static LUA_FUNCTION(openssl_crl_new)
{
X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509");
time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate));
time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600));
long version = luaL_optint(L, 5, 1);
X509_CRL * crl = NULL;
ASN1_TIME *ltm, *ntm;
if (!lua_isnoneornil(L, 2))
luaL_checktype(L, 2, LUA_TTABLE);
crl = X509_CRL_new();
X509_CRL_set_version(crl, version);
if (x509)
X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509));
ltm = ASN1_TIME_new();
ntm = ASN1_TIME_new();
ASN1_TIME_set(ltm, lastUpdate);
ASN1_TIME_set(ntm, nextUpdate);
X509_CRL_set_lastUpdate(crl, ltm);
X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
if (lua_istable(L, 2) && lua_objlen(L, 2) > 0)
{
int i;
int n = lua_objlen(L, 2);
for (i = 1; i <= n; i++)
{
lua_rawgeti(L, 2, i);
if (lua_istable(L, -1))
{
X509_REVOKED *revoked;
lua_getfield(L, -1, "reason");
lua_getfield(L, -2, "time");
lua_getfield(L, -3, "sn");
revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3));
if (revoked)
{
X509_CRL_add0_revoked(crl, revoked);
}
lua_pop(L, 3);
}
lua_pop(L, 1);
}
}
PUSH_OBJECT(crl, "openssl.x509_crl");
return 1;
}
static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER(bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static LUA_FUNCTION(openssl_crl_updateTime)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *ltm, *ntm;
ltm = X509_CRL_get_lastUpdate(crl);
ntm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, ltm);
PUSH_ASN1_TIME(L, ntm);
return 2;
}
else
{
ASN1_TIME *ltm, *ntm;
int ret = 0;
time_t last, next;
if (lua_gettop(L) == 2)
{
time(&last);
next = last + luaL_checkint(L, 2);
}
else
{
last = luaL_checkint(L, 2);
next = last + luaL_checkint(L, 3);
luaL_argcheck(L, next > last, 3, "value must after #2");
}
ltm = ASN1_TIME_new();
ASN1_TIME_set(ltm, last);
ntm = ASN1_TIME_new();
ASN1_TIME_set(ntm, next);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
openssl_pushresult(L, ret);
return 1;
}
}
static OCSP_BASICRESP *make_dummy_resp(void)
{
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
OCSP_BASICRESP *bs_out = NULL;
OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
|| !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
|| !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
|| !TEST_ptr(nextupd)
|| !TEST_ptr(cid)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
goto err;
bs_out = bs;
bs = NULL;
err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
return bs_out;
}
static LUA_FUNCTION(openssl_crl_set_updatetime)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
ASN1_TIME *ltm, *ntm;
int ret = 0;
time_t last, next;
time(&last);
last = luaL_optinteger(L, 2, (lua_Integer)last);
next = luaL_optinteger(L, 3, (lua_Integer)last + 7 * 24 * 3600);
ltm = ASN1_TIME_new();
ASN1_TIME_set(ltm, last);
ntm = ASN1_TIME_new();
ASN1_TIME_set(ntm, next);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
lua_pushboolean(L, ret);
return 1;
}
static LUA_FUNCTION(openssl_crl_nextUpdate)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *tm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, tm);
return 1;
}
else
{
int ret;
time_t time = luaL_checkint(L, 2);
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_TIME_set(tm, time);
ret = X509_CRL_set_nextUpdate(crl, tm);
ASN1_TIME_free(tm);
return openssl_pushresult(L, ret);
}
}
static int test_table(struct testdata *tbl, int idx)
{
int error = 0;
ASN1_TIME atime;
ASN1_TIME *ptime;
struct testdata *td = &tbl[idx];
int day, sec;
atime.data = (unsigned char*)td->data;
atime.length = strlen((char*)atime.data);
atime.type = td->type;
atime.flags = 0;
if (!TEST_int_eq(ASN1_TIME_check(&atime), td->check_result)) {
TEST_info("ASN1_TIME_check(%s) unexpected result", atime.data);
error = 1;
}
if (td->check_result == 0)
return 1;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, td->t), 0)) {
TEST_info("ASN1_TIME_cmp_time_t(%s vs %ld) compare failed", atime.data, (long)td->t);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, &atime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to self failed", atime.data);
