Beispiel #1
0
static LUA_FUNCTION(openssl_crl_new)
{
  X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509");
  time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate));
  time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600));
  long version = luaL_optint(L, 5, 1);

  X509_CRL * crl = NULL;
  ASN1_TIME *ltm, *ntm;

  if (!lua_isnoneornil(L, 2))
    luaL_checktype(L, 2, LUA_TTABLE);

  crl = X509_CRL_new();
  X509_CRL_set_version(crl, version);
  if (x509)
    X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509));

  ltm = ASN1_TIME_new();
  ntm = ASN1_TIME_new();
  ASN1_TIME_set(ltm, lastUpdate);
  ASN1_TIME_set(ntm, nextUpdate);
  X509_CRL_set_lastUpdate(crl, ltm);
  X509_CRL_set_nextUpdate(crl, ntm);
  ASN1_TIME_free(ltm);
  ASN1_TIME_free(ntm);


  if (lua_istable(L, 2) && lua_objlen(L, 2) > 0)
  {
    int i;
    int n = lua_objlen(L, 2);

    for (i = 1; i <= n; i++)
    {
      lua_rawgeti(L, 2, i);
      if (lua_istable(L, -1))
      {
        X509_REVOKED *revoked;

        lua_getfield(L, -1, "reason");
        lua_getfield(L, -2, "time");
        lua_getfield(L, -3, "sn");

        revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3));
        if (revoked)
        {
          X509_CRL_add0_revoked(crl, revoked);
        }
        lua_pop(L, 3);
      }
      lua_pop(L, 1);
    }
  }

  PUSH_OBJECT(crl, "openssl.x509_crl");
  return 1;
}
Beispiel #2
0
static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason)
{
  X509_REVOKED *revoked = X509_REVOKED_new();
  ASN1_TIME *tm = ASN1_TIME_new();
  ASN1_INTEGER *it =  BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;

  ASN1_TIME_set(tm, t);

  X509_REVOKED_set_revocationDate(revoked, tm);
  X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
  revoked->reason = reason;
#else
  {
    ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
    X509_EXTENSION * ext = X509_EXTENSION_new();

    ASN1_ENUMERATED_set(e, reason);

    X509_EXTENSION_set_data(ext, e);
    X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
    X509_REVOKED_add_ext(revoked, ext, 0);

    X509_EXTENSION_free(ext);
    ASN1_ENUMERATED_free(e);
  }
#endif
  ASN1_TIME_free(tm);
  ASN1_INTEGER_free(it);

  return revoked;
}
Beispiel #3
0
static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason)
{
  X509_REVOKED *revoked = X509_REVOKED_new();
  ASN1_TIME *tm = ASN1_TIME_new();
  ASN1_INTEGER *it =  BN_to_ASN1_INTEGER(bn, NULL);;

  ASN1_TIME_set(tm, t);

  X509_REVOKED_set_revocationDate(revoked, tm);
  X509_REVOKED_set_serialNumber(revoked, it);

  {
    ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
    X509_EXTENSION * ext = X509_EXTENSION_new();

    ASN1_ENUMERATED_set(e, reason);

    X509_EXTENSION_set_data(ext, e);
    X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
    X509_REVOKED_add_ext(revoked, ext, 0);

    X509_EXTENSION_free(ext);
    ASN1_ENUMERATED_free(e);
  }

  ASN1_TIME_free(tm);
  ASN1_INTEGER_free(it);

  return revoked;
}
Beispiel #4
0
static LUA_FUNCTION(openssl_crl_updateTime)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  if (lua_isnone(L, 2))
  {
    ASN1_TIME *ltm, *ntm;
    ltm = X509_CRL_get_lastUpdate(crl);
    ntm = X509_CRL_get_nextUpdate(crl);
    PUSH_ASN1_TIME(L, ltm);
    PUSH_ASN1_TIME(L, ntm);
    return 2;
  }
  else
  {
    ASN1_TIME *ltm, *ntm;
    int ret = 0;

    time_t last, next;

    if (lua_gettop(L) == 2)
    {
      time(&last);
      next = last + luaL_checkint(L, 2);
    }
    else
    {
      last = luaL_checkint(L, 2);
      next = last + luaL_checkint(L, 3);
      luaL_argcheck(L, next > last, 3, "value must after #2");
    }

