Skip to content

Commit a9c5e68

Browse files
fffonionfffonion
committed
src/openssl.c: enable check for revocation if CRL is added to store
1 parent 5ad909d commit a9c5e68

File tree

2 files changed

+145
-0
lines changed

2 files changed

+145
-0
lines changed

Diff for: regress/180-store-verify-crl.lua

+138
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,138 @@
1+
local regress = require "regress"
2+
3+
local x509 = require "openssl.x509"
4+
local store = require "openssl.x509.store"
5+
local chain = require "openssl.x509.chain"
6+
local crl = require "openssl.x509.crl"
7+
8+
-- the cert to be verified
9+
local c = x509.new([[-----BEGIN CERTIFICATE-----
10+
MIIFZTCCA02gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx
11+
CzAJBgNVBAgMAkNBMQ0wCwYDVQQKDARrb25nMQwwCgYDVQQLDANGVFQxIjAgBgNV
12+
BAMMGXd3dy5pbnRlcm1lZGlhdGUua29uZy5jb20wHhcNMjAwMjI1MTkxNzQ1WhcN
13+
MjEwMjI0MTkxNzQ1WjBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNV
14+
BAcMAlNGMQ0wCwYDVQQKDARrb25nMQwwCgYDVQQLDANGVFQxHDAaBgNVBAMME3d3
15+
dy5zaGFzaGkua29uZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
16+
AQDnJZyax9cmO6M6Iv2wm8FQlpko1+NyOPO2Hz20gYVfKElD66sfqrjL/DJVSxig
17+
XREnJYoXjym+udBWiIQsRDvYVjYuyKU5Nl4jAZcei/IhpGrZpiFNQ4KX3Ed61ZBI
18+
hzNiNuscvQZi9MTnmNbIIMJ/cbkOtqLmTnsZalEh35F62H1A4VPbAMU3UZDD1Hjc
19+
wqKMCvkySg1HnH48571SGMqBvH33xZn5lL/814x75imRxM56LcnLSe8iR02nFJu2
20+
EAWiR7w+i+WWAQZ4IsyIGMJbw6q0YVDKoiw7iKaetQc3Lq0txyWa4cX+VFczrJqD
21+
VmSboh5cwifydauIcpFQE7aTAgMBAAGjggEqMIIBJjAJBgNVHRMEAjAAMBEGCWCG
22+
SAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQg
23+
Q2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBRCTdv48WUjZIJZ5AYplljLA3im
24+
AjAfBgNVHSMEGDAWgBQILuNz6qJ5qT3NyVsxUxkzFwT0ajAOBgNVHQ8BAf8EBAMC
25+
BeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMDEGCCsGAQUFBwEBBCUw
26+
IzAhBggrBgEFBQcwAYYVaHR0cDovLzEyNy4wLjAuMToyNTYwMC8GA1UdHwQoMCYw
27+
JKAioCCGHmh0dHA6Ly8xMjcuMC4wLjE6ODA4MC9rb25nLmNybDANBgkqhkiG9w0B
28+
AQsFAAOCAgEAUyZlN2K6WdSQZ+C7dv6nVBfEnsXfr0j24pLoqqjwszXj5fv4YhTO
29+
5mikWbdxyx+wTcRqidEPabm+aF02kn78I5eOhdfxo1WSak7tsUkeFA0v63rABkXl
30+
AsBh39HYwnHVGz8X9pmj7njRr+d/D3MX9f5GTWzrqJuv+H7ig9TszIDNSFBC6HaQ
31+
QUL6TLLwuYqb5QNk3OQQ6INeL1FTD+Gx7h1N+DLwEhM+ftPe1dsNZYs/kVsUC7dA
32+
Vn+OMGAtXyEnISR4VGWUGwOKlTEIWVRDPvFfgUKh83TQUMZw3x6pbvA3uB0RzVKd
33+
