static int openssl_ocsp_request_parse(lua_State*L) { OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request"); int utf8 = lua_isnoneornil(L, 2) ? 1 : lua_toboolean(L, 2); OCSP_REQINFO *inf = req->tbsRequest; OCSP_SIGNATURE *sig = req->optionalSignature; BIO* bio = BIO_new(BIO_s_mem()); int i, num; lua_newtable(L); AUXILIAR_SET(L, -1, "version", ASN1_INTEGER_get(inf->version), integer); if (inf->requestorName) { opensl_push_general_name(L, inf->requestorName, utf8); lua_setfield(L, -2, "requestorName"); } num = sk_OCSP_ONEREQ_num(inf->requestList); lua_newtable(L); for (i = 0; i < num; i++) { OCSP_ONEREQ *one = sk_OCSP_ONEREQ_value(inf->requestList, i); OCSP_CERTID *a = one->reqCert; lua_newtable(L); { openssl_push_x509_algor(L, a->hashAlgorithm); lua_setfield(L, -2, "hashAlgorithm"); PUSH_ASN1_OCTET_STRING(L, a->issuerNameHash); lua_setfield(L, -2, "issuerNameHash"); PUSH_ASN1_OCTET_STRING(L, a->issuerKeyHash); lua_setfield(L, -2, "issuerKeyHash"); PUSH_ASN1_INTEGER(L, a->serialNumber); lua_setfield(L, -2, "serialNumber"); } lua_rawseti(L, -2, i + 1); } lua_setfield(L, -2, "requestList"); if (inf->requestExtensions){ STACK_OF(X509_EXTENSION) *extensions = sk_X509_EXTENSION_dup(inf->requestExtensions); PUSH_OBJECT(extensions,"openssl.stack_of_x509_extension"); lua_setfield(L,-2, "extensions"); } if (sig) { BIO_reset(bio); X509_signature_print(bio, sig->signatureAlgorithm, sig->signature); for (i = 0; i < sk_X509_num(sig->certs); i++) { X509_print(bio, sk_X509_value(sig->certs, i)); PEM_write_bio_X509(bio, sk_X509_value(sig->certs, i)); } } BIO_free(bio); return 1; }
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags) { int i; long l; OCSP_CERTID* cid = NULL; OCSP_ONEREQ *one = NULL; OCSP_REQINFO *inf = o->tbsRequest; OCSP_SIGNATURE *sig = o->optionalSignature; if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err; l=ASN1_INTEGER_get(inf->version); if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err; if (inf->requestorName != NULL) { if (BIO_write(bp,"\n Requestor Name: ",21) <= 0) goto err; GENERAL_NAME_print(bp, inf->requestorName); } if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err; for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) { one = sk_OCSP_ONEREQ_value(inf->requestList, i); cid = one->reqCert; ocsp_certid_print(bp, cid, 8); if (!X509V3_extensions_print(bp, "Request Single Extensions", one->singleRequestExtensions, flags, 8)) goto err; } if (!X509V3_extensions_print(bp, "Request Extensions", inf->requestExtensions, flags, 4)) goto err; if (sig) { X509_signature_print(bp, sig->signatureAlgorithm, sig->signature); for (i=0; i<sk_X509_num(sig->certs); i++) { X509_print(bp, sk_X509_value(sig->certs,i)); PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i)); } } return 1; err: return 0; }
OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i) { return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i); }