    ltm = ASN1_TIME_new();
    ASN1_TIME_set(ltm, last);
    ntm = ASN1_TIME_new();
    ASN1_TIME_set(ntm, next);
    ret = X509_CRL_set_lastUpdate(crl, ltm);
    if (ret == 1)
      ret = X509_CRL_set_nextUpdate(crl, ntm);
    ASN1_TIME_free(ltm);
    ASN1_TIME_free(ntm);
    openssl_pushresult(L, ret);
    return 1;
  }
}
Beispiel #5
0
static OCSP_BASICRESP *make_dummy_resp(void)
{
    const unsigned char namestr[] = "openssl.example.com";
    unsigned char keybytes[128] = {7};
    OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
    OCSP_BASICRESP *bs_out = NULL;
    OCSP_CERTID *cid = NULL;
    ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
    ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
    X509_NAME *name = X509_NAME_new();
    ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();

    if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
                                   namestr, -1, -1, 1)
        || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
        || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
        goto err;
    cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
    if (!TEST_ptr(bs)
        || !TEST_ptr(thisupd)
        || !TEST_ptr(nextupd)
        || !TEST_ptr(cid)
        || !TEST_true(OCSP_basic_add1_status(bs, cid,
                                             V_OCSP_CERTSTATUS_UNKNOWN,
                                             0, NULL, thisupd, nextupd)))
        goto err;
    bs_out = bs;
    bs = NULL;
 err:
    ASN1_TIME_free(thisupd);
    ASN1_TIME_free(nextupd);
    ASN1_BIT_STRING_free(key);
    ASN1_INTEGER_free(serial);
    OCSP_CERTID_free(cid);
    OCSP_BASICRESP_free(bs);
    X509_NAME_free(name);
    return bs_out;
}
Beispiel #6
0
static LUA_FUNCTION(openssl_crl_set_updatetime)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  ASN1_TIME *ltm, *ntm;
  int ret = 0;

  time_t last, next;
  time(&last);
  last = luaL_optinteger(L, 2, (lua_Integer)last);
  next = luaL_optinteger(L, 3, (lua_Integer)last + 7 * 24 * 3600);

  ltm = ASN1_TIME_new();
  ASN1_TIME_set(ltm, last);
  ntm = ASN1_TIME_new();
  ASN1_TIME_set(ntm, next);

  ret = X509_CRL_set_lastUpdate(crl, ltm);
  if (ret == 1)
    ret = X509_CRL_set_nextUpdate(crl, ntm);
  ASN1_TIME_free(ltm);
  ASN1_TIME_free(ntm);
  lua_pushboolean(L, ret);
  return 1;
}
Beispiel #7
0
static LUA_FUNCTION(openssl_crl_nextUpdate)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  if (lua_isnone(L, 2))
  {
    ASN1_TIME *tm = X509_CRL_get_nextUpdate(crl);
    PUSH_ASN1_TIME(L, tm);
    return 1;
  }
  else
  {
    int ret;
    time_t time = luaL_checkint(L, 2);
    ASN1_TIME *tm = ASN1_TIME_new();
    ASN1_TIME_set(tm, time);

    ret = X509_CRL_set_nextUpdate(crl, tm);
    ASN1_TIME_free(tm);
    return openssl_pushresult(L, ret);
  }
}
Beispiel #8
0
static int test_table(struct testdata *tbl, int idx)
{
    int error = 0;
    ASN1_TIME atime;
    ASN1_TIME *ptime;
    struct testdata *td = &tbl[idx];
    int day, sec;

    atime.data = (unsigned char*)td->data;
    atime.length = strlen((char*)atime.data);
    atime.type = td->type;
    atime.flags = 0;

    if (!TEST_int_eq(ASN1_TIME_check(&atime), td->check_result)) {
        TEST_info("ASN1_TIME_check(%s) unexpected result", atime.data);
        error = 1;
    }
    if (td->check_result == 0)
        return 1;

    if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, td->t), 0)) {
        TEST_info("ASN1_TIME_cmp_time_t(%s vs %ld) compare failed", atime.data, (long)td->t);
        error = 1;
    }

    if (!TEST_true(ASN1_TIME_diff(&day, &sec, &atime, &atime))) {
        TEST_info("ASN1_TIME_diff(%s) to self failed", atime.data);
        error = 1;
    }
    if (!TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
        TEST_info("ASN1_TIME_diff(%s) to self not equal", atime.data);
        error = 1;
    }

