feat(x509.store) add set_flags (#77)

fffonion · Oct 14, 2022 · 8f3f16a · 8f3f16a
1 parent cde46ab
commit 8f3f16a
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -246,6 +246,7 @@ Table of Contents
     + [store:load_directory](#storeload_directory)
     + [store:set_purpose](#storeset_purpose)
     + [store:set_depth](#storeset_depth)
+    + [store:set_flags](#storeset_flags)
     + [store:verify](#storeverify)
   * [resty.openssl.x509.revoked](#restyopensslx509revoked)
     + [revoked.new](#revokednew)
@@ -3260,7 +3261,10 @@ Only the following types are decoded, other types are decoded as `"TYPE:<unsuppo
 
 ## resty.openssl.x509.extension
 
-Module to interact with X.509 extensions.
+Module to interact with every X.509 extensions.
+
+This module is particular useful to create extensions not supported by
+`x509.*` modules or custom extensions.
 
 [Back to TOC](#table-of-contents)
 
@@ -3816,6 +3820,51 @@ is not included in the default verify methods.
 
 Set the verify depth.
 
+### store:set_flags
+
+**syntax**: *ok, err = store:set_flags(flag1, flag2, ...)*
+
+Set the verify flags, available via `store.verify_flags` table:
+
+```
+    X509_V_FLAG_CB_ISSUER_CHECK              = 0x0,   -- Deprecated
+    X509_V_FLAG_USE_CHECK_TIME               = 0x2,
+    X509_V_FLAG_CRL_CHECK                    = 0x4,
+    X509_V_FLAG_CRL_CHECK_ALL                = 0x8,
+    X509_V_FLAG_IGNORE_CRITICAL              = 0x10,
+    X509_V_FLAG_X509_STRICT                  = 0x20,
+    X509_V_FLAG_ALLOW_PROXY_CERTS            = 0x40,
+    X509_V_FLAG_POLICY_CHECK                 = 0x80,
+    X509_V_FLAG_EXPLICIT_POLICY              = 0x100,
+    X509_V_FLAG_INHIBIT_ANY                  = 0x200,
+    X509_V_FLAG_INHIBIT_MAP                  = 0x400,
+    X509_V_FLAG_NOTIFY_POLICY                = 0x800,
+    X509_V_FLAG_EXTENDED_CRL_SUPPORT         = 0x1000,
+    X509_V_FLAG_USE_DELTAS                   = 0x2000,
+    X509_V_FLAG_CHECK_SS_SIGNATURE           = 0x4000,
+    X509_V_FLAG_TRUSTED_FIRST                = 0x8000,
+    X509_V_FLAG_SUITEB_128_LOS_ONLY          = 0x10000,
+    X509_V_FLAG_SUITEB_192_LOS               = 0x20000,
+    X509_V_FLAG_SUITEB_128_LOS               = 0x30000,
+    X509_V_FLAG_PARTIAL_CHAIN                = 0x80000,
+    X509_V_FLAG_NO_ALT_CHAINS                = 0x100000,
+    X509_V_FLAG_NO_CHECK_TIME                = 0x200000,
+```
+
+
+```lua
+store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN)
+
+store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN,
+                store.verify_flags.X509_V_FLAG_NO_CHECK_TIME)
+
+store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN +
+                store.verify_flags.X509_V_FLAG_NO_CHECK_TIME)
+```
+
+See [X509_VERIFY_PARAM_set_flags(3)](https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html)
+for explanation of each flag.
+
 [Back to TOC](#table-of-contents)
 
 ### store:verify

diff --git a/lib/resty/openssl/include/x509_vfy.lua b/lib/resty/openssl/include/x509_vfy.lua
@@ -41,7 +41,32 @@ ffi.cdef [[
   int X509_PURPOSE_get_id(const X509_PURPOSE *xp);
 ]]
 
