static VALUE
ossl_x509crl_set_revoked(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_REVOKED *rev;
STACK_OF(X509_REVOKED) *sk;
long i;
Check_Type(ary, T_ARRAY);
/* All ary members should be X509 Revoked */
for (i=0; i<RARRAY_LEN(ary); i++) {
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
}
GetX509CRL(self, crl);
if ((sk = X509_CRL_get_REVOKED(crl))) {
while ((rev = sk_X509_REVOKED_pop(sk)))
X509_REVOKED_free(rev);
}
for (i=0; i<RARRAY_LEN(ary); i++) {
rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
X509_REVOKED_free(rev);
ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
}
X509_CRL_sort(crl);
return ary;
}
void CA_LIST_ENTRY_free ( CA_LIST_ENTRY *ca ) {
if ( !ca ) return;
if ( ca->ca_id )
{
PKI_log(PKI_LOG_INFO, "MEM::Freeing %s CA config", ca->ca_id );
PKI_Free ( ca->ca_id );
}
if ( ca->ca_cert ) PKI_X509_CERT_free ( ca->ca_cert );
if ( ca->cid ) CA_ENTRY_CERTID_free ( ca->cid );
if ( ca->ca_url ) URL_free ( ca->ca_url );
if ( ca->crl_url ) URL_free ( ca->crl_url );
if ( ca->crl_list )
{
X509_REVOKED *r = NULL;
while ((r = sk_X509_REVOKED_pop ( ca->crl_list )) != NULL)
{
X509_REVOKED_free ( r );
}
}
if ( ca->nextUpdate ) PKI_TIME_free ( ca->nextUpdate );
if ( ca->lastUpdate ) PKI_TIME_free ( ca->lastUpdate );
if ( ca->token_name ) PKI_Free ( ca->token_name );
if ( ca->token ) PKI_TOKEN_free ( ca->token );
PKI_Free ( ca );
return;
}
int PKI_X509_CRL_ENTRY_free ( PKI_X509_CRL_ENTRY *entry ) {
if( !entry ) return (PKI_ERR);
if( entry ) X509_REVOKED_free ( (X509_REVOKED *) entry );
return (PKI_OK);
}
static VALUE
ossl_x509crl_add_revoked(VALUE self, VALUE revoked)
{
X509_CRL *crl;
X509_REVOKED *rev;
GetX509CRL(self, crl);
rev = DupX509RevokedPtr(revoked);
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
X509_REVOKED_free(rev);
ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
X509_CRL_sort(crl);
return revoked;
}
static void
ossl_x509rev_free(void *ptr)
{
X509_REVOKED_free(ptr);
}
static int openssl_revoked_free(lua_State* L)
{
X509_REVOKED* revoked = CHECK_OBJECT(1, X509_REVOKED, "openssl.x509_revoked");
X509_REVOKED_free(revoked);
return 1;
}
DWORD
VMCACreateRevokedFromCert(
X509 *pCert,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, time(NULL));
dwError = X509_REVOKED_set_serialNumber(pTempRev,
X509_get_serialNumber(pCert));
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
//TODO : Fix the UNSPECIFIED to real valid reason
// which users can pass in.
ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
DWORD
VMCACreateRevokedFromCert_Reason(
ASN1_INTEGER *asnSerial,
DWORD dwRevokedDate,
VMCA_CRL_REASON certRevokeReason,
X509_REVOKED **pRevoked)
{
DWORD dwError = 0;
X509_REVOKED *pTempRev = NULL;
ASN1_TIME *pRevTime = NULL;
ASN1_ENUMERATED *pCode = NULL;
pCode = ASN1_ENUMERATED_new();
if(pCode == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pTempRev = X509_REVOKED_new();
if (pTempRev == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pRevTime = ASN1_TIME_new();
if (pRevTime == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);
dwError = X509_REVOKED_set_serialNumber(pTempRev,
asnSerial);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);
dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);
ASN1_ENUMERATED_set(pCode, certRevokeReason);
dwError = X509_REVOKED_add1_ext_i2d(pTempRev,
NID_crl_reason, pCode, 0, 0);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);
*pRevoked = pTempRev;
cleanup :
if(pRevTime != NULL) {
ASN1_TIME_free(pRevTime);
}
if(pCode !=NULL) {
ASN1_ENUMERATED_free(pCode);
}
return dwError;
error:
if(pTempRev != NULL)
{
X509_REVOKED_free(pTempRev);
}
goto cleanup;
}
X509_REVOKED *openssl_X509_REVOKED(lua_State*L, int snidx, int timeidx, int reasonidx) {
X509_REVOKED *revoked = X509_REVOKED_new();
const char* serial = luaL_checkstring(L, snidx);
BIGNUM * bn = NULL;
ASN1_TIME *tm = NULL;
int reason = 0;
ASN1_INTEGER *it = NULL;
if(!BN_hex2bn(&bn, serial))
{
goto end;
};
if(lua_isnumber(L,timeidx) || lua_isnoneornil(L, timeidx))
{
time_t t;
time(&t);
t = luaL_optinteger(L, 3, (lua_Integer)t);
tm = ASN1_TIME_new();
ASN1_TIME_set(tm,t);
} else if(lua_isstring(L, timeidx))
{
} else {
goto end;
}
if(lua_isnumber(L, reasonidx) || lua_isnoneornil(L, reasonidx))
{
reason = luaL_optinteger(L, reasonidx, 0);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else if(lua_isstring(L, reasonidx))
{
const char* s = lua_tostring(L, reasonidx);
reason = openssl_get_revoke_reason(s);
if(reason < 0 || reason >= reason_num) {
goto end;
}
} else
{
goto end;
};
it = BN_to_ASN1_INTEGER(bn,NULL);
X509_REVOKED_set_revocationDate(revoked, tm);
X509_REVOKED_set_serialNumber(revoked, it);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
revoked->reason = reason;
#else
/*
{
ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();
X509_EXTENSION * ext = X509_EXTENSION_new();
ASN1_ENUMERATED_set(e, reason);
X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));
X509_EXTENSION_set_data(ext,e);
if(!revoked->extensions)