    if (!TEST_true(ASN1_TIME_diff(&day, &sec, &gtime, &atime))) {
        TEST_info("ASN1_TIME_diff(%s) to baseline failed", atime.data);
        error = 1;
    } else if (!((td->cmp_result == 0 && TEST_true((day == 0 && sec == 0))) ||
                 (td->cmp_result == -1 && TEST_true((day < 0 || sec < 0))) ||
                 (td->cmp_result == 1 && TEST_true((day > 0 || sec > 0))))) {
        TEST_info("ASN1_TIME_diff(%s) to baseline bad comparison", atime.data);
        error = 1;
    }

    if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, gtime_t), td->cmp_result)) {
        TEST_info("ASN1_TIME_cmp_time_t(%s) to baseline bad comparison", atime.data);
        error = 1;
    }

    ptime = ASN1_TIME_set(NULL, td->t);
    if (!TEST_ptr(ptime)) {
        TEST_info("ASN1_TIME_set(%ld) failed", (long)td->t);
        error = 1;
    } else {
        int local_error = 0;
        if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
            TEST_info("ASN1_TIME_set(%ld) compare failed (%s->%s)",
                    (long)td->t, td->data, ptime->data);
            local_error = error = 1;
        }
        if (!TEST_int_eq(ptime->type, td->expected_type)) {
            TEST_info("ASN1_TIME_set(%ld) unexpected type", (long)td->t);
            local_error = error = 1;
        }
        if (local_error)
            TEST_info("ASN1_TIME_set() = %*s", ptime->length, ptime->data);
        ASN1_TIME_free(ptime);
    }

    ptime = ASN1_TIME_new();
    if (!TEST_ptr(ptime)) {
        TEST_info("ASN1_TIME_new() failed");
        error = 1;
    } else {
        int local_error = 0;
        if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
            TEST_info("ASN1_TIME_set_string_gmt(%s) failed", td->data);
            local_error = error = 1;
        }
        if (!TEST_int_eq(ASN1_TIME_normalize(ptime), td->check_result)) {
            TEST_info("ASN1_TIME_normalize(%s) failed", td->data);
            local_error = error = 1;
        }
        if (!TEST_int_eq(ptime->type, td->expected_type)) {
            TEST_info("ASN1_TIME_set_string_gmt(%s) unexpected type", td->data);
            local_error = error = 1;
        }
        day = sec = 0;
        if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
            TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string_gmt() failed", day, sec, td->data);
            local_error = error = 1;
        }
        if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
            TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string_gnt() to baseline bad comparison", td->data);
            local_error = error = 1;
        }
        if (local_error)
            TEST_info("ASN1_TIME_set_string_gmt() = %*s", ptime->length, ptime->data);
        ASN1_TIME_free(ptime);
    }

    ptime = ASN1_TIME_new();
    if (!TEST_ptr(ptime)) {
        TEST_info("ASN1_TIME_new() failed");
        error = 1;
    } else {
        int local_error = 0;
        if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
            TEST_info("ASN1_TIME_set_string(%s) failed", td->data);
            local_error = error = 1;
        }
        day = sec = 0;
        if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
            TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string() failed", day, sec, td->data);
            local_error = error = 1;
        }
        if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
            TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string() to baseline bad comparison", td->data);
            local_error = error = 1;
        }
        if (local_error)
            TEST_info("ASN1_TIME_set_string() = %*s", ptime->length, ptime->data);
        ASN1_TIME_free(ptime);
    }

    if (td->type == V_ASN1_UTCTIME) {
        ptime = ASN1_TIME_to_generalizedtime(&atime, NULL);
        if (td->convert_result == 1 && !TEST_ptr(ptime)) {
            TEST_info("ASN1_TIME_to_generalizedtime(%s) failed", atime.data);
            error = 1;
        } else if (td->convert_result == 0 && !TEST_ptr_null(ptime)) {
            TEST_info("ASN1_TIME_to_generalizedtime(%s) should have failed", atime.data);
            error = 1;
        }
        if (ptime != NULL && !TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
            TEST_info("ASN1_TIME_to_generalizedtime(%s->%s) bad result", atime.data, ptime->data);
            error = 1;
        }
        ASN1_TIME_free(ptime);
    }
    /* else cannot simply convert GENERALIZEDTIME to UTCTIME */

    if (error)
        TEST_error("atime=%s", atime.data);

