static LUA_FUNCTION(openssl_crl_new)
{
X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509");
time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate));
time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600));
long version = luaL_optint(L, 5, 1);
X509_CRL * crl = NULL;
ASN1_TIME *ltm, *ntm;
if (!lua_isnoneornil(L, 2))
luaL_checktype(L, 2, LUA_TTABLE);
crl = X509_CRL_new();
X509_CRL_set_version(crl, version);
if (x509)
X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509));
ltm = ASN1_TIME_new();
ntm = ASN1_TIME_new();
ASN1_TIME_set(ltm, lastUpdate);
ASN1_TIME_set(ntm, nextUpdate);
X509_CRL_set_lastUpdate(crl, ltm);
X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
if (lua_istable(L, 2) && lua_objlen(L, 2) > 0)
{
int i;
int n = lua_objlen(L, 2);
for (i = 1; i <= n; i++)
{
lua_rawgeti(L, 2, i);
if (lua_istable(L, -1))
{
X509_REVOKED *revoked;
lua_getfield(L, -1, "reason");
lua_getfield(L, -2, "time");
lua_getfield(L, -3, "sn");
revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3));
if (revoked)
{
X509_CRL_add0_revoked(crl, revoked);
}
lua_pop(L, 3);
}
lua_pop(L, 1);
}
}
PUSH_OBJECT(crl, "openssl.x509_crl");
return 1;
}
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
ASN1_TIME *asn1time;
GetX509CRL(self, crl);
asn1time = ossl_x509_time_adjust(NULL, time);
if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
ASN1_TIME_free(asn1time);
ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
}
ASN1_TIME_free(asn1time);
return time;
}
static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER(bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static int cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
{
ASN1_TIME *tt;
int r = 0;
if (t)
tt = t;
else
tt = X509_gmtime_adj(NULL, 0);
if (!tt)
goto merr;
if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
tt->type, tt, -1) <= 0)
goto merr;
r = 1;
merr:
if (!t)
ASN1_TIME_free(tt);
if (!r)
CMSerr(CMS_F_CMS_ADD1_SIGNINGTIME, ERR_R_MALLOC_FAILURE);
return r;
}
static ASN1_TIME *
ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec,
int mode)
{
int allocated = 0;
struct tm tm;
size_t len;
char * p;
if (gmtime_r(&t, &tm) == NULL)
return (NULL);
if (offset_day || offset_sec) {
if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec))
return (NULL);
}
switch (mode) {
case V_ASN1_UTCTIME:
p = utctime_string_from_tm(&tm);
break;
case V_ASN1_GENERALIZEDTIME:
p = gentime_string_from_tm(&tm);
break;
case RFC5280:
p = rfc5280_string_from_tm(&tm);
break;
default:
return (NULL);
}
if (p == NULL) {
ASN1error(ASN1_R_ILLEGAL_TIME_VALUE);
return (NULL);
}
if (s == NULL) {
if ((s = ASN1_TIME_new()) == NULL)
return (NULL);
allocated = 1;
}
len = strlen(p);
switch (len) {
case GENTIME_LENGTH:
s->type = V_ASN1_GENERALIZEDTIME;
break;
case UTCTIME_LENGTH:
s->type = V_ASN1_UTCTIME;
break;
default:
if (allocated)
ASN1_TIME_free(s);
free(p);
return (NULL);
}
free(s->data);
s->data = p;
s->length = len;
return (s);
}
static LUA_FUNCTION(openssl_crl_updateTime)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *ltm, *ntm;
ltm = X509_CRL_get_lastUpdate(crl);
ntm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, ltm);
PUSH_ASN1_TIME(L, ntm);
return 2;
}
else
{
ASN1_TIME *ltm, *ntm;
int ret = 0;
time_t last, next;
if (lua_gettop(L) == 2)
{
time(&last);
next = last + luaL_checkint(L, 2);
}
else
{
last = luaL_checkint(L, 2);
next = last + luaL_checkint(L, 3);
luaL_argcheck(L, next > last, 3, "value must after #2");
}
ltm = ASN1_TIME_new();
ASN1_TIME_set(ltm, last);
ntm = ASN1_TIME_new();
ASN1_TIME_set(ntm, next);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
openssl_pushresult(L, ret);
return 1;
}
}
int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
{
ASN1_TIME *in;
in = *ptm;
if (in != tm) {
in = ASN1_STRING_dup(tm);
if (in != NULL) {
ASN1_TIME_free(*ptm);
*ptm = in;
}
}
return (in != NULL);
}
static OCSP_BASICRESP *make_dummy_resp(void)
{
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
OCSP_BASICRESP *bs_out = NULL;
OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
|| !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
