自学教程：C++ ASN1_TIME_free函数代码示例

static LUA_FUNCTION(openssl_crl_new){  X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509");  time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate));  time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600));  long version = luaL_optint(L, 5, 1);  X509_CRL * crl = NULL;  ASN1_TIME *ltm, *ntm;  if (!lua_isnoneornil(L, 2))    luaL_checktype(L, 2, LUA_TTABLE);  crl = X509_CRL_new();  X509_CRL_set_version(crl, version);  if (x509)    X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509));  ltm = ASN1_TIME_new();  ntm = ASN1_TIME_new();  ASN1_TIME_set(ltm, lastUpdate);  ASN1_TIME_set(ntm, nextUpdate);  X509_CRL_set_lastUpdate(crl, ltm);  X509_CRL_set_nextUpdate(crl, ntm);  ASN1_TIME_free(ltm);  ASN1_TIME_free(ntm);  if (lua_istable(L, 2) && lua_objlen(L, 2) > 0)  {    int i;    int n = lua_objlen(L, 2);    for (i = 1; i <= n; i++)    {      lua_rawgeti(L, 2, i);      if (lua_istable(L, -1))      {        X509_REVOKED *revoked;        lua_getfield(L, -1, "reason");        lua_getfield(L, -2, "time");        lua_getfield(L, -3, "sn");        revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3));        if (revoked)        {          X509_CRL_add0_revoked(crl, revoked);        }        lua_pop(L, 3);      }      lua_pop(L, 1);    }  }  PUSH_OBJECT(crl, "openssl.x509_crl");  return 1;}

static VALUEossl_x509crl_set_next_update(VALUE self, VALUE time){    X509_CRL *crl;    ASN1_TIME *asn1time;    GetX509CRL(self, crl);    asn1time = ossl_x509_time_adjust(NULL, time);    if (!X509_CRL_set_nextUpdate(crl, asn1time)) {	ASN1_TIME_free(asn1time);	ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");    }    ASN1_TIME_free(asn1time);    return time;}

static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason){  X509_REVOKED *revoked = X509_REVOKED_new();  ASN1_TIME *tm = ASN1_TIME_new();  ASN1_INTEGER *it =  BN_to_ASN1_INTEGER(bn, NULL);;  ASN1_TIME_set(tm, t);  X509_REVOKED_set_revocationDate(revoked, tm);  X509_REVOKED_set_serialNumber(revoked, it);  {    ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();    X509_EXTENSION * ext = X509_EXTENSION_new();    ASN1_ENUMERATED_set(e, reason);    X509_EXTENSION_set_data(ext, e);    X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));    X509_REVOKED_add_ext(revoked, ext, 0);    X509_EXTENSION_free(ext);    ASN1_ENUMERATED_free(e);  }  ASN1_TIME_free(tm);  ASN1_INTEGER_free(it);  return revoked;}

static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason){  X509_REVOKED *revoked = X509_REVOKED_new();  ASN1_TIME *tm = ASN1_TIME_new();  ASN1_INTEGER *it =  BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);;  ASN1_TIME_set(tm, t);  X509_REVOKED_set_revocationDate(revoked, tm);  X509_REVOKED_set_serialNumber(revoked, it);#if OPENSSL_VERSION_NUMBER > 0x10000000L  revoked->reason = reason;#else  {    ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();    X509_EXTENSION * ext = X509_EXTENSION_new();    ASN1_ENUMERATED_set(e, reason);    X509_EXTENSION_set_data(ext, e);    X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));    X509_REVOKED_add_ext(revoked, ext, 0);    X509_EXTENSION_free(ext);    ASN1_ENUMERATED_free(e);  }#endif  ASN1_TIME_free(tm);  ASN1_INTEGER_free(it);  return revoked;}

static int cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)	{	ASN1_TIME *tt;	int r = 0;	if (t)		tt = t;	else		tt = X509_gmtime_adj(NULL, 0);	if (!tt)		goto merr;	if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,						tt->type, tt, -1) <= 0)		goto merr;	r = 1;	merr:	if (!t)		ASN1_TIME_free(tt);	if (!r)		CMSerr(CMS_F_CMS_ADD1_SIGNINGTIME, ERR_R_MALLOC_FAILURE);	return r;	}

