static LUA_FUNCTION(openssl_pkcs7_sign)
{
BIO *in = load_bio_object(L, 1);
X509 *cert = CHECK_OBJECT(2, X509, "openssl.x509");
EVP_PKEY *privkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
STACK_OF(X509) *others = lua_isnoneornil(L, 4) ? 0 : openssl_sk_x509_fromtable(L, 4);
long flags = luaL_optint(L, 5, 0);
PKCS7 *p7 = NULL;
luaL_argcheck(L, openssl_pkey_is_private(privkey), 3, "must be private key");
if (!X509_check_private_key(cert, privkey))
luaL_error(L, "sigcert and private key not match");
p7 = PKCS7_sign(cert, privkey, others, in, flags);
BIO_free(in);
if (others)
sk_X509_pop_free(others, X509_free);
if (p7)
{
PUSH_OBJECT(p7, "openssl.pkcs7");
return 1;
}
else
{
luaL_error(L, "error creating PKCS7 structure!");
}
return 0;
}
static int openssl_ocsp_request_sign(lua_State*L)
{
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509 *signer = CHECK_OBJECT(2, X509, "openssl.x509");
EVP_PKEY *pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
STACK_OF(X509) *others = NULL;
const EVP_MD *md = EVP_sha1();
int ret;
int sflags = 0;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key");
if (lua_isnoneornil(L, 4))
{
sflags = OCSP_NOCERTS;
}
else
{
others = CHECK_OBJECT(4, STACK_OF(X509), "openssl.stack_of_x509");
}
sflags = luaL_optint(L, 6, sflags);
if (!lua_isnoneornil(L, 7))
md = CHECK_OBJECT(7, EVP_MD, "openssl.evp_digest");
ret = OCSP_request_sign(req, signer, pkey, md, others, sflags);
lua_pushboolean(L, ret);
return 1;
}
static LUA_FUNCTION(openssl_csr_check)
{
X509_REQ *csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
EVP_PKEY *pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
int ret;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key");
ret = X509_REQ_check_private_key(csr, pkey);
return openssl_pushresult(L, ret);
};
static LUA_FUNCTION(openssl_pkcs12_export)
{
X509 * cert = CHECK_OBJECT(1, X509, "openssl.x509");
EVP_PKEY *priv_key = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
char * pass = (char*)luaL_checkstring(L, 3);
int top = lua_gettop(L);
BIO * bio_out = NULL;
PKCS12 * p12 = NULL;
const char * friendly_name = NULL;
STACK_OF(X509) *ca = NULL;
int ret = 0;
luaL_argcheck(L, openssl_pkey_is_private(priv_key), 2, "must be private key");
if (top > 3)
{
if (lua_isstring(L, 4))
friendly_name = lua_tostring(L, 4);
else if (lua_isuserdata(L, 4))
ca = CHECK_OBJECT(4, STACK_OF(X509), "openssl.stack_of_x509");
else
luaL_argerror(L, 4, "must be string as friendly_name or openssl.stack_of_x509 object as cacets");
if (top > 4)
ca = CHECK_OBJECT(5, STACK_OF(X509), "openssl.stack_of_x509");
}
if (cert && !X509_check_private_key(cert, priv_key))
{
luaL_error(L, "private key does not correspond to cert");
}
/* end parse extra config */
/*PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca,
int nid_key, int nid_cert, int iter, int mac_iter, int keytype);*/
p12 = PKCS12_create(pass, (char*)friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0);
if (!p12)
luaL_error(L, "PKCS12_careate failed,pleases get more error info");
bio_out = BIO_new(BIO_s_mem());
if (i2d_PKCS12_bio(bio_out, p12))
{
BUF_MEM *bio_buf;
BIO_get_mem_ptr(bio_out, &bio_buf);
lua_pushlstring(L, bio_buf->data, bio_buf->length);
ret = 1;
}
BIO_free(bio_out);
PKCS12_free(p12);
return ret;
}
static LUA_FUNCTION(openssl_crl_check)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
unsigned long flags = luaL_optinteger(L, 3, X509_V_FLAG_SUITEB_128_LOS);
int ret;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key");
