src/openssl.c: enable check for revocation if CRL is added to store #180

Open
wants to merge 1 commit into
base: master
138 changes: 138 additions & 0 deletions regress/180-store-verify-crl.lua
@@ -0,0 +1,138 @@
local regress = require "regress"

local x509 = require "openssl.x509"
local store = require "openssl.x509.store"
local chain = require "openssl.x509.chain"
local crl = require "openssl.x509.crl"

-- the cert to be verified
local c = x509.new([[-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
]])

local s = store.new()
local ch = chain.new()

-- intermediate
ch:add(x509.new([[-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
]]))

-- CA
s:add(x509.new([[-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
]]))

local crrr = crl.new([[-----BEGIN X509 CRL-----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-----END X509 CRL-----]])
s:add(crrr)

-- should fail
regress.check(not s:verify(c, ch))
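Review bot: The only assertion, `regress.check(not s:verify(c, ch))`, passes for any verification failure, so it does not show that the CRL is what rejected the certificate; once the embedded leaf, intermediate or CRL is past its validity window, the test would stay green even with revocation checking broken. If `verify` returns the OpenSSL reason as a second value (not visible on this page), pin it with `local ok, why = s:verify(c, ch)` followed by `regress.check(not ok and tostring(why):find("revoked", 1, true))`. A control case that verifies the same certificate and chain against a store holding only the CA, and expects success, would show that the added CRL is the deciding input.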
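--- a/src/openssl.c
+++ b/src/openssl.c
@@ -8726,6 +8726,13 @@ static int xs_add(lua_State *L) {
 X509_CRL_free(crl_dup);
 return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
 }
+
+/* enable check revocation of chain leaf certificate if CRL is added to store */
+if (!X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK)) {
+X509_CRL_free(crl_dup);
+return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
+}
+
 } else {
 const char *path = luaL_checkstring(L, i);
 struct stat st;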
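Review bot: `X509_V_FLAG_CRL_CHECK` on its own makes OpenSSL consult CRLs for the leaf only, so a revoked intermediate supplied in the chain is still accepted after this change. If that is not intended, the call should be `X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)`, which in turn requires a CRL for every issuer in the path. The flag is also set store-wide as a side effect of adding a single CRL, so later verifications of leaves whose issuer has no CRL in this store will presumably start failing with a missing-CRL error; that behaviour change deserves a line in the `store:add` documentation. The new error branch frees `crl_dup` after the CRL appears to have been added to the store already; whether that is balanced depends on the success path, which, like the rest of xs_add, lies outside this hunk.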