static ASN1_TIME *ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec,    int mode){	int allocated = 0;	struct tm tm;	size_t len;	char * p; 	if (gmtime_r(&t, &tm) == NULL) 		return (NULL);	if (offset_day || offset_sec) {		if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec))			return (NULL);	}	switch (mode) {	case V_ASN1_UTCTIME:		p = utctime_string_from_tm(&tm);		break;	case V_ASN1_GENERALIZEDTIME:		p = gentime_string_from_tm(&tm);		break;	case RFC5280:		p = rfc5280_string_from_tm(&tm);		break;	default:		return (NULL);	}	if (p == NULL) {		ASN1error(ASN1_R_ILLEGAL_TIME_VALUE);		return (NULL);	}	if (s == NULL) {		if ((s = ASN1_TIME_new()) == NULL)			return (NULL);		allocated = 1;	}	len = strlen(p);	switch (len) {	case GENTIME_LENGTH:		s->type = V_ASN1_GENERALIZEDTIME;		break; 	case UTCTIME_LENGTH:		s->type = V_ASN1_UTCTIME;		break;	default:		if (allocated)			ASN1_TIME_free(s);		free(p);		return (NULL);	}	free(s->data);	s->data = p;	s->length = len;	return (s);}

static LUA_FUNCTION(openssl_crl_updateTime){  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");  if (lua_isnone(L, 2))  {    ASN1_TIME *ltm, *ntm;    ltm = X509_CRL_get_lastUpdate(crl);    ntm = X509_CRL_get_nextUpdate(crl);    PUSH_ASN1_TIME(L, ltm);    PUSH_ASN1_TIME(L, ntm);    return 2;  }  else  {    ASN1_TIME *ltm, *ntm;    int ret = 0;    time_t last, next;    if (lua_gettop(L) == 2)    {      time(&last);      next = last + luaL_checkint(L, 2);    }    else    {      last = luaL_checkint(L, 2);      next = last + luaL_checkint(L, 3);      luaL_argcheck(L, next > last, 3, "value must after #2");    }    ltm = ASN1_TIME_new();    ASN1_TIME_set(ltm, last);    ntm = ASN1_TIME_new();    ASN1_TIME_set(ntm, next);    ret = X509_CRL_set_lastUpdate(crl, ltm);    if (ret == 1)      ret = X509_CRL_set_nextUpdate(crl, ntm);    ASN1_TIME_free(ltm);    ASN1_TIME_free(ntm);    openssl_pushresult(L, ret);    return 1;  }}

int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm){    ASN1_TIME *in;    in = *ptm;    if (in != tm) {        in = ASN1_STRING_dup(tm);        if (in != NULL) {            ASN1_TIME_free(*ptm);            *ptm = in;        }    }    return (in != NULL);}

static OCSP_BASICRESP *make_dummy_resp(void){    const unsigned char namestr[] = "openssl.example.com";    unsigned char keybytes[128] = {7};    OCSP_BASICRESP *bs = OCSP_BASICRESP_new();    OCSP_BASICRESP *bs_out = NULL;    OCSP_CERTID *cid = NULL;    ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));    ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);    X509_NAME *name = X509_NAME_new();    ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();    ASN1_INTEGER *serial = ASN1_INTEGER_new();    if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,                                   namestr, -1, -1, 1)        || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))        || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))        goto err;    cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);    if (!TEST_ptr(bs)        || !TEST_ptr(thisupd)        || !TEST_ptr(nextupd)        || !TEST_ptr(cid)        || !TEST_true(OCSP_basic_add1_status(bs, cid,                                             V_OCSP_CERTSTATUS_UNKNOWN,                                             0, NULL, thisupd, nextupd)))        goto err;    bs_out = bs;    bs = NULL; err:    ASN1_TIME_free(thisupd);    ASN1_TIME_free(nextupd);    ASN1_BIT_STRING_free(key);    ASN1_INTEGER_free(serial);    OCSP_CERTID_free(cid);    OCSP_BASICRESP_free(bs);    X509_NAME_free(name);    return bs_out;}

static int test_x509_cmp_time_current(){    time_t now = time(NULL);    /* Pick a day earlier and later, relative to any system clock. */    ASN1_TIME *asn1_before = NULL, *asn1_after = NULL;    int cmp_result, failed = 0;    asn1_before = ASN1_TIME_adj(NULL, now, -1, 0);    asn1_after = ASN1_TIME_adj(NULL, now, 1, 0);    cmp_result  = X509_cmp_time(asn1_before, NULL);    if (!TEST_int_eq(cmp_result, -1))        failed = 1;    cmp_result = X509_cmp_time(asn1_after, NULL);    if (!TEST_int_eq(cmp_result, 1))        failed = 1;    ASN1_TIME_free(asn1_before);    ASN1_TIME_free(asn1_after);    return failed == 0;}

