From 6869810b4ec0c7241404ab5f7bb080417871d16e Mon Sep 17 00:00:00 2001
From: daurnimator
Date: Fri, 7 Jun 2019 18:09:54 +1000
Subject: src/openssl.c: Add cert:verify() to verify a certificate without a store
---
 regress/167-verify-cert.lua | 47 +++++++++++++++++++++++++++++++++++++++++++++
 regress/regress.lua | 2 ++
 2 files changed, 49 insertions(+)
 create mode 100755 regress/167-verify-cert.lua
(limited to 'regress')
diff --git a/regress/167-verify-cert.lua b/regress/167-verify-cert.lua
new file mode 100755
index 0000000..b7433e8
--- /dev/null
+++ b/regress/167-verify-cert.lua
@@ -0,0 +1,47 @@
+#!/usr/bin/env lua
+
+local regress = require "regress"
+
+if (regress.openssl.OPENSSL_VERSION_NUMBER and regress.openssl.OPENSSL_VERSION_NUMBER < 0x10002000)
+ or (regress.openssl.LIBRESSL_VERSION_NUMBER and regress.openssl.LIBRESSL_VERSION_NUMBER < 0x20705000)
+then
+ -- skipping test due to different behaviour in earlier OpenSSL versions
+ return
+end
+
+local params = regress.verify_param.new()
+params:setDepth(0)
+
+local ca_key, ca_crt = regress.genkey()
+do -- should fail as no trust anchor
+ regress.check(not ca_crt:verify({params=params, chain=nil, store=nil}))
+end
+
+local store = regress.store.new()
+store:add(ca_crt)
+do -- should succeed as cert is in the store
+ regress.check(ca_crt:verify({params=params, chain=nil, store=store}))
+end
+
+local intermediate_key, intermediate_crt = regress.genkey(nil, ca_key, ca_crt)
+do -- should succeed as ca cert is in the store
+ regress.check(intermediate_crt:verify({params=params, chain=nil, store=store}))
+end
+
+local _, crt = regress.genkey(nil, intermediate_key, intermediate_crt)
+do -- should fail as intermediate cert is missing
+ regress.check(not crt:verify({params=params, chain=nil, store=store}))
+end
+
+local chain = regress.chain.new()
+chain:add(intermediate_crt)
+do -- should fail as max depth is too low
+ regress.check(not crt:verify({params=params, chain=chain, store=store}))
+end
+
+params:setDepth(1)
+do -- should succeed
+ regress.check(crt:verify({params=params, chain=chain, store=store}))
+end
+
+regress.say "OK"
diff --git a/regress/regress.lua b/regress/regress.lua
index 19ee065..5cdd22d 100644
--- a/regress/regress.lua
+++ b/regress/regress.lua
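Review bot: The case commented "should fail as intermediate cert is missing" still runs under `params:setDepth(0)`, so it would fail on the depth limit alone and cannot show that the missing intermediate is what was rejected. More generally, each `regress.check(not ...)` passes on any failure reason. Running that case with `params:setDepth(1)` and dropping back to `params:setDepth(0)` only for the "max depth is too low" case would separate the two conditions; if `verify` also returns a reason on failure (not visible in this hunk), checking it would pin each negative case to the condition its comment names. There is also no case where the issuing CA is supplied only through `chain` with `store=nil`; that call should fail, because certificates in `chain` are untrusted path-building input and not trust anchors. Finally, the early `return` on older OpenSSL/LibreSSL is silent, so a skipped run looks like a pass; a `regress.say` line before it would record the skip.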
@@ -8,7 +8,9 @@ local regress = {
 x509 = require"openssl.x509",
 name = require"openssl.x509.name",
 altname = require"openssl.x509.altname",
+ chain = require"openssl.x509.chain",
 store = require"openssl.x509.store",
+ verify_param = require"openssl.x509.verify_param",
 pack = table.pack or function (...)
 local t = { ... }
 t.n = select("#", ...)
-- 
cgit v1.2.3-59-g8ed1b