|| !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
|| !TEST_ptr(nextupd)
|| !TEST_ptr(cid)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
goto err;
bs_out = bs;
bs = NULL;
err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
return bs_out;
}
static int test_x509_cmp_time_current()
{
time_t now = time(NULL);
/* Pick a day earlier and later, relative to any system clock. */
ASN1_TIME *asn1_before = NULL, *asn1_after = NULL;
int cmp_result, failed = 0;
asn1_before = ASN1_TIME_adj(NULL, now, -1, 0);
asn1_after = ASN1_TIME_adj(NULL, now, 1, 0);
cmp_result = X509_cmp_time(asn1_before, NULL);
if (!TEST_int_eq(cmp_result, -1))
failed = 1;
cmp_result = X509_cmp_time(asn1_after, NULL);
if (!TEST_int_eq(cmp_result, 1))
failed = 1;
ASN1_TIME_free(asn1_before);
ASN1_TIME_free(asn1_after);
return failed == 0;
}
static LUA_FUNCTION(openssl_crl_set_updatetime)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
ASN1_TIME *ltm, *ntm;
int ret = 0;
time_t last, next;
time(&last);
last = luaL_optinteger(L, 2, (lua_Integer)last);
next = luaL_optinteger(L, 3, (lua_Integer)last + 7 * 24 * 3600);
ltm = ASN1_TIME_new();
ASN1_TIME_set(ltm, last);
ntm = ASN1_TIME_new();
ASN1_TIME_set(ntm, next);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
lua_pushboolean(L, ret);
return 1;
}
int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
{
ASN1_TIME *in;
if (x == NULL)
return (0);
in = x->revocationDate;
if (in != tm) {
in = ASN1_STRING_dup(tm);
if (in != NULL) {
ASN1_TIME_free(x->revocationDate);
x->revocationDate = in;
}
}
return (in != NULL);
}
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
if (x == NULL)
return (0);
in = x->cert_info.validity.notAfter;
if (in != tm) {
in = ASN1_STRING_dup(tm);
if (in != NULL) {
ASN1_TIME_free(x->cert_info.validity.notAfter);
x->cert_info.validity.notAfter = in;
}
}
return (in != NULL);
}
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
if (x == NULL)
return (0);
in = x->crl.nextUpdate;
if (in != tm) {
in = ASN1_STRING_dup(tm);
if (in != NULL) {
ASN1_TIME_free(x->crl.nextUpdate);
x->crl.nextUpdate = in;
}
}
return (in != NULL);
}
int
X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
{
ASN1_TIME *in;
if ((x == NULL) || (x->cert_info->validity == NULL))
return (0);
in = x->cert_info->validity->notBefore;
if (in != tm) {
in = ASN1_STRING_dup(tm);
if (in != NULL) {
ASN1_TIME_free(x->cert_info->validity->notBefore);
x->cert_info->validity->notBefore = in;
}
}
return (in != NULL);
}
static VALUE
decode_time(unsigned char* der, int length)
{
ASN1_TIME *time;
const unsigned char *p;
VALUE ret;
int status = 0;
p = der;
if(!(time = d2i_ASN1_TIME(NULL, &p, length)))
ossl_raise(eASN1Error, NULL);
ret = rb_protect((VALUE(*)_((VALUE)))asn1time_to_time,
(VALUE)time, &status);
ASN1_TIME_free(time);
if(status) rb_jump_tag(status);
return ret;
}
static LUA_FUNCTION(openssl_crl_nextUpdate)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *tm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, tm);
return 1;
}
else
{
int ret;
time_t time = luaL_checkint(L, 2);
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_TIME_set(tm, time);
ret = X509_CRL_set_nextUpdate(crl, tm);
ASN1_TIME_free(tm);
return openssl_pushresult(L, ret);
}
}
static VALUE
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,
VALUE reason, VALUE revtime,
VALUE thisupd, VALUE nextupd, VALUE ext)
{
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *single;
OCSP_CERTID *id;
int st, rsn;
ASN1_TIME *ths, *nxt, *rev;
int error, i, rstatus = 0;
VALUE tmp;
st = NUM2INT(status);
rsn = NIL_P(status) ? 0 : NUM2INT(reason);
if(!NIL_P(ext)) {
/* All ary's members should be X509Extension */
Check_Type(ext, T_ARRAY);
for (i = 0; i < RARRAY_LEN(ext); i++)
OSSL_Check_Kind(RARRAY_AT(ext, i), cX509Ext);
}
error = 0;
ths = nxt = rev = NULL;
if(!NIL_P(revtime)) {
tmp = rb_protect(rb_Integer, revtime, &rstatus);
if(rstatus) goto err;
rev = X509_gmtime_adj(NULL, NUM2INT(tmp));
}
tmp = rb_protect(rb_Integer, thisupd, &rstatus);
if(rstatus) goto err;
ths = X509_gmtime_adj(NULL, NUM2INT(tmp));