ret = X509_CRL_check_suiteb(crl, pkey, flags);
return openssl_pushresult(L, ret == X509_V_OK);
}
static LUA_FUNCTION(openssl_pkcs7_sign_add_signer)
{
PKCS7 *p7 = CHECK_OBJECT(1, PKCS7, "openssl.pkcs7");
X509 *signcert = CHECK_OBJECT(2, X509, "openssl.x509");
EVP_PKEY *pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
const EVP_MD* md = get_digest(L, 4);
long flags = luaL_optint(L, 5, 0);
PKCS7_SIGNER_INFO *signer = 0;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key");
luaL_argcheck(L, X509_check_private_key(signcert, pkey), 3,
"sigcert and private key not match");
signer = PKCS7_sign_add_signer(p7, signcert, pkey, md, flags);
(void) signer;
return openssl_pushresult(L, signcert != NULL ? 1 : 0);
}
static LUA_FUNCTION(openssl_csr_to_x509)
{
X509_REQ * csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
EVP_PKEY * pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
int days = luaL_optint(L, 3, 365);
X509* cert = X509_REQ_to_X509_a(csr, days, pkey);
luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key");
if (cert)
{
PUSH_OBJECT(cert, "openssl.x509");
return 1;
}
return openssl_pushresult(L, 0);
}
static int openssl_cms_sign(lua_State *L)
{
X509* signcert = CHECK_OBJECT(1, X509, "openssl.x509");
EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
STACK_OF(X509)* certs = CHECK_OBJECT(3, STACK_OF(X509), "openssl.stack_of_x509");
BIO* data = load_bio_object(L, 4);
unsigned int flags = luaL_optint(L, 5, 0);
CMS_ContentInfo *cms;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key");
cms = CMS_sign(signcert, pkey, certs, data, flags);
if (cms)
{
PUSH_OBJECT(cms, "openssl.cms");
return 1;
}
return openssl_pushresult(L, 0);
}
static LUA_FUNCTION(openssl_pkey_decrypt)
{
size_t dlen = 0;
EVP_PKEY *pkey = CHECK_OBJECT(1, EVP_PKEY, "openssl.evp_pkey");
const char *data = luaL_checklstring(L, 2, &dlen);
int padding = auxiliar_checkoption(L, 3, "pkcs1", sPadding, iPadding);
size_t clen = EVP_PKEY_size(pkey);
EVP_PKEY_CTX *ctx = NULL;
int ret = 0;
if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA2) {
luaL_argerror(L, 2, "EVP_PKEY must be of type RSA or RSA2");
return ret;
}
if (openssl_pkey_is_private(pkey))
{
ctx = EVP_PKEY_CTX_new(pkey, pkey->engine);
if (EVP_PKEY_decrypt_init(ctx) == 1)
{
if (EVP_PKEY_CTX_set_rsa_padding(ctx, padding) == 1)
{
byte* buf = malloc(clen);
if (EVP_PKEY_decrypt(ctx, buf, &clen, (const unsigned char*)data, dlen) == 1)
{
lua_pushlstring(L, (const char*)buf, clen);
ret = 1;
}
else
ret = openssl_pushresult(L, 0);
free(buf);
}
else
ret = openssl_pushresult(L, 0);
}
else
ret = openssl_pushresult(L, 0);
EVP_PKEY_CTX_free(ctx);
}
else
{
luaL_argerror(L, 2, "EVP_PKEY must be private key");
}
return ret;
}
static LUA_FUNCTION(openssl_csr_sign)
{
X509_REQ * csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
EVP_PKEY *pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
if (openssl_pkey_is_private(pkey))
{
const EVP_MD* md = get_digest(L, 3);
return openssl_pushresult(L, X509_REQ_sign(csr, pkey, md));
} else if (lua_isnoneornil(L, 3) && X509_REQ_set_pubkey(csr, pkey))
{
unsigned char* tosign = NULL;
const ASN1_ITEM *it = ASN1_ITEM_rptr(X509_REQ_INFO);
int inl = ASN1_item_i2d((void*)csr->req_info, &tosign, it);
if (inl > 0 && tosign)
{
lua_pushlstring(L, (const char*)tosign, inl);
OPENSSL_free(tosign);
return 1;
}
return openssl_pushresult(L, 0);
} else {
size_t siglen;
const unsigned char* sigdata = (const unsigned char*)luaL_checklstring(L, 3, &siglen);
const EVP_MD* md = get_digest(L, 4);
