コード例 #1
ファイル: ocsp.c プロジェクト: comcast-jonm/lua-openssl
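/*
 * Lua binding: ocsp_request:parse([utf8]) -> table
 *
 * Exports the tbsRequest of an OCSP_REQUEST as a Lua table with the fields
 * "version", "requestorName" (when present), "requestList" (array of tables
 * carrying hashAlgorithm / issuerNameHash / issuerKeyHash / serialNumber),
 * "extensions" (when present) and, for a signed request, "signature" (the
 * text produced by X509_signature_print() plus X509_print()/PEM output of
 * any certificates embedded in the signature).
 *
 * Arg 1: openssl.ocsp_request userdata.
 * Arg 2: optional boolean; UTF-8 decoding of the requestor name, default true.
 * Returns 1 value (the table).  Raises a Lua error if the memory BIO used for
 * the signature dump cannot be allocated.
 *
 * Fix vs. the earlier version: BIO_new() was unchecked, and the signature
 * dump was written into a BIO that was then freed without ever being read,
 * so the "signature" information never reached the caller.
 */
static int openssl_ocsp_request_parse(lua_State*L)
{
  OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
  int utf8 = lua_isnoneornil(L, 2) ? 1 : lua_toboolean(L, 2);
  OCSP_REQINFO *inf = req->tbsRequest;
  OCSP_SIGNATURE *sig = req->optionalSignature;
  int i, num;

  lua_newtable(L);
  /* ASN1_INTEGER_get() returns 0 for a NULL version (v1 is encoded as absent). */
  AUXILIAR_SET(L, -1, "version", ASN1_INTEGER_get(inf->version), integer);

  if (inf->requestorName)
  {
    opensl_push_general_name(L, inf->requestorName, utf8);
    lua_setfield(L, -2, "requestorName");
  }

  num = sk_OCSP_ONEREQ_num(inf->requestList);
  lua_newtable(L);
  for (i = 0; i < num; i++)
  {
    OCSP_ONEREQ *one = sk_OCSP_ONEREQ_value(inf->requestList, i);
    OCSP_CERTID *a = one->reqCert;

    lua_newtable(L);
    openssl_push_x509_algor(L, a->hashAlgorithm);
    lua_setfield(L, -2, "hashAlgorithm");
    PUSH_ASN1_OCTET_STRING(L, a->issuerNameHash);
    lua_setfield(L, -2, "issuerNameHash");
    PUSH_ASN1_OCTET_STRING(L, a->issuerKeyHash);
    lua_setfield(L, -2, "issuerKeyHash");
    PUSH_ASN1_INTEGER(L, a->serialNumber);
    lua_setfield(L, -2, "serialNumber");
    lua_rawseti(L, -2, i + 1);   /* Lua arrays are 1-based */
  }
  lua_setfield(L, -2, "requestList");

  if (inf->requestExtensions)
  {
    /* sk_*_dup() is a shallow copy: the X509_EXTENSION elements remain owned
     * by req.  NOTE(review): assumes the pushed wrapper frees only the stack,
     * not its elements, when collected -- confirm against PUSH_OBJECT's GC. */
    STACK_OF(X509_EXTENSION) *extensions = sk_X509_EXTENSION_dup(inf->requestExtensions);
    PUSH_OBJECT(extensions, "openssl.stack_of_x509_extension");
    lua_setfield(L, -2, "extensions");
  }

  if (sig)
  {
    BUF_MEM *mem = NULL;
    BIO *bio = BIO_new(BIO_s_mem());
    if (bio == NULL)
      return luaL_error(L, "BIO_new(BIO_s_mem()) failed");

    X509_signature_print(bio, sig->signatureAlgorithm, sig->signature);
    /* sk_X509_num() yields -1 for a NULL stack, so an absent certs field skips the loop. */
    num = sk_X509_num(sig->certs);
    for (i = 0; i < num; i++)
    {
      X509 *cert = sk_X509_value(sig->certs, i);
      X509_print(bio, cert);
      PEM_write_bio_X509(bio, cert);
    }

    /* Hand the rendered text to Lua before the BIO (and its buffer) go away. */
    BIO_get_mem_ptr(bio, &mem);
    if (mem != NULL)
      lua_pushlstring(L, mem->data, mem->length);
    else
      lua_pushliteral(L, "");
    lua_setfield(L, -2, "signature");
    BIO_free(bio);
  }

  return 1;
}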
コード例 #2
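/*
 * Print a human-readable dump of an OCSP request to bp.
 *
 * bp:    destination BIO.
 * o:     the request; o->tbsRequest must be non-NULL.
 * flags: X509V3 extension printing flags, passed to X509V3_extensions_print().
 *
 * Returns 1 on success, 0 as soon as any write to bp fails.  Compared with the
 * earlier version, failures of the name/certid/signature/certificate printers
 * are now propagated instead of being ignored, and the version conversions
 * are passed unsigned long arguments to match the %lu/%lx specifiers.
 */
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
{
    int i;
    long l;
    OCSP_REQINFO *inf = o->tbsRequest;
    OCSP_SIGNATURE *sig = o->optionalSignature;

    if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
        goto err;

    /* The encoded version is zero-based; the displayed one is one-based.
     * Convert before adding so that neither the arithmetic nor the format
     * conversion is undefined for any long value. */
    l = ASN1_INTEGER_get(inf->version);
    if (BIO_printf(bp, "    Version: %lu (0x%lx)",
                   (unsigned long)l + 1UL, (unsigned long)l) <= 0)
        goto err;

    if (inf->requestorName != NULL) {
        if (BIO_write(bp, "\n    Requestor Name: ", 21) <= 0)
            goto err;
        if (GENERAL_NAME_print(bp, inf->requestorName) <= 0)
            goto err;
    }

    if (BIO_write(bp, "\n    Requestor List:\n", 21) <= 0)
        goto err;
    for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
        OCSP_ONEREQ *one = sk_OCSP_ONEREQ_value(inf->requestList, i);
        OCSP_CERTID *cid = one->reqCert;

        if (ocsp_certid_print(bp, cid, 8) <= 0)
            goto err;
        if (!X509V3_extensions_print(bp, "Request Single Extensions",
                                     one->singleRequestExtensions, flags, 8))
            goto err;
    }

    if (!X509V3_extensions_print(bp, "Request Extensions",
                                 inf->requestExtensions, flags, 4))
        goto err;

    if (sig) {
        if (X509_signature_print(bp, sig->signatureAlgorithm, sig->signature) <= 0)
            goto err;
        /* sk_X509_num() is -1 for a NULL certs stack, so the loop is skipped. */
        for (i = 0; i < sk_X509_num(sig->certs); i++) {
            X509 *cert = sk_X509_value(sig->certs, i);

            if (X509_print(bp, cert) <= 0)
                goto err;
            if (PEM_write_bio_X509(bp, cert) <= 0)
                goto err;
        }
    }
    return 1;

err:
    return 0;
}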
コード例 #3
/*
 * Return the i-th single request (OCSP_ONEREQ) of req's tbsRequest.
 *
 * "get0": the returned pointer is still owned by req and must not be freed
 * by the caller.  req and req->tbsRequest must be non-NULL.
 */
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
{
    STACK_OF(OCSP_ONEREQ) *single_requests = req->tbsRequest->requestList;

    return sk_OCSP_ONEREQ_value(single_requests, i);
}
コード例 #4
// Decode the DER-encoded OCSP response in m_response_der, verify its
// signature against m_certificate_chain / m_ca_storage, look up the status
// of the certificate named by the first single request of m_request and
// store the outcome in m_verify_status.  LEAVEs (via LEAVE / LEAVE_IF_ERROR)
// on any decoding, verification or freshness failure; on success the
// certificate status is either OK_CHECKED_WITH_OCSP or CERTIFICATE_REVOKED.
void OCSPResponseVerifier_impl::ProcessL()
{
	// All inputs must be supplied by the caller before ProcessL() runs.
	if (!m_request || !m_response_der || m_response_length == 0 ||
	    !m_certificate_chain || !m_ca_storage)
			LEAVE(OpStatus::ERR_OUT_OF_RANGE);

	// Default value. Will be checked in the end of the function.
	OP_STATUS status = OpStatus::ERR;

	// Default verify status.
	m_verify_status  = CryptoCertificateChain::VERIFY_STATUS_UNKNOWN;

	// Both are heap objects returned by OpenSSL and released after the loop.
	OCSP_RESPONSE*  ocsp_response  = 0;
	OCSP_BASICRESP* ocsp_basicresp = 0;

	// Single-pass loop: the OPENSSL_*BREAK* macros below bail out with
	// `break` so that every failure path reaches the common cleanup.
	do
	{
		const OCSPRequest_impl* request_impl =
			static_cast <const OCSPRequest_impl*> (m_request);
		const CryptoCertificateChain_impl* chain_impl =
			static_cast <const CryptoCertificateChain_impl*> (m_certificate_chain);
		const CryptoCertificateStorage_impl* storage_impl =
			static_cast <const CryptoCertificateStorage_impl*> (m_ca_storage);

		if (!request_impl || !chain_impl || !storage_impl)
		{
			status = OpStatus::ERR_OUT_OF_RANGE;
			break;
		}

		OCSP_REQUEST*   ocsp_request = request_impl->GetOCSP_REQUEST();
		STACK_OF(X509)* x509_chain   = chain_impl->GetStackOfX509();
		X509_STORE*     x509_store   = storage_impl->GetX509Store();
		OP_ASSERT(ocsp_request && x509_chain && x509_store);
		// Both ocsp_request, x509_chain and x509_store are owned
		// by their container objects.

		// Temporary variable, according to the documentation.
		// (d2i_* advances the pointer it is given; keep m_response_der intact.)
		const unsigned char* response_tmp = m_response_der;
		ocsp_response = d2i_OCSP_RESPONSE(0, &response_tmp, m_response_length);
		OPENSSL_VERIFY_OR_BREAK2(ocsp_response, status);

		// Check that the OCSP responder was able to respond correctly.
		// Any other responseStatus (tryLater, unauthorized, ...) is a failure.
		int ocsp_response_status = OCSP_response_status(ocsp_response);
		OPENSSL_BREAK2_IF(ocsp_response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL, status);

		// get1: a new reference that must be freed below.
		ocsp_basicresp = OCSP_response_get1_basic(ocsp_response);
		OPENSSL_VERIFY_OR_BREAK2(ocsp_basicresp, status);

		// Verify that the response is correctly signed.
		// flags == 0 requests the full default checks: the responder
		// signature is verified and the responder certificate is validated
		// against x509_store (no OCSP_NOVERIFY / OCSP_TRUSTOTHER shortcuts).
		int response_valid_status =
			OCSP_basic_verify(ocsp_basicresp, x509_chain, x509_store, /* flags = */ 0);
		OPENSSL_BREAK2_IF(response_valid_status != 1, status);

		// NOTE(review): no OCSP_check_nonce() call anywhere in this method.
		// If the request carries a nonce, a captured earlier response for the
		// same certificate would still be accepted within its validity window;
		// confirm whether nonce binding is expected at this layer.

		// Only the first single request is examined.  NOTE(review): if
		// OCSPRequest_impl can ever carry more than one certificate id, the
		// remaining ones are not checked here -- confirm against the request
		// builder.
		OP_ASSERT(ocsp_request->tbsRequest && ocsp_request->tbsRequest->requestList);
		OCSP_ONEREQ* ocsp_onereq =
			sk_OCSP_ONEREQ_value(ocsp_request->tbsRequest->requestList, 0);
		OPENSSL_VERIFY_OR_BREAK(ocsp_onereq);
		// ocsp_request owns ocsp_onereq.

		OCSP_CERTID* ocsp_certid = ocsp_onereq->reqCert;
		OPENSSL_VERIFY_OR_BREAK(ocsp_certid);
		// ocsp_request owns ocsp_certid.

		// Look up the single response matching ocsp_certid.  thisupd/nextupd
		// point into ocsp_basicresp and are valid until it is freed below.
		// The reason argument is passed as 0: revocation_code is set but the
		// revocation reason is not used by this method.
		int revocation_code = -1, response_code = -1;
		ASN1_GENERALIZEDTIME* thisupd = 0;
		ASN1_GENERALIZEDTIME* nextupd = 0;
		int err = OCSP_resp_find_status(
			ocsp_basicresp, ocsp_certid, &response_code, &revocation_code,
			0, &thisupd, &nextupd);
		OPENSSL_BREAK2_IF(err != 1 || response_code < 0, status);

		// Allow some difference in client and server clocks.
		// (seconds of tolerated skew around thisUpdate / nextUpdate)
		const long int CLOCK_SHARPNESS = 3600;
		// Default age limit for responses without nextUpdate field.
		// (100 days, in seconds)
		const long int DEFAULT_MAXAGE  = 100 * 24 * 3600;

		// Freshness check: rejects stale responses and ones dated in the future.
		err = OCSP_check_validity(thisupd, nextupd, CLOCK_SHARPNESS, DEFAULT_MAXAGE);
		OPENSSL_BREAK2_IF(err != 1, status);

		// Map the certificate status onto m_verify_status.  Only GOOD and
		// REVOKED yield OpStatus::OK; UNKNOWN (and anything unexpected) leaves
		// status at OpStatus::ERR so the caller LEAVEs.
		switch (response_code)
		{
			case V_OCSP_CERTSTATUS_GOOD:
				m_verify_status = CryptoCertificateChain::OK_CHECKED_WITH_OCSP;
				status = OpStatus::OK;
				break;

			case V_OCSP_CERTSTATUS_REVOKED:
				m_verify_status = CryptoCertificateChain::CERTIFICATE_REVOKED;
				status = OpStatus::OK;
				break;

			default:
				OP_ASSERT(!"Unexpected OCSP response code!");
				// fall-through

			case V_OCSP_CERTSTATUS_UNKNOWN:
				OP_ASSERT(m_verify_status == CryptoCertificateChain::VERIFY_STATUS_UNKNOWN);
				break;
		}

	} while(0);


	// Release in reverse order of acquisition; both pointers are still 0 if
	// the corresponding step was never reached.
	if(ocsp_basicresp)
		OCSP_BASICRESP_free(ocsp_basicresp);

	if(ocsp_response)
		OCSP_RESPONSE_free(ocsp_response);

	// There shouldn't be any errors.
	// NOTE(review): this presumes the OPENSSL_*BREAK* macros drain the
	// OpenSSL error queue on the failure paths -- cannot be confirmed here.
	OP_ASSERT(ERR_peek_error() == 0);

	LEAVE_IF_ERROR(status);
}