tmp = rb_protect(rb_Integer, nextupd, &rstatus);
if(rstatus) goto err;
nxt = X509_gmtime_adj(NULL, NUM2INT(tmp));
GetOCSPBasicRes(self, bs);
SafeGetOCSPCertId(cid, id);
if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))) {
error = 1;
goto err;
}
if(!NIL_P(ext)) {
X509_EXTENSION *x509ext;
sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free);
single->singleExtensions = NULL;
for(i = 0; i < RARRAY_LEN(ext); i++) {
x509ext = DupX509ExtPtr(RARRAY_AT(ext, i));
if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)) {
X509_EXTENSION_free(x509ext);
error = 1;
goto err;
}
X509_EXTENSION_free(x509ext);
}
}
err:
ASN1_TIME_free(ths);
ASN1_TIME_free(nxt);
ASN1_TIME_free(rev);
if(error) ossl_raise(eOCSPError, NULL);
if(rstatus) rb_jump_tag(rstatus);
return self;
}
int createEmptyCRL(char* pemSigningKey, char* pemCaCert, int crldays, int crlhours, char* result) {
int err = 0;
//convert to BIOs and then keys and x509 structures
BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1);
if (!bioCert) {
BIO_free(bioCert);
return ERR_peek_error();
}
BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);
if (!bioSigningKey) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL);
if (!caCert) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
X509_CRL* crl = X509_CRL_new();
X509_CRL_set_issuer_name(crl, X509_get_subject_name(caCert));
//set update times (probably not essential, but why not.
ASN1_TIME* tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm, long(0));
X509_CRL_set_lastUpdate(crl, tmptm);
X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
X509_CRL_set_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
X509_CRL_sort(crl);
//extensions would go here.
if (!(err = X509_CRL_sign(crl,caKey,EVP_sha1())))
{
BIO_free(bioCert);
BIO_free(bioSigningKey);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509_CRL(mem,crl);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(bioCert);
BIO_free(bioSigningKey);
BIO_free(mem);
return 0;
}
static int test_table(struct testdata *tbl, int idx)
{
int error = 0;
ASN1_TIME atime;
ASN1_TIME *ptime;
struct testdata *td = &tbl[idx];
int day, sec;
atime.data = (unsigned char*)td->data;
atime.length = strlen((char*)atime.data);
atime.type = td->type;
atime.flags = 0;
if (!TEST_int_eq(ASN1_TIME_check(&atime), td->check_result)) {
TEST_info("ASN1_TIME_check(%s) unexpected result", atime.data);
error = 1;
}
if (td->check_result == 0)
return 1;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, td->t), 0)) {
TEST_info("ASN1_TIME_cmp_time_t(%s vs %ld) compare failed", atime.data, (long)td->t);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, &atime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to self failed", atime.data);
error = 1;
}
if (!TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(%s) to self not equal", atime.data);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, >ime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to baseline failed", atime.data);
error = 1;
} else if (!((td->cmp_result == 0 && TEST_true((day == 0 && sec == 0))) ||
(td->cmp_result == -1 && TEST_true((day < 0 || sec < 0))) ||
(td->cmp_result == 1 && TEST_true((day > 0 || sec > 0))))) {
TEST_info("ASN1_TIME_diff(%s) to baseline bad comparison", atime.data);
error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) to baseline bad comparison", atime.data);
error = 1;
}
ptime = ASN1_TIME_set(NULL, td->t);
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_set(%ld) failed", (long)td->t);
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_set(%ld) compare failed (%s->%s)",
(long)td->t, td->data, ptime->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set(%ld) unexpected type", (long)td->t);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_normalize(ptime), td->check_result)) {
TEST_info("ASN1_TIME_normalize(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) unexpected type", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string_gmt() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string_gnt() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string_gmt() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string(%s) failed", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