/* (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL) ? V_ASN1_NULL : V_ASN1_UNDEF, */
X509_ALGOR_set0(csr->sig_alg, OBJ_nid2obj(md->pkey_type), V_ASN1_NULL, NULL);
if (csr->signature->data != NULL)
OPENSSL_free(csr->signature->data);
csr->signature->data = OPENSSL_malloc(siglen);
memcpy(csr->signature->data, sigdata, siglen);
csr->signature->length = siglen;
/*
* In the interests of compatibility, I'll make sure that the bit string
* has a 'not-used bits' value of 0
*/
csr->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
csr->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
lua_pushboolean(L, 1);
return 1;
}
}
/****************************SSL CTX********************************/
static int openssl_ssl_ctx_use(lua_State*L)
{
int ret;
SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx");
EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
X509* cert = CHECK_OBJECT(3, X509, "openssl.x509");
luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key");
ret = SSL_CTX_use_certificate(ctx, cert);
if (ret == 1)
{
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
if (ret == 1)
{
ret = SSL_CTX_check_private_key(ctx);
}
}
return openssl_pushresult(L, ret);
}
static int openssl_ssl_use(lua_State*L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
X509* x = CHECK_OBJECT(2, X509, "openssl.x509");
EVP_PKEY* pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
int ret;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key");
ret = SSL_use_PrivateKey(s, pkey);
if (ret == 1)
{
ret = SSL_use_certificate(s, x);
if (ret == 1)
{
ret = SSL_check_private_key(s);
}
}
return openssl_pushresult(L, ret);
}
static LUA_FUNCTION(openssl_crl_diff)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
X509_CRL *newer = CHECK_OBJECT(2, X509_CRL, "openssl.x509_crl");
EVP_PKEY* pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
const EVP_MD *md = lua_isnoneornil(L, 4)
? EVP_get_digestbyname("sha1") : get_digest(L, 4);
unsigned int flags = luaL_optinteger(L, 5, 0);
X509_CRL *diff;
luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key");
diff = X509_CRL_diff(crl, newer, pkey, md, flags);
if (diff)
{
PUSH_OBJECT(diff, "openssl.x509_crl");
}
else
lua_pushnil(L);
return 1;
}
static LUA_FUNCTION(openssl_verifyInit)
{
const EVP_MD *md = get_digest(L, 1);
EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
ENGINE* e = lua_gettop(L) > 2 ? CHECK_OBJECT(3, ENGINE, "openssl.engine") : NULL;
EVP_PKEY_CTX *pctx = 0;
EVP_MD_CTX *ctx = EVP_MD_CTX_create();
luaL_argcheck(L, !openssl_pkey_is_private(pkey), 2, "need public key");
if (ctx)
{
int ret = EVP_DigestVerifyInit(ctx, &pctx, md, e, pkey);
if (ret)
{
PUSH_OBJECT(ctx, "openssl.evp_digest_ctx");
}
else
return openssl_pushresult(L, ret);
}
else
lua_pushnil(L);
return 1;
}
static LUA_FUNCTION(openssl_pkey_export)
{
EVP_PKEY * key;
int ispriv = 0;
int exraw = 0;
int expem = 1;
size_t passphrase_len = 0;
BIO * bio_out = NULL;
int ret = 0;
const EVP_CIPHER * cipher;
const char * passphrase = NULL;
key = CHECK_OBJECT(1, EVP_PKEY, "openssl.evp_pkey");
ispriv = openssl_pkey_is_private(key);
if (!lua_isnoneornil(L, 2))
expem = lua_toboolean(L, 2);
if (expem)
{
if (!lua_isnoneornil(L, 3))
exraw = lua_toboolean(L, 3);
passphrase = luaL_optlstring(L, 4, NULL, &passphrase_len);
} else
{
passphrase = luaL_optlstring(L, 3, NULL, &passphrase_len);
}
if (passphrase)
{
cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
}
else
{
cipher = NULL;
}
bio_out = BIO_new(BIO_s_mem());
if (expem)
{
if (exraw==0)
{
ret = ispriv ?
