+u21gtUdre8KBMsRni3uvaW++DjGpXiSqBvAejO8zq1x+VppCap9OWRcwkklpSzuK
+dA==
+-----END CERTIFICATE-----
+]]))
+
+-- CA
+s:add(x509.new([[-----BEGIN CERTIFICATE-----
+MIIFsTCCA5mgAwIBAgIUGwM+/eUddS57Nb6ve6PGVyvrnvswDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsG
+A1UECgwEa29uZzEMMAoGA1UECwwDRlRUMRowGAYDVQQDDBF3d3cucm9vdC5rb25n
+LmNvbTAeFw0yMDAyMjQxODU1MTRaFw0zMDAyMjExODU1MTRaMGAxCzAJBgNVBAYT
+AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBGtvbmcxDDAK
+BgNVBAsMA0ZUVDEaMBgGA1UEAwwRd3d3LnJvb3Qua29uZy5jb20wggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQDmZLUv5+fzzw8WZAo+0fg+ZuD50JY+BugO
+WW/vfvNr55K4pzYhVB2KdLeLswHtAx//BSs1wvtASkWBG0rB8xIICNersKAtaykY
+DTGwbzzWq6xF2qhCGeN/9rwdlQw1y8m07J/AGIPsTuW0uX4WxJsS+Z1AIZBQnQGI
+mKW1k0lVCyWLjCqFF7wtSfLpEC6e43YBov0Fb6DZHBAulVkt0bAlKOq+VrFec9EL
+B0xZQdWGI8Q0XlJ7Ub8Vn1ISvBLnPaM+gNVmDm1QHe0NqMVEaI4zYzMkP768Mkld
+OVBOh8LOMtA1Lp19Lz9j06nUX7JQIo9e6SA3tHF3iVo7vOUZmBUNJmQtGSI+nVPy
+0LUGMXyUlpFWFzQr9KFeOf7huezQYPhlzybpfv5N8HllxjFNhl/dp33GuJ8DQCSt
+qGUn6azRXQQ2lSX0P/JsfKZc1EM3tRmqS1pAj1w23gIwocsuQvbgdc4LYNk0BPhx
+MUvWj6vWYZjXiSgLTUAkDrqTFKDIMaOKbf8jFUJyAXtUxuhZkuxm5J7dbji+UWjY
+UzN4sArGwk2pj4MElXXvRHIvcrVwtwWIZ/MqMsc5J+sOZhu1uuKmcx6rmiJRqUnM
+IO8hUBLFY1HMGB7VokdqfQPsY65y++d307Gz/3onidlyGG8Uz4qCOc1B2dVM68K3
+LrXFGN5dxwIDAQABo2MwYTAdBgNVHQ4EFgQUcrgvazc3RpqONVnoRaXIlboWNWEw
+HwYDVR0jBBgwFoAUcrgvazc3RpqONVnoRaXIlboWNWEwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFzE9SZa1UpvmVzj
+ZYlPRCt+B2OfsZ57kfZXMw4jBs+Bid1CLP3Hq2+Xr9TwYDRjaP8fm5nMoXOeFjhg
+qIF+lmIJf85hdVvz1ratB9Jvj9bpGx6vUS6x8tg5yji3D9RxKBrmXE4RmmKyV+7T
+mg3BJtwAwa944nULoebqg031ovcnSMwHle9pvfQ4k4HkQL1gGFUd84t45A3oVnqx
+a+DVre/KaR92E/NlaAb9Re9mNG+euh2s8RKxRpuAeDlzuQTi1Ck9IE0Iwamfn/6B
+3fZyQ41VEZuW/jqXMcTrDYwmnI8bWygUFyQjKdZDGbU2pbKqGLPdCRgQOEO06RLd
+DasUk+71GHNe7n8wj781LOdqjGpXXwvfBxZgge4TwsrnxMvtfk6wJh9qHYbE+ElS
+SmB2ggtwgPyq3nK97VdhzCVWUR5m3uKO7P82E6JBW5N38DPUFoNXnH30J2EuB4rx
+4NhG+uqTft3YQwyUxZNkOMnJ5KRLm7uFdgayLDSO1xc1Sxa0EegzJH75jGq8WdAq
