static int reason_get(lua_State*L, int reasonidx) { int reason = 0; if (lua_isnumber(L, reasonidx)) { reason = lua_tointeger(L, reasonidx); } else if (lua_isstring(L, reasonidx)) { const char* s = lua_tostring(L, reasonidx); reason = openssl_s2i_revoke_reason(s); } else if (lua_isnoneornil(L, reasonidx)) reason = 0; else luaL_argerror(L, reasonidx, "invalid revoke reason"); luaL_argcheck(L, reason >= 0 && reason < reason_num, reasonidx, "fail convert to revoke reason"); return reason; }
static int openssl_ocsp_response(lua_State *L) { OCSP_RESPONSE *res = NULL; if (lua_isstring(L, 1)) { BIO* bio = load_bio_object(L, 1); res = d2i_OCSP_RESPONSE_bio(bio, NULL); /* BIO_reset(bio); if (!res) { res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL); } */ BIO_free(bio); } else { ASN1_TIME* thispnd, *nextpnd; OCSP_CERTID *ca_id, *cid; OCSP_BASICRESP *bs; OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request"); X509* ca = CHECK_OBJECT(2, X509, "openssl.x509"); X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509"); EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey"); unsigned long flag = luaL_optint(L, 6, 0); int nmin = luaL_optint(L, 7, 0); int nday = luaL_optint(L, 8, 1); STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509"); int i, id_count, type; BIO* bio = NULL; luaL_argcheck(L, openssl_pkey_is_private(rkey), 4, "must be private key"); type = lua_type(L, 5); if (type != LUA_TFUNCTION && type != LUA_TTABLE) { luaL_error(L, "#5 must be a table or function that to get status of certificate"); } bio = BIO_new(BIO_s_mem()); ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca); bs = OCSP_BASICRESP_new(); thispnd = X509_gmtime_adj(NULL, 0); nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24); id_count = OCSP_request_onereq_count(req); for (i = 0; i < id_count; i++) { OCSP_ONEREQ *one; ASN1_INTEGER *serial; ASN1_OBJECT* inst = NULL; ASN1_TIME* revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single = NULL; int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN; one = OCSP_request_onereq_get0(req, i); cid = OCSP_onereq_get0_id(one); if (OCSP_id_issuer_cmp(ca_id, cid)) { OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thispnd, nextpnd); continue; } OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); if (lua_istable(L, 5)) { BUF_MEM *buf; BIO_reset(bio); i2a_ASN1_INTEGER(bio, serial); BIO_get_mem_ptr(bio, &buf); lua_pushlstring(L, buf->data, buf->length); lua_gettable(L, 5); if (lua_isnil(L, -1)) status = V_OCSP_CERTSTATUS_UNKNOWN; else { luaL_checktype(L, -1, LUA_TTABLE); lua_getfield(L, -1, "revoked"); if (lua_toboolean(L, -1)) { lua_pop(L, 1); status = V_OCSP_CERTSTATUS_REVOKED; lua_getfield(L, -1, "revoked_time"); if (!lua_isnil(L, -1)) { revtm = ASN1_TIME_new(); ASN1_TIME_set(revtm, luaL_checkint(L, -1)); } lua_pop(L, 1); lua_getfield(L, -1, "reason"); if (lua_isstring(L, -1)) reason = openssl_s2i_revoke_reason(lua_tostring(L, -1)); else reason = luaL_checkint(L, -1); lua_pop(L, 1); } else { lua_pop(L, 1); status = V_OCSP_CERTSTATUS_GOOD; } } } else { //TODO: } if (reason == 7) reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL; else if (reason == 8) { reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; //inst = OBJ_txt2obj(str, 0); } else if (reason == 9 || reason == 10) { if ( reason == 9 ) reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE; else if (reason == 10) reason = OCSP_REVOKED_STATUS_CACOMPROMISE; /* invtm = ASN1_GENERALIZEDTIME_new(); if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str)) */ } single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd); if (invtm) { OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); ASN1_TIME_free(revtm); } if (inst) { OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); } if (invtm) ASN1_GENERALIZEDTIME_free(invtm); } OCSP_copy_nonce(bs, req); OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag); res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); BIO_free(bio); } if (res) { PUSH_OBJECT(res, "openssl.ocsp_response"); } else lua_pushnil(L); return 1; }