-local _M = {}
+local _M = {
+  verify_flags = {
+    X509_V_FLAG_CB_ISSUER_CHECK              = 0x0,   -- Deprecated
+    X509_V_FLAG_USE_CHECK_TIME               = 0x2,
+    X509_V_FLAG_CRL_CHECK                    = 0x4,
+    X509_V_FLAG_CRL_CHECK_ALL                = 0x8,
+    X509_V_FLAG_IGNORE_CRITICAL              = 0x10,
+    X509_V_FLAG_X509_STRICT                  = 0x20,
+    X509_V_FLAG_ALLOW_PROXY_CERTS            = 0x40,
+    X509_V_FLAG_POLICY_CHECK                 = 0x80,
+    X509_V_FLAG_EXPLICIT_POLICY              = 0x100,
+    X509_V_FLAG_INHIBIT_ANY                  = 0x200,
+    X509_V_FLAG_INHIBIT_MAP                  = 0x400,
+    X509_V_FLAG_NOTIFY_POLICY                = 0x800,
+    X509_V_FLAG_EXTENDED_CRL_SUPPORT         = 0x1000,
+    X509_V_FLAG_USE_DELTAS                   = 0x2000,
+    X509_V_FLAG_CHECK_SS_SIGNATURE           = 0x4000,
+    X509_V_FLAG_TRUSTED_FIRST                = 0x8000,
+    X509_V_FLAG_SUITEB_128_LOS_ONLY          = 0x10000,
+    X509_V_FLAG_SUITEB_192_LOS               = 0x20000,
+    X509_V_FLAG_SUITEB_128_LOS               = 0x30000,
+    X509_V_FLAG_PARTIAL_CHAIN                = 0x80000,
+    X509_V_FLAG_NO_ALT_CHAINS                = 0x100000,
+    X509_V_FLAG_NO_CHECK_TIME                = 0x200000,
+  },
+}
 
 if OPENSSL_10 or BORINGSSL_110 then
   ffi.cdef [[
@@ -78,5 +103,6 @@ else
   _M.X509_STORE_load_locations = function(s, file, dir) return C.X509_STORE_load_locations(s, file, dir) end
 end
 
+
 return _M
 
diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua
@@ -2,6 +2,7 @@ local ffi = require "ffi"
 local C = ffi.C
 local ffi_gc = ffi.gc
 local ffi_str = ffi.string
+local bor = bit.bor
 
 local x509_vfy_macro = require "resty.openssl.include.x509_vfy"
 local x509_lib = require "resty.openssl.x509"
@@ -15,6 +16,8 @@ local OPENSSL_30 = require("resty.openssl.version").OPENSSL_30
 local _M = {}
 local mt = { __index = _M }
 
+_M.verify_flags = x509_vfy_macro.verify_flags
+
 local x509_store_ptr_ct = ffi.typeof('X509_STORE*')
 
 function _M.new()
@@ -72,7 +75,9 @@ function _M:add(item)
     -- enables CRL checking for the certificate chain leaf certificate.
     -- An error occurs if a suitable CRL cannot be found.
     -- Note: this does not check for certificates in the chain.
-    C.X509_STORE_set_flags(self.ctx, 0x4)
+    if C.X509_STORE_set_flags(self.ctx, 0x4) ~= 1 then
+      return false, format_error("x509.store:add: X509_STORE_set_flags")
+    end
     -- decrease the dup ctx ref count immediately to make leak test happy
     C.X509_CRL_free(dup)
   else
@@ -152,6 +157,19 @@ function _M:set_purpose(purpose)
   return true
 end
 
+function _M:set_flags(...)
+  local flag = 0
+  for _, f in ipairs({...}) do
+    flag = bor(flag, f)
+  end
+
+  if C.X509_STORE_set_flags(self.ctx, flag) ~= 1 then
+    return false, format_error("x509.store:set_flags: X509_STORE_set_flags")
+  end
+
+  return true
+end
+
 function _M:verify(x509, chain, return_chain, properties, verify_method)
   if not x509_lib.istype(x509) then
     return nil, "x509.store:verify: expect a x509 instance at #1"

diff --git a/t/openssl/x509/store.t b/t/openssl/x509/store.t
@@ -349,3 +349,35 @@ nilunsupported certificate purpose
 "
 --- no_error_log
 [error]
+
+=== TEST 12: Set flags
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local helper = require "t.openssl.helper"
+            local store = require("resty.openssl.x509.store")
+            local chain = require("resty.openssl.x509.chain")
+
+            local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
+            local s = myassert(store.new())
+            myassert(s:add(certs[2]))
+            local ch = chain.new()
+            for i=3, #certs-1 do
+                myassert(ch:add(certs[i]))
+            end
+            -- should not be ok, need root CA
+            ngx.say(s:verify(certs[#certs], ch))
+
+            myassert(s:set_flags(s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
+            ngx.say(s:verify(certs[#certs], ch))
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"nilunable to get issuer certificate
+truenil
+"
+--- no_error_log
+[error]