Beispiel #1
0
static LUA_FUNCTION(openssl_crl_get)
{
  X509_CRL * crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  int i = 0;
  X509_REVOKED *revoked = NULL;
  if (lua_isinteger(L, 2))
  {
    i = lua_tointeger(L, 2);
    luaL_argcheck(L, (i >= 0 && i < sk_X509_REVOKED_num(crl->crl->revoked)), 2, "Out of range");
    revoked = sk_X509_REVOKED_value(crl->crl->revoked, i);
  }
  else
  {
    ASN1_STRING *sn = CHECK_OBJECT(2, ASN1_STRING, "openssl.asn1_integer");
    int cnt = sk_X509_REVOKED_num(crl->crl->revoked);
    for (i = 0; i < cnt; i++)
    {
      X509_REVOKED *rev = sk_X509_REVOKED_value(crl->crl->revoked, i);
      if (ASN1_STRING_cmp(rev->serialNumber, sn) == 0)
      {
        revoked = rev;
        break;
      }
    }
  }
  if (revoked)
  {
    lua_newtable(L);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
    AUXILIAR_SET(L, -1, "code", revoked->reason, number);
    AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(revoked->reason), string);
#else
    {
      int crit = 0;
      void* reason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);
      AUXILIAR_SET(L, -1, "code", ASN1_ENUMERATED_get(reason), number);
      AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(ASN1_ENUMERATED_get(reason)), string);
      ASN1_ENUMERATED_free(reason);
    }
#endif
    PUSH_ASN1_INTEGER(L, revoked->serialNumber);
    lua_setfield(L, -2, "serialNumber");

    PUSH_ASN1_TIME(L, revoked->revocationDate);
    lua_setfield(L, -2, "revocationDate");

    if (crl->crl->extensions)
    {
      lua_pushstring(L, "extensions");
      openssl_sk_x509_extension_totable(L, crl->crl->extensions);
      lua_rawset(L, -3);
    }
  }
  else
    lua_pushnil(L);
  return 1;
}
Beispiel #2
0
static int openssl_revoked_info(lua_State* L)
{
  X509_REVOKED* revoked = CHECK_OBJECT(1, X509_REVOKED, "openssl.x509_revoked");
  lua_newtable(L);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
  AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(revoked->reason), string);
#else
  {
    int crit = 0;
    void* reason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);

    AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(ASN1_ENUMERATED_get(reason)), string);
    ASN1_ENUMERATED_free(reason);
  }
#endif
  PUSH_ASN1_INTEGER(L, revoked->serialNumber);
  lua_setfield(L, -2, "serialNumber");

  PUSH_ASN1_TIME(L, revoked->revocationDate);
  lua_setfield(L, -2, "revocationDate");

  if (revoked->extensions)
  {
    lua_pushstring(L, "extensions");
    openssl_sk_x509_extension_totable(L, revoked->extensions);
    lua_rawset(L, -3);
  }
  return 1;
};
Beispiel #3
0
static int openssl_x509_revoked_get_reason(X509_REVOKED *revoked)
{
  int crit = 0;
  int reason;
  ASN1_ENUMERATED *areason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);
  reason = (crit == -1) ? CRL_REASON_NONE : ASN1_ENUMERATED_get(areason);
  ASN1_ENUMERATED_free(areason);
  return reason;
}
Beispiel #4
0
char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
	     ASN1_ENUMERATED *e)
{
	ENUMERATED_NAMES *enam;
	long strval;
	strval = ASN1_ENUMERATED_get(e);
	for(enam = (ENUMERATED_NAMES*)method->usr_data; enam->lname; enam++) {
		if(strval == enam->bitnum) return BUF_strdup(enam->lname);
	}
	return i2s_ASN1_ENUMERATED(method, e);
}
Beispiel #5
0
static LUA_FUNCTION(openssl_crl_get)
{
  X509_CRL * crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  int i = luaL_checkint(L, 2);
  if (i >= 0 && i < sk_X509_REVOKED_num(crl->crl->revoked))
  {
    X509_REVOKED *revoked = sk_X509_REVOKED_value(crl->crl->revoked, i);

    lua_newtable(L);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
    AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(revoked->reason), string);
#else
    {
      int crit = 0;
      void* reason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);

