示例#1
/*
 * pkcs7:add(obj1[, obj2, ...])
 *
 * Appends every openssl.x509 certificate and openssl.x509_crl object found
 * in stack slots 2..top to the PKCS7 in slot 1.  A slot holding anything
 * else raises a Lua argument error, and so does a failing
 * PKCS7_add_certificate()/PKCS7_add_crl() call (reported against the slot
 * that failed).  The status of the last add is handed to openssl_pushresult().
 */
static LUA_FUNCTION(openssl_pkcs7_add)
{
  PKCS7 *p7 = CHECK_OBJECT(1, PKCS7, "openssl.pkcs7");
  int top = lua_gettop(L);
  int status = 1;
  int idx;

  /* At least one object is required: a missing slot 2 is not userdata. */
  luaL_argcheck(L, lua_isuserdata(L, 2), 2, "must supply certificate or crl object");

  for (idx = 2; idx <= top; idx++)
  {
    int is_cert = auxiliar_isclass(L, "openssl.x509", idx);
    int is_crl = auxiliar_isclass(L, "openssl.x509_crl", idx);

    luaL_argcheck(L, is_cert || is_crl, idx, "must supply certificate or crl object");

    if (is_cert)
    {
      X509 *cert = CHECK_OBJECT(idx, X509, "openssl.x509");
      status = PKCS7_add_certificate(p7, cert);
    }
    else
    {
      X509_CRL *crl = CHECK_OBJECT(idx, X509_CRL, "openssl.x509_crl");
      status = PKCS7_add_crl(p7, crl);
    }

    /* Abort at the first object OpenSSL refuses to add. */
    luaL_argcheck(L, status, idx, "add to pkcs7 fail");
  }

  return openssl_pushresult(L, status);
}
示例#2
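/*
 * Add the CRL wrapped by `crl` to the PKCS#7 structure wrapped by `p7`.
 *
 * Returns PKI_OK on success.  Returns PKI_ERR when either wrapper or the
 * OpenSSL object inside it is NULL, or when PKCS7_add_crl() itself reports
 * failure (it returns 0) -- previously that failure was silently reported
 * as success.
 */
int PKI_X509_PKCS7_add_crl ( PKI_X509_PKCS7 *p7, PKI_X509_CRL *crl ) {

	/* crl->value is what actually reaches OpenSSL; a NULL there would
	 * be dereferenced inside the library. */
	if ( !p7 || !p7->value || !crl || !crl->value ) {
		PKI_log_err( "PKI_X509_PKCS7_add_crl()::Missing CRL");
		return PKI_ERR;
	}

	if ( !PKCS7_add_crl( p7->value, crl->value ) ) {
		PKI_log_err( "PKI_X509_PKCS7_add_crl()::Can not add CRL");
		return PKI_ERR;
	}

	return( PKI_OK );
}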
/*
 * PKCS7#add_crl(crl) -> self
 *
 * Appends the X509_CRL wrapped by +crl+ to the PKCS7 wrapped by +self+
 * with PKCS7_add_crl(), raising PKCS7Error when that call reports failure.
 */
static VALUE
ossl_pkcs7_add_crl(VALUE self, VALUE crl)
{
    PKCS7 *p7;
    X509_CRL *x;

    GetPKCS7(self, p7); /* NO DUP needed! */
    x = GetX509CRLPtr(crl);

    /* PKCS7_add_crl() returns 0 on failure. */
    if (PKCS7_add_crl(p7, x) == 0)
	ossl_raise(ePKCS7Error, NULL);

    return self;
}
/**
 * Appends a CRL to the signed-data structure being built.
 *
 * Permitted only while the builder is in INIT or UPDATE state; otherwise an
 * InvalidStateException is thrown and nothing is modified.  When OpenSSL
 * refuses the CRL, the underlying PKCS7 is released, this->pkcs7 is set to
 * NULL and a Pkcs7Exception is thrown.
 *
 * NOTE(review): on that failure path `state` is left unchanged, so another
 * call on the same builder would hand a NULL PKCS7 to OpenSSL -- the builder
 * is presumably meant to be discarded after the exception; confirm.
 */
void Pkcs7SignedDataBuilder::addCrl(CertificateRevocationList &crl) throw (Pkcs7Exception, InvalidStateException)
{
	bool accepting = (this->state == Pkcs7Builder::INIT)
	              || (this->state == Pkcs7Builder::UPDATE);
	if (!accepting)
	{
		throw InvalidStateException("Pkcs7SignedDataBuilder::addCrl");
	}

	/* PKCS7_add_crl() returns 0 on failure. */
	if (PKCS7_add_crl(this->pkcs7, crl.getX509Crl()) == 0)
	{
		PKCS7_free(this->pkcs7);
		this->pkcs7 = NULL;
		throw Pkcs7Exception(Pkcs7Exception::ADDING_CERTIFICATE, "Pkcs7SignedDataBuilder::addCrl", true);
	}
}
示例#5
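/*
 * Add every CRL in `crl_sk` to the PKCS#7 structure wrapped by `p7`.
 *
 * Stack entries that are NULL, or whose wrapped X509_CRL is NULL, are
 * skipped.  Returns PKI_OK when all remaining CRLs were added.  Returns
 * PKI_ERR on a missing parameter, or as soon as PKCS7_add_crl() reports
 * failure -- CRLs added before that point remain in p7.  Previously every
 * add result was ignored and PKI_OK was returned unconditionally.
 */
int PKI_X509_PKCS7_add_crl_stack ( PKI_X509_PKCS7 *p7, 
						PKI_X509_CRL_STACK *crl_sk ) {
	int i;

	if( !p7 || !p7->value || !crl_sk ) {
		PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Missing param!");
		return PKI_ERR;
	}

	for( i=0; i < PKI_STACK_X509_CRL_elements( crl_sk ); i++ ) {
		PKI_X509_CRL *crl = NULL;

		if(( crl = PKI_STACK_X509_CRL_get_num ( crl_sk, i )) == NULL ){
			continue;
		}

		/* An empty wrapper has nothing to add, and a NULL must not
		 * reach OpenSSL; treat it like a NULL stack entry. */
		if( crl->value == NULL ) {
			continue;
		}

		/* PKCS7_add_crl() returns 0 on failure. */
		if( !PKCS7_add_crl ( p7->value, crl->value )) {
			PKI_log_err( "PKI_X509_PKCS7_add_crl_stack()::Can not add CRL");
			return PKI_ERR;
		}
	}

	return PKI_OK;
}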
示例#6
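/*
 * SCEP_MSG_new - allocate and populate an outgoing SCEP message.
 *
 * messageType  MSG_CERTREP, MSG_PKCSREQ, MSG_GETCRL, MSG_GETCERT or
 *              MSG_GETCERTINITIAL; MSG_V2REQUEST (not implemented) and
 *              any other value fail.
 * cert, pkey   signer certificate and private key; both are required.
 * recip_cert   recipient certificate for enveloping; when NULL it is
 *              taken from inMsg->signer_cert.
 * inMsg        request being answered, if any: its transId and
 *              senderNonce attributes are copied over, a fresh
 *              senderNonce is generated and pkiStatus is set to
 *              PKI_PENDING.  Without inMsg fresh nonces and a fresh
 *              transId are generated.
 * req          X509_REQ carried by a PKCSREQ.
 * issued_cert  certificate returned in a CERTREP (takes precedence over crl).
 * cert_info    not used by this function.
 * ias          issuer-and-serial, mandatory for GETCERT.
 * crl          CRL returned in a CERTREP when issued_cert is NULL.
 * cacert       not used by this function.
 * cipher       symmetric cipher handed to SCEP_MSG_encrypt().
 *
 * Returns the new message, or NULL after printing the OpenSSL error queue
 * to stderr.  cert, req and ias are stored by pointer, not copied, so they
 * must outlive the returned message.
 *
 * NOTE(review): on the error path the partially built `msg` is not
 * released because no SCEP_MSG free routine is visible from here; until
 * one is called at `err:`, a failed call leaks it.
 */
SCEP_MSG *SCEP_MSG_new( int messageType, X509 *cert, EVP_PKEY *pkey,
		X509 *recip_cert, SCEP_MSG *inMsg, X509_REQ *req,
		X509 *issued_cert, SCEP_ISSUER_AND_SUBJECT *cert_info,
		PKCS7_ISSUER_AND_SERIAL *ias, X509_CRL *crl, X509 *cacert,
		EVP_CIPHER cipher ) {

	SCEP_MSG *msg = NULL;
	PKCS7_SIGNER_INFO *si = NULL;
	EVP_MD *dgst=NULL;

	int envelope = 0;

	BIO *debug_bio = NULL;

	/* Debug output goes to stderr; the BIO is released on every exit
	 * path (it used to be leaked). */
	if ((debug_bio=BIO_new(BIO_s_file())) != NULL)
		BIO_set_fp(debug_bio,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

	/* The signer certificate and key are mandatory.  recip_cert is not
	 * required here because it may be recovered from inMsg below. */
	if( !cert || !pkey ) {
		BIO_free(debug_bio);
		return NULL;
	}

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] Generating New SCEP-Message...\n", __FILE__, __LINE__);

	/* Allocate memory and initialize structures */
	if((msg = SCEP_MSG_new_null()) == NULL) goto err;
	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] Allocate memory\n", __FILE__, __LINE__);
	
	/* Signed Infos.  The signer info is hashed with MD5, which is
	 * cryptographically weak; changing the digest is a protocol-level
	 * decision (TODO review).  EVP_get_digestbyname() returns NULL on a
	 * build without MD5, and that NULL must not reach
	 * PKCS7_SIGNER_INFO_set(). */
	dgst = (EVP_MD *) EVP_get_digestbyname("md5");
	if( dgst == NULL ) goto err;
	if( (si = PKCS7_SIGNER_INFO_new()) == NULL ) goto err;
	if(!PKCS7_SIGNER_INFO_set(si, cert, pkey, dgst)) {
		PKCS7_SIGNER_INFO_free(si);
		goto err;
	}
	/* The stack owns si once pushed; after a failed push we still do. */
	if(!sk_PKCS7_SIGNER_INFO_push( msg->sk_signer_info, si )) {
		PKCS7_SIGNER_INFO_free(si);
		goto err;
	}
	/* Aliases the issuer-and-serial owned by si (not a copy). */
	msg->signer_ias = si->issuer_and_serial;

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] signer infos set\n", __FILE__, __LINE__);

	/* Keep the key in the message structure to ease message encryption
	 * (enveloped data content creation). */
	SCEP_MSG_set_pkey ( msg, pkey );

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] encryption key set\n", __FILE__, __LINE__);

	/* Without an explicit recipient, reply to whoever signed inMsg.
	 * recip_cert may still be NULL afterwards; presumably
	 * SCEP_MSG_encrypt() rejects that -- TODO confirm. */
	if( !recip_cert && inMsg ) recip_cert = inMsg->signer_cert;

	/* Set the messageType */
	SCEP_set_messageType ( msg, messageType );

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] message type set\n", __FILE__, __LINE__);
	switch( messageType ) {
		case MSG_CERTREP:
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for CERTREP\n", __FILE__, __LINE__);
			msg->env_data.NID_p7data = NID_pkcs7_signed;
			/* Inner degenerate signed-data PKCS#7 that carries either
			 * the issued certificate or a CRL.  Each OpenSSL call can
			 * fail (allocation, wrong content type) and returns 0. */
			if( (msg->env_data.p7 = PKCS7_new()) == NULL ) goto err;
			if( !PKCS7_set_type( msg->env_data.p7, NID_pkcs7_signed )) goto err;
			if( !PKCS7_content_new( msg->env_data.p7, NID_pkcs7_data )) goto err;
			if( issued_cert ) {
				if (debug)
					BIO_printf( debug_bio, 
						"%s:%d: creating inner degenerated PKCS7... \n", 
						__FILE__, __LINE__);
				/* Adds issued certificate */
				if( !PKCS7_add_certificate( msg->env_data.p7, issued_cert )) goto err;
				envelope = 1;
				if (debug)
					BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
			} else if( crl ) {
				if (debug)
					BIO_printf( debug_bio, 
						"%s:%d: Adding CRL ... \n", 
						__FILE__, __LINE__);
				/* Adds crl */
				if( !PKCS7_add_crl( msg->env_data.p7, crl )) goto err;
				envelope = 1;
				if (debug)
					BIO_printf( debug_bio, "%s:%d: done \n", __FILE__, __LINE__);
			}
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			break;
		case MSG_PKCSREQ:
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for PKCSREQ\n", __FILE__, __LINE__);
			/* The inner pkcs7 structure is signed and enveloped and
			 * the data is the X509_REQ passed in. */
			msg->env_data.NID_p7data = 
			 	NID_pkcs7_signedAndEnveloped;

			if( req ) { 
				msg->env_data.content.req = req;

				/* Ask for the data p7 to be generated and encrypted */
				envelope = 1;
			}
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			break;
		case MSG_GETCRL:
			/* Nothing to prepare beyond the message type. */
			if (debug)
			{
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCRL\n", __FILE__, __LINE__);
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			}
			break;
		case MSG_GETCERT:
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERT\n", __FILE__, __LINE__);
			msg->env_data.NID_p7data = 
				NID_pkcs7_signedAndEnveloped;
			/* A query for a general certificate would carry the CA
			 * certificate in the enveloped data, a query for the
			 * requester's own certificate its self-signed one; neither
			 * is implemented and cacert is currently ignored. */

			/* Issuer and Serial must be present. */
			if( !ias ) goto err;
			msg->env_data.content.ias = ias;
			envelope = 1;
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			break;
		case MSG_GETCERTINITIAL:
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for GETCERTINITIAL\n", __FILE__, __LINE__);
			msg->env_data.NID_p7data = NID_pkcs7_signed;
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			break;
		case MSG_V2REQUEST: /* Not currently handled */
			if (debug) {
				BIO_printf( debug_bio, "%s:%d: [Debug Info] Actions for V2REQUEST\n", __FILE__, __LINE__);
				BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
			}
			/* fall through: unsupported types are rejected */
		default:
			goto err;
	}
	
	if (debug)
		BIO_printf( debug_bio, "%s:%d: Debug ... \n", __FILE__, __LINE__);

	/* Something was staged above: build and encrypt the inner content. */
	if( envelope == 1 ) {
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info] encode\n", __FILE__, __LINE__);
		/* Encrypt the message data */
		if( !SCEP_MSG_encrypt( msg, recip_cert, cipher )) goto err;
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
	}

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] add sign-cert to structure\n", __FILE__, __LINE__);
	/* Signer certificate (stored by pointer, not duplicated) */
	msg->signer_cert = cert;
	if (debug)
		PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );

	if (debug)
		BIO_printf( debug_bio, "%s:%d: [Debug Info] add attributes\n", __FILE__, __LINE__);
	/* Set message attributes, if any */
	if ( inMsg ) {
		char *tmp = NULL;
		int len = 0;
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info] take data from request\n", __FILE__, __LINE__);

		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info]   set transId\n", __FILE__, __LINE__);
		/* The transId is always carried over from the request, for
		 * every message type. */
		tmp = SCEP_get_string_attr_by_name( inMsg->attrs, "transId");
		if( tmp ) {
			SCEP_set_transId( msg, tmp, strlen(tmp));
			OPENSSL_free( tmp );
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info]    done\n", __FILE__, __LINE__);
		}

		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info]   set recipient nonce (sendernonce from req)\n", __FILE__, __LINE__);
		/* Copy the request's senderNonce into our recipientNonce and
		 * generate a new senderNonce for this message. */
		tmp = SCEP_get_octect_attr_by_name( inMsg->attrs, 
				"senderNonce", &len);
		if( tmp ) {
			/* The nonce is binary, so report its length rather than
			 * passing the pointer to a %d conversion. */
			if (debug)
				BIO_printf( debug_bio, "%s:%d: [Debug Info]    senderNonce length %d\n", __FILE__, __LINE__, len);
			SCEP_set_recipientNonce( msg, tmp, len );
			OPENSSL_free( tmp );
		}
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info]   set sender nonce\n", __FILE__, __LINE__);
		SCEP_set_senderNonce_new(msg);
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info]    done\n", __FILE__, __LINE__);

		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info]   set pki_status\n", __FILE__, __LINE__);
		SCEP_set_pkiStatus ( msg, PKI_PENDING );
		if (debug) {
			BIO_printf( debug_bio, "%s:%d: [Debug Info]    done\n", __FILE__, __LINE__);
			BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
		}
	} else {
		/* No request to answer: start a new transaction. */
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info] generate new data\n", __FILE__, __LINE__);
		SCEP_set_senderNonce_new ( msg );
		SCEP_set_recipientNonce_new ( msg );
		SCEP_set_transId_new ( msg );
		if (debug)
			BIO_printf( debug_bio, "%s:%d: [Debug Info] done\n", __FILE__, __LINE__);
	}

	if (debug)
		PEM_write_bio_SCEP_MSG( debug_bio, msg, pkey );
	BIO_free(debug_bio);
	return (msg);
err:
	ERR_print_errors_fp(stderr);
	BIO_free(debug_bio);
	return(NULL);
}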