void OCSPResponseVerifier_impl::ProcessL() { if (!m_request || !m_response_der || m_response_length == 0 || !m_certificate_chain || !m_ca_storage) LEAVE(OpStatus::ERR_OUT_OF_RANGE); // Default value. Will be checked in the end of the function. OP_STATUS status = OpStatus::ERR; // Default verify status. m_verify_status = CryptoCertificateChain::VERIFY_STATUS_UNKNOWN; OCSP_RESPONSE* ocsp_response = 0; OCSP_BASICRESP* ocsp_basicresp = 0; do { const OCSPRequest_impl* request_impl = static_cast <const OCSPRequest_impl*> (m_request); const CryptoCertificateChain_impl* chain_impl = static_cast <const CryptoCertificateChain_impl*> (m_certificate_chain); const CryptoCertificateStorage_impl* storage_impl = static_cast <const CryptoCertificateStorage_impl*> (m_ca_storage); if (!request_impl || !chain_impl || !storage_impl) { status = OpStatus::ERR_OUT_OF_RANGE; break; } OCSP_REQUEST* ocsp_request = request_impl->GetOCSP_REQUEST(); STACK_OF(X509)* x509_chain = chain_impl->GetStackOfX509(); X509_STORE* x509_store = storage_impl->GetX509Store(); OP_ASSERT(ocsp_request && x509_chain && x509_store); // Both ocsp_request, x509_chain and x509_store are owned // by their container objects. // Temporary variable, according to the documentation. const unsigned char* response_tmp = m_response_der; ocsp_response = d2i_OCSP_RESPONSE(0, &response_tmp, m_response_length); OPENSSL_VERIFY_OR_BREAK2(ocsp_response, status); // Check that the OCSP responder was able to respond correctly. int ocsp_response_status = OCSP_response_status(ocsp_response); OPENSSL_BREAK2_IF(ocsp_response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL, status); ocsp_basicresp = OCSP_response_get1_basic(ocsp_response); OPENSSL_VERIFY_OR_BREAK2(ocsp_basicresp, status); // Verify that the response is correctly signed. int response_valid_status = OCSP_basic_verify(ocsp_basicresp, x509_chain, x509_store, /* flags = */ 0); OPENSSL_BREAK2_IF(response_valid_status != 1, status); OP_ASSERT(ocsp_request->tbsRequest && ocsp_request->tbsRequest->requestList); OCSP_ONEREQ* ocsp_onereq = sk_OCSP_ONEREQ_value(ocsp_request->tbsRequest->requestList, 0); OPENSSL_VERIFY_OR_BREAK(ocsp_onereq); // ocsp_request owns ocsp_onereq. OCSP_CERTID* ocsp_certid = ocsp_onereq->reqCert; OPENSSL_VERIFY_OR_BREAK(ocsp_certid); // ocsp_request owns ocsp_certid. int revocation_code = -1, response_code = -1; ASN1_GENERALIZEDTIME* thisupd = 0; ASN1_GENERALIZEDTIME* nextupd = 0; int err = OCSP_resp_find_status( ocsp_basicresp, ocsp_certid, &response_code, &revocation_code, 0, &thisupd, &nextupd); OPENSSL_BREAK2_IF(err != 1 || response_code < 0, status); // Allow some difference in client and server clocks. const long int CLOCK_SHARPNESS = 3600; // Default age limit for responses without nextUpdate field. const long int DEFAULT_MAXAGE = 100 * 24 * 3600; err = OCSP_check_validity(thisupd, nextupd, CLOCK_SHARPNESS, DEFAULT_MAXAGE); OPENSSL_BREAK2_IF(err != 1, status); switch (response_code) { case V_OCSP_CERTSTATUS_GOOD: m_verify_status = CryptoCertificateChain::OK_CHECKED_WITH_OCSP; status = OpStatus::OK; break; case V_OCSP_CERTSTATUS_REVOKED: m_verify_status = CryptoCertificateChain::CERTIFICATE_REVOKED; status = OpStatus::OK; break; default: OP_ASSERT(!"Unexpected OCSP response code!"); // fall-through case V_OCSP_CERTSTATUS_UNKNOWN: OP_ASSERT(m_verify_status == CryptoCertificateChain::VERIFY_STATUS_UNKNOWN); break; } } while(0); if(ocsp_basicresp) OCSP_BASICRESP_free(ocsp_basicresp); if(ocsp_response) OCSP_RESPONSE_free(ocsp_response); // There shouldn't be any errors. OP_ASSERT(ERR_peek_error() == 0); LEAVE_IF_ERROR(status); }