static LUA_FUNCTION(openssl_pkcs7_sign) { BIO *in = load_bio_object(L, 1); X509 *cert = CHECK_OBJECT(2, X509, "openssl.x509"); EVP_PKEY *privkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); STACK_OF(X509) *others = lua_isnoneornil(L, 4) ? 0 : openssl_sk_x509_fromtable(L, 4); long flags = luaL_optint(L, 5, 0); PKCS7 *p7 = NULL; luaL_argcheck(L, openssl_pkey_is_private(privkey), 3, "must be private key"); if (!X509_check_private_key(cert, privkey)) luaL_error(L, "sigcert and private key not match"); p7 = PKCS7_sign(cert, privkey, others, in, flags); BIO_free(in); if (others) sk_X509_pop_free(others, X509_free); if (p7) { PUSH_OBJECT(p7, "openssl.pkcs7"); return 1; } else { luaL_error(L, "error creating PKCS7 structure!"); } return 0; }
static int openssl_ocsp_request_sign(lua_State*L) { OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request"); X509 *signer = CHECK_OBJECT(2, X509, "openssl.x509"); EVP_PKEY *pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); STACK_OF(X509) *others = NULL; const EVP_MD *md = EVP_sha1(); int ret; int sflags = 0; luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key"); if (lua_isnoneornil(L, 4)) { sflags = OCSP_NOCERTS; } else { others = CHECK_OBJECT(4, STACK_OF(X509), "openssl.stack_of_x509"); } sflags = luaL_optint(L, 6, sflags); if (!lua_isnoneornil(L, 7)) md = CHECK_OBJECT(7, EVP_MD, "openssl.evp_digest"); ret = OCSP_request_sign(req, signer, pkey, md, others, sflags); lua_pushboolean(L, ret); return 1; }
static LUA_FUNCTION(openssl_csr_check) { X509_REQ *csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req"); EVP_PKEY *pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); int ret; luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key"); ret = X509_REQ_check_private_key(csr, pkey); return openssl_pushresult(L, ret); };
static LUA_FUNCTION(openssl_pkcs12_export) { X509 * cert = CHECK_OBJECT(1, X509, "openssl.x509"); EVP_PKEY *priv_key = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); char * pass = (char*)luaL_checkstring(L, 3); int top = lua_gettop(L); BIO * bio_out = NULL; PKCS12 * p12 = NULL; const char * friendly_name = NULL; STACK_OF(X509) *ca = NULL; int ret = 0; luaL_argcheck(L, openssl_pkey_is_private(priv_key), 2, "must be private key"); if (top > 3) { if (lua_isstring(L, 4)) friendly_name = lua_tostring(L, 4); else if (lua_isuserdata(L, 4)) ca = CHECK_OBJECT(4, STACK_OF(X509), "openssl.stack_of_x509"); else luaL_argerror(L, 4, "must be string as friendly_name or openssl.stack_of_x509 object as cacets"); if (top > 4) ca = CHECK_OBJECT(5, STACK_OF(X509), "openssl.stack_of_x509"); } if (cert && !X509_check_private_key(cert, priv_key)) { luaL_error(L, "private key does not correspond to cert"); } /* end parse extra config */ /*PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype);*/ p12 = PKCS12_create(pass, (char*)friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0); if (!p12) luaL_error(L, "PKCS12_careate failed,pleases get more error info"); bio_out = BIO_new(BIO_s_mem()); if (i2d_PKCS12_bio(bio_out, p12)) { BUF_MEM *bio_buf; BIO_get_mem_ptr(bio_out, &bio_buf); lua_pushlstring(L, bio_buf->data, bio_buf->length); ret = 1; } BIO_free(bio_out); PKCS12_free(p12); return ret; }
static LUA_FUNCTION(openssl_crl_check) { X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl"); EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); unsigned long flags = luaL_optinteger(L, 3, X509_V_FLAG_SUITEB_128_LOS); int ret; luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key"); ret = X509_CRL_check_suiteb(crl, pkey, flags); return openssl_pushresult(L, ret == X509_V_OK); }