    return !error;
}
Beispiel #9
0
void openssl_x509_crl()
{
	RSA *r;
	BIO *bp;
	int len;
	FILE *fp;
	BIGNUM *bne;
	X509_CRL *crl;
	EVP_PKEY *pkey;
	X509_NAME *issuer;
	ASN1_INTEGER *serial;
	X509_REVOKED *revoked;
	ASN1_TIME *lastUpdate, *nextUpdate, *rvTime;
	unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert";

	printf("\nX509_CRL info:\n");
	bne = BN_new();
	BN_set_word(bne, RSA_3);
	r = RSA_new();
	RSA_generate_key_ex(r, MAX1_LEN, bne, NULL);
	pkey = EVP_PKEY_new();
	EVP_PKEY_assign_RSA(pkey, r);

	crl = X509_CRL_new();
	X509_CRL_set_version(crl, 3);

	issuer = X509_NAME_new();
	X509_NAME_add_entry_by_NID(issuer, NID_commonName,
								V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0);
	X509_CRL_set_issuer_name(crl, issuer);

	lastUpdate = ASN1_TIME_new();
	ASN1_TIME_set(lastUpdate, time(NULL));
	X509_CRL_set_lastUpdate(crl, lastUpdate);

	nextUpdate = ASN1_TIME_new();
	ASN1_TIME_set(nextUpdate, time(NULL) + 1280);
	X509_CRL_set_nextUpdate(crl, nextUpdate);

	revoked = X509_REVOKED_new();
	serial = ASN1_INTEGER_new();
	ASN1_INTEGER_set(serial, 1280);
	X509_REVOKED_set_serialNumber(revoked, serial);

	rvTime = ASN1_TIME_new();
	ASN1_TIME_set(rvTime, time(NULL) + 2000);
	X509_CRL_set_nextUpdate(crl, rvTime);
	X509_REVOKED_set_revocationDate(revoked, rvTime);

	X509_CRL_add0_revoked(crl, revoked);
	X509_CRL_sort(crl);
	X509_CRL_sign(crl, pkey, EVP_md5());

	bp = BIO_new(BIO_s_file());
	BIO_set_fp(bp, stdout, BIO_NOCLOSE);
	X509_CRL_print(bp, crl);
	len = i2d_X509_CRL(crl, NULL);
	buf = (unsigned char *)malloc(len + 10);
	p = buf;
	len = i2d_X509_CRL(crl, &p);
	fp = fopen("/tmp/crl.crl", "wb");
	fwrite(buf, 1, len, fp);
	fclose(fp);

	free(buf);
	BIO_free(bp);
	X509_CRL_free(crl);
}
Beispiel #10
0
static LUA_FUNCTION(openssl_crl_new)
{
  int i;
  int n = lua_gettop(L);
  X509_CRL * crl = X509_CRL_new();
  int ret = X509_CRL_set_version(crl, 0);
  X509* cacert = NULL;
  EVP_PKEY* capkey = NULL;
  const EVP_MD* md = NULL;
  int step;

  for (i = 1; ret == 1 && i <= n; i++)
  {
    if (i == 1)
    {
      luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}");
      if (lua_rawlen(L, i) > 0)
      {
        int j, m;
        m = lua_rawlen(L, i);

        for (j = 1; ret == 1 && j <= m; j++)
        {
          X509_REVOKED *revoked;
          BIGNUM* sn;
          lua_rawgeti(L, i, j);
          luaL_checktable(L, -1);

          lua_getfield(L, -1, "reason");
          lua_getfield(L, -2, "time");
          lua_getfield(L, -3, "sn");
          sn = BN_get(L, -1);
          revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3));
          if (revoked)
          {
            ret = X509_CRL_add0_revoked(crl, revoked);
          }
          BN_free(sn);
          lua_pop(L, 3);
          lua_pop(L, 1);
        };
      }
    };
    if (i == 2)
    {
      cacert = CHECK_OBJECT(2, X509, "openssl.x509");
      ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert));
    }
    if (i == 3)
    {
      capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
      luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key");
      luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2");
    }
  }
  md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4);
  step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5);

  if (ret == 1)
  {
    time_t lastUpdate;
    time_t nextUpdate;
    ASN1_TIME *ltm, *ntm;

    time(&lastUpdate);
    nextUpdate = lastUpdate + step;

