Commit 2cf540fd authored by KOVACS Krisztian's avatar KOVACS Krisztian

Add X509_STORE_set_flags()

This makes it possible to set verification flags (such as CRL checking)
on the store when it is built.
parent 7a9d6d5b
+1 −0
@@ -183,6 +183,7 @@ extern "C" {
    ) -> *mut X509_LOOKUP;

    pub fn X509_STORE_set_default_paths(store: *mut X509_STORE) -> c_int;
    pub fn X509_STORE_set_flags(store: *mut X509_STORE, flags: c_ulong) -> c_int;

    pub fn X509_STORE_CTX_get_ex_data(ctx: *mut X509_STORE_CTX, idx: c_int) -> *mut c_void;
    pub fn X509_STORE_CTX_get_error(ctx: *mut X509_STORE_CTX) -> c_int;
+12 −0
@@ -41,6 +41,8 @@ use std::mem;

use crate::error::ErrorStack;
use crate::stack::StackRef;
#[cfg(any(ossl102, libressl261))]
use crate::x509::verify::X509VerifyFlags;
use crate::x509::{X509Object, X509};
use crate::{cvt, cvt_p};

@@ -102,6 +104,16 @@ impl X509StoreBuilderRef {
        let lookup = unsafe { ffi::X509_STORE_add_lookup(self.as_ptr(), method.as_ptr()) };
        cvt_p(lookup).map(|ptr| unsafe { X509LookupRef::from_ptr_mut(ptr) })
    }

    /// Sets certificate chain validation related flags.
    ///
    /// This corresponds to [`X509_STORE_set_flags`].
    ///
    /// [`X509_STORE_set_flags`]: https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_set_flags.html
    #[cfg(any(ossl102, libressl261))]
    pub fn set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
        unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).map(|_| ()) }
    }
}

generic_foreign_type_and_impl_send_sync! {
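Review bot: The doc comment on `set_flags` (L39) says the method "sets" the flags, which reads as replace-semantics, but as far as I can tell `X509_STORE_set_flags` forwards to `X509_VERIFY_PARAM_set_flags`, which ORs the given bits into the flags already present on the store's verify parameters, so a flag set earlier cannot be cleared through this method. Suggest adding to the doc: `/// The given flags are OR'd into the flags already set on the store; this method cannot clear a flag.` It would also help callers to note that `X509VerifyFlags::CRL_CHECK` makes verification fail closed when no CRL for the chain has been added to the store (the test added in this commit relies on exactly that), and, per OpenSSL's documentation as I recall it, that `CRL_CHECK` alone only checks the leaf unless `CRL_CHECK_ALL` is also set — worth confirming against the man page before quoting it. The `impl X509StoreBuilderRef` block containing this method starts before the hunk.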
+29 −0
@@ -10,6 +10,8 @@ use crate::x509::extension::{
    SubjectKeyIdentifier,
};
use crate::x509::store::X509StoreBuilder;
#[cfg(any(ossl102, libressl261))]
use crate::x509::verify::X509VerifyFlags;
#[cfg(ossl110)]
use crate::x509::X509Builder;
use crate::x509::{X509Name, X509Req, X509StoreContext, X509VerifyResult, X509};
@@ -398,6 +400,33 @@ fn test_verify_fails() {
        .unwrap());
}

#[test]
#[cfg(any(ossl102, libressl261))]
fn test_verify_fails_with_crl_flag_set_and_no_crl() {
    let cert = include_bytes!("../../test/cert.pem");
    let cert = X509::from_pem(cert).unwrap();
    let ca = include_bytes!("../../test/root-ca.pem");
    let ca = X509::from_pem(ca).unwrap();
    let chain = Stack::new().unwrap();

    let mut store_bldr = X509StoreBuilder::new().unwrap();
    store_bldr.add_cert(ca).unwrap();
    store_bldr.set_flags(X509VerifyFlags::CRL_CHECK).unwrap();
    let store = store_bldr.build();

    let mut context = X509StoreContext::new().unwrap();
    assert_eq!(
        context
            .init(&store, &cert, &chain, |c| {
                c.verify_cert()?;
                Ok(c.error())
            })
            .unwrap()
            .error_string(),
        "unable to get certificate CRL"
    )
}

#[cfg(ossl110)]
#[test]
fn x509_ref_version() {
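Review bot: The new test only exercises the fail-closed path: it proves that `CRL_CHECK` without a CRL in the store rejects the chain, but nothing shows that verification still succeeds once a matching CRL is supplied, so a wrapper that set the wrong bit would pass this test as long as it broke verification somehow. If the builder offers a way to add a CRL (I cannot see one in this chunk), a companion test with a valid CRL for `root-ca.pem` would pin the positive behaviour. Matching on `error_string()` at L88-L89 also ties the test to OpenSSL's error-text table; comparing `c.error()` against the `X509_V_ERR_UNABLE_TO_GET_CRL` code would be more robust if the crate exposes it, and asserting the boolean outcome as well, `let ok = c.verify_cert()?; assert!(!ok); Ok(c.error())`, makes the intent explicit (assuming `verify_cert` returns `Result<bool, _>` as in the sibling tests). The trailing `x509_ref_version` test continues outside the hunk.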