Y+gHtYb2wOqeXU9WEzCY8g4cqQSU3evK+hMoUPvki4XuYht5K24DzkDxbXmDNOlv
34+
hs1te7jRv6t6zLYe9R3eq/UPEUk7YPo2MFZ7xmnrSmCLg2DbRCBjgV6ssAfXtz+/
35+
nKiO8DgxWqEp/dibtR58iGLakkFBkxeOsWU9L1aq3ixVYoFNL6qdMiXhfy95gvSf
36+
BgshBXpyMM4HLaZ0u4QdhzJVP0wE8X2VrEd6LhX1v2Ka/kpLITYoJP2sfCAn2uNK
37+
9AQtuWs+oneXl0mGwsEXATirf9sBPjQ1iVr//EYs/fg0B+wCtS1afD+32fM+sy+q
38+
0PfOiXBDPWEdIGZxx+SYBUhE1fmEx/TgeZQIG9rLNHZdVoRwgQspLMI=
39+
-----END CERTIFICATE-----
40+
]])
41+
42+
local s = store.new()
43+
local ch = chain.new()
44+
45+
-- intermediate
46+
ch:add(x509.new([[-----BEGIN CERTIFICATE-----
47+
MIIFnTCCA4WgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCVVMx
48+
CzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsGA1UECgwEa29uZzEMMAoGA1UE
49+
CwwDRlRUMRowGAYDVQQDDBF3d3cucm9vdC5rb25nLmNvbTAeFw0yMDAyMjQxODU1
50+
MTRaFw0zMDAyMjExODU1MTRaMFsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEN
51+
MAsGA1UECgwEa29uZzEMMAoGA1UECwwDRlRUMSIwIAYDVQQDDBl3d3cuaW50ZXJt
52+
ZWRpYXRlLmtvbmcuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
53+
z/gq5K3Y9iKPRTm/tp8tbqCCh4UGpXElclJNF56Vt4/bUur3m5N++TcApMta4+pY
54+
HfhDDszc8OaBc5C6cmbnwW5WEUBOP8GnBu4Tz/2j9neuwaywajrObXP1LuSacVq/
55+
agud+CQCTqlnJPx4f6q2c4jimQv9apjyLzuzLJ61FZMKmggD0lwAiZacUQ2KDKSE
56+
e3ZmdXxNjFk3vHOHZcZQvJNFcVcQZRDvlgqkSDcDbDvgncJnxXPLgIM7keJe1xOM
57+
oHoi3wt6oQS4bAWDN8EGcu6RPkxhfYCGXxGXSL2858nxVdI94FRW+RN6Y/RqsNbc
58+
g12ZCa+xAZnR7O64pSKqzCwhJcV0tAA48J5o4mbAYEbSfb6MJbD0pSbxjQALjfaA
59+
5Ezc+lkKu5Gzk7Xfvh5qGxsyWw4xLjLClMRGwcJq27HV3eQ1Kwq+JhtFNZBCzGZK
60+
F/rEzAb1IZxuNO0DNIEuNZgpJzOREDxgvM2n3cviaYpVtwQmKJcIGPrZ5PsZUuFC
61+
ShTPPxz0yMMUjCW8Ovla/2yMQ7B7JVmCwXPqxpaOZ/W8kIsr0qyeWxge8BUVQpVx
62+
kqI0zpSaGMWrkqaZDUMxUY0wJTYBcfm/ttES5XTv+/zZtYWt/Kad70k6jBsRS4h0
63+
hJdwC7rDg2ELFoF+nDQA/aTo/e8G46iSACUKjEGiML8CAwEAAaNmMGQwHQYDVR0O
64+
BBYEFAgu43PqonmpPc3JWzFTGTMXBPRqMB8GA1UdIwQYMBaAFHK4L2s3N0aajjVZ
65+
6EWlyJW6FjVhMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0G
66+
CSqGSIb3DQEBCwUAA4ICAQDPZ0/GGFTBShlfGXJ6LplU6nSBsv4cFvDgBPnTqe/6
67+
7W2BkT6OTEN1cA0muBArN4ZGF5kAXI5Rq+mUtKjelGtRfXRGbz1u6ezqqD+SM0x2
68+
ZEUjyrzDgOoc0++ThIOcmrEFwgcH1tmzC5xiXReSU+9cDrVinDkx5qrcrBNhrm+Q
69+
jU5HnD9M9x4YKfYZ97YgmmD8P8JUdgFkBfKXn9ec0TsnBO88r7f3uOC/AEjSpT3g
70+
K/EfzPQXRr3UO62dCLH7CJlc80P7y0haRXXMiPVs/fcHglRgb/lFwLw/BFuAdyNs
71+
vIqxopwC5TCv8lqo5V4olc599/3VnD6QHj1TuYUFPq+dxSmWDSEwKKRYO2j9xOHw