if (td->type == V_ASN1_UTCTIME) {
ptime = ASN1_TIME_to_generalizedtime(&atime, NULL);
if (td->convert_result == 1 && !TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) failed", atime.data);
error = 1;
} else if (td->convert_result == 0 && !TEST_ptr_null(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) should have failed", atime.data);
error = 1;
}
if (ptime != NULL && !TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s->%s) bad result", atime.data, ptime->data);
error = 1;
}
ASN1_TIME_free(ptime);
}
/* else cannot simply convert GENERALIZEDTIME to UTCTIME */
if (error)
TEST_error("atime=%s", atime.data);
return !error;
}
CFMutableDictionaryRef SDMMD__CreatePairingMaterial(CFDataRef devicePubkey)
{
CFMutableDictionaryRef record = NULL;
RSA *rsaBIOData = NULL;
BIO *deviceBIO = SDMMD__create_bio_from_data(devicePubkey);
if (deviceBIO) {
PEM_read_bio_RSAPublicKey(deviceBIO, &rsaBIOData, NULL, NULL);
BIO_free(deviceBIO);
}
else {
printf("Could not decode device public key\\n");
}
RSA *rootKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
if (!rootKeyPair) {
printf("Could not allocate root key pair\n");
}
RSA *hostKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
if (!hostKeyPair) {
printf("Could not allocate host key pair\n");
}
sdmmd_return_t result = kAMDSuccess;
EVP_PKEY *rootEVP = EVP_PKEY_new();
if (!rootEVP) {
printf("Could not allocate root EVP key\\n");
}
else {
result = EVP_PKEY_assign(rootEVP, EVP_CTRL_RAND_KEY, PtrCast(rootKeyPair, char *));
if (!result) {
printf("Could not assign root key pair\n");
}
}
EVP_PKEY *hostEVP = EVP_PKEY_new();
if (!hostEVP) {
printf("Could not allocate host EVP key\\n");
}
else {
result = EVP_PKEY_assign(hostEVP, EVP_CTRL_RAND_KEY, PtrCast(hostKeyPair, char *));
if (!result) {
printf("Could not assign host key pair\n");
}
}
EVP_PKEY *deviceEVP = EVP_PKEY_new();
if (!deviceEVP) {
printf("Could not allocate device EVP key\\n");
}
else {
result = EVP_PKEY_assign(deviceEVP, EVP_CTRL_RAND_KEY, PtrCast(rsaBIOData, char *));
if (!result) {
printf("Could not assign device key pair\n");
}
}
X509 *rootX509 = X509_new();
if (!rootX509) {
printf("Could not create root X509\\n");
}
else {
X509_set_pubkey(rootX509, rootEVP);
X509_set_version(rootX509, 2);
ASN1_INTEGER *rootSerial = X509_get_serialNumber(rootX509);
ASN1_INTEGER_set(rootSerial, 0);
ASN1_TIME *rootAsn1time = ASN1_TIME_new();
ASN1_TIME_set(rootAsn1time, 0);
X509_set_notBefore(rootX509, rootAsn1time);
ASN1_TIME_set(rootAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(rootX509, rootAsn1time);
ASN1_TIME_free(rootAsn1time);
SDMMD__add_ext(rootX509, NID_basic_constraints, "critical,CA:TRUE");
SDMMD__add_ext(rootX509, NID_subject_key_identifier, "hash");
result = X509_sign(rootX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign root cert\\n");
}
}
X509 *hostX509 = X509_new();
if (!hostX509) {
printf("Could not create host X509\\n");
}
else {
X509_set_pubkey(hostX509, hostEVP);
X509_set_version(hostX509, 2);
ASN1_INTEGER *hostSerial = X509_get_serialNumber(hostX509);
ASN1_INTEGER_set(hostSerial, 0);
ASN1_TIME *hostAsn1time = ASN1_TIME_new();
ASN1_TIME_set(hostAsn1time, 0);
X509_set_notBefore(hostX509, hostAsn1time);
ASN1_TIME_set(hostAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(hostX509, hostAsn1time);
ASN1_TIME_free(hostAsn1time);
SDMMD__add_ext(hostX509, NID_basic_constraints, "critical,CA:FALSE");
SDMMD__add_ext(hostX509, NID_subject_key_identifier, "hash");
SDMMD__add_ext(hostX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");
result = X509_sign(hostX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign host cert\\n");
}
}
X509 *deviceX509 = X509_new();
if (!deviceX509) {
printf("Could not create device X509\\n");
}
else {
X509_set_pubkey(deviceX509, deviceEVP);
X509_set_version(deviceX509, 2);
ASN1_INTEGER *deviceSerial = X509_get_serialNumber(deviceX509);
ASN1_INTEGER_set(deviceSerial, 0);