+CCpSk7i3ZFcGtAJyrbTofL1UTPvZtUuMBpIlhe+LGXKKATVDXH4R7KmRranjbggo
+D8EAGv74WfAVyV0PZsJlfQDkqOmfoA2kf4FwHGaR1fj8zN80hLU0Ne59MC4j02Xd
+fHkHWlcFxuEgWRqCXKtlBK9M9C39
+-----END CERTIFICATE-----
+]]))
+
+local crrr = crl.new([[-----BEGIN X509 CRL-----
+MIIC7TCB1gIBATANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCQ0ExDTALBgNVBAoMBGtvbmcxDDAKBgNVBAsMA0ZUVDEiMCAGA1UEAwwZd3d3
+LmludGVybWVkaWF0ZS5rb25nLmNvbRcNMjAwMjI2MTgyNzQ5WhcNMjAwMzI3MTgy
+NzQ5WjAVMBMCAhABFw0yMDAyMjYxODE2NDFaoDAwLjAfBgNVHSMEGDAWgBQILuNz
+6qJ5qT3NyVsxUxkzFwT0ajALBgNVHRQEBAICEAEwDQYJKoZIhvcNAQELBQADggIB
+AMawanOynHVLn45dFoAhANLU5LWbPZIEMHjeH4QxglLocbcYF80Iv5kV/YiZkmm9
+6gvEEienoeWQqmtrF0TzOk90N3CywPHICwlDreTXCuLxHlJyiLTGgggtAr0oEQ05
+XqIOaTlzaU7spE213qSNdyMdKrRFidouVARtVYmfRaJ4XWwmp/HhDqL1QtcpwWXw
++5ogmrfuS7q614nUpm8Ae6AfUZ6nVSoidImFvQVALpTkbFSmRH8xhyFFo0zK/7t/
+anJPvboqSND680J7bGJZZI3T60B+uQIxaYIOONwx3HtoFHs/HMjcQc2J80NKpiFR
+FGc981T2caVGfDOke/NLRurzfpKmamNVLdYVkePivM+aB7HFnjZLN82EEIXJTC89
+BlIkuW5d4N++eGXU4KibmtyVMualLp3vcinde8ZDxkW8f033ed5nuttlccD0mpo1
+BimgELq5cNMsSHGjdYKCMnBF8nS+Pof/eMM2oNtuciHaWyY9xlmRdt5hxO4f+L7n
+pjHc6QRYWMl2aMJ4BCjOns6bNDMqcmmSPy7XJuxWS3M11ILZQHDrFq1uIeWyH3ZA
+Fl+0XJFdLpNGCaE0bas5L1y1Di3lHINSapbFJeG4TddHw+bfTkrGarndPR1MbJIq
+epS2sIgEJDLNwEXo002Lw1kQ/DlZrjQmoznzXZEf1MDj
+-----END X509 CRL-----]])
+s:add(crrr)
+
+-- should fail
+regress.check(not s:verify(c, ch),
+"CRL check failed")
diff --git a/regress/00-store-verify.lua b/regress/00-store-verify.lua
diff --git a/src/openssl.c b/src/openssl.c
@@ -8726,6 +8726,13 @@ static int xs_add(lua_State *L) {
 				X509_CRL_free(crl_dup);
 				return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
 			}
+
+			/* enable check revocation of chain leaf certificate if CRL is added to store*/
+			if (!X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK)) {
+				X509_CRL_free(crl_dup);
+				return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
+			}
+
 		} else {
 			const char *path = luaL_checkstring(L, i);
 			struct stat st;