error = 1;
}
if (!TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(%s) to self not equal", atime.data);
error = 1;
}
if (!TEST_true(ASN1_TIME_diff(&day, &sec, >ime, &atime))) {
TEST_info("ASN1_TIME_diff(%s) to baseline failed", atime.data);
error = 1;
} else if (!((td->cmp_result == 0 && TEST_true((day == 0 && sec == 0))) ||
(td->cmp_result == -1 && TEST_true((day < 0 || sec < 0))) ||
(td->cmp_result == 1 && TEST_true((day > 0 || sec > 0))))) {
TEST_info("ASN1_TIME_diff(%s) to baseline bad comparison", atime.data);
error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) to baseline bad comparison", atime.data);
error = 1;
}
ptime = ASN1_TIME_set(NULL, td->t);
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_set(%ld) failed", (long)td->t);
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_set(%ld) compare failed (%s->%s)",
(long)td->t, td->data, ptime->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set(%ld) unexpected type", (long)td->t);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_normalize(ptime), td->check_result)) {
TEST_info("ASN1_TIME_normalize(%s) failed", td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ptime->type, td->expected_type)) {
TEST_info("ASN1_TIME_set_string_gmt(%s) unexpected type", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string_gmt() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string_gnt() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string_gmt() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
ptime = ASN1_TIME_new();
if (!TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_new() failed");
error = 1;
} else {
int local_error = 0;
if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {
TEST_info("ASN1_TIME_set_string(%s) failed", td->data);
local_error = error = 1;
}
day = sec = 0;
if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {
TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string() failed", day, sec, td->data);
local_error = error = 1;
}
if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {
TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string() to baseline bad comparison", td->data);
local_error = error = 1;
}
if (local_error)
TEST_info("ASN1_TIME_set_string() = %*s", ptime->length, ptime->data);
ASN1_TIME_free(ptime);
}
if (td->type == V_ASN1_UTCTIME) {
ptime = ASN1_TIME_to_generalizedtime(&atime, NULL);
if (td->convert_result == 1 && !TEST_ptr(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) failed", atime.data);
error = 1;
} else if (td->convert_result == 0 && !TEST_ptr_null(ptime)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s) should have failed", atime.data);
error = 1;
}
if (ptime != NULL && !TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {
TEST_info("ASN1_TIME_to_generalizedtime(%s->%s) bad result", atime.data, ptime->data);
error = 1;
}
ASN1_TIME_free(ptime);
}
/* else cannot simply convert GENERALIZEDTIME to UTCTIME */
if (error)
TEST_error("atime=%s", atime.data);
return !error;
}
void openssl_x509_crl()
{
RSA *r;
BIO *bp;
int len;
FILE *fp;
BIGNUM *bne;
X509_CRL *crl;
EVP_PKEY *pkey;
X509_NAME *issuer;
ASN1_INTEGER *serial;
X509_REVOKED *revoked;
ASN1_TIME *lastUpdate, *nextUpdate, *rvTime;
unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert";
printf("\nX509_CRL info:\n");
bne = BN_new();
BN_set_word(bne, RSA_3);
r = RSA_new();
RSA_generate_key_ex(r, MAX1_LEN, bne, NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, r);
crl = X509_CRL_new();
X509_CRL_set_version(crl, 3);
issuer = X509_NAME_new();
X509_NAME_add_entry_by_NID(issuer, NID_commonName,
V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0);
X509_CRL_set_issuer_name(crl, issuer);
lastUpdate = ASN1_TIME_new();
ASN1_TIME_set(lastUpdate, time(NULL));
X509_CRL_set_lastUpdate(crl, lastUpdate);
nextUpdate = ASN1_TIME_new();
ASN1_TIME_set(nextUpdate, time(NULL) + 1280);
X509_CRL_set_nextUpdate(crl, nextUpdate);