static LUA_FUNCTION(openssl_pkcs7_sign_add_signer) { PKCS7 *p7 = CHECK_OBJECT(1, PKCS7, "openssl.pkcs7"); X509 *signcert = CHECK_OBJECT(2, X509, "openssl.x509"); EVP_PKEY *pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); const EVP_MD* md = get_digest(L, 4); long flags = luaL_optint(L, 5, 0); PKCS7_SIGNER_INFO *signer = 0; luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key"); luaL_argcheck(L, X509_check_private_key(signcert, pkey), 3, "sigcert and private key not match"); signer = PKCS7_sign_add_signer(p7, signcert, pkey, md, flags); (void) signer; return openssl_pushresult(L, signcert != NULL ? 1 : 0); }
static LUA_FUNCTION(openssl_csr_to_x509) { X509_REQ * csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req"); EVP_PKEY * pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); int days = luaL_optint(L, 3, 365); X509* cert = X509_REQ_to_X509_a(csr, days, pkey); luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key"); if (cert) { PUSH_OBJECT(cert, "openssl.x509"); return 1; } return openssl_pushresult(L, 0); }
static int openssl_cms_sign(lua_State *L) { X509* signcert = CHECK_OBJECT(1, X509, "openssl.x509"); EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); STACK_OF(X509)* certs = CHECK_OBJECT(3, STACK_OF(X509), "openssl.stack_of_x509"); BIO* data = load_bio_object(L, 4); unsigned int flags = luaL_optint(L, 5, 0); CMS_ContentInfo *cms; luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key"); cms = CMS_sign(signcert, pkey, certs, data, flags); if (cms) { PUSH_OBJECT(cms, "openssl.cms"); return 1; } return openssl_pushresult(L, 0); }
static LUA_FUNCTION(openssl_pkey_decrypt) { size_t dlen = 0; EVP_PKEY *pkey = CHECK_OBJECT(1, EVP_PKEY, "openssl.evp_pkey"); const char *data = luaL_checklstring(L, 2, &dlen); int padding = auxiliar_checkoption(L, 3, "pkcs1", sPadding, iPadding); size_t clen = EVP_PKEY_size(pkey); EVP_PKEY_CTX *ctx = NULL; int ret = 0; if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA2) { luaL_argerror(L, 2, "EVP_PKEY must be of type RSA or RSA2"); return ret; } if (openssl_pkey_is_private(pkey)) { ctx = EVP_PKEY_CTX_new(pkey, pkey->engine); if (EVP_PKEY_decrypt_init(ctx) == 1) { if (EVP_PKEY_CTX_set_rsa_padding(ctx, padding) == 1) { byte* buf = malloc(clen); if (EVP_PKEY_decrypt(ctx, buf, &clen, (const unsigned char*)data, dlen) == 1) { lua_pushlstring(L, (const char*)buf, clen); ret = 1; } else ret = openssl_pushresult(L, 0); free(buf); } else ret = openssl_pushresult(L, 0); } else ret = openssl_pushresult(L, 0); EVP_PKEY_CTX_free(ctx); } else { luaL_argerror(L, 2, "EVP_PKEY must be private key"); } return ret; }
static LUA_FUNCTION(openssl_csr_sign) { X509_REQ * csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req"); EVP_PKEY *pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); if (openssl_pkey_is_private(pkey)) { const EVP_MD* md = get_digest(L, 3); return openssl_pushresult(L, X509_REQ_sign(csr, pkey, md)); } else if (lua_isnoneornil(L, 3) && X509_REQ_set_pubkey(csr, pkey)) { unsigned char* tosign = NULL; const ASN1_ITEM *it = ASN1_ITEM_rptr(X509_REQ_INFO); int inl = ASN1_item_i2d((void*)csr->req_info, &tosign, it); if (inl > 0 && tosign) { lua_pushlstring(L, (const char*)tosign, inl); OPENSSL_free(tosign); return 1; } return openssl_pushresult(L, 0); } else { size_t siglen; const unsigned char* sigdata = (const unsigned char*)luaL_checklstring(L, 3, &siglen); const EVP_MD* md = get_digest(L, 4); /* (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL) ? V_ASN1_NULL : V_ASN1_UNDEF, */ X509_ALGOR_set0(csr->sig_alg, OBJ_nid2obj(md->pkey_type), V_ASN1_NULL, NULL); if (csr->signature->data != NULL) OPENSSL_free(csr->signature->data); csr->signature->data = OPENSSL_malloc(siglen); memcpy(csr->signature->data, sigdata, siglen); csr->signature->length = siglen; /* * In the interests of compatibility, I'll make sure that the bit string * has a 'not-used bits' value of 0 */ csr->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); csr->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; lua_pushboolean(L, 1); return 1; } }