int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm){    ASN1_TIME *in;    if (x == NULL)        return (0);    in = x->revocationDate;    if (in != tm) {        in = ASN1_STRING_dup(tm);        if (in != NULL) {            ASN1_TIME_free(x->revocationDate);            x->revocationDate = in;        }    }    return (in != NULL);}

int X509_set_notAfter(X509 *x, const ASN1_TIME *tm){    ASN1_TIME *in;    if (x == NULL)        return (0);    in = x->cert_info.validity.notAfter;    if (in != tm) {        in = ASN1_STRING_dup(tm);        if (in != NULL) {            ASN1_TIME_free(x->cert_info.validity.notAfter);            x->cert_info.validity.notAfter = in;        }    }    return (in != NULL);}

int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm){    ASN1_TIME *in;    if (x == NULL)        return (0);    in = x->crl.nextUpdate;    if (in != tm) {        in = ASN1_STRING_dup(tm);        if (in != NULL) {            ASN1_TIME_free(x->crl.nextUpdate);            x->crl.nextUpdate = in;        }    }    return (in != NULL);}

intX509_set_notBefore(X509 *x, const ASN1_TIME *tm){	ASN1_TIME *in;	if ((x == NULL) || (x->cert_info->validity == NULL))		return (0);	in = x->cert_info->validity->notBefore;	if (in != tm) {		in = ASN1_STRING_dup(tm);		if (in != NULL) {			ASN1_TIME_free(x->cert_info->validity->notBefore);			x->cert_info->validity->notBefore = in;		}	}	return (in != NULL);}

static VALUEdecode_time(unsigned char* der, int length){    ASN1_TIME *time;    const unsigned char *p;    VALUE ret;    int status = 0;    p = der;    if(!(time = d2i_ASN1_TIME(NULL, &p, length)))	ossl_raise(eASN1Error, NULL);    ret = rb_protect((VALUE(*)_((VALUE)))asn1time_to_time,		     (VALUE)time, &status);    ASN1_TIME_free(time);    if(status) rb_jump_tag(status);    return ret;}

static VALUEossl_ocspbres_add_status(VALUE self, VALUE cid, VALUE status,                         VALUE reason, VALUE revtime,                         VALUE thisupd, VALUE nextupd, VALUE ext){    OCSP_BASICRESP *bs;    OCSP_SINGLERESP *single;    OCSP_CERTID *id;    int st, rsn;    ASN1_TIME *ths, *nxt, *rev;    int error, i, rstatus = 0;    VALUE tmp;    st = NUM2INT(status);    rsn = NIL_P(status) ? 0 : NUM2INT(reason);    if(!NIL_P(ext)) {        /* All ary's members should be X509Extension */        Check_Type(ext, T_ARRAY);        for (i = 0; i < RARRAY_LEN(ext); i++)            OSSL_Check_Kind(RARRAY_AT(ext, i), cX509Ext);    }    error = 0;    ths = nxt = rev = NULL;    if(!NIL_P(revtime)) {        tmp = rb_protect(rb_Integer, revtime, &rstatus);        if(rstatus) goto err;        rev = X509_gmtime_adj(NULL, NUM2INT(tmp));    }    tmp = rb_protect(rb_Integer, thisupd, &rstatus);    if(rstatus) goto err;    ths = X509_gmtime_adj(NULL, NUM2INT(tmp));    tmp = rb_protect(rb_Integer, nextupd, &rstatus);    if(rstatus) goto err;    nxt = X509_gmtime_adj(NULL, NUM2INT(tmp));    GetOCSPBasicRes(self, bs);    SafeGetOCSPCertId(cid, id);    if(!(single = OCSP_basic_add1_status(bs, id, st, rsn, rev, ths, nxt))) {        error = 1;        goto err;    }    if(!NIL_P(ext)) {        X509_EXTENSION *x509ext;        sk_X509_EXTENSION_pop_free(single->singleExtensions, X509_EXTENSION_free);        single->singleExtensions = NULL;        for(i = 0; i < RARRAY_LEN(ext); i++) {            x509ext = DupX509ExtPtr(RARRAY_AT(ext, i));            if(!OCSP_SINGLERESP_add_ext(single, x509ext, -1)) {                X509_EXTENSION_free(x509ext);                error = 1;                goto err;            }            X509_EXTENSION_free(x509ext);        }    }err:    ASN1_TIME_free(ths);    ASN1_TIME_free(nxt);    ASN1_TIME_free(rev);    if(error) ossl_raise(eOCSPError, NULL);    if(rstatus) rb_jump_tag(rstatus);    return self;}

