int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp,
OCSP_CERTID *cid, PKI_OCSP_CERTSTATUS status,
PKI_TIME *revokeTime, PKI_TIME *thisUpdate,
PKI_TIME *nextUpdate,
PKI_X509_CRL_REASON reason,
PKI_X509_EXTENSION *invalidityDate ) {
OCSP_SINGLERESP *single = NULL;
PKI_TIME *myThisUpdate = NULL;
PKI_OCSP_RESP *r = NULL;
if ( !resp || !resp->value || !cid ) return ( PKI_ERR );
r = resp->value;
if( !r->bs )
{
// Creates the basic response object
if ((r->bs = OCSP_BASICRESP_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return PKI_ERR;
}
}
if (thisUpdate == NULL )
{
myThisUpdate = X509_gmtime_adj(NULL,0);
}
else
{
myThisUpdate = PKI_TIME_dup(thisUpdate);
}
if((single = OCSP_basic_add1_status(r->bs, cid,
status, reason, revokeTime, myThisUpdate, nextUpdate))== NULL)
{
PKI_log_err ("Can not create basic entry!");
return ( PKI_ERR );
}
if (myThisUpdate) PKI_TIME_free(myThisUpdate);
if (invalidityDate)
{
if (!OCSP_SINGLERESP_add1_ext_i2d(single,
NID_invalidity_date, invalidityDate, 0, 0))
{
PKI_log_err("Can not create extension entry for response!");
return PKI_ERR;
}
}
return PKI_OK;
}
PKI_OCSP_RESP *PKI_OCSP_RESP_new ( void )
{
// Crypto Provider's specific data structures
PKI_X509_OCSP_RESP_VALUE *r = NULL;
OCSP_BASICRESP *bs = NULL;
// Return container
PKI_OCSP_RESP * ret = NULL;
// Allocates the response object
if ((r = OCSP_RESPONSE_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
// Sets the initial state to "Success"
if (!(ASN1_ENUMERATED_set(r->responseStatus,
PKI_X509_OCSP_RESP_STATUS_SUCCESSFUL)))
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if (r) OCSP_RESPONSE_free (r);
return NULL;
}
// Creates the basic response object
if ((bs = OCSP_BASICRESP_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if( r ) OCSP_RESPONSE_free ( r );
return ( NULL );
}
// Let's now create the outer container
if(( ret = (PKI_OCSP_RESP *)
PKI_Malloc (sizeof(PKI_OCSP_RESP)))==NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if ( bs ) OCSP_BASICRESP_free ( bs );
if ( r ) OCSP_RESPONSE_free ( r );
return NULL;
}
// Transfer ownership of r and bs to the container
ret->resp = r;
ret->bs = bs;
// Success - object created
return ret;
}
/*
* OCSP::BasicResponse
*/
static VALUE
ossl_ocspbres_alloc(VALUE klass)
{
OCSP_BASICRESP *bs;
VALUE obj;
if(!(bs = OCSP_BASICRESP_new()))
ossl_raise(eOCSPError, NULL);
WrapOCSPBasicRes(klass, obj, bs);
return obj;
}
static OCSP_BASICRESP *make_dummy_resp(void)
{
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
OCSP_BASICRESP *bs_out = NULL;
OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
|| !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
|| !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
|| !TEST_ptr(nextupd)
|| !TEST_ptr(cid)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
goto err;
bs_out = bs;
bs = NULL;
err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
return bs_out;
}
static int openssl_ocsp_response(lua_State *L)
{
OCSP_RESPONSE *res = NULL;
if (lua_isstring(L, 1))
{
BIO* bio = load_bio_object(L, 1);
res = d2i_OCSP_RESPONSE_bio(bio, NULL);
/*
BIO_reset(bio);
if (!res)
{
res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
}
*/
BIO_free(bio);
}
else
{
ASN1_TIME* thispnd, *nextpnd;
OCSP_CERTID *ca_id, *cid;
OCSP_BASICRESP *bs;
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
unsigned long flag = luaL_optint(L, 6, 0);
int nmin = luaL_optint(L, 7, 0);
int nday = luaL_optint(L, 8, 1);
STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
int i, id_count, type;
BIO* bio = NULL;
type = lua_type(L, 5);
if (type != LUA_TFUNCTION && type != LUA_TTABLE)
{
luaL_error(L, "#5 must be a table or function that to get status of certificate");
}
bio = BIO_new(BIO_s_mem());
ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
bs = OCSP_BASICRESP_new();
thispnd = X509_gmtime_adj(NULL, 0);
nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
id_count = OCSP_request_onereq_count(req);
for (i = 0; i < id_count; i++)
{
OCSP_ONEREQ *one;
ASN1_INTEGER *serial;
ASN1_OBJECT* inst = NULL;
ASN1_TIME* revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single = NULL;
int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;
one = OCSP_request_onereq_get0(req, i);
cid = OCSP_onereq_get0_id(one);
if (OCSP_id_issuer_cmp(ca_id, cid))
{
OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thispnd, nextpnd);
continue;
}
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
if (lua_istable(L, 5))
{
BUF_MEM *buf;
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial);
BIO_get_mem_ptr(bio, &buf);
lua_pushlstring(L, buf->data, buf->length);
lua_gettable(L, 5);
if (lua_isnil(L, -1))
status = V_OCSP_CERTSTATUS_UNKNOWN;
else
{
luaL_checktype(L, -1, LUA_TTABLE);
lua_getfield(L, -1, "revoked");
if (lua_toboolean(L, -1))
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_REVOKED;
lua_getfield(L, -1, "revoked_time");
if (!lua_isnil(L, -1))
{
revtm = ASN1_TIME_new();
ASN1_TIME_set(revtm, luaL_checkint(L, -1));
}
lua_pop(L, 1);
lua_getfield(L, -1, "reason");
if (lua_isstring(L, -1))
reason = openssl_get_revoke_reason(lua_tostring(L, -1));
else
reason = luaL_checkint(L, -1);
lua_pop(L, 1);
}
else
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_GOOD;
}
}
}
else
{
}
if (reason == 7)
reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
else if (reason == 8)
{
reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
//inst = OBJ_txt2obj(str, 0);
}
else if (reason == 9 || reason == 10)
{
if ( reason == 9 )
reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
else if (reason == 10)
reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
/*
invtm = ASN1_GENERALIZEDTIME_new();
if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
*/
}
single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
if (invtm)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
ASN1_TIME_free(revtm);
}
if (inst)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
}
if (invtm)
ASN1_GENERALIZEDTIME_free(invtm);
}
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);
res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
BIO_free(bio);
}
if(res) {
PUSH_OBJECT(res, "openssl.ocsp_response");
}else
lua_pushnil(L);
return 1;
}