    ltm = ASN1_TIME_new();
    ntm = ASN1_TIME_new();
    ASN1_TIME_set(ltm, lastUpdate);
    ASN1_TIME_set(ntm, nextUpdate);
    ret = X509_CRL_set_lastUpdate(crl, ltm);
    if (ret == 1)
      ret = X509_CRL_set_nextUpdate(crl, ntm);
    ASN1_TIME_free(ltm);
    ASN1_TIME_free(ntm);
  }
  if (cacert && capkey && md)
  {
    ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey));
  }
  if (ret == 1)
  {
    PUSH_OBJECT(crl, "openssl.x509_crl");
  }
  else
  {
    X509_CRL_free(crl);
    return openssl_pushresult(L, ret);
  };

  return 1;
}
Beispiel #11
0
DWORD
VMCAUpdateTimeStamps(
    X509_CRL *pCrl,
    time_t tmLastUpdate,
    time_t tmNextUpdate,
    DWORD nCrlNum
)
{
    ASN1_TIME *pAsnLastUpdate = NULL;
    ASN1_TIME *pAsnNextUpdate = NULL;
    DWORD dwError = 0;
    ASN1_INTEGER *pSerial = NULL;

    if(pCrl == NULL) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_ERROR(dwError);
    }

    pAsnLastUpdate = ASN1_TIME_new();
    if(pAsnLastUpdate == NULL){
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pAsnNextUpdate  = ASN1_TIME_new();
    if(pAsnNextUpdate == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    ASN1_TIME_set(pAsnLastUpdate, tmLastUpdate);
    ASN1_TIME_set(pAsnNextUpdate, tmNextUpdate);

    dwError = X509_CRL_set_lastUpdate(pCrl, pAsnLastUpdate);
    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_START_TIME);

    dwError = X509_CRL_set_nextUpdate(pCrl, pAsnNextUpdate);
    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_END_TIME);
    pSerial = ASN1_INTEGER_new();
    if (pSerial == NULL){
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }
    ASN1_INTEGER_set(pSerial, nCrlNum);

    X509_CRL_add1_ext_i2d(pCrl, NID_crl_number, pSerial,0,0);

error:
    if ( pAsnLastUpdate != NULL) {
        ASN1_TIME_free(pAsnLastUpdate);
    }

    if( pAsnNextUpdate != NULL) {
        ASN1_TIME_free(pAsnNextUpdate);
    }

    if(pSerial != NULL) {
        ASN1_INTEGER_free(pSerial);
    }
    return dwError;
}
Beispiel #12
0
DWORD
VMCACreateRevokedFromCert(
    X509 *pCert,
    X509_REVOKED **pRevoked)
{

    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;

    pCode = ASN1_ENUMERATED_new();
    if(pCode == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    ASN1_TIME_set(pRevTime, time(NULL));
    dwError = X509_REVOKED_set_serialNumber(pTempRev,
                    X509_get_serialNumber(pCert));
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    //TODO : Fix the UNSPECIFIED to real valid reason
    // which users can pass in.
    ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
                            NID_crl_reason, pCode, 0, 0);

    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
    *pRevoked = pTempRev;

cleanup :
    if(pRevTime != NULL) {
        ASN1_TIME_free(pRevTime);
    }

    if(pCode !=NULL) {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    if(pTempRev != NULL)
    {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}
Beispiel #13
0
DWORD
VMCACreateRevokedFromCert_Reason(
    ASN1_INTEGER *asnSerial,
    DWORD dwRevokedDate,
    VMCA_CRL_REASON certRevokeReason,
    X509_REVOKED **pRevoked)
{

    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;

    pCode = ASN1_ENUMERATED_new();
    if(pCode == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);
    dwError = X509_REVOKED_set_serialNumber(pTempRev,
                                            asnSerial);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    ASN1_ENUMERATED_set(pCode, certRevokeReason);
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
                            NID_crl_reason, pCode, 0, 0);

    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
    *pRevoked = pTempRev;

cleanup :
    if(pRevTime != NULL) {
        ASN1_TIME_free(pRevTime);
    }

    if(pCode !=NULL) {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    if(pTempRev != NULL)
    {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}
Beispiel #14
0
X509_REVOKED *openssl_X509_REVOKED(lua_State*L, int snidx, int timeidx, int reasonidx) {
    X509_REVOKED *revoked = X509_REVOKED_new();
    const char* serial = luaL_checkstring(L, snidx);
    BIGNUM * bn = NULL;
    ASN1_TIME *tm = NULL;
    int reason = 0;
    ASN1_INTEGER *it = NULL;


    if(!BN_hex2bn(&bn, serial))
    {
        goto end;
    };

    if(lua_isnumber(L,timeidx) || lua_isnoneornil(L, timeidx))
    {
        time_t t;
        time(&t);
        t = luaL_optinteger(L, 3, (lua_Integer)t);
        tm = ASN1_TIME_new();
        ASN1_TIME_set(tm,t);
    } else if(lua_isstring(L, timeidx))
    {

    } else {
        goto end;
    }

    if(lua_isnumber(L, reasonidx) || lua_isnoneornil(L, reasonidx))
    {
        reason = luaL_optinteger(L, reasonidx, 0);
        if(reason < 0 || reason >= reason_num) {
            goto end;
        }

    } else if(lua_isstring(L, reasonidx))
    {
        const char* s = lua_tostring(L, reasonidx);
        reason = openssl_get_revoke_reason(s);
        if(reason < 0 || reason >= reason_num) {
            goto end;
        }
    } else
    {
        goto end;
    };

    it = BN_to_ASN1_INTEGER(bn,NULL);
    X509_REVOKED_set_revocationDate(revoked, tm);
    X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
    revoked->reason = reason;
#else
    /*
    {
        ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
    	X509_EXTENSION * ext = X509_EXTENSION_new();

        ASN1_ENUMERATED_set(e, reason);

        X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
        X509_EXTENSION_set_data(ext,e);

        if(!revoked->extensions)
            revoked->extensions = sk_X509_EXTENSION_new_null();

    	X509_REVOKED_add_ext()
        sk_X509_REVOKED_push(revoked->extensions,ext);

        X509_EXTENSION_free(ext);
        ASN1_ENUMERATED_free(e);
    }
    */
#endif

    ASN1_TIME_free(tm);
    ASN1_INTEGER_free(it);
    BN_free(bn);

    return revoked;
end:
    X509_REVOKED_free(revoked);
    ASN1_TIME_free(tm);
    ASN1_INTEGER_free(it);
    BN_free(bn);
    return NULL;
}
Beispiel #15
0
static int openssl_ocsp_response(lua_State *L)
{
  OCSP_RESPONSE *res = NULL;

  if (lua_isstring(L, 1))
  {
    BIO* bio = load_bio_object(L, 1);
    res = d2i_OCSP_RESPONSE_bio(bio, NULL);
    /*
    BIO_reset(bio);
    if (!res)
    {
      res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
    }
    */
    BIO_free(bio);
  }
  else
  {
    ASN1_TIME* thispnd, *nextpnd;
    OCSP_CERTID *ca_id, *cid;
    OCSP_BASICRESP *bs;
    OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
    X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
    X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
    EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");

    unsigned long flag = luaL_optint(L, 6, 0);
    int nmin = luaL_optint(L, 7, 0);
    int nday = luaL_optint(L, 8, 1);
    STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");

    int i, id_count, type;
    BIO* bio = NULL;

    type = lua_type(L, 5);
    if (type != LUA_TFUNCTION && type != LUA_TTABLE)
    {
      luaL_error(L, "#5 must be a table or function that to get status of certificate");
    }
    bio = BIO_new(BIO_s_mem());
    ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
    bs = OCSP_BASICRESP_new();
    thispnd = X509_gmtime_adj(NULL, 0);
    nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
    id_count = OCSP_request_onereq_count(req);

    for (i = 0; i < id_count; i++)
    {
      OCSP_ONEREQ  *one;
      ASN1_INTEGER *serial;
      ASN1_OBJECT* inst = NULL;
      ASN1_TIME* revtm = NULL;
      ASN1_GENERALIZEDTIME *invtm = NULL;
      OCSP_SINGLERESP *single = NULL;
      int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;

      one = OCSP_request_onereq_get0(req, i);
      cid = OCSP_onereq_get0_id(one);
      if (OCSP_id_issuer_cmp(ca_id, cid))
      {
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL, thispnd, nextpnd);
        continue;
      }
      OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);

      if (lua_istable(L, 5))
      {
        BUF_MEM *buf;
        BIO_reset(bio);
        i2a_ASN1_INTEGER(bio, serial);