/****************************SSL CTX********************************/ static int openssl_ssl_ctx_use(lua_State*L) { int ret; SSL_CTX* ctx = CHECK_OBJECT(1, SSL_CTX, "openssl.ssl_ctx"); EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); X509* cert = CHECK_OBJECT(3, X509, "openssl.x509"); luaL_argcheck(L, openssl_pkey_is_private(pkey), 2, "must be private key"); ret = SSL_CTX_use_certificate(ctx, cert); if (ret == 1) { ret = SSL_CTX_use_PrivateKey(ctx, pkey); if (ret == 1) { ret = SSL_CTX_check_private_key(ctx); } } return openssl_pushresult(L, ret); }
static int openssl_ssl_use(lua_State*L) { SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl"); X509* x = CHECK_OBJECT(2, X509, "openssl.x509"); EVP_PKEY* pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); int ret; luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key"); ret = SSL_use_PrivateKey(s, pkey); if (ret == 1) { ret = SSL_use_certificate(s, x); if (ret == 1) { ret = SSL_check_private_key(s); } } return openssl_pushresult(L, ret); }
static LUA_FUNCTION(openssl_crl_diff) { X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl"); X509_CRL *newer = CHECK_OBJECT(2, X509_CRL, "openssl.x509_crl"); EVP_PKEY* pkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); const EVP_MD *md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4); unsigned int flags = luaL_optinteger(L, 5, 0); X509_CRL *diff; luaL_argcheck(L, openssl_pkey_is_private(pkey), 3, "must be private key"); diff = X509_CRL_diff(crl, newer, pkey, md, flags); if (diff) { PUSH_OBJECT(diff, "openssl.x509_crl"); } else lua_pushnil(L); return 1; }
static LUA_FUNCTION(openssl_verifyInit) { const EVP_MD *md = get_digest(L, 1); EVP_PKEY* pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey"); ENGINE* e = lua_gettop(L) > 2 ? CHECK_OBJECT(3, ENGINE, "openssl.engine") : NULL; EVP_PKEY_CTX *pctx = 0; EVP_MD_CTX *ctx = EVP_MD_CTX_create(); luaL_argcheck(L, !openssl_pkey_is_private(pkey), 2, "need public key"); if (ctx) { int ret = EVP_DigestVerifyInit(ctx, &pctx, md, e, pkey); if (ret) { PUSH_OBJECT(ctx, "openssl.evp_digest_ctx"); } else return openssl_pushresult(L, ret); } else lua_pushnil(L); return 1; }
static LUA_FUNCTION(openssl_pkey_export) { EVP_PKEY * key; int ispriv = 0; int exraw = 0; int expem = 1; size_t passphrase_len = 0; BIO * bio_out = NULL; int ret = 0; const EVP_CIPHER * cipher; const char * passphrase = NULL; key = CHECK_OBJECT(1, EVP_PKEY, "openssl.evp_pkey"); ispriv = openssl_pkey_is_private(key); if (!lua_isnoneornil(L, 2)) expem = lua_toboolean(L, 2); if (expem) { if (!lua_isnoneornil(L, 3)) exraw = lua_toboolean(L, 3); passphrase = luaL_optlstring(L, 4, NULL, &passphrase_len); } else { passphrase = luaL_optlstring(L, 3, NULL, &passphrase_len); } if (passphrase) { cipher = (EVP_CIPHER *) EVP_des_ede3_cbc(); } else { cipher = NULL; } bio_out = BIO_new(BIO_s_mem()); if (expem) { if (exraw==0) { ret = ispriv ? PEM_write_bio_PrivateKey(bio_out, key, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) : PEM_write_bio_PUBKEY(bio_out, key); } else { /* export raw key format */ switch (EVP_PKEY_type(key->type)) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: ret = ispriv ? PEM_write_bio_RSAPrivateKey(bio_out, key->pkey.rsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) : PEM_write_bio_RSAPublicKey(bio_out, key->pkey.rsa); break; case EVP_PKEY_DSA: case EVP_PKEY_DSA2: case EVP_PKEY_DSA3: case EVP_PKEY_DSA4: { ret = ispriv ? PEM_write_bio_DSAPrivateKey(bio_out, key->pkey.dsa, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) : PEM_write_bio_DSA_PUBKEY(bio_out, key->pkey.dsa); } break; case EVP_PKEY_DH: ret = PEM_write_bio_DHparams(bio_out, key->pkey.dh); break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: ret = ispriv ? PEM_write_bio_ECPrivateKey(bio_out, key->pkey.ec, cipher, (unsigned char *)passphrase, passphrase_len, NULL, NULL) : PEM_write_bio_EC_PUBKEY(bio_out, key->pkey.ec); break; #endif default: ret = 0; break; } } } else { if (ispriv) { if (passphrase == NULL) { ret = i2d_PrivateKey_bio(bio_out, key); } else { ret = i2d_PKCS8PrivateKey_bio(bio_out, key, cipher, (char *)passphrase, passphrase_len, NULL, NULL); } } else { int l; l = i2d_PublicKey(key, NULL); if (l > 0) { unsigned char* p = malloc(l); unsigned char* pp = p; l = i2d_PublicKey(key, &pp); if (l > 0) { BIO_write(bio_out, p, l); ret = 1; } else ret = 0; free(p); } else ret = 0; } } if (ret) { char * bio_mem_ptr; long bio_mem_len; bio_mem_len = BIO_get_mem_data(bio_out, &bio_mem_ptr); lua_pushlstring(L, bio_mem_ptr, bio_mem_len); ret = 1; } if (bio_out) { BIO_free(bio_out); } return ret; }
static LUA_FUNCTION(openssl_csr_new) { X509_REQ *csr = X509_REQ_new(); int i; int n = lua_gettop(L); int ret = X509_REQ_set_version(csr, 0L); for (i = 1; ret == 1 && i <= n; i++) { luaL_argcheck(L, auxiliar_isclass(L, "openssl.stack_of_x509_extension", i) || auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i) || auxiliar_isclass(L, "openssl.x509_name", i) || auxiliar_isclass(L, "openssl.evp_pkey", i), i, "must be x509_name, stack_of_x509_extension or stack_of_x509_attribute"); if (auxiliar_isclass(L, "openssl.x509_name", i)) { X509_NAME * subject = CHECK_OBJECT(i, X509_NAME, "openssl.x509_name"); ret = X509_REQ_set_subject_name(csr, subject); } if (auxiliar_isclass(L, "openssl.stack_of_x509_attribute", i)) { int j, m; STACK_OF(X509_ATTRIBUTE) *attrs = CHECK_OBJECT(i, STACK_OF(X509_ATTRIBUTE), "openssl.stack_of_x509_attribute"); m = sk_X509_ATTRIBUTE_num(attrs); for (j = 0; ret == 1 && j < m; j++) { ret = X509_REQ_add1_attr(csr, sk_X509_ATTRIBUTE_value(attrs, j)); } } if (auxiliar_isclass(L, "openssl.stack_of_x509_extension", i)) { STACK_OF(X509_EXTENSION) *exts = CHECK_OBJECT(i, STACK_OF(X509_EXTENSION), "openssl.stack_of_x509_extension"); ret = X509_REQ_add_extensions(csr, exts); } if (auxiliar_isclass(L, "openssl.evp_pkey", i)) { EVP_PKEY *pkey; const EVP_MD *md; luaL_argcheck(L, i == n || i == n - 1, i, "must is evp_pkey object"); pkey = CHECK_OBJECT(i, EVP_PKEY, "openssl.evp_pkey"); luaL_argcheck(L, openssl_pkey_is_private(pkey), i, "must be private key"); if (i == n - 1) md = get_digest(L, n); else md = EVP_get_digestbyname("sha1"); ret = X509_REQ_set_pubkey(csr, pkey); if (ret == 1) { ret = X509_REQ_sign(csr, pkey, md); if (ret > 0) ret = 1; } break; } }; if (ret == 1) PUSH_OBJECT(csr, "openssl.x509_req"); else { X509_REQ_free(csr); return openssl_pushresult(L, ret); } return 1; }
static LUA_FUNCTION(openssl_crl_new) { int i; int n = lua_gettop(L); X509_CRL * crl = X509_CRL_new(); int ret = X509_CRL_set_version(crl, 0); X509* cacert = NULL; EVP_PKEY* capkey = NULL; const EVP_MD* md = NULL; int step; for (i = 1; ret == 1 && i <= n; i++) { if (i == 1) { luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}"); if (lua_rawlen(L, i) > 0) { int j, m; m = lua_rawlen(L, i); for (j = 1; ret == 1 && j <= m; j++) { X509_REVOKED *revoked; BIGNUM* sn; lua_rawgeti(L, i, j); luaL_checktable(L, -1); lua_getfield(L, -1, "reason"); lua_getfield(L, -2, "time"); lua_getfield(L, -3, "sn"); sn = BN_get(L, -1); revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3)); if (revoked) { ret = X509_CRL_add0_revoked(crl, revoked); } BN_free(sn); lua_pop(L, 3); lua_pop(L, 1); }; } }; if (i == 2) { cacert = CHECK_OBJECT(2, X509, "openssl.x509"); ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert)); } if (i == 3) { capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key"); luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2"); } } md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4); step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5); if (ret == 1) { time_t lastUpdate; time_t nextUpdate; ASN1_TIME *ltm, *ntm; time(&lastUpdate); nextUpdate = lastUpdate + step; ltm = ASN1_TIME_new(); ntm = ASN1_TIME_new(); ASN1_TIME_set(ltm, lastUpdate); ASN1_TIME_set(ntm, nextUpdate); ret = X509_CRL_set_lastUpdate(crl, ltm); if (ret == 1) ret = X509_CRL_set_nextUpdate(crl, ntm); ASN1_TIME_free(ltm); ASN1_TIME_free(ntm); } if (cacert && capkey && md) { ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey)); } if (ret == 1) { PUSH_OBJECT(crl, "openssl.x509_crl"); } else { X509_CRL_free(crl); return openssl_pushresult(L, ret); }; return 1; }