int createEmptyCRL(char* pemSigningKey, char* pemCaCert, int crldays, int crlhours, char* result) {  int err = 0;  //convert to BIOs and then keys and x509 structures  BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1);  if (!bioCert) {    BIO_free(bioCert);    return ERR_peek_error();  }  BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);  if (!bioSigningKey) {    BIO_free(bioCert);    BIO_free(bioSigningKey);    return ERR_peek_error();  }  X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL);  if (!caCert) {    BIO_free(bioCert);    BIO_free(bioSigningKey);    return ERR_peek_error();  }  EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);  if (!caKey) {    BIO_free(bioCert);    BIO_free(bioSigningKey);    return ERR_peek_error();  }  X509_CRL* crl = X509_CRL_new();  X509_CRL_set_issuer_name(crl, X509_get_subject_name(caCert));  //set update times (probably not essential, but why not.  ASN1_TIME* tmptm = ASN1_TIME_new();  X509_gmtime_adj(tmptm, long(0));  X509_CRL_set_lastUpdate(crl, tmptm);  X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);  X509_CRL_set_nextUpdate(crl, tmptm);  ASN1_TIME_free(tmptm);  X509_CRL_sort(crl);  //extensions would go here.  if (!(err = X509_CRL_sign(crl,caKey,EVP_sha1())))  {    BIO_free(bioCert);    BIO_free(bioSigningKey);    return err;  }  BIO *mem = BIO_new(BIO_s_mem());  PEM_write_bio_X509_CRL(mem,crl);  BUF_MEM *bptr;  BIO_get_mem_ptr(mem, &bptr);  BIO_read(mem, result, bptr->length);  BIO_free(bioCert);  BIO_free(bioSigningKey);  BIO_free(mem);  return 0;}

static int test_table(struct testdata *tbl, int idx){    int error = 0;    ASN1_TIME atime;    ASN1_TIME *ptime;    struct testdata *td = &tbl[idx];    int day, sec;    atime.data = (unsigned char*)td->data;    atime.length = strlen((char*)atime.data);    atime.type = td->type;    atime.flags = 0;    if (!TEST_int_eq(ASN1_TIME_check(&atime), td->check_result)) {        TEST_info("ASN1_TIME_check(%s) unexpected result", atime.data);        error = 1;    }    if (td->check_result == 0)        return 1;    if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, td->t), 0)) {        TEST_info("ASN1_TIME_cmp_time_t(%s vs %ld) compare failed", atime.data, (long)td->t);        error = 1;    }    if (!TEST_true(ASN1_TIME_diff(&day, &sec, &atime, &atime))) {        TEST_info("ASN1_TIME_diff(%s) to self failed", atime.data);        error = 1;    }    if (!TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {        TEST_info("ASN1_TIME_diff(%s) to self not equal", atime.data);        error = 1;    }    if (!TEST_true(ASN1_TIME_diff(&day, &sec, &gtime, &atime))) {        TEST_info("ASN1_TIME_diff(%s) to baseline failed", atime.data);        error = 1;    } else if (!((td->cmp_result == 0 && TEST_true((day == 0 && sec == 0))) ||                 (td->cmp_result == -1 && TEST_true((day < 0 || sec < 0))) ||                 (td->cmp_result == 1 && TEST_true((day > 0 || sec > 0))))) {        TEST_info("ASN1_TIME_diff(%s) to baseline bad comparison", atime.data);        error = 1;    }    if (!TEST_int_eq(ASN1_TIME_cmp_time_t(&atime, gtime_t), td->cmp_result)) {        TEST_info("ASN1_TIME_cmp_time_t(%s) to baseline bad comparison", atime.data);        error = 1;    }    ptime = ASN1_TIME_set(NULL, td->t);    if (!TEST_ptr(ptime)) {        TEST_info("ASN1_TIME_set(%ld) failed", (long)td->t);        error = 1;    } else {        int local_error = 0;        if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, td->t), 0)) {            TEST_info("ASN1_TIME_set(%ld) compare failed (%s->%s)",                    (long)td->t, td->data, ptime->data);            local_error = error = 1;        }        if (!TEST_int_eq(ptime->type, td->expected_type)) {            TEST_info("ASN1_TIME_set(%ld) unexpected type", (long)td->t);            local_error = error = 1;        }        if (local_error)            TEST_info("ASN1_TIME_set() = %*s", ptime->length, ptime->data);        ASN1_TIME_free(ptime);    }    ptime = ASN1_TIME_new();    if (!TEST_ptr(ptime)) {        TEST_info("ASN1_TIME_new() failed");        error = 1;    } else {        int local_error = 0;        if (!TEST_int_eq(ASN1_TIME_set_string(ptime, td->data), td->check_result)) {            TEST_info("ASN1_TIME_set_string_gmt(%s) failed", td->data);            local_error = error = 1;        }        if (!TEST_int_eq(ASN1_TIME_normalize(ptime), td->check_result)) {            TEST_info("ASN1_TIME_normalize(%s) failed", td->data);            local_error = error = 1;        }        if (!TEST_int_eq(ptime->type, td->expected_type)) {            TEST_info("ASN1_TIME_set_string_gmt(%s) unexpected type", td->data);            local_error = error = 1;        }        day = sec = 0;        if (!TEST_true(ASN1_TIME_diff(&day, &sec, ptime, &atime)) || !TEST_int_eq(day, 0) || !TEST_int_eq(sec, 0)) {            TEST_info("ASN1_TIME_diff(day=%d, sec=%d, %s) after ASN1_TIME_set_string_gmt() failed", day, sec, td->data);            local_error = error = 1;        }        if (!TEST_int_eq(ASN1_TIME_cmp_time_t(ptime, gtime_t), td->cmp_result)) {            TEST_info("ASN1_TIME_cmp_time_t(%s) after ASN1_TIME_set_string_gnt() to baseline bad comparison", td->data);            local_error = error = 1;        }        if (local_error)            TEST_info("ASN1_TIME_set_string_gmt() = %*s", ptime->length, ptime->data);        ASN1_TIME_free(ptime);    }//.........这里部分代码省略.........