      AUXILIAR_SET(L, -1, "reason", openssl_i2s_revoke_reason(ASN1_ENUMERATED_get(reason)), string);
      ASN1_ENUMERATED_free(reason);
    }
#endif
    PUSH_ASN1_INTEGER(L, revoked->serialNumber);
    lua_setfield(L, -2, "serialNumber");

    PUSH_ASN1_TIME(L, revoked->revocationDate);
    lua_setfield(L, -2, "revocationDate");

    if (crl->crl->extensions)
    {
      lua_pushstring(L, "extensions");
      openssl_sk_x509_extension_totable(L, crl->crl->extensions);
      lua_rawset(L, -3);
    }
    return 1;
  }
  else
    lua_pushnil(L);
  return 1;
}
Beispiel #6
0
static LUA_FUNCTION(openssl_crl_parse)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  int utf8 = lua_isnoneornil(L, 2) ? 1 : lua_toboolean(L, 2);
  int n, i;

  lua_newtable(L);
  AUXILIAR_SET(L, -1, "version", X509_CRL_get_version(crl), integer);

  /* hash as used in CA directories to lookup cert by subject name */
  {
    char buf[32];
    snprintf(buf, sizeof(buf), "%08lx", X509_NAME_hash(X509_CRL_get_issuer(crl)));
    AUXILIAR_SET(L, -1, "hash", buf, string);
  }

  {
    const EVP_MD *digest = EVP_get_digestbyname("sha1");
    unsigned char md[EVP_MAX_MD_SIZE];
    int n = sizeof(md);

    if (X509_CRL_digest(crl, digest, md, (unsigned int*)&n))
    {
      lua_newtable(L);
      AUXILIAR_SET(L, -1, "alg", OBJ_nid2sn(EVP_MD_type(digest)), string);
      AUXILIAR_SETLSTR(L, -1, "hash", (const char*)md, n);

      lua_setfield(L, -2, "fingerprint");
    }
  }

  openssl_push_xname_asobject(L, X509_CRL_get_issuer(crl));
  lua_setfield(L, -2, "issuer");

  PUSH_ASN1_TIME(L,X509_CRL_get_lastUpdate(crl));
  lua_setfield(L, -2, "lastUpdate");
  PUSH_ASN1_TIME(L,X509_CRL_get_nextUpdate(crl));
  lua_setfield(L, -2, "nextUpdate");

  openssl_push_x509_algor(L, crl->crl->sig_alg);
  lua_setfield(L, -2, "sig_alg");
  
  PUSH_ASN1_INTEGER(L, X509_CRL_get_ext_d2i(crl, NID_crl_number, NULL, NULL));
  lua_setfield(L, -2, "crl_number");

  PUSH_OBJECT(sk_X509_EXTENSION_dup(crl->crl->extensions),"openssl.stack_of_x509_extension");
  lua_setfield(L, -2, "extensions");

  n = sk_X509_REVOKED_num(crl->crl->revoked);
  lua_newtable(L);
  for (i = 0; i < n; i++)
  {
    X509_REVOKED *revoked = sk_X509_REVOKED_value(crl->crl->revoked, i);
    lua_newtable(L);

#if OPENSSL_VERSION_NUMBER > 0x10000000L
    AUXILIAR_SET(L, -1, "CRLReason", reason_flags[revoked->reason].lname, string);
#else
    {
      int crit = 0;
      void* reason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);

      AUXILIAR_SET(L, -1, "CRLReason", reason_flags[ASN1_ENUMERATED_get(reason)].lname, string);
      ASN1_ENUMERATED_free(reason);
    }
#endif
    PUSH_ASN1_INTEGER(L, revoked->serialNumber);
    lua_setfield(L,-2, "serialNumber");

    PUSH_ASN1_TIME(L, revoked->revocationDate);
    lua_setfield(L,-2, "revocationDate");