ASN1_TIME *deviceAsn1time = ASN1_TIME_new();
ASN1_TIME_set(deviceAsn1time, 0);
X509_set_notBefore(deviceX509, deviceAsn1time);
ASN1_TIME_set(deviceAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(deviceX509, deviceAsn1time);
ASN1_TIME_free(deviceAsn1time);
SDMMD__add_ext(deviceX509, NID_basic_constraints, "critical,CA:FALSE");
SDMMD__add_ext(deviceX509, NID_subject_key_identifier, "hash");
SDMMD__add_ext(deviceX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");
result = X509_sign(deviceX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign device cert\\n");
}
}
CFDataRef rootCert = SDMMD_CreateDataFromX509Certificate(rootX509);
CFDataRef hostCert = SDMMD_CreateDataFromX509Certificate(hostX509);
CFDataRef deviceCert = SDMMD_CreateDataFromX509Certificate(deviceX509);
CFDataRef rootPrivKey = SDMMD_CreateDataFromPrivateKey(rootEVP);
CFDataRef hostPrivKey = SDMMD_CreateDataFromPrivateKey(hostEVP);
CFStringRef hostId = SDMMD_CreateUUID();
record = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (record) {
CFDictionarySetValue(record, CFSTR("RootCertificate"), rootCert);
CFDictionarySetValue(record, CFSTR("HostCertificate"), hostCert);
CFDictionarySetValue(record, CFSTR("DeviceCertificate"), deviceCert);
CFDictionarySetValue(record, CFSTR("RootPrivateKey"), rootPrivKey);
CFDictionarySetValue(record, CFSTR("HostPrivateKey"), hostPrivKey);
CFDictionarySetValue(record, CFSTR("HostID"), hostId);
}
CFSafeRelease(rootCert);
CFSafeRelease(hostCert);
CFSafeRelease(deviceCert);
CFSafeRelease(rootPrivKey);
CFSafeRelease(hostPrivKey);
CFSafeRelease(hostId);
Safe(EVP_PKEY_free, rootEVP);
Safe(EVP_PKEY_free, hostEVP);
Safe(EVP_PKEY_free, deviceEVP);
Safe(X509_free, rootX509);
Safe(X509_free, hostX509);
Safe(X509_free, deviceX509);
return record;
}
int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {
if(!a) return(-1);
if( conf->debug )
PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");
PKI_RWLOCK_write_lock ( &conf->crl_lock );
// pthread_rwlock_wrlock( &crl_lock );
if( conf->debug )
PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");
if( a->crl ) PKI_X509_CRL_free ( a->crl );
a->crl = NULL;
a->crl_list = NULL;
if( a->crl_url == NULL ) {
PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );
return(-1);
}
/* We now re-load the CRL */
if( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {
PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]",
a->crl_url->addr, a->ca_id);
PKI_RWLOCK_release_write ( &conf->crl_lock );
return(-1);
}
if( conf->verbose )
PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]",
a->ca_id );
/* Let's get the CRLs entries, if any */
if( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) {
if( conf->verbose )
PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]",
a->ca_id );
};
if(conf->verbose)
PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]",
a->ca_id );
/* If previous values are there, then we clear them up */
if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);
if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);
/* Get new values from the recently loaded CRL */
a->lastUpdate = M_ASN1_TIME_dup (
PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
a->nextUpdate = M_ASN1_TIME_dup (
PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));
if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
PKI_RWLOCK_release_write ( &conf->crl_lock );
// pthread_rwlock_unlock ( &crl_lock );
if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");
/* Now check the CRL validity */
a->crl_status = check_crl_validity( a, conf );
if( a->crl_status == CRL_OK ) {
PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);
}
return(0);
}
X509_REVOKED *openssl_X509_REVOKED(lua_State*L, int snidx, int timeidx, int reasonidx) {
X509_REVOKED *revoked = X509_REVOKED_new();
const char* serial = luaL_checkstring(L, snidx);
BIGNUM * bn = NULL;
ASN1_TIME *tm = NULL;
int reason = 0;
ASN1_INTEGER *it = NULL;
if(!BN_hex2bn(&bn, serial))
{
goto end;
};
if(lua_isnumber(L,timeidx) || lua_isnoneornil(L, timeidx))
{
time_t t;
time(&t);
