feat(x509.store) extend verify to support setting flags (#104)

fffonion · Mar 24, 2023 · fa45b6c · fa45b6c
1 parent ba8d05d
commit fa45b6c
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -3924,7 +3924,7 @@ for explanation of each flag.
 
 ### store:verify
 
-**syntax**: *chain, err = store:verify(x509, chain?, return_chain?, properties?, verify_method?)*
+**syntax**: *chain, err = store:verify(x509, chain?, return_chain?, properties?, verify_method?, verify_flags?)*
 
 Verifies a X.509 object with the store. The first argument must be
 [resty.openssl.x509](#restyopensslx509) instance. Optionally accept a validation chain as second
@@ -3942,6 +3942,9 @@ to explictly select provider to fetch algorithms.
 couple of other defaults but **does not** override the parameters set from
 [store:set_purpose](#storeset_purpose).
 
+`verify_flags` paramter is the additional verify flags to be set. See [store:set_flags](#storeset_flags)
+for all available flags.
+
 [Back to TOC](#table-of-contents)
 
 ## resty.openssl.x509.revoked

diff --git a/lib/resty/openssl/include/x509_vfy.lua b/lib/resty/openssl/include/x509_vfy.lua
@@ -36,6 +36,8 @@ ffi.cdef [[
 
   int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
 
+  void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
+
   int X509_PURPOSE_get_by_sname(char *sname);
   X509_PURPOSE *X509_PURPOSE_get0(int idx);
   int X509_PURPOSE_get_id(const X509_PURPOSE *xp);

diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua
@@ -170,7 +170,7 @@ function _M:set_flags(...)
   return true
 end
 
-function _M:verify(x509, chain, return_chain, properties, verify_method)
+function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
   if not x509_lib.istype(x509) then
     return nil, "x509.store:verify: expect a x509 instance at #1"
   elseif chain and not chain_lib.istype(chain) then
@@ -206,6 +206,10 @@ function _M:verify(x509, chain, return_chain, properties, verify_method)
     return nil, "x509.store:verify: invalid verify_method \"" .. verify_method .. "\""
   end
 
+  if flags then
+    C.X509_STORE_CTX_set_flags(ctx, flags)
+  end
+
   local code = C.X509_verify_cert(ctx)
   if code == 1 then -- verified
     if not return_chain then

diff --git a/t/openssl/x509/store.t b/t/openssl/x509/store.t
@@ -381,3 +381,34 @@ truenil
 "
 --- no_error_log
 [error]
+
+=== TEST 13: Set verify time flags
+--- http_config eval: $::HttpConfig
+--- config
+    location =/t {
+        content_by_lua_block {
+            local helper = require "t.openssl.helper"
+            local store = require("resty.openssl.x509.store")
+            local chain = require("resty.openssl.x509.chain")
+
+            local certs, keys = helper.create_cert_chain(5, { type = 'EC', curve = "prime256v1" })
+            local s = myassert(store.new())
+            myassert(s:add(certs[2]))
+            local ch = chain.new()
+            for i=3, #certs-1 do
+                myassert(ch:add(certs[i]))
+            end
+            -- should not be ok, need root CA
+            ngx.say(s:verify(certs[#certs], ch))
+
+            ngx.say(s:verify(certs[#certs], ch, false, nil, nil, s.verify_flags.X509_V_FLAG_PARTIAL_CHAIN))
+        }
+    }
+--- request
+    GET /t
+--- response_body_like eval
+"nilunable to get issuer certificate
+truenil
+"
+--- no_error_log
+[error]