    PUSH_OBJECT(sk_X509_EXTENSION_dup(revoked->extensions),"openssl.stack_of_x509_extension");
    lua_setfield(L,-2, "extensions");

    lua_rawseti(L, -2, i + 1);
  }

  lua_setfield(L, -2, "revoked");
  return 1;
}
Beispiel #7
0
static int crl_set_issuers(X509_CRL *crl)
{

    int i, j;
    GENERAL_NAMES *gens, *gtmp;
    STACK_OF(X509_REVOKED) *revoked;

    revoked = X509_CRL_get_REVOKED(crl);

    gens = NULL;
    for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) {
        X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);
        STACK_OF(X509_EXTENSION) *exts;
        ASN1_ENUMERATED *reason;
        X509_EXTENSION *ext;
        gtmp = X509_REVOKED_get_ext_d2i(rev,
                                        NID_certificate_issuer, &j, NULL);
        if (!gtmp && (j != -1)) {
            crl->flags |= EXFLAG_INVALID;
            return 1;
        }

        if (gtmp) {
            gens = gtmp;
            if (!crl->issuers) {
                crl->issuers = sk_GENERAL_NAMES_new_null();
                if (!crl->issuers)
                    return 0;
            }
            if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
                return 0;
        }
        rev->issuer = gens;

        reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &j, NULL);
        if (!reason && (j != -1)) {
            crl->flags |= EXFLAG_INVALID;
            return 1;
        }

        if (reason) {
            rev->reason = ASN1_ENUMERATED_get(reason);
            ASN1_ENUMERATED_free(reason);
        } else
            rev->reason = CRL_REASON_NONE;

        /* Check for critical CRL entry extensions */

        exts = rev->extensions;

        for (j = 0; j < sk_X509_EXTENSION_num(exts); j++) {
            ext = sk_X509_EXTENSION_value(exts, j);
            if (X509_EXTENSION_get_critical(ext)) {
                if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_certificate_issuer)
                    continue;
                crl->flags |= EXFLAG_CRITICAL;
                break;
            }
        }

    }

    return 1;

}
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
        {
	int i, ret = 0;
	long l;
	OCSP_CERTID *cid = NULL;
	OCSP_BASICRESP *br = NULL;
	OCSP_RESPID *rid = NULL;
	OCSP_RESPDATA  *rd = NULL;
	OCSP_CERTSTATUS *cst = NULL;
	OCSP_REVOKEDINFO *rev = NULL;
	OCSP_SINGLERESP *single = NULL;
	OCSP_RESPBYTES *rb = o->responseBytes;

	if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
	l=ASN1_ENUMERATED_get(o->responseStatus);
	if (BIO_printf(bp,"    OCSP Response Status: %s (0x%lx)\n",
		       OCSP_response_status_str(l), l) <= 0) goto err;
	if (rb == NULL) return 1;
        if (BIO_puts(bp,"    Response Type: ") <= 0)
	        goto err;
	if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
	        goto err;
	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
	        {
		BIO_puts(bp," (unknown response type)\n");
		return 1;
		}

	i = ASN1_STRING_length(rb->response);
	if (!(br = OCSP_response_get1_basic(o))) goto err;
	rd = br->tbsResponseData;
	l=ASN1_INTEGER_get(rd->version);
	if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
		       l+1,l) <= 0) goto err;
	if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;

	rid =  rd->responderId;
	switch (rid->type)
		{
		case V_OCSP_RESPID_NAME:
		        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
		        break;
		case V_OCSP_RESPID_KEY:
		        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
		        break;
		}

	if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
	if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
	if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
	for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
	        {
		if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
		single = sk_OCSP_SINGLERESP_value(rd->responses, i);
		cid = single->certId;
		if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
		cst = single->certStatus;
		if (BIO_printf(bp,"    Cert Status: %s",
			       OCSP_cert_status_str(cst->type)) <= 0)
		        goto err;
		if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
		        {
		        rev = cst->value.revoked;
			if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
			        goto err;
			if (!ASN1_GENERALIZEDTIME_print(bp, 
							rev->revocationTime)) 
				goto err;
			if (rev->revocationReason) 
			        {
				l=ASN1_ENUMERATED_get(rev->revocationReason);
				if (BIO_printf(bp, 
					 "\n    Revocation Reason: %s (0x%lx)",
					       OCSP_crl_reason_str(l), l) <= 0)
				        goto err;
				}
			}
		if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
		if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
			goto err;
		if (single->nextUpdate)
		        {
			if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
			if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
				goto err;
			}
		if (BIO_write(bp,"\n",1) <= 0) goto err;
		if (!X509V3_extensions_print(bp,
					"Response Single Extensions",
					single->singleExtensions, flags, 8))
							goto err;
		if (BIO_write(bp,"\n",1) <= 0) goto err;
		}
	if (!X509V3_extensions_print(bp, "Response Extensions",
					rd->responseExtensions, flags, 4))
							goto err;
	if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
							goto err;