revoked = X509_REVOKED_new();
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial, 1280);
X509_REVOKED_set_serialNumber(revoked, serial);
rvTime = ASN1_TIME_new();
ASN1_TIME_set(rvTime, time(NULL) + 2000);
X509_CRL_set_nextUpdate(crl, rvTime);
X509_REVOKED_set_revocationDate(revoked, rvTime);
X509_CRL_add0_revoked(crl, revoked);
X509_CRL_sort(crl);
X509_CRL_sign(crl, pkey, EVP_md5());
bp = BIO_new(BIO_s_file());
BIO_set_fp(bp, stdout, BIO_NOCLOSE);
X509_CRL_print(bp, crl);
len = i2d_X509_CRL(crl, NULL);
buf = (unsigned char *)malloc(len + 10);
p = buf;
len = i2d_X509_CRL(crl, &p);
fp = fopen("/tmp/crl.crl", "wb");
fwrite(buf, 1, len, fp);
fclose(fp);
free(buf);
BIO_free(bp);
X509_CRL_free(crl);
}
static LUA_FUNCTION(openssl_crl_new)
{
int i;
int n = lua_gettop(L);
X509_CRL * crl = X509_CRL_new();
int ret = X509_CRL_set_version(crl, 0);
X509* cacert = NULL;
EVP_PKEY* capkey = NULL;
const EVP_MD* md = NULL;
int step;
for (i = 1; ret == 1 && i <= n; i++)
{
if (i == 1)
{
luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}");
if (lua_rawlen(L, i) > 0)
{
int j, m;
m = lua_rawlen(L, i);
for (j = 1; ret == 1 && j <= m; j++)
{
X509_REVOKED *revoked;
BIGNUM* sn;
lua_rawgeti(L, i, j);
luaL_checktable(L, -1);
lua_getfield(L, -1, "reason");
lua_getfield(L, -2, "time");
lua_getfield(L, -3, "sn");
sn = BN_get(L, -1);
revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3));
if (revoked)
{
ret = X509_CRL_add0_revoked(crl, revoked);
}
BN_free(sn);
lua_pop(L, 3);
lua_pop(L, 1);
};
}
};
if (i == 2)
{
cacert = CHECK_OBJECT(2, X509, "openssl.x509");
ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert));
}
if (i == 3)
{
capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key");
luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2");
}
}
md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4);
step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5);
if (ret == 1)
{
time_t lastUpdate;
time_t nextUpdate;
ASN1_TIME *ltm, *ntm;
time(&lastUpdate);
nextUpdate = lastUpdate + step;
ltm = ASN1_TIME_new();
ntm = ASN1_TIME_new();
ASN1_TIME_set(ltm, lastUpdate);
ASN1_TIME_set(ntm, nextUpdate);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
}
if (cacert && capkey && md)
{
ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey));
}
if (ret == 1)
{
PUSH_OBJECT(crl, "openssl.x509_crl");
}
else
{
X509_CRL_free(crl);
return openssl_pushresult(L, ret);
};
return 1;
}
DWORD
VMCAUpdateTimeStamps(
X509_CRL *pCrl,
time_t tmLastUpdate,
time_t tmNextUpdate,
DWORD nCrlNum
)
{
ASN1_TIME *pAsnLastUpdate = NULL;
ASN1_TIME *pAsnNextUpdate = NULL;
DWORD dwError = 0;
ASN1_INTEGER *pSerial = NULL;
if(pCrl == NULL) {
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
pAsnLastUpdate = ASN1_TIME_new();
if(pAsnLastUpdate == NULL){
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pAsnNextUpdate = ASN1_TIME_new();
if(pAsnNextUpdate == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pAsnLastUpdate, tmLastUpdate);
ASN1_TIME_set(pAsnNextUpdate, tmNextUpdate);
dwError = X509_CRL_set_lastUpdate(pCrl, pAsnLastUpdate);
BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_START_TIME);
dwError = X509_CRL_set_nextUpdate(pCrl, pAsnNextUpdate);
BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_END_TIME);
pSerial = ASN1_INTEGER_new();
if (pSerial == NULL){
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_INTEGER_set(pSerial, nCrlNum);
X509_CRL_add1_ext_i2d(pCrl, NID_crl_number, pSerial,0,0);
error:
if ( pAsnLastUpdate != NULL) {
ASN1_TIME_free(pAsnLastUpdate);
}
if( pAsnNextUpdate != NULL) {
ASN1_TIME_free(pAsnNextUpdate);
}
if(pSerial != NULL) {
ASN1_INTEGER_free(pSerial);
}
return dwError;
}
DWORD
VMCACreateRevokedFromCert(
X509 *pCert,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, time(NULL));
dwError = X509_REVOKED_set_serialNumber(pTempRev,
X509_get_serialNumber(pCert));
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
//TODO : Fix the UNSPECIFIED to real valid reason
// which users can pass in.
ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
DWORD
VMCACreateRevokedFromCert_Reason(
ASN1_INTEGER *asnSerial,
DWORD dwRevokedDate,
VMCA_CRL_REASON certRevokeReason,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);
dwError = X509_REVOKED_set_serialNumber(pTempRev,
asnSerial);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
ASN1_ENUMERATED_set(pCode, certRevokeReason);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
X509_REVOKED *openssl_X509_REVOKED(lua_State*L, int snidx, int timeidx, int reasonidx) {
X509_REVOKED *revoked = X509_REVOKED_new();
const char* serial = luaL_checkstring(L, snidx);
BIGNUM * bn = NULL;
ASN1_TIME *tm = NULL;
int reason = 0;
ASN1_INTEGER *it = NULL;
if(!BN_hex2bn(&bn, serial))
{
goto end;
};
if(lua_isnumber(L,timeidx) || lua_isnoneornil(L, timeidx))
{
time_t t;
time(&t);
t = luaL_optinteger(L, 3, (lua_Integer)t);
tm = ASN1_TIME_new();
ASN1_TIME_set(tm,t);
} else if(lua_isstring(L, timeidx))
{
} else {
goto end;
}
if(lua_isnumber(L, reasonidx) || lua_isnoneornil(L, reasonidx))
{
reason = luaL_optinteger(L, reasonidx, 0);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else if(lua_isstring(L, reasonidx))
{
const char* s = lua_tostring(L, reasonidx);
reason = openssl_get_revoke_reason(s);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else
{
goto end;
};
it = BN_to_ASN1_INTEGER(bn,NULL);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
/*
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_EXTENSION_set_data(ext,e);
if(!revoked->extensions)
revoked->extensions = sk_X509_EXTENSION_new_null();
X509_REVOKED_add_ext()
sk_X509_REVOKED_push(revoked->extensions,ext);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
*/
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return revoked;
end:
X509_REVOKED_free(revoked);
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return NULL;
}
static int openssl_ocsp_response(lua_State *L)
{
OCSP_RESPONSE *res = NULL;
if (lua_isstring(L, 1))
{
BIO* bio = load_bio_object(L, 1);
res = d2i_OCSP_RESPONSE_bio(bio, NULL);
/*
BIO_reset(bio);
if (!res)
{
res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
}
*/
BIO_free(bio);
}
else
{
ASN1_TIME* thispnd, *nextpnd;
OCSP_CERTID *ca_id, *cid;
OCSP_BASICRESP *bs;
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
unsigned long flag = luaL_optint(L, 6, 0);
int nmin = luaL_optint(L, 7, 0);
int nday = luaL_optint(L, 8, 1);
STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
int i, id_count, type;
BIO* bio = NULL;
type = lua_type(L, 5);
if (type != LUA_TFUNCTION && type != LUA_TTABLE)
{
luaL_error(L, "#5 must be a table or function that to get status of certificate");
}
bio = BIO_new(BIO_s_mem());
ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
bs = OCSP_BASICRESP_new();
thispnd = X509_gmtime_adj(NULL, 0);
nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
id_count = OCSP_request_onereq_count(req);
for (i = 0; i < id_count; i++)
{
OCSP_ONEREQ *one;
ASN1_INTEGER *serial;
ASN1_OBJECT* inst = NULL;
ASN1_TIME* revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single = NULL;
int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;
one = OCSP_request_onereq_get0(req, i);
cid = OCSP_onereq_get0_id(one);
if (OCSP_id_issuer_cmp(ca_id, cid))
{
OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thispnd, nextpnd);
continue;
}
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
if (lua_istable(L, 5))