CFMutableDictionaryRef SDMMD__CreatePairingMaterial(CFDataRef devicePubkey){	CFMutableDictionaryRef record = NULL;	RSA *rsaBIOData = NULL;	BIO *deviceBIO = SDMMD__create_bio_from_data(devicePubkey);	if (deviceBIO) {		PEM_read_bio_RSAPublicKey(deviceBIO, &rsaBIOData, NULL, NULL);		BIO_free(deviceBIO);	}	else {		printf("Could not decode device public key//n");	}	RSA *rootKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);	if (!rootKeyPair) {		printf("Could not allocate root key pair/n");	}	RSA *hostKeyPair = RSA_generate_key(2048, 65537, NULL, NULL);	if (!hostKeyPair) {		printf("Could not allocate host key pair/n");	}	sdmmd_return_t result = kAMDSuccess;	EVP_PKEY *rootEVP = EVP_PKEY_new();	if (!rootEVP) {		printf("Could not allocate root EVP key//n");	}	else {		result = EVP_PKEY_assign(rootEVP, EVP_CTRL_RAND_KEY, PtrCast(rootKeyPair, char *));		if (!result) {			printf("Could not assign root key pair/n");		}	}	EVP_PKEY *hostEVP = EVP_PKEY_new();	if (!hostEVP) {		printf("Could not allocate host EVP key//n");	}	else {		result = EVP_PKEY_assign(hostEVP, EVP_CTRL_RAND_KEY, PtrCast(hostKeyPair, char *));		if (!result) {			printf("Could not assign host key pair/n");		}	}	EVP_PKEY *deviceEVP = EVP_PKEY_new();	if (!deviceEVP) {		printf("Could not allocate device EVP key//n");	}	else {		result = EVP_PKEY_assign(deviceEVP, EVP_CTRL_RAND_KEY, PtrCast(rsaBIOData, char *));		if (!result) {			printf("Could not assign device key pair/n");		}	}	X509 *rootX509 = X509_new();	if (!rootX509) {		printf("Could not create root X509//n");	}	else {		X509_set_pubkey(rootX509, rootEVP);		X509_set_version(rootX509, 2);		ASN1_INTEGER *rootSerial = X509_get_serialNumber(rootX509);		ASN1_INTEGER_set(rootSerial, 0);		ASN1_TIME *rootAsn1time = ASN1_TIME_new();		ASN1_TIME_set(rootAsn1time, 0);		X509_set_notBefore(rootX509, rootAsn1time);		ASN1_TIME_set(rootAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years		X509_set_notAfter(rootX509, rootAsn1time);		ASN1_TIME_free(rootAsn1time);		SDMMD__add_ext(rootX509, NID_basic_constraints, "critical,CA:TRUE");		SDMMD__add_ext(rootX509, NID_subject_key_identifier, "hash");		result = X509_sign(rootX509, rootEVP, EVP_sha1());		if (!result) {			printf("Could not sign root cert//n");		}	}	X509 *hostX509 = X509_new();	if (!hostX509) {		printf("Could not create host X509//n");	}	else {		X509_set_pubkey(hostX509, hostEVP);		X509_set_version(hostX509, 2);		ASN1_INTEGER *hostSerial = X509_get_serialNumber(hostX509);		ASN1_INTEGER_set(hostSerial, 0);		ASN1_TIME *hostAsn1time = ASN1_TIME_new();		ASN1_TIME_set(hostAsn1time, 0);		X509_set_notBefore(hostX509, hostAsn1time);		ASN1_TIME_set(hostAsn1time, 0x12cc0300); // 60 sec * 60 minutes * 24 hours * 365 days * 10 years//.........这里部分代码省略.........