	for (i=0; i<sk_X509_num(br->certs); i++)
		{
		X509_print(bp, sk_X509_value(br->certs,i));
		PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
		}

	ret = 1;
err:
	OCSP_BASICRESP_free(br);
	return ret;
	}
Beispiel #9
0
/*
 * Revoke one certificate at a time
 * No check performed to see if certificate already revoked.
 */
void revoke_cert(char * ca_name, char * name)
{
    char filename[FIELD_SZ+5];
    FILE * f ;
    X509_CRL * crl ;
    X509 * cert ;
    ASN1_INTEGER * r_serial ;
    ASN1_INTEGER * crlnum ;
    X509_REVOKED * rev ;
    ASN1_TIME * tm ;
    identity ca ;
    BIO * out ;
    BIGNUM * b_crlnum ;

    /* Find requested certificate by name */
    sprintf(filename, "%s.crt", name);
    if ((f=fopen(filename, "r"))==NULL) {
        fprintf(stderr, "Cannot find: %s\n", filename);
        return ; 
    }
    cert = PEM_read_X509(f, NULL, NULL, NULL);
    fclose(f);
    /* Get certificate serial number */
    r_serial = X509_get_serialNumber(cert);

    /* Find out if if was already revoked */

    /* Make a revoked object with that serial */
    rev = X509_REVOKED_new();
    X509_REVOKED_set_serialNumber(rev, r_serial);
    X509_free(cert);
    /* Set reason to unspecified */
    rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED);

    /* Load or create new CRL */
    if ((crl = load_crl(ca_name))==NULL) {
        crl = X509_CRL_new();
        X509_CRL_set_version(crl, 1);
        /* Set CRL number */
        crlnum = ASN1_INTEGER_new();
        ASN1_INTEGER_set(crlnum, 1);
        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0);
        ASN1_INTEGER_free(crlnum);
    } else {
        crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0);
        b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL);
        BN_add_word(b_crlnum, 1);
        BN_to_ASN1_INTEGER(b_crlnum, crlnum);
        BN_free(b_crlnum);
        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING);
        ASN1_INTEGER_free(crlnum);
    }

    /* What time is it? */
    tm = ASN1_TIME_new();
    X509_gmtime_adj(tm, 0);
    X509_REVOKED_set_revocationDate(rev, tm);
    X509_CRL_set_lastUpdate(crl, tm);

    /* Set CRL next update to a year from now */
    X509_gmtime_adj(tm, 365*24*60*60);
    X509_CRL_set_nextUpdate(crl, tm);
    ASN1_TIME_free(tm);

    /* Add revoked to CRL */
    X509_CRL_add0_revoked(crl, rev);    
    X509_CRL_sort(crl);

    /* Load root key to sign CRL */
    if (load_ca(ca_name, &ca)!=0) {
        fprintf(stderr, "Cannot find CA key/crt\n");
        return ;
    }
    X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert));
    X509_free(ca.cert);

    /* Sign CRL */
    X509_CRL_sign(crl, ca.key, EVP_sha256());
    EVP_PKEY_free(ca.key);

    /* Dump CRL */
    sprintf(filename, "%s.crl", ca_name);
    if ((f = fopen(filename, "wb"))==NULL) {
        fprintf(stderr, "Cannot write %s: aborting\n", filename);
        X509_CRL_free(crl);
        return ;
    }
    out = BIO_new(BIO_s_file());
    BIO_set_fp(out, f, BIO_NOCLOSE);
    PEM_write_bio_X509_CRL(out, crl);
    BIO_free_all(out);
    fclose(f);
    X509_CRL_free(crl);
    return ;
}