{
BUF_MEM *buf;
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial);
BIO_get_mem_ptr(bio, &buf);
lua_pushlstring(L, buf->data, buf->length);
lua_gettable(L, 5);
if (lua_isnil(L, -1))
status = V_OCSP_CERTSTATUS_UNKNOWN;
else
{
luaL_checktype(L, -1, LUA_TTABLE);
lua_getfield(L, -1, "revoked");
if (lua_toboolean(L, -1))
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_REVOKED;
lua_getfield(L, -1, "revoked_time");
if (!lua_isnil(L, -1))
{
revtm = ASN1_TIME_new();
ASN1_TIME_set(revtm, luaL_checkint(L, -1));
}
lua_pop(L, 1);
lua_getfield(L, -1, "reason");
if (lua_isstring(L, -1))
reason = openssl_get_revoke_reason(lua_tostring(L, -1));
else
reason = luaL_checkint(L, -1);
lua_pop(L, 1);
}
else
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_GOOD;
}
}
}
else
{
}
if (reason == 7)
reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
else if (reason == 8)
{
reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
//inst = OBJ_txt2obj(str, 0);
}
else if (reason == 9 || reason == 10)
{
if ( reason == 9 )
reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
else if (reason == 10)
reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
/*
invtm = ASN1_GENERALIZEDTIME_new();
if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
*/
}
single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
if (invtm)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
ASN1_TIME_free(revtm);
}
if (inst)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
}
if (invtm)
ASN1_GENERALIZEDTIME_free(invtm);
}
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);
res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
BIO_free(bio);
}
if(res) {
PUSH_OBJECT(res, "openssl.ocsp_response");
}else
lua_pushnil(L);
return 1;
}
CFMutableDictionaryRef SDMMD__CreatePairingMaterial(CFDataRef devicePubkey)
{
CFMutableDictionaryRef record = NULL;
RSA *rsaBIOData = NULL;
BIO *deviceBIO = SDMMD__create_bio_from_data(devicePubkey);
if (deviceBIO) {
PEM_read_bio_RSAPublicKey(deviceBIO, &rsaBIOData, NULL, NULL);
BIO_free(deviceBIO);
}
else {
printf("Could not decode device public key\\n");
}
RSA *rootKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
if (!rootKeyPair) {
printf("Could not allocate root key pair\n");
}
RSA *hostKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);
if (!hostKeyPair) {
printf("Could not allocate host key pair\n");
}
sdmmd_return_t result = kAMDSuccess;
EVP_PKEY *rootEVP = EVP_PKEY_new();
if (!rootEVP) {
printf("Could not allocate root EVP key\\n");
}
else {
result = EVP_PKEY_assign(rootEVP, EVP_CTRL_RAND_KEY, PtrCast(rootKeyPair, char *));
if (!result) {
printf("Could not assign root key pair\n");
}
}
EVP_PKEY *hostEVP = EVP_PKEY_new();
if (!hostEVP) {
printf("Could not allocate host EVP key\\n");
}
else {
result = EVP_PKEY_assign(hostEVP, EVP_CTRL_RAND_KEY, PtrCast(hostKeyPair, char *));
if (!result) {
printf("Could not assign host key pair\n");
}
}
EVP_PKEY *deviceEVP = EVP_PKEY_new();
if (!deviceEVP) {
printf("Could not allocate device EVP key\\n");
}
else {
result = EVP_PKEY_assign(deviceEVP, EVP_CTRL_RAND_KEY, PtrCast(rsaBIOData, char *));
if (!result) {
printf("Could not assign device key pair\n");
}
}
X509 *rootX509 = X509_new();
if (!rootX509) {
printf("Could not create root X509\\n");
}
else {
X509_set_pubkey(rootX509, rootEVP);
X509_set_version(rootX509, 2);
ASN1_INTEGER *rootSerial = X509_get_serialNumber(rootX509);