        BIO_get_mem_ptr(bio, &buf);
        lua_pushlstring(L, buf->data, buf->length);
        lua_gettable(L, 5);
        if (lua_isnil(L, -1))
          status = V_OCSP_CERTSTATUS_UNKNOWN;
        else
        {
          luaL_checktype(L, -1, LUA_TTABLE);
          lua_getfield(L, -1, "revoked");
          if (lua_toboolean(L, -1))
          {
            lua_pop(L, 1);

            status = V_OCSP_CERTSTATUS_REVOKED;

            lua_getfield(L, -1, "revoked_time");
            if (!lua_isnil(L, -1))
            {
              revtm = ASN1_TIME_new();
              ASN1_TIME_set(revtm, luaL_checkint(L, -1));
            }
            lua_pop(L, 1);

            lua_getfield(L, -1, "reason");
            if (lua_isstring(L, -1))
              reason = openssl_get_revoke_reason(lua_tostring(L, -1));
            else
              reason = luaL_checkint(L, -1);
            lua_pop(L, 1);



          }
          else
          {
            lua_pop(L, 1);
            status = V_OCSP_CERTSTATUS_GOOD;
          }
        }
      }
      else
      {

      }

      if (reason == 7)
        reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
      else if (reason == 8)
      {
        reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
        //inst = OBJ_txt2obj(str, 0);
      }
      else if (reason == 9 || reason == 10)
      {
        if ( reason == 9 )
          reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
        else if (reason == 10)
          reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
        /*
        invtm = ASN1_GENERALIZEDTIME_new();
        if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
        */
      }


      single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);


      if (invtm)
      {
        OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
        ASN1_TIME_free(revtm);
      }
      if (inst)
      {
        OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
        ASN1_OBJECT_free(inst);
      }
      if (invtm)
        ASN1_GENERALIZEDTIME_free(invtm);
    }
    OCSP_copy_nonce(bs, req);
    OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);

    res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
    BIO_free(bio);
  }
  if(res) {
    PUSH_OBJECT(res, "openssl.ocsp_response");
  }else
    lua_pushnil(L);
  return 1;
}
CFMutableDictionaryRef SDMMD__CreatePairingMaterial(CFDataRef devicePubkey)
{
	CFMutableDictionaryRef record = NULL;
	RSA *rsaBIOData = NULL;
	BIO *deviceBIO = SDMMD__create_bio_from_data(devicePubkey);
	if (deviceBIO) {
		PEM_read_bio_RSAPublicKey(deviceBIO, &rsaBIOData, NULL, NULL);
		BIO_free(deviceBIO);
	}
	else {
		printf("Could not decode device public key\\n");
	}

	RSA *rootKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
	if (!rootKeyPair) {
		printf("Could not allocate root key pair\n");
	}

	RSA *hostKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
	if (!hostKeyPair) {
		printf("Could not allocate host key pair\n");
	}

	sdmmd_return_t result = kAMDSuccess;

	EVP_PKEY *rootEVP = EVP_PKEY_new();
	if (!rootEVP) {
		printf("Could not allocate root EVP key\\n");
	}
	else {
		result = EVP_PKEY_assign(rootEVP, EVP_CTRL_RAND_KEY, PtrCast(rootKeyPair, char *));
		if (!result) {
			printf("Could not assign root key pair\n");
		}
	}

	EVP_PKEY *hostEVP = EVP_PKEY_new();
	if (!hostEVP) {
		printf("Could not allocate host EVP key\\n");
	}
	else {
		result = EVP_PKEY_assign(hostEVP, EVP_CTRL_RAND_KEY, PtrCast(hostKeyPair, char *));
		if (!result) {
			printf("Could not assign host key pair\n");
		}
	}

	EVP_PKEY *deviceEVP = EVP_PKEY_new();
	if (!deviceEVP) {
		printf("Could not allocate device EVP key\\n");
	}
	else {
		result = EVP_PKEY_assign(deviceEVP, EVP_CTRL_RAND_KEY, PtrCast(rsaBIOData, char *));
		if (!result) {
			printf("Could not assign device key pair\n");
		}
	}

	X509 *rootX509 = X509_new();
	if (!rootX509) {
		printf("Could not create root X509\\n");
	}
	else {
		X509_set_pubkey(rootX509, rootEVP);
		X509_set_version(rootX509, 2);

		ASN1_INTEGER *rootSerial = X509_get_serialNumber(rootX509);
		ASN1_INTEGER_set(rootSerial, 0);

		ASN1_TIME *rootAsn1time = ASN1_TIME_new();
		ASN1_TIME_set(rootAsn1time, 0);
		X509_set_notBefore(rootX509, rootAsn1time);
		ASN1_TIME_set(rootAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
		X509_set_notAfter(rootX509, rootAsn1time);
		ASN1_TIME_free(rootAsn1time);

