static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason)
{
X509_REVOKED *revoked = X509_REVOKED_new();
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_INTEGER *it = BN_to_ASN1_INTEGER(bn, NULL);;
ASN1_TIME_set(tm, t);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_data(ext, e);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_REVOKED_add_ext(revoked, ext, 0);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
return revoked;
}
PKI_OCSP_RESP *PKI_OCSP_RESP_new ( void )
{
// Crypto Provider's specific data structures
PKI_X509_OCSP_RESP_VALUE *r = NULL;
OCSP_BASICRESP *bs = NULL;
// Return container
PKI_OCSP_RESP * ret = NULL;
// Allocates the response object
if ((r = OCSP_RESPONSE_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
// Sets the initial state to "Success"
if (!(ASN1_ENUMERATED_set(r->responseStatus,
PKI_X509_OCSP_RESP_STATUS_SUCCESSFUL)))
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if (r) OCSP_RESPONSE_free (r);
return NULL;
}
// Creates the basic response object
if ((bs = OCSP_BASICRESP_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if( r ) OCSP_RESPONSE_free ( r );
return ( NULL );
}
// Let's now create the outer container
if(( ret = (PKI_OCSP_RESP *)
PKI_Malloc (sizeof(PKI_OCSP_RESP)))==NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
if ( bs ) OCSP_BASICRESP_free ( bs );
if ( r ) OCSP_RESPONSE_free ( r );
return NULL;
}
// Transfer ownership of r and bs to the container
ret->resp = r;
ret->bs = bs;
// Success - object created
return ret;
}
/* Create an OCSP response and encode an optional basic response */
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
{
OCSP_RESPONSE *rsp = NULL;
if (!(rsp = OCSP_RESPONSE_new())) goto err;
if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
if (!bs) return rsp;
if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
goto err;
return rsp;
err:
if (rsp) OCSP_RESPONSE_free(rsp);
return NULL;
}
int PKI_X509_OCSP_RESP_set_status ( PKI_X509_OCSP_RESP *x,
PKI_X509_OCSP_RESP_STATUS status ) {
PKI_OCSP_RESP * r = NULL;
if ( !x || !x->value ) return PKI_ERR;
r = x->value;
if (!r->resp) return PKI_ERR;
if (!(ASN1_ENUMERATED_set(r->resp->responseStatus, status)))
return PKI_ERR;
return PKI_OK;
}
int
conv_eckey2gkey(EC_KEY *key, TANG_KEY_USE use, TANG_KEY *gkey, BN_CTX *ctx)
{
const EC_GROUP *grp = EC_KEY_get0_group(key);
int r;
if (!grp)
return EINVAL;
ASN1_OBJECT_free(gkey->grp);
gkey->grp = OBJ_nid2obj(EC_GROUP_get_curve_name(grp));
if (!gkey->grp)
return ENOMEM;
r = conv_point2os(grp, EC_KEY_get0_public_key(key), gkey->key, ctx);
if (r != 0)
return ENOMEM;
if (ASN1_ENUMERATED_set(gkey->use, use) <= 0)
return ENOMEM;
return 0;
}
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSP_CERTID *cid,
int status, int reason,
ASN1_TIME *revtime,
ASN1_TIME *thisupd, ASN1_TIME *nextupd)
{
OCSP_SINGLERESP *single = NULL;
OCSP_CERTSTATUS *cs;
OCSP_REVOKEDINFO *ri;
if(!rsp->tbsResponseData->responses &&
!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
goto err;
if (!(single = OCSP_SINGLERESP_new()))
goto err;
if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
goto err;
if (nextupd &&
!ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
goto err;
OCSP_CERTID_free(single->certId);
if(!(single->certId = OCSP_CERTID_dup(cid)))
goto err;
cs = single->certStatus;
switch(cs->type = status)
{
case V_OCSP_CERTSTATUS_REVOKED:
if (!revtime)
{
OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
goto err;
}
if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
goto err;
if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
{
if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
goto err;
if (!(ASN1_ENUMERATED_set(ri->revocationReason,
reason)))
goto err;
}
break;
case V_OCSP_CERTSTATUS_GOOD:
cs->value.good = ASN1_NULL_new();
break;
case V_OCSP_CERTSTATUS_UNKNOWN:
cs->value.unknown = ASN1_NULL_new();
break;
default:
goto err;
}
if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
goto err;
return single;
err:
OCSP_SINGLERESP_free(single);
return NULL;
}
DWORD
VMCACreateRevokedFromCert(
X509 *pCert,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, time(NULL));
dwError = X509_REVOKED_set_serialNumber(pTempRev,
X509_get_serialNumber(pCert));
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
//TODO : Fix the UNSPECIFIED to real valid reason
// which users can pass in.
ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
DWORD
VMCACreateRevokedFromCert_Reason(
ASN1_INTEGER *asnSerial,
DWORD dwRevokedDate,
VMCA_CRL_REASON certRevokeReason,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);
dwError = X509_REVOKED_set_serialNumber(pTempRev,
asnSerial);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
ASN1_ENUMERATED_set(pCode, certRevokeReason);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
PKI_X509_CRL_ENTRY * PKI_X509_CRL_ENTRY_new_serial( const char *serial,
PKI_X509_CRL_REASON reason, const PKI_TIME *revDate,
const PKI_X509_PROFILE *profile ) {
PKI_X509_CRL_ENTRY *entry = NULL;
// Entry to be added to the CRL
PKI_INTEGER * s_int = NULL;
// ASN1 Integer
PKI_TIME * a_date = NULL;
// ASN1 Rev Date
// Input check
if (!serial) {
PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number");
return NULL;
}
// Allocates the Memory for the entry
if((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
// If no revocation date is provided, let's use "now"
if (!revDate && (a_date = PKI_TIME_new(0)) == NULL) {
// Can not allocate the revocation date time
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
} else {
// Gets the Pointer from the caller
a_date = (PKI_TIME *)revDate;
}
// Generates the integer carrying the serial number
if ((s_int = PKI_INTEGER_new_char(serial)) != NULL) {
// Sets the serial number in the X509_REVOKED structure
if (X509_REVOKED_set_serialNumber(entry, s_int) == 1) {
// Sets the revocation date
if (a_date && !X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) {
PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date");
goto err;
}
// All Ok here
} else {
// Error While assigning the serial
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial);
goto err;
}
} else {
// Error generating the ASN1 Integer
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial);
goto err;
}
if (reason != PKI_CRL_REASON_UNSPECIFIED) {
int supported_reason = -1;
ASN1_ENUMERATED *rtmp = ASN1_ENUMERATED_new();
switch (reason )
{
case PKI_CRL_REASON_CERTIFICATE_HOLD:
case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT:
if (!X509_REVOKED_add1_ext_i2d(entry,
NID_hold_instruction_code,
PKI_OID_get("holdInstructionReject"), 0, 0)) {
PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionReject");
goto err;
}
if (revDate && !X509_REVOKED_add1_ext_i2d(entry,
NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) {
PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date");
goto err;
}
supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
/* --- Deprecated in RFC 5280 ---
case PKI_CRL_REASON_HOLD_INSTRUCTION_NONE:
if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
PKI_OID_get( "holdInstructionReject"), 0, 0)) {
goto err;
};
if( revDate && !X509_REVOKED_add1_ext_i2d ( entry,
NID_invalidity_date, revDate, 0, 0)) {
goto err;
};
reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
*/
case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER:
if (!X509_REVOKED_add1_ext_i2d(
entry,
NID_hold_instruction_code,
PKI_OID_get(
"holdInstructionCallIssuer"), 0, 0)) {
goto err;
}
if( revDate && !X509_REVOKED_add1_ext_i2d(
entry,
NID_invalidity_date,
(PKI_TIME *)revDate,
0, 0)) {
goto err;
}
supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
case PKI_CRL_REASON_KEY_COMPROMISE:
case PKI_CRL_REASON_CA_COMPROMISE:
case PKI_CRL_REASON_AFFILIATION_CHANGED:
case PKI_CRL_REASON_SUPERSEDED:
case PKI_CRL_REASON_CESSATION_OF_OPERATION:
case PKI_CRL_REASON_REMOVE_FROM_CRL:
case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN:
case PKI_CRL_REASON_AA_COMPROMISE:
PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Not Implemented Yet %d", reason);
break;
default:
PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason);
supported_reason = -1;
break;
}
if (supported_reason >= 0)
{
if (!ASN1_ENUMERATED_set(rtmp, supported_reason)) goto err;
if (!X509_REVOKED_add1_ext_i2d( entry, NID_crl_reason, rtmp, 0, 0)) goto err;
}
/*
if( reason == CRL_REASON_HOLD_INSTRUCTION ) {
// if (!X509_REVOKED_add1_ext_i2d ( entry,
// NID_invalidity_date, revDate, 0, 0)) {
// goto err;
// };
// if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
// PKI_OID_get( "holdInstructionReject"), 0, 0)) {
// goto err;
// };
};
*/
}
/*
if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
goto err;
if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
{
rtmp = ASN1_ENUMERATED_new();
if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
goto err;
if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
goto err;
}
if (rev && comp_time)
{
if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
goto err;
}
if (rev && hold)
{
if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
goto err;
}
*/
// Free Allocated Memory
if (s_int) PKI_INTEGER_free(s_int);
if (a_date && !revDate) PKI_TIME_free(a_date);
// Returns the created entry
return entry;
err:
// Free Allocated memory
if (s_int) PKI_INTEGER_free(s_int);
if (a_date && !revDate) PKI_TIME_free(a_date);
if (entry) X509_REVOKED_free((X509_REVOKED *) entry);
// Returns null (error)
return NULL;
}