static VALUE
ossl_ocspbres_sign(int argc, VALUE *argv, VALUE self)
{
VALUE signer_cert, signer_key, certs, flags;
OCSP_BASICRESP *bs;
X509 *signer;
EVP_PKEY *key;
STACK_OF(X509) *x509s;
unsigned long flg;
int ret;
rb_scan_args(argc, argv, "22", &signer_cert, &signer_key, &certs, &flags);
signer = GetX509CertPtr(signer_cert);
key = GetPrivPKeyPtr(signer_key);
flg = NIL_P(flags) ? 0 : NUM2INT(flags);
if(NIL_P(certs)) {
x509s = sk_X509_new_null();
flg |= OCSP_NOCERTS;
}
else {
x509s = ossl_x509_ary2sk(certs);
}
GetOCSPBasicRes(self, bs);
ret = OCSP_basic_sign(bs, signer, key, EVP_sha1(), x509s, flg);
sk_X509_pop_free(x509s, X509_free);
if(!ret) ossl_raise(eOCSPError, NULL);
return self;
}
static int test_resp_signer(void)
{
OCSP_BASICRESP *bs = NULL;
X509 *signer = NULL, *tmp;
EVP_PKEY *key = NULL;
STACK_OF(X509) *extra_certs = NULL;
int ret = 0;
/*
* Test a response with no certs at all; get the signer from the
* extra certs given to OCSP_resp_get0_signer().
*/
bs = make_dummy_resp();
extra_certs = sk_X509_new_null();
if (!TEST_ptr(bs)
|| !TEST_ptr(extra_certs)
|| !TEST_true(get_cert_and_key(&signer, &key))
|| !TEST_true(sk_X509_push(extra_certs, signer))
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, OCSP_NOCERTS)))
goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
goto err;
OCSP_BASICRESP_free(bs);
/* Do it again but include the signer cert */
bs = make_dummy_resp();
tmp = NULL;
if (!TEST_ptr(bs)
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, 0)))
goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
goto err;
ret = 1;
err:
OCSP_BASICRESP_free(bs);
sk_X509_free(extra_certs);
X509_free(signer);
EVP_PKEY_free(key);
return ret;
}
static int openssl_ocsp_response(lua_State *L)
{
OCSP_RESPONSE *res = NULL;
if (lua_isstring(L, 1))
{
BIO* bio = load_bio_object(L, 1);
res = d2i_OCSP_RESPONSE_bio(bio, NULL);
/*
BIO_reset(bio);
if (!res)
{
res = PEM_read_bio_OCSP_RESPONSE(bio, NULL, NULL);
}
*/
BIO_free(bio);
}
else
{
ASN1_TIME* thispnd, *nextpnd;
OCSP_CERTID *ca_id, *cid;
OCSP_BASICRESP *bs;
OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
X509* ca = CHECK_OBJECT(2, X509, "openssl.x509");
X509* rcert = CHECK_OBJECT(3, X509, "openssl.x509");
EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
unsigned long flag = luaL_optint(L, 6, 0);
int nmin = luaL_optint(L, 7, 0);
int nday = luaL_optint(L, 8, 1);
STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
int i, id_count, type;
BIO* bio = NULL;
type = lua_type(L, 5);
if (type != LUA_TFUNCTION && type != LUA_TTABLE)
{
luaL_error(L, "#5 must be a table or function that to get status of certificate");
}
bio = BIO_new(BIO_s_mem());
ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
bs = OCSP_BASICRESP_new();
thispnd = X509_gmtime_adj(NULL, 0);
nextpnd = X509_gmtime_adj(NULL, nmin * 60 + nday * 3600 * 24);
id_count = OCSP_request_onereq_count(req);
for (i = 0; i < id_count; i++)
{
OCSP_ONEREQ *one;
ASN1_INTEGER *serial;
ASN1_OBJECT* inst = NULL;
ASN1_TIME* revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single = NULL;
int reason = OCSP_REVOKED_STATUS_UNSPECIFIED, status = V_OCSP_CERTSTATUS_UNKNOWN;
one = OCSP_request_onereq_get0(req, i);
cid = OCSP_onereq_get0_id(one);
if (OCSP_id_issuer_cmp(ca_id, cid))
{
OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thispnd, nextpnd);
continue;
}
OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
if (lua_istable(L, 5))
{
BUF_MEM *buf;
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial);
BIO_get_mem_ptr(bio, &buf);
lua_pushlstring(L, buf->data, buf->length);
lua_gettable(L, 5);
if (lua_isnil(L, -1))
status = V_OCSP_CERTSTATUS_UNKNOWN;
else
{
luaL_checktype(L, -1, LUA_TTABLE);
lua_getfield(L, -1, "revoked");
if (lua_toboolean(L, -1))
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_REVOKED;
lua_getfield(L, -1, "revoked_time");
if (!lua_isnil(L, -1))
{
revtm = ASN1_TIME_new();
ASN1_TIME_set(revtm, luaL_checkint(L, -1));
}
lua_pop(L, 1);
lua_getfield(L, -1, "reason");
if (lua_isstring(L, -1))
reason = openssl_get_revoke_reason(lua_tostring(L, -1));
else
reason = luaL_checkint(L, -1);
lua_pop(L, 1);
}
else
{
lua_pop(L, 1);
status = V_OCSP_CERTSTATUS_GOOD;
}
}
}
else
{
}
if (reason == 7)
reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
else if (reason == 8)
{
reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
//inst = OBJ_txt2obj(str, 0);
}
else if (reason == 9 || reason == 10)
{
if ( reason == 9 )
reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
else if (reason == 10)
reason = OCSP_REVOKED_STATUS_CACOMPROMISE;
/*
invtm = ASN1_GENERALIZEDTIME_new();
if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))
*/
}
single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
if (invtm)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
ASN1_TIME_free(revtm);
}
if (inst)
{
OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
}
if (invtm)
ASN1_GENERALIZEDTIME_free(invtm);
}
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);
res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
BIO_free(bio);
}
if(res) {
PUSH_OBJECT(res, "openssl.ocsp_response");
}else
lua_pushnil(L);
return 1;
}