		SDMMD__add_ext(rootX509, NID_basic_constraints, "critical,CA:TRUE");
		SDMMD__add_ext(rootX509, NID_subject_key_identifier, "hash");

		result = X509_sign(rootX509, rootEVP, EVP_sha1());
		if (!result) {
			printf("Could not sign root cert\\n");
		}
	}

	X509 *hostX509 = X509_new();
	if (!hostX509) {
		printf("Could not create host X509\\n");
	}
	else {
		X509_set_pubkey(hostX509, hostEVP);
		X509_set_version(hostX509, 2);

		ASN1_INTEGER *hostSerial = X509_get_serialNumber(hostX509);
		ASN1_INTEGER_set(hostSerial, 0);

		ASN1_TIME *hostAsn1time = ASN1_TIME_new();
		ASN1_TIME_set(hostAsn1time, 0);
		X509_set_notBefore(hostX509, hostAsn1time);
		ASN1_TIME_set(hostAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
		X509_set_notAfter(hostX509, hostAsn1time);
		ASN1_TIME_free(hostAsn1time);

		SDMMD__add_ext(hostX509, NID_basic_constraints, "critical,CA:FALSE");
		SDMMD__add_ext(hostX509, NID_subject_key_identifier, "hash");
		SDMMD__add_ext(hostX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");

		result = X509_sign(hostX509, rootEVP, EVP_sha1());
		if (!result) {
			printf("Could not sign host cert\\n");
		}
	}

	X509 *deviceX509 = X509_new();
	if (!deviceX509) {
		printf("Could not create device X509\\n");
	}
	else {
		X509_set_pubkey(deviceX509, deviceEVP);
		X509_set_version(deviceX509, 2);

		ASN1_INTEGER *deviceSerial = X509_get_serialNumber(deviceX509);
		ASN1_INTEGER_set(deviceSerial, 0);

		ASN1_TIME *deviceAsn1time = ASN1_TIME_new();
		ASN1_TIME_set(deviceAsn1time, 0);
		X509_set_notBefore(deviceX509, deviceAsn1time);
		ASN1_TIME_set(deviceAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
		X509_set_notAfter(deviceX509, deviceAsn1time);
		ASN1_TIME_free(deviceAsn1time);

		SDMMD__add_ext(deviceX509, NID_basic_constraints, "critical,CA:FALSE");
		SDMMD__add_ext(deviceX509, NID_subject_key_identifier, "hash");
		SDMMD__add_ext(deviceX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");

		result = X509_sign(deviceX509, rootEVP, EVP_sha1());
		if (!result) {
			printf("Could not sign device cert\\n");
		}
	}

	CFDataRef rootCert = SDMMD_CreateDataFromX509Certificate(rootX509);
	CFDataRef hostCert = SDMMD_CreateDataFromX509Certificate(hostX509);
	CFDataRef deviceCert = SDMMD_CreateDataFromX509Certificate(deviceX509);
	CFDataRef rootPrivKey = SDMMD_CreateDataFromPrivateKey(rootEVP);
	CFDataRef hostPrivKey = SDMMD_CreateDataFromPrivateKey(hostEVP);
	CFStringRef hostId = SDMMD_CreateUUID();

	record = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	if (record) {
		CFDictionarySetValue(record, CFSTR("RootCertificate"), rootCert);

		CFDictionarySetValue(record, CFSTR("HostCertificate"), hostCert);

		CFDictionarySetValue(record, CFSTR("DeviceCertificate"), deviceCert);

		CFDictionarySetValue(record, CFSTR("RootPrivateKey"), rootPrivKey);

		CFDictionarySetValue(record, CFSTR("HostPrivateKey"), hostPrivKey);

		CFDictionarySetValue(record, CFSTR("HostID"), hostId);
	}
	CFSafeRelease(rootCert);
	CFSafeRelease(hostCert);
	CFSafeRelease(deviceCert);
	CFSafeRelease(rootPrivKey);
	CFSafeRelease(hostPrivKey);
	CFSafeRelease(hostId);

	Safe(EVP_PKEY_free, rootEVP);
	Safe(EVP_PKEY_free, hostEVP);
	Safe(EVP_PKEY_free, deviceEVP);
	Safe(X509_free, rootX509);
	Safe(X509_free, hostX509);
	Safe(X509_free, deviceX509);

	return record;
}