fix(store) set X509_V_FLAG_CRL_CHECK flag if a crl is added

fffonion · fffonion · commit 88574d5ecef0 · 2020-02-27T05:37:03.000+08:00
diff --git a/lib/resty/openssl/include/x509_vfy.lua b/lib/resty/openssl/include/x509_vfy.lua
@@ -28,6 +28,8 @@ ffi.cdef [[
                         X509 *x509, OPENSSL_STACK *chain);
 
   int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+
+  int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
 ]]
 
 local _M = {}
diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua
@@ -64,6 +64,12 @@ function _M:add(item)
     if C.X509_STORE_add_crl(self.ctx, dup) ~= 1 then
       err = format_error("store:add: X509_STORE_add_crl")
     end
+
+    -- define X509_V_FLAG_CRL_CHECK                   0x4
+    -- enables CRL checking for the certificate chain leaf certificate.
+    -- An error occurs if a suitable CRL cannot be found.
+    -- Note: this does not check for certificates in the chain.
+    C.X509_STORE_set_flags(self.ctx, 0x4)
     -- decrease the dup ctx ref count immediately to make leak test happy
     C.X509_CRL_free(dup)
   else