revoked->extensions = sk_X509_EXTENSION_new_null();
X509_REVOKED_add_ext()
sk_X509_REVOKED_push(revoked->extensions,ext);
X509_EXTENSION_free(ext);
ASN1_ENUMERATED_free(e);
}
*/
#endif
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return revoked;
end:
X509_REVOKED_free(revoked);
ASN1_TIME_free(tm);
ASN1_INTEGER_free(it);
BN_free(bn);
return NULL;
}
PKI_X509_CRL_ENTRY * PKI_X509_CRL_ENTRY_new_serial( const char *serial,
PKI_X509_CRL_REASON reason, const PKI_TIME *revDate,
const PKI_X509_PROFILE *profile ) {
PKI_X509_CRL_ENTRY *entry = NULL;
// Entry to be added to the CRL
PKI_INTEGER * s_int = NULL;
// ASN1 Integer
PKI_TIME * a_date = NULL;
// ASN1 Rev Date
// Input check
if (!serial) {
PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number");
return NULL;
}
// Allocates the Memory for the entry
if((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
}
// If no revocation date is provided, let's use "now"
if (!revDate && (a_date = PKI_TIME_new(0)) == NULL) {
// Can not allocate the revocation date time
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return NULL;
} else {
// Gets the Pointer from the caller
a_date = (PKI_TIME *)revDate;
}
// Generates the integer carrying the serial number
if ((s_int = PKI_INTEGER_new_char(serial)) != NULL) {
// Sets the serial number in the X509_REVOKED structure
if (X509_REVOKED_set_serialNumber(entry, s_int) == 1) {
// Sets the revocation date
if (a_date && !X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) {
PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date");
goto err;
}
// All Ok here
} else {
// Error While assigning the serial
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial);
goto err;
}
} else {
// Error generating the ASN1 Integer
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial);
goto err;
}
if (reason != PKI_CRL_REASON_UNSPECIFIED) {
int supported_reason = -1;
ASN1_ENUMERATED *rtmp = ASN1_ENUMERATED_new();
switch (reason )
{
case PKI_CRL_REASON_CERTIFICATE_HOLD:
case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT:
if (!X509_REVOKED_add1_ext_i2d(entry,
NID_hold_instruction_code,
PKI_OID_get("holdInstructionReject"), 0, 0)) {
PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionReject");
goto err;
}
if (revDate && !X509_REVOKED_add1_ext_i2d(entry,
NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) {
PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date");
goto err;
}
supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
/* --- Deprecated in RFC 5280 ---
case PKI_CRL_REASON_HOLD_INSTRUCTION_NONE:
if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
PKI_OID_get( "holdInstructionReject"), 0, 0)) {
goto err;
};
if( revDate && !X509_REVOKED_add1_ext_i2d ( entry,
NID_invalidity_date, revDate, 0, 0)) {
goto err;
};
reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
*/
case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER:
if (!X509_REVOKED_add1_ext_i2d(
entry,
NID_hold_instruction_code,
PKI_OID_get(
"holdInstructionCallIssuer"), 0, 0)) {
goto err;
}
if( revDate && !X509_REVOKED_add1_ext_i2d(
entry,
NID_invalidity_date,
(PKI_TIME *)revDate,
0, 0)) {
goto err;
}
supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
break;
case PKI_CRL_REASON_KEY_COMPROMISE:
case PKI_CRL_REASON_CA_COMPROMISE:
case PKI_CRL_REASON_AFFILIATION_CHANGED:
case PKI_CRL_REASON_SUPERSEDED:
case PKI_CRL_REASON_CESSATION_OF_OPERATION:
case PKI_CRL_REASON_REMOVE_FROM_CRL:
case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN:
case PKI_CRL_REASON_AA_COMPROMISE:
PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Not Implemented Yet %d", reason);
break;
default:
PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason);
supported_reason = -1;
break;
}
if (supported_reason >= 0)
{
if (!ASN1_ENUMERATED_set(rtmp, supported_reason)) goto err;
if (!X509_REVOKED_add1_ext_i2d( entry, NID_crl_reason, rtmp, 0, 0)) goto err;
}
/*
if( reason == CRL_REASON_HOLD_INSTRUCTION ) {
// if (!X509_REVOKED_add1_ext_i2d ( entry,
// NID_invalidity_date, revDate, 0, 0)) {
// goto err;
// };
// if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
// PKI_OID_get( "holdInstructionReject"), 0, 0)) {
// goto err;
// };
};
*/
}
/*
if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
goto err;
if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
{
rtmp = ASN1_ENUMERATED_new();
if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
goto err;
if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
goto err;
}
if (rev && comp_time)
{
if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
goto err;
}
if (rev && hold)
{
if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
goto err;
}
*/
// Free Allocated Memory
if (s_int) PKI_INTEGER_free(s_int);
if (a_date && !revDate) PKI_TIME_free(a_date);
// Returns the created entry
return entry;
err:
// Free Allocated memory
if (s_int) PKI_INTEGER_free(s_int);
if (a_date && !revDate) PKI_TIME_free(a_date);
if (entry) X509_REVOKED_free((X509_REVOKED *) entry);
// Returns null (error)
return NULL;
}