t = luaL_optinteger(L, 3, (lua_Integer)t);
tm = ASN1_TIME_new();
ASN1_TIME_set(tm,t);
} else if(lua_isstring(L, timeidx))
{
} else {
goto end;
}
if(lua_isnumber(L, reasonidx) || lua_isnoneornil(L, reasonidx))
{
reason = luaL_optinteger(L, reasonidx, 0);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else if(lua_isstring(L, reasonidx))
{
const char* s = lua_tostring(L, reasonidx);
reason = openssl_get_revoke_reason(s);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else
{
goto end;
};
it = BN_to_ASN1_INTEGER(bn,NULL);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
/*
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_EXTENSION_set_data(ext,e);
if(!revoked->extensions)
revoked->extensions = sk_X509_EXTENSION_new_null();
X509_REVOKED_add_ext()
sk_X509_REVOKED_push(revoked->extensions,ext);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
*/
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return revoked;
end:
X509_REVOKED_free(revoked);
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return NULL;
}
static int openssl_ocsp_response(lua_State *L)
{
OCSP_RESPONSE *res = NULL;
if (lua_isstring(L, 1))
{
BIO* bio = load_bio_object(L, 1);
res = d2i_OCSP_RESPONSE_bio(bio, NULL);
/*
BIO_reset(bio);
if (!res)
{
res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
}
*/
BIO_free(bio);
}
else
{
ASN1_TIME* thispnd, *nextpnd;
OCSP_CERTID *ca_id, *cid;
OCSP_BASICRESP *bs;
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
unsigned long flag = luaL_optint(L, 6, 0);
int nmin = luaL_optint(L, 7, 0);
int nday = luaL_optint(L, 8, 1);
STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
int i, id_count, type;
BIO* bio = NULL;
type = lua_type(L, 5);
if (type != LUA_TFUNCTION && type != LUA_TTABLE)
{
luaL_error(L, "#5 must be a table or function that to get status of certificate");
}
bio = BIO_new(BIO_s_mem());
ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
bs = OCSP_BASICRESP_new();
thispnd = X509_gmtime_adj(NULL, 0);
nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
id_count = OCSP_request_onereq_count(req);
for (i = 0; i < id_count; i++)
{
OCSP_ONEREQ *one;
ASN1_INTEGER *serial;
ASN1_OBJECT* inst = NULL;
ASN1_TIME* revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single = NULL;
int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;
one = OCSP_request_onereq_get0(req, i);
cid = OCSP_onereq_get0_id(one);
if (OCSP_id_issuer_cmp(ca_id, cid))
{
OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thispnd, nextpnd);
continue;
}
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
if (lua_istable(L, 5))
{
BUF_MEM *buf;
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial);
BIO_get_mem_ptr(bio, &buf);
lua_pushlstring(L, buf->data, buf->length);
lua_gettable(L, 5);
if (lua_isnil(L, -1))
status = V_OCSP_CERTSTATUS_UNKNOWN;
else
{
luaL_checktype(L, -1, LUA_TTABLE);
lua_getfield(L, -1, "revoked");
if (lua_toboolean(L, -1))
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_REVOKED;
lua_getfield(L, -1, "revoked_time");
if (!lua_isnil(L, -1))
{
revtm = ASN1_TIME_new();
ASN1_TIME_set(revtm, luaL_checkint(L, -1));
}
lua_pop(L, 1);
lua_getfield(L, -1, "reason");
if (lua_isstring(L, -1))
reason = openssl_get_revoke_reason(lua_tostring(L, -1));
else
reason = luaL_checkint(L, -1);
lua_pop(L, 1);
}
else
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_GOOD;
}
}
}
else
{
}
if (reason == 7)
reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
else if (reason == 8)
{
reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
//inst = OBJ_txt2obj(str, 0);
}
else if (reason == 9 || reason == 10)
{
if ( reason == 9 )
reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
else if (reason == 10)
reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
/*
invtm = ASN1_GENERALIZEDTIME_new();
if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
*/
}
single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
if (invtm)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
ASN1_TIME_free(revtm);
}
if (inst)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
}