PEM_write_bio_PrivateKey(bio_out, key, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) :
PEM_write_bio_PUBKEY(bio_out, key);
}
else
{
/* export raw key format */
switch (EVP_PKEY_type(key->type))
{
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
ret = ispriv ? PEM_write_bio_RSAPrivateKey(bio_out, key->pkey.rsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_RSAPublicKey(bio_out, key->pkey.rsa);
break;
case EVP_PKEY_DSA:
case EVP_PKEY_DSA2:
case EVP_PKEY_DSA3:
case EVP_PKEY_DSA4:
{
ret = ispriv ? PEM_write_bio_DSAPrivateKey(bio_out, key->pkey.dsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_DSA_PUBKEY(bio_out, key->pkey.dsa);
}
break;
case EVP_PKEY_DH:
ret = PEM_write_bio_DHparams(bio_out, key->pkey.dh);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
ret = ispriv ? PEM_write_bio_ECPrivateKey(bio_out, key->pkey.ec, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL)
: PEM_write_bio_EC_PUBKEY(bio_out, key->pkey.ec);
break;
#endif
default:
ret = 0;
break;
}
}
}
else
{
if (ispriv)
{
if (passphrase == NULL)
{
ret = i2d_PrivateKey_bio(bio_out, key);
} else
{
ret = i2d_PKCS8PrivateKey_bio(bio_out, key, cipher, (char *)passphrase, passphrase_len, NULL, NULL);
}
} else
{
int l;
l = i2d_PublicKey(key, NULL);
if (l > 0)
{
unsigned char* p = malloc(l);
unsigned char* pp = p;
l = i2d_PublicKey(key, &pp);
if (l > 0)
{
BIO_write(bio_out, p, l);
ret = 1;
} else
ret = 0;
free(p);
} else
ret = 0;
}
}
if (ret)
{
char * bio_mem_ptr;
long bio_mem_len;
bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr);
lua_pushlstring(L, bio_mem_ptr, bio_mem_len);
ret = 1;
}
if (bio_out)
{
BIO_free(bio_out);
}
return ret;
}
static LUA_FUNCTION(openssl_csr_new)
{
X509_REQ *csr = X509_REQ_new();
int i;
int n = lua_gettop(L);
int ret = X509_REQ_set_version(csr, 0L);
for (i = 1; ret == 1 && i <= n; i++)
{
luaL_argcheck(L,
auxiliar_isclass(L, "openssl.stack_of_x509_extension", i) ||
auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i) ||
auxiliar_isclass(L, "openssl.x509_name", i) ||
auxiliar_isclass(L, "openssl.evp_pkey", i),
i, "must be x509_name, stack_of_x509_extension or stack_of_x509_attribute");
if (auxiliar_isclass(L, "openssl.x509_name", i))
{
X509_NAME * subject = CHECK_OBJECT(i, X509_NAME, "openssl.x509_name");
ret = X509_REQ_set_subject_name(csr, subject);
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i))
{
int j, m;
STACK_OF(X509_ATTRIBUTE) *attrs = CHECK_OBJECT(i, STACK_OF(X509_ATTRIBUTE), "openssl.stack_of_x509_attribute");
m = sk_X509_ATTRIBUTE_num(attrs);
for (j = 0; ret == 1 && j < m; j++)
{
ret = X509_REQ_add1_attr(csr, sk_X509_ATTRIBUTE_value(attrs, j));
}
}
if (auxiliar_isclass(L, "openssl.stack_of_x509_extension", i))
{
STACK_OF(X509_EXTENSION) *exts =
CHECK_OBJECT(i, STACK_OF(X509_EXTENSION), "openssl.stack_of_x509_extension");
ret = X509_REQ_add_extensions(csr, exts);
}
if (auxiliar_isclass(L, "openssl.evp_pkey", i))
{
EVP_PKEY *pkey;
const EVP_MD *md;
luaL_argcheck(L, i == n || i == n - 1, i, "must is evp_pkey object");
pkey = CHECK_OBJECT(i, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(pkey), i, "must be private key");
if (i == n - 1)
md = get_digest(L, n);
else
md = EVP_get_digestbyname("sha1");
ret = X509_REQ_set_pubkey(csr, pkey);
if (ret == 1)
{
ret = X509_REQ_sign(csr, pkey, md);
if (ret > 0)
ret = 1;
}
break;
}
};
if (ret == 1)
PUSH_OBJECT(csr, "openssl.x509_req");
else
{
X509_REQ_free(csr);
return openssl_pushresult(L, ret);
}
return 1;
}
static LUA_FUNCTION(openssl_crl_new)
{
int i;
int n = lua_gettop(L);
X509_CRL * crl = X509_CRL_new();
int ret = X509_CRL_set_version(crl, 0);
X509* cacert = NULL;
EVP_PKEY* capkey = NULL;
const EVP_MD* md = NULL;
int step;
for (i = 1; ret == 1 && i <= n; i++)
{
if (i == 1)
{
luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}");
if (lua_rawlen(L, i) > 0)
{
int j, m;
m = lua_rawlen(L, i);
for (j = 1; ret == 1 && j <= m; j++)
{
X509_REVOKED *revoked;
BIGNUM* sn;
lua_rawgeti(L, i, j);
luaL_checktable(L, -1);
lua_getfield(L, -1, "reason");
lua_getfield(L, -2, "time");
lua_getfield(L, -3, "sn");
sn = BN_get(L, -1);
revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3));
if (revoked)
{
ret = X509_CRL_add0_revoked(crl, revoked);
}
BN_free(sn);
lua_pop(L, 3);
lua_pop(L, 1);
};
}
};
if (i == 2)