int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {	if(!a) return(-1);	if( conf->debug )		PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");	PKI_RWLOCK_write_lock ( &conf->crl_lock );	// pthread_rwlock_wrlock( &crl_lock );	if( conf->debug )		PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");	if( a->crl ) PKI_X509_CRL_free ( a->crl );	a->crl = NULL;	a->crl_list = NULL;	if( a->crl_url == NULL ) {		 PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );		return(-1);	}	/* We now re-load the CRL */	if( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {		PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]", 						a->crl_url->addr, a->ca_id);		PKI_RWLOCK_release_write ( &conf->crl_lock );		return(-1);	}	if( conf->verbose )		PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]",			a->ca_id );	/* Let's get the CRLs entries, if any */	if( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) { 		if( conf->verbose )			PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]",				a->ca_id );	};	if(conf->verbose)		PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]", 								a->ca_id );	/* If previous values are there, then we clear them up */	if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);	if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);	/* Get new values from the recently loaded CRL */	a->lastUpdate = M_ASN1_TIME_dup (		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));	a->nextUpdate = M_ASN1_TIME_dup (		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));	if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");	PKI_RWLOCK_release_write ( &conf->crl_lock );	// pthread_rwlock_unlock ( &crl_lock );	if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");	/* Now check the CRL validity */	a->crl_status = check_crl_validity( a, conf );	if( a->crl_status == CRL_OK ) {		PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);	}	return(0);}

X509_REVOKED *openssl_X509_REVOKED(lua_State*L, int snidx, int timeidx, int reasonidx) {    X509_REVOKED *revoked = X509_REVOKED_new();    const char* serial = luaL_checkstring(L, snidx);    BIGNUM * bn = NULL;    ASN1_TIME *tm = NULL;    int reason = 0;    ASN1_INTEGER *it = NULL;    if(!BN_hex2bn(&bn, serial))    {        goto end;    };    if(lua_isnumber(L,timeidx) || lua_isnoneornil(L, timeidx))    {        time_t t;        time(&t);        t = luaL_optinteger(L, 3, (lua_Integer)t);        tm = ASN1_TIME_new();        ASN1_TIME_set(tm,t);    } else if(lua_isstring(L, timeidx))    {    } else {        goto end;    }    if(lua_isnumber(L, reasonidx) || lua_isnoneornil(L, reasonidx))    {        reason = luaL_optinteger(L, reasonidx, 0);        if(reason < 0 || reason >= reason_num) {            goto end;        }    } else if(lua_isstring(L, reasonidx))    {        const char* s = lua_tostring(L, reasonidx);        reason = openssl_get_revoke_reason(s);        if(reason < 0 || reason >= reason_num) {            goto end;        }    } else    {        goto end;    };    it = BN_to_ASN1_INTEGER(bn,NULL);    X509_REVOKED_set_revocationDate(revoked, tm);    X509_REVOKED_set_serialNumber(revoked, it);#if OPENSSL_VERSION_NUMBER > 0x10000000L    revoked->reason = reason;#else    /*    {        ASN1_ENUMERATED * e = ASN1_ENUMERATED_new();    	X509_EXTENSION * ext = X509_EXTENSION_new();        ASN1_ENUMERATED_set(e, reason);        X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason