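/*
 * Adds one single-certificate status entry to an OCSP response.
 *
 * resp            response wrapper; resp->value (a PKI_OCSP_RESP) must be set.
 * cid             certificate id the entry refers to (required).
 * status          certificate status to report.
 * revokeTime      revocation time, may be NULL.
 * thisUpdate      thisUpdate time; when NULL the current time is used.
 * nextUpdate      nextUpdate time, may be NULL.
 * reason          revocation reason code.
 * invalidityDate  optional value encoded as a NID_invalidity_date extension
 *                 on the new entry.
 *
 * Returns PKI_OK on success, PKI_ERR on bad arguments or on any failure.
 * The basic response object (r->bs) is created on the first add.
 * thisUpdate is never modified: a private copy is handed to OpenSSL and
 * released on every exit path (it used to leak when the add failed).
 */
int PKI_X509_OCSP_RESP_add(PKI_X509_OCSP_RESP *resp, OCSP_CERTID *cid,
                           PKI_OCSP_CERTSTATUS status, PKI_TIME *revokeTime,
                           PKI_TIME *thisUpdate, PKI_TIME *nextUpdate,
                           PKI_X509_CRL_REASON reason,
                           PKI_X509_EXTENSION *invalidityDate)
{
    OCSP_SINGLERESP *single = NULL;
    PKI_TIME *myThisUpdate = NULL;
    PKI_OCSP_RESP *r = NULL;
    int ret = PKI_ERR;

    if (!resp || !resp->value || !cid)
        return PKI_ERR;

    r = resp->value;

    /* Lazily create the basic response object on the first entry. */
    if (!r->bs) {
        if ((r->bs = OCSP_BASICRESP_new()) == NULL) {
            PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
            return PKI_ERR;
        }
    }

    /* Private copy: "now" when the caller passed no thisUpdate. */
    myThisUpdate = (thisUpdate == NULL) ? X509_gmtime_adj(NULL, 0)
                                        : PKI_TIME_dup(thisUpdate);
    if (myThisUpdate == NULL) {
        PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
        return PKI_ERR;
    }

    single = OCSP_basic_add1_status(r->bs, cid, status, reason, revokeTime,
                                    myThisUpdate, nextUpdate);
    if (single == NULL) {
        PKI_log_err("Can not create basic entry!");
        goto end;
    }

    if (invalidityDate) {
        if (!OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
                                          invalidityDate, 0, 0)) {
            PKI_log_err("Can not create extension entry for response!");
            goto end;
        }
    }

    ret = PKI_OK;

end:
    /* myThisUpdate is non-NULL on every path that reaches this label. */
    PKI_TIME_free(myThisUpdate);
    return ret;
}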
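/*
 * Builds a minimal OCSP basic response holding one UNKNOWN status entry
 * for a synthetic certificate id (CN=openssl.example.com, a fixed 128-byte
 * key bit string, serial 1). Test helper only.
 *
 * Returns a new OCSP_BASICRESP owned by the caller, or NULL on any
 * failure; each TEST_ macro reports the step that failed.
 */
static OCSP_BASICRESP *make_dummy_resp(void)
{
    const unsigned char namestr[] = "openssl.example.com";
    unsigned char keybytes[128] = {7};
    time_t now = time(NULL);   /* sampled once so nextupd is exactly thisupd + 200 */
    OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
    OCSP_BASICRESP *bs_out = NULL;
    OCSP_CERTID *cid = NULL;
    ASN1_TIME *thisupd = ASN1_TIME_set(NULL, now);
    ASN1_TIME *nextupd = ASN1_TIME_set(NULL, now + 200);
    X509_NAME *name = X509_NAME_new();
    ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();

    /* Check the building blocks before they are passed to the set/add
     * calls, so an allocation failure is reported rather than dereferenced. */
    if (!TEST_ptr(name) || !TEST_ptr(key) || !TEST_ptr(serial))
        goto err;
    if (!TEST_true(X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
                                              namestr, -1, -1, 1))
        || !TEST_true(ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)))
        || !TEST_true(ASN1_INTEGER_set_uint64(serial, (uint64_t)1)))
        goto err;

    cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
    if (!TEST_ptr(bs)
        || !TEST_ptr(thisupd)
        || !TEST_ptr(nextupd)
        || !TEST_ptr(cid)
        || !TEST_true(OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
                                              0, NULL, thisupd, nextupd)))
        goto err;

    /* Success: hand bs to the caller and keep the cleanup below from freeing it. */
    bs_out = bs;
    bs = NULL;
 err:
    ASN1_TIME_free(thisupd);
    ASN1_TIME_free(nextupd);
    ASN1_BIT_STRING_free(key);
    ASN1_INTEGER_free(serial);
    OCSP_CERTID_free(cid);
    OCSP_BASICRESP_free(bs);
    X509_NAME_free(name);
    return bs_out;
}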
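/*
 * Adds one SingleResponse to the BasicResponse wrapped by self.
 *
 *   cid      OpenSSL::OCSP::CertificateId
 *   status   Integer certificate status
 *   reason   Integer revocation reason, or nil (treated as 0)
 *   revtime  offset in seconds handed to X509_gmtime_adj, or nil (no revocation time)
 *   thisupd  offset in seconds for thisUpdate
 *   nextupd  offset in seconds for nextUpdate
 *   ext      nil, or an Array of X509Extension that REPLACES the entry's
 *            singleExtensions
 *
 * Returns self. Raises OCSPError when an OpenSSL call fails, TypeError for
 * wrong-typed arguments, and re-raises whatever Integer() raised for a
 * non-numeric time (via rb_jump_tag after the native cleanup).
 */
static VALUE
ossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status, VALUE reason,
                         VALUE revtime, VALUE thisupd, VALUE nextupd, VALUE ext)
{
    OCSP_BASICRESP *bs;
    OCSP_SINGLERESP *single;
    OCSP_CERTID *id;
    int st, rsn;
    ASN1_TIME *ths = NULL, *nxt = NULL, *rev = NULL;
    int error = 0, i, rstatus = 0;
    VALUE tmp;

    st = NUM2INT(status);
    /* The nil test must look at reason (status was already converted above);
     * testing status here made NUM2INT(nil) raise for a nil reason. */
    rsn = NIL_P(reason) ? 0 : NUM2INT(reason);
    if (!NIL_P(ext)) {
        /* All ary's members should be X509Extension */
        Check_Type(ext, T_ARRAY);
        for (i = 0; i < RARRAY_LEN(ext); i++)
            OSSL_Check_Kind(RARRAY_AT(ext, i), cX509Ext);
    }

    /* Fetch the native objects before any ASN1_TIME is allocated, so that a
     * type error raised by these checks cannot leak the times. */
    GetOCSPBasicRes(self, bs);
    SafeGetOCSPCertId(cid, id);

    if (!NIL_P(revtime)) {
        tmp = rb_protect(rb_Integer, revtime, &rstatus);
        if (rstatus) goto err;
        rev = X509_gmtime_adj(NULL, NUM2INT(tmp));
        if (!rev) { error = 1; goto err; }
    }
    tmp = rb_protect(rb_Integer, thisupd, &rstatus);
    if (rstatus) goto err;
    ths = X509_gmtime_adj(NULL, NUM2INT(tmp));
    if (!ths) { error = 1; goto err; }
    tmp = rb_protect(rb_Integer, nextupd, &rstatus);
    if (rstatus) goto err;
    nxt = X509_gmtime_adj(NULL, NUM2INT(tmp));
    if (!nxt) { error = 1; goto err; }

    if (!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))) {
        error = 1;
        goto err;
    }
    if (!NIL_P(ext)) {
        X509_EXTENSION *x509ext;

        /* Replace, not append: drop whatever singleExtensions already exist. */
        sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free);
        single->singleExtensions = NULL;
        for (i = 0; i < RARRAY_LEN(ext); i++) {
            x509ext = DupX509ExtPtr(RARRAY_AT(ext, i));
            /* add_ext does not take ownership of x509ext: the duplicate is
             * freed whether or not the add succeeded. */
            if (!OCSP_SINGLERESP_add_ext(single, x509ext, -1)) {
                X509_EXTENSION_free(x509ext);
                error = 1;
                goto err;
            }
            X509_EXTENSION_free(x509ext);
        }
    }

 err:
    /* The times were copied into the entry; the free functions accept NULL. */
    ASN1_TIME_free(ths);
    ASN1_TIME_free(nxt);
    ASN1_TIME_free(rev);
    if (error) ossl_raise(eOCSPError, NULL);
    if (rstatus) rb_jump_tag(rstatus);

    return self;
}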
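/*
 * Looks up the status entry for `serial` in the Lua table at stack index
 * `tidx` (keyed by the serial as rendered by i2a_ASN1_INTEGER, i.e. hex)
 * and fills *status, *reason and *revtm from it:
 *
 *   nil entry                             -> *status = V_OCSP_CERTSTATUS_UNKNOWN
 *   { revoked = false/nil, ... }          -> *status = V_OCSP_CERTSTATUS_GOOD
 *   { revoked = true,
 *     revoked_time = <epoch integer>,     -> *status = V_OCSP_CERTSTATUS_REVOKED,
 *     reason = <string or integer> }         *revtm and *reason set
 *
 * Any other value raises a Lua error (luaL_checktype / luaL_checkint).
 * `bio` is a memory BIO used as scratch space for the serial string.
 * The Lua stack is left exactly as it was found.
 */
static void ocsp_status_from_table(lua_State *L, int tidx, BIO *bio,
                                   ASN1_INTEGER *serial, int *status,
                                   int *reason, ASN1_TIME **revtm)
{
  BUF_MEM *buf;

  BIO_reset(bio);
  i2a_ASN1_INTEGER(bio, serial);
  BIO_get_mem_ptr(bio, &buf);
  lua_pushlstring(L, buf->data, buf->length);
  lua_gettable(L, tidx);

  if (lua_isnil(L, -1))
  {
    *status = V_OCSP_CERTSTATUS_UNKNOWN;
  }
  else
  {
    luaL_checktype(L, -1, LUA_TTABLE);
    lua_getfield(L, -1, "revoked");
    if (lua_toboolean(L, -1))
    {
      lua_pop(L, 1);
      *status = V_OCSP_CERTSTATUS_REVOKED;

      lua_getfield(L, -1, "revoked_time");
      if (!lua_isnil(L, -1))
      {
        /* ASN1_TIME_set(NULL, t) allocates; NULL on failure is handled by
         * the caller (add1_status then fails for a REVOKED entry). */
        *revtm = ASN1_TIME_set(NULL, luaL_checkint(L, -1));
      }
      lua_pop(L, 1);

      lua_getfield(L, -1, "reason");
      if (lua_isstring(L, -1))
        *reason = openssl_get_revoke_reason(lua_tostring(L, -1));
      else
        *reason = luaL_checkint(L, -1);
      lua_pop(L, 1);
    }
    else
    {
      lua_pop(L, 1);
      *status = V_OCSP_CERTSTATUS_GOOD;
    }
  }
  /* Drop the looked-up entry (nil or table); it used to stay on the stack,
   * one slot per certificate, for the whole loop. */
  lua_pop(L, 1);
}

/*
 * openssl.ocsp_response(der_string)                       -> ocsp_response | nil
 * openssl.ocsp_response(request, ca, rcert, rkey, status,
 *                       [flag, nmin, nday, others])        -> ocsp_response | nil
 *
 * First form: decodes a DER-encoded OCSP response (PEM is not accepted).
 *
 * Second form: builds and signs a response covering every certificate in
 * `request`:
 *   #2 ca      issuer X509; request entries for another issuer get UNKNOWN
 *              without consulting #5.
 *   #3 rcert   responder certificate, #4 rkey its private key.
 *   #5 status  table keyed by serial (see ocsp_status_from_table). A
 *              function is accepted but never called: every certificate
 *              then reports UNKNOWN.
 *   #6 flag    OCSP_basic_sign flags (default 0).
 *   #7 nmin, #8 nday  nextUpdate = now + nmin minutes + nday days
 *              (defaults 0 and 1); thisUpdate is now.
 *   #9 others  optional stack of X509 passed to OCSP_basic_sign.
 *
 * Returns nil when decoding, allocation or signing fails. Lua errors raised
 * while reading the status table longjmp out of the loop; the OpenSSL
 * objects allocated here are not released on that path (unchanged).
 */
static int openssl_ocsp_response(lua_State *L)
{
  OCSP_RESPONSE *res = NULL;

  if (lua_isstring(L, 1))
  {
    BIO *bio = load_bio_object(L, 1);
    res = d2i_OCSP_RESPONSE_bio(bio, NULL);
    BIO_free(bio);
  }
  else
  {
    OCSP_REQUEST *req = CHECK_OBJECT(1, OCSP_REQUEST, "openssl.ocsp_request");
    X509 *ca = CHECK_OBJECT(2, X509, "openssl.x509");
    X509 *rcert = CHECK_OBJECT(3, X509, "openssl.x509");
    EVP_PKEY *rkey = CHECK_OBJECT(4, EVP_PKEY, "openssl.evp_pkey");
    unsigned long flag = luaL_optint(L, 6, 0);
    int nmin = luaL_optint(L, 7, 0);
    int nday = luaL_optint(L, 8, 1);
    STACK_OF(X509) *rother = lua_isnoneornil(L, 9) ? NULL
                             : CHECK_OBJECT(9, STACK_OF(X509), "openssl.stack_of_x509");
    ASN1_TIME *thispnd = NULL, *nextpnd = NULL;
    OCSP_CERTID *ca_id = NULL;
    OCSP_BASICRESP *bs = NULL;
    BIO *bio = NULL;
    int i, id_count, type;

    type = lua_type(L, 5);
    if (type != LUA_TFUNCTION && type != LUA_TTABLE)
    {
      luaL_error(L, "#5 must be a table or function that to get status of certificate");
    }

    bio = BIO_new(BIO_s_mem());
    ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
    bs = OCSP_BASICRESP_new();
    thispnd = X509_gmtime_adj(NULL, 0);
    /* long arithmetic: X509_gmtime_adj takes a long offset and int could overflow. */
    nextpnd = X509_gmtime_adj(NULL, (long)nmin * 60 + (long)nday * 3600 * 24);
    if (bio == NULL || ca_id == NULL || bs == NULL || thispnd == NULL || nextpnd == NULL)
      goto done;

    id_count = OCSP_request_onereq_count(req);
    for (i = 0; i < id_count; i++)
    {
      OCSP_ONEREQ *one = OCSP_request_onereq_get0(req, i);
      OCSP_CERTID *cid = OCSP_onereq_get0_id(one);
      ASN1_INTEGER *serial = NULL;
      ASN1_OBJECT *inst = NULL;
      ASN1_TIME *revtm = NULL;
      ASN1_GENERALIZEDTIME *invtm = NULL;
      OCSP_SINGLERESP *single = NULL;
      int reason = OCSP_REVOKED_STATUS_UNSPECIFIED;
      int status = V_OCSP_CERTSTATUS_UNKNOWN;

      /* Not issued by `ca`: answer UNKNOWN without consulting #5. */
      if (OCSP_id_issuer_cmp(ca_id, cid))
      {
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thispnd, nextpnd);
        continue;
      }

      OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
      if (lua_istable(L, 5))
        ocsp_status_from_table(L, 5, bio, serial, &status, &reason, &revtm);
      /* A function at #5 is never called; status stays UNKNOWN. */

      /* Project-specific reason codes 7..10 are mapped onto OpenSSL's
       * constants (mapping kept as found). The hold-instruction (inst) and
       * invalidity-date (invtm) inputs were never wired up, so both stay
       * NULL and the extension adds below are not reached. */
      if (reason == 7)
        reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
      else if (reason == 8)
        reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
      else if (reason == 9)
        reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
      else if (reason == 10)
        reason = OCSP_REVOKED_STATUS_CACOMPROMISE;

      single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);
      if (single != NULL)
      {
        if (invtm)
          OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
        if (inst)
          OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
      }
      /* add1_status copies the times, so revtm is released here on every
       * iteration (it used to be freed only together with invtm). */
      ASN1_TIME_free(revtm);
      ASN1_OBJECT_free(inst);
      ASN1_GENERALIZEDTIME_free(invtm);
    }

    OCSP_copy_nonce(bs, req);
    /* Only hand out a response that was actually signed. */
    if (OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag))
      res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);

done:
    /* OCSP_response_create encodes bs into the response and does not take
     * ownership of bs, the issuer id or the times; release them here. */
    OCSP_BASICRESP_free(bs);
    OCSP_CERTID_free(ca_id);
    ASN1_TIME_free(thispnd);
    ASN1_TIME_free(nextpnd);
    BIO_free(bio);
  }

  if (res)
  {
    PUSH_OBJECT(res, "openssl.ocsp_response");
  }
  else
    lua_pushnil(L);
  return 1;
}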