72+
KOeOOhQnCKhXq+1pVuT3cHfL8D3aOhA+ouBxf2opdFVo2YpvhqHCIX7uLfOvSt0f
73+
8sAMSU+Vaxbg2z9vNwsuaPSeGm1Nx9IJn7ggoaR71gqK4eihHgEaBD6RrDDDgtSg
74+
bIoxHH/rJNzDPeGpOard3jezYkxLpA/M1TvzBy2aly6+6Xlu/t+oERWeF2Av32Si
75+
xH7FPTzd6SsL462A5uX04psUmgeQ9OGHpSDKS/JLralFoB+amVDl0S4slHBNhTg9
76+
u21gtUdre8KBMsRni3uvaW++DjGpXiSqBvAejO8zq1x+VppCap9OWRcwkklpSzuK
77+
dA==
78+
-----END CERTIFICATE-----
79+
]]))
80+
81+
-- CA
82+
s:add(x509.new([[-----BEGIN CERTIFICATE-----
83+
MIIFsTCCA5mgAwIBAgIUGwM+/eUddS57Nb6ve6PGVyvrnvswDQYJKoZIhvcNAQEL
84+
BQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjENMAsG
85+
A1UECgwEa29uZzEMMAoGA1UECwwDRlRUMRowGAYDVQQDDBF3d3cucm9vdC5rb25n
86+
LmNvbTAeFw0yMDAyMjQxODU1MTRaFw0zMDAyMjExODU1MTRaMGAxCzAJBgNVBAYT
87+
AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDTALBgNVBAoMBGtvbmcxDDAK
88+
BgNVBAsMA0ZUVDEaMBgGA1UEAwwRd3d3LnJvb3Qua29uZy5jb20wggIiMA0GCSqG
89+
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDmZLUv5+fzzw8WZAo+0fg+ZuD50JY+BugO
90+
WW/vfvNr55K4pzYhVB2KdLeLswHtAx//BSs1wvtASkWBG0rB8xIICNersKAtaykY
91+
DTGwbzzWq6xF2qhCGeN/9rwdlQw1y8m07J/AGIPsTuW0uX4WxJsS+Z1AIZBQnQGI
92+
mKW1k0lVCyWLjCqFF7wtSfLpEC6e43YBov0Fb6DZHBAulVkt0bAlKOq+VrFec9EL
93+
B0xZQdWGI8Q0XlJ7Ub8Vn1ISvBLnPaM+gNVmDm1QHe0NqMVEaI4zYzMkP768Mkld
94+
OVBOh8LOMtA1Lp19Lz9j06nUX7JQIo9e6SA3tHF3iVo7vOUZmBUNJmQtGSI+nVPy
95+
0LUGMXyUlpFWFzQr9KFeOf7huezQYPhlzybpfv5N8HllxjFNhl/dp33GuJ8DQCSt
96+
qGUn6azRXQQ2lSX0P/JsfKZc1EM3tRmqS1pAj1w23gIwocsuQvbgdc4LYNk0BPhx
97+
MUvWj6vWYZjXiSgLTUAkDrqTFKDIMaOKbf8jFUJyAXtUxuhZkuxm5J7dbji+UWjY
98+
UzN4sArGwk2pj4MElXXvRHIvcrVwtwWIZ/MqMsc5J+sOZhu1uuKmcx6rmiJRqUnM
99+
IO8hUBLFY1HMGB7VokdqfQPsY65y++d307Gz/3onidlyGG8Uz4qCOc1B2dVM68K3
100+
LrXFGN5dxwIDAQABo2MwYTAdBgNVHQ4EFgQUcrgvazc3RpqONVnoRaXIlboWNWEw
101+
HwYDVR0jBBgwFoAUcrgvazc3RpqONVnoRaXIlboWNWEwDwYDVR0TAQH/BAUwAwEB
102+
/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFzE9SZa1UpvmVzj
103+
ZYlPRCt+B2OfsZ57kfZXMw4jBs+Bid1CLP3Hq2+Xr9TwYDRjaP8fm5nMoXOeFjhg
104+
qIF+lmIJf85hdVvz1ratB9Jvj9bpGx6vUS6x8tg5yji3D9RxKBrmXE4RmmKyV+7T
105+
mg3BJtwAwa944nULoebqg031ovcnSMwHle9pvfQ4k4HkQL1gGFUd84t45A3oVnqx
106+
a+DVre/KaR92E/NlaAb9Re9mNG+euh2s8RKxRpuAeDlzuQTi1Ck9IE0Iwamfn/6B
107+
3fZyQ41VEZuW/jqXMcTrDYwmnI8bWygUFyQjKdZDGbU2pbKqGLPdCRgQOEO06RLd
108+
DasUk+71GHNe7n8wj781LOdqjGpXXwvfBxZgge4TwsrnxMvtfk6wJh9qHYbE+ElS