if (invtm)
ASN1_GENERALIZEDTIME_free(invtm);
}
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);
res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
BIO_free(bio);
}
if(res) {
PUSH_OBJECT(res, "openssl.ocsp_response");
}else
lua_pushnil(L);
return 1;
}
DWORD
VMCACreateRevokedFromCert_Reason(
ASN1_INTEGER *asnSerial,
DWORD dwRevokedDate,
VMCA_CRL_REASON certRevokeReason,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);
dwError = X509_REVOKED_set_serialNumber(pTempRev,
asnSerial);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
ASN1_ENUMERATED_set(pCode, certRevokeReason);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
DWORD
VMCACreateRevokedFromCert(
X509 *pCert,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, time(NULL));
dwError = X509_REVOKED_set_serialNumber(pTempRev,
X509_get_serialNumber(pCert));
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
//TODO : Fix the UNSPECIFIED to real valid reason
// which users can pass in.
ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
DWORD
VMCAUpdateTimeStamps(
X509_CRL *pCrl,
time_t tmLastUpdate,
time_t tmNextUpdate,
DWORD nCrlNum
)
{
ASN1_TIME *pAsnLastUpdate = NULL;
ASN1_TIME *pAsnNextUpdate = NULL;
DWORD dwError = 0;
ASN1_INTEGER *pSerial = NULL;
if(pCrl == NULL) {
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
pAsnLastUpdate = ASN1_TIME_new();
if(pAsnLastUpdate == NULL){
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pAsnNextUpdate = ASN1_TIME_new();
if(pAsnNextUpdate == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pAsnLastUpdate, tmLastUpdate);
ASN1_TIME_set(pAsnNextUpdate, tmNextUpdate);
dwError = X509_CRL_set_lastUpdate(pCrl, pAsnLastUpdate);
BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_START_TIME);
dwError = X509_CRL_set_nextUpdate(pCrl, pAsnNextUpdate);
BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_END_TIME);
pSerial = ASN1_INTEGER_new();
if (pSerial == NULL){
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_INTEGER_set(pSerial, nCrlNum);
X509_CRL_add1_ext_i2d(pCrl, NID_crl_number, pSerial,0,0);
error:
if ( pAsnLastUpdate != NULL) {
ASN1_TIME_free(pAsnLastUpdate);
}
if( pAsnNextUpdate != NULL) {
ASN1_TIME_free(pAsnNextUpdate);
}
if(pSerial != NULL) {
ASN1_INTEGER_free(pSerial);
}
return dwError;
}
static LUA_FUNCTION(openssl_crl_new)
{
int i;
int n = lua_gettop(L);
X509_CRL * crl = X509_CRL_new();
int ret = X509_CRL_set_version(crl, 0);
X509* cacert = NULL;
EVP_PKEY* capkey = NULL;
const EVP_MD* md = NULL;
int step;
for (i = 1; ret == 1 && i <= n; i++)
{
if (i == 1)
{
luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}");
if (lua_rawlen(L, i) > 0)
{
int j, m;
m = lua_rawlen(L, i);
for (j = 1; ret == 1 && j <= m; j++)
{
X509_REVOKED *revoked;
BIGNUM* sn;
lua_rawgeti(L, i, j);
luaL_checktable(L, -1);
lua_getfield(L, -1, "reason");
lua_getfield(L, -2, "time");
lua_getfield(L, -3, "sn");
sn = BN_get(L, -1);
revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3));
if (revoked)
{
ret = X509_CRL_add0_revoked(crl, revoked);
}
BN_free(sn);
lua_pop(L, 3);
lua_pop(L, 1);
};
}
};
if (i == 2)
{
cacert = CHECK_OBJECT(2, X509, "openssl.x509");
ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert));
}
if (i == 3)
{
capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key");
luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2");
}
}
md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4);
step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5);
if (ret == 1)
{
time_t lastUpdate;
time_t nextUpdate;
ASN1_TIME *ltm, *ntm;
time(&lastUpdate);
nextUpdate = lastUpdate + step;
ltm = ASN1_TIME_new();
ntm = ASN1_TIME_new();
ASN1_TIME_set(ltm, lastUpdate);
ASN1_TIME_set(ntm, nextUpdate);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
}
if (cacert && capkey && md)
{
ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey));
}
if (ret == 1)
{
PUSH_OBJECT(crl, "openssl.x509_crl");
}
else
{
X509_CRL_free(crl);
return openssl_pushresult(L, ret);
};
return 1;
}
/*
* Revoke one certificate at a time
* No check performed to see if certificate already revoked.