static int openssl_ocsp_response(lua_State *L) { OCSP_RESPONSE *res = NULL; if (lua_isstring(L, 1)) { BIO* bio = load_bio_object(L, 1); res = d2i_OCSP_RESPONSE_bio(bio, NULL); /* BIO_reset(bio); if (!res) { res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL); } */ BIO_free(bio); } else { ASN1_TIME* thispnd, *nextpnd; OCSP_CERTID *ca_id, *cid; OCSP_BASICRESP *bs; OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request"); X509* ca = CHECK_OBJECT(2, X509, "openssl.x509"); X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509"); EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey"); unsigned long flag = luaL_optint(L, 6, 0); int nmin = luaL_optint(L, 7, 0); int nday = luaL_optint(L, 8, 1); STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509"); int i, id_count, type; BIO* bio = NULL; luaL_argcheck(L, openssl_pkey_is_private(rkey), 4, "must be private key"); type = lua_type(L, 5); if (type != LUA_TFUNCTION && type != LUA_TTABLE) { luaL_error(L, "#5 must be a table or function that to get status of certificate"); } bio = BIO_new(BIO_s_mem()); ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca); bs = OCSP_BASICRESP_new(); thispnd = X509_gmtime_adj(NULL, 0); nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24); id_count = OCSP_request_onereq_count(req); for (i = 0; i < id_count; i++) { OCSP_ONEREQ *one; ASN1_INTEGER *serial; ASN1_OBJECT* inst = NULL; ASN1_TIME* revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single = NULL; int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN; one = OCSP_request_onereq_get0(req, i); cid = OCSP_onereq_get0_id(one); if (OCSP_id_issuer_cmp(ca_id, cid)) { OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thispnd, nextpnd); continue; } OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); if (lua_istable(L, 5)) { BUF_MEM *buf; BIO_reset(bio); i2a_ASN1_INTEGER(bio, serial); BIO_get_mem_ptr(bio, &buf); lua_pushlstring(L, buf->data, buf->length); lua_gettable(L, 5); if (lua_isnil(L, -1)) status = V_OCSP_CERTSTATUS_UNKNOWN; else { luaL_checktype(L, -1, LUA_TTABLE); lua_getfield(L, -1, "revoked"); if (lua_toboolean(L, -1)) { lua_pop(L, 1); status = V_OCSP_CERTSTATUS_REVOKED; lua_getfield(L, -1, "revoked_time"); if (!lua_isnil(L, -1)) { revtm = ASN1_TIME_new(); ASN1_TIME_set(revtm, luaL_checkint(L, -1)); } lua_pop(L, 1); lua_getfield(L, -1, "reason"); if (lua_isstring(L, -1)) reason = openssl_s2i_revoke_reason(lua_tostring(L, -1)); else reason = luaL_checkint(L, -1); lua_pop(L, 1); } else { lua_pop(L, 1); status = V_OCSP_CERTSTATUS_GOOD; } } } else { //TODO: } if (reason == 7) reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL; else if (reason == 8) { reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; //inst = OBJ_txt2obj(str, 0); } else if (reason == 9 || reason == 10) { if ( reason == 9 ) reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE; else if (reason == 10) reason = OCSP_REVOKED_STATUS_CACOMPROMISE; /* invtm = ASN1_GENERALIZEDTIME_new(); if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str)) */ } single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd); if (invtm) { OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); ASN1_TIME_free(revtm); } if (inst) { OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); } if (invtm) ASN1_GENERALIZEDTIME_free(invtm); } OCSP_copy_nonce(bs, req); OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag); res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); BIO_free(bio); } if (res) { PUSH_OBJECT(res, "openssl.ocsp_response"); } else lua_pushnil(L); return 1; }