109+
SmB2ggtwgPyq3nK97VdhzCVWUR5m3uKO7P82E6JBW5N38DPUFoNXnH30J2EuB4rx
110+
4NhG+uqTft3YQwyUxZNkOMnJ5KRLm7uFdgayLDSO1xc1Sxa0EegzJH75jGq8WdAq
111+
CCpSk7i3ZFcGtAJyrbTofL1UTPvZtUuMBpIlhe+LGXKKATVDXH4R7KmRranjbggo
112+
D8EAGv74WfAVyV0PZsJlfQDkqOmfoA2kf4FwHGaR1fj8zN80hLU0Ne59MC4j02Xd
113+
fHkHWlcFxuEgWRqCXKtlBK9M9C39
114+
-----END CERTIFICATE-----
115+
]]))
116+
117+
local crrr = crl.new([[-----BEGIN X509 CRL-----
118+
MIIC7TCB1gIBATANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJVUzELMAkGA1UE
119+
CAwCQ0ExDTALBgNVBAoMBGtvbmcxDDAKBgNVBAsMA0ZUVDEiMCAGA1UEAwwZd3d3
120+
LmludGVybWVkaWF0ZS5rb25nLmNvbRcNMjAwMjI2MTgyNzQ5WhcNMjAwMzI3MTgy
121+
NzQ5WjAVMBMCAhABFw0yMDAyMjYxODE2NDFaoDAwLjAfBgNVHSMEGDAWgBQILuNz
122+
6qJ5qT3NyVsxUxkzFwT0ajALBgNVHRQEBAICEAEwDQYJKoZIhvcNAQELBQADggIB
123+
AMawanOynHVLn45dFoAhANLU5LWbPZIEMHjeH4QxglLocbcYF80Iv5kV/YiZkmm9
124+
6gvEEienoeWQqmtrF0TzOk90N3CywPHICwlDreTXCuLxHlJyiLTGgggtAr0oEQ05
125+
XqIOaTlzaU7spE213qSNdyMdKrRFidouVARtVYmfRaJ4XWwmp/HhDqL1QtcpwWXw
126+
+5ogmrfuS7q614nUpm8Ae6AfUZ6nVSoidImFvQVALpTkbFSmRH8xhyFFo0zK/7t/
127+
anJPvboqSND680J7bGJZZI3T60B+uQIxaYIOONwx3HtoFHs/HMjcQc2J80NKpiFR
128+
FGc981T2caVGfDOke/NLRurzfpKmamNVLdYVkePivM+aB7HFnjZLN82EEIXJTC89
129+
BlIkuW5d4N++eGXU4KibmtyVMualLp3vcinde8ZDxkW8f033ed5nuttlccD0mpo1
130+
BimgELq5cNMsSHGjdYKCMnBF8nS+Pof/eMM2oNtuciHaWyY9xlmRdt5hxO4f+L7n
131+
pjHc6QRYWMl2aMJ4BCjOns6bNDMqcmmSPy7XJuxWS3M11ILZQHDrFq1uIeWyH3ZA
132+
Fl+0XJFdLpNGCaE0bas5L1y1Di3lHINSapbFJeG4TddHw+bfTkrGarndPR1MbJIq
133+
epS2sIgEJDLNwEXo002Lw1kQ/DlZrjQmoznzXZEf1MDj
134+
-----END X509 CRL-----]])
135+
s:add(crrr)
136+
137+
-- should fail
138+
regress.check(not s:verify(c, ch))

Diff for: src/openssl.c

+7
Original file line numberDiff line numberDiff line change
@@ -8726,6 +8726,13 @@ static int xs_add(lua_State *L) {
87268726
X509_CRL_free(crl_dup);
87278727
return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
87288728
}
8729+
8730+
/* enable check revocation of chain leaf certificate if CRL is added to store*/
8731+
if (!X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK)) {
8732+
X509_CRL_free(crl_dup);
8733+
return auxL_error(L, auxL_EOPENSSL, "x509.store:add");
8734+
}
8735+
87298736
} else {
87308737
const char *path = luaL_checkstring(L, i);
87318738
struct stat st;

0 commit comments

Comments
 (0)