*/
void revoke_cert(char * ca_name, char * name)
{
char filename[FIELD_SZ+5];
FILE * f ;
X509_CRL * crl ;
X509 * cert ;
ASN1_INTEGER * r_serial ;
ASN1_INTEGER * crlnum ;
X509_REVOKED * rev ;
ASN1_TIME * tm ;
identity ca ;
BIO * out ;
BIGNUM * b_crlnum ;
/* Find requested certificate by name */
sprintf(filename, "%s.crt", name);
if ((f=fopen(filename, "r"))==NULL) {
fprintf(stderr, "Cannot find: %s\n", filename);
return ;
}
cert = PEM_read_X509(f, NULL, NULL, NULL);
fclose(f);
/* Get certificate serial number */
r_serial = X509_get_serialNumber(cert);
/* Find out if if was already revoked */
/* Make a revoked object with that serial */
rev = X509_REVOKED_new();
X509_REVOKED_set_serialNumber(rev, r_serial);
X509_free(cert);
/* Set reason to unspecified */
rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED);
/* Load or create new CRL */
if ((crl = load_crl(ca_name))==NULL) {
crl = X509_CRL_new();
X509_CRL_set_version(crl, 1);
/* Set CRL number */
crlnum = ASN1_INTEGER_new();
ASN1_INTEGER_set(crlnum, 1);
X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0);
ASN1_INTEGER_free(crlnum);
} else {
crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0);
b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL);
BN_add_word(b_crlnum, 1);
BN_to_ASN1_INTEGER(b_crlnum, crlnum);
BN_free(b_crlnum);
X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING);
ASN1_INTEGER_free(crlnum);
}
/* What time is it? */
tm = ASN1_TIME_new();
X509_gmtime_adj(tm, 0);
X509_REVOKED_set_revocationDate(rev, tm);
X509_CRL_set_lastUpdate(crl, tm);
/* Set CRL next update to a year from now */
X509_gmtime_adj(tm, 365*24*60*60);
X509_CRL_set_nextUpdate(crl, tm);
ASN1_TIME_free(tm);
/* Add revoked to CRL */
X509_CRL_add0_revoked(crl, rev);
X509_CRL_sort(crl);
/* Load root key to sign CRL */
if (load_ca(ca_name, &ca)!=0) {
fprintf(stderr, "Cannot find CA key/crt\n");
return ;
}
X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert));
X509_free(ca.cert);
/* Sign CRL */
X509_CRL_sign(crl, ca.key, EVP_sha256());
EVP_PKEY_free(ca.key);
/* Dump CRL */
sprintf(filename, "%s.crl", ca_name);
if ((f = fopen(filename, "wb"))==NULL) {
fprintf(stderr, "Cannot write %s: aborting\n", filename);
X509_CRL_free(crl);
return ;
}
out = BIO_new(BIO_s_file());
BIO_set_fp(out, f, BIO_NOCLOSE);
PEM_write_bio_X509_CRL(out, crl);
BIO_free_all(out);
fclose(f);
X509_CRL_free(crl);
return ;
}