{
cacert = CHECK_OBJECT(2, X509, "openssl.x509");
ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert));
}
if (i == 3)
{
capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key");
luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2");
}
}
md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4);
step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5);
if (ret == 1)
{
time_t lastUpdate;
time_t nextUpdate;
ASN1_TIME *ltm, *ntm;
time(&lastUpdate);
nextUpdate = lastUpdate + step;
ltm = ASN1_TIME_new();
ntm = ASN1_TIME_new();
ASN1_TIME_set(ltm, lastUpdate);
ASN1_TIME_set(ntm, nextUpdate);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
}
if (cacert && capkey && md)
{
ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey));
}
if (ret == 1)
{
PUSH_OBJECT(crl, "openssl.x509_crl");
}
else
{
X509_CRL_free(crl);
return openssl_pushresult(L, ret);
};
return 1;
}
static int openssl_ocsp_response(lua_State *L)
{
OCSP_RESPONSE *res = NULL;
if (lua_isstring(L, 1))
{
BIO* bio = load_bio_object(L, 1);
res = d2i_OCSP_RESPONSE_bio(bio, NULL);
/*
BIO_reset(bio);
if (!res)
{
res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
}
*/
BIO_free(bio);
}
else
{
ASN1_TIME* thispnd, *nextpnd;
OCSP_CERTID *ca_id, *cid;
OCSP_BASICRESP *bs;
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
unsigned long flag = luaL_optint(L, 6, 0);
int nmin = luaL_optint(L, 7, 0);
int nday = luaL_optint(L, 8, 1);
STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
int i, id_count, type;
BIO* bio = NULL;
luaL_argcheck(L, openssl_pkey_is_private(rkey), 4, "must be private key");
type = lua_type(L, 5);
if (type != LUA_TFUNCTION && type != LUA_TTABLE)
{
luaL_error(L, "#5 must be a table or function that to get status of certificate");
}
bio = BIO_new(BIO_s_mem());
ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
bs = OCSP_BASICRESP_new();
thispnd = X509_gmtime_adj(NULL, 0);
nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
id_count = OCSP_request_onereq_count(req);
for (i = 0; i < id_count; i++)
{
OCSP_ONEREQ *one;
ASN1_INTEGER *serial;
ASN1_OBJECT* inst = NULL;
ASN1_TIME* revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single = NULL;
int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;
one = OCSP_request_onereq_get0(req, i);
cid = OCSP_onereq_get0_id(one);
if (OCSP_id_issuer_cmp(ca_id, cid))
{
OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thispnd, nextpnd);
continue;
}
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
if (lua_istable(L, 5))
{
BUF_MEM *buf;
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial);
BIO_get_mem_ptr(bio, &buf);
lua_pushlstring(L, buf->data, buf->length);
lua_gettable(L, 5);
if (lua_isnil(L, -1))
status = V_OCSP_CERTSTATUS_UNKNOWN;
else
{
luaL_checktype(L, -1, LUA_TTABLE);
lua_getfield(L, -1, "revoked");
if (lua_toboolean(L, -1))
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_REVOKED;
lua_getfield(L, -1, "revoked_time");
if (!lua_isnil(L, -1))
{
revtm = ASN1_TIME_new();
ASN1_TIME_set(revtm, luaL_checkint(L, -1));
}
lua_pop(L, 1);
lua_getfield(L, -1, "reason");
if (lua_isstring(L, -1))
reason = openssl_s2i_revoke_reason(lua_tostring(L, -1));
else
reason = luaL_checkint(L, -1);
lua_pop(L, 1);
}
else
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_GOOD;
}
}
}
else
{
//TODO:
}
if (reason == 7)
reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
else if (reason == 8)
{
reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
//inst = OBJ_txt2obj(str, 0);
}
else if (reason == 9 || reason == 10)
{
if ( reason == 9 )
reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
else if (reason == 10)
reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
/*
invtm = ASN1_GENERALIZEDTIME_new();
if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
*/
}
single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
if (invtm)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
ASN1_TIME_free(revtm);
}
if (inst)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
}
if (invtm)
ASN1_GENERALIZEDTIME_free(invtm);
}
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);
res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
BIO_free(bio);
}
if (res)
{
PUSH_OBJECT(res, "openssl.ocsp_response");
}
else
lua_pushnil(L);
return 1;
}