ASN1_INTEGER_set(rootSerial, 0);
ASN1_TIME *rootAsn1time = ASN1_TIME_new();
ASN1_TIME_set(rootAsn1time, 0);
X509_set_notBefore(rootX509, rootAsn1time);
ASN1_TIME_set(rootAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(rootX509, rootAsn1time);
ASN1_TIME_free(rootAsn1time);
SDMMD__add_ext(rootX509, NID_basic_constraints, "critical,CA:TRUE");
SDMMD__add_ext(rootX509, NID_subject_key_identifier, "hash");
result = X509_sign(rootX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign root cert\\n");
}
}
X509 *hostX509 = X509_new();
if (!hostX509) {
printf("Could not create host X509\\n");
}
else {
X509_set_pubkey(hostX509, hostEVP);
X509_set_version(hostX509, 2);
ASN1_INTEGER *hostSerial = X509_get_serialNumber(hostX509);
ASN1_INTEGER_set(hostSerial, 0);
ASN1_TIME *hostAsn1time = ASN1_TIME_new();
ASN1_TIME_set(hostAsn1time, 0);
X509_set_notBefore(hostX509, hostAsn1time);
ASN1_TIME_set(hostAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(hostX509, hostAsn1time);
ASN1_TIME_free(hostAsn1time);
SDMMD__add_ext(hostX509, NID_basic_constraints, "critical,CA:FALSE");
SDMMD__add_ext(hostX509, NID_subject_key_identifier, "hash");
SDMMD__add_ext(hostX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");
result = X509_sign(hostX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign host cert\\n");
}
}
X509 *deviceX509 = X509_new();
if (!deviceX509) {
printf("Could not create device X509\\n");
}
else {
X509_set_pubkey(deviceX509, deviceEVP);
X509_set_version(deviceX509, 2);
ASN1_INTEGER *deviceSerial = X509_get_serialNumber(deviceX509);
ASN1_INTEGER_set(deviceSerial, 0);
ASN1_TIME *deviceAsn1time = ASN1_TIME_new();
ASN1_TIME_set(deviceAsn1time, 0);
X509_set_notBefore(deviceX509, deviceAsn1time);
ASN1_TIME_set(deviceAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years
X509_set_notAfter(deviceX509, deviceAsn1time);
ASN1_TIME_free(deviceAsn1time);
SDMMD__add_ext(deviceX509, NID_basic_constraints, "critical,CA:FALSE");
SDMMD__add_ext(deviceX509, NID_subject_key_identifier, "hash");
SDMMD__add_ext(deviceX509, NID_key_usage, "critical,digitalSignature,keyEncipherment");
result = X509_sign(deviceX509, rootEVP, EVP_sha1());
if (!result) {
printf("Could not sign device cert\\n");
}
}
CFDataRef rootCert = SDMMD_CreateDataFromX509Certificate(rootX509);
CFDataRef hostCert = SDMMD_CreateDataFromX509Certificate(hostX509);
CFDataRef deviceCert = SDMMD_CreateDataFromX509Certificate(deviceX509);
CFDataRef rootPrivKey = SDMMD_CreateDataFromPrivateKey(rootEVP);
CFDataRef hostPrivKey = SDMMD_CreateDataFromPrivateKey(hostEVP);
CFStringRef hostId = SDMMD_CreateUUID();
record = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (record) {
CFDictionarySetValue(record, CFSTR("RootCertificate"), rootCert);
CFDictionarySetValue(record, CFSTR("HostCertificate"), hostCert);
CFDictionarySetValue(record, CFSTR("DeviceCertificate"), deviceCert);
CFDictionarySetValue(record, CFSTR("RootPrivateKey"), rootPrivKey);
CFDictionarySetValue(record, CFSTR("HostPrivateKey"), hostPrivKey);
CFDictionarySetValue(record, CFSTR("HostID"), hostId);
}
CFSafeRelease(rootCert);
CFSafeRelease(hostCert);
CFSafeRelease(deviceCert);
CFSafeRelease(rootPrivKey);
CFSafeRelease(hostPrivKey);
CFSafeRelease(hostId);
Safe(EVP_PKEY_free, rootEVP);
Safe(EVP_PKEY_free, hostEVP);
Safe(EVP_PKEY_free, deviceEVP);
Safe(X509_free, rootX509);
Safe(X509_free, hostX509);
Safe(X509_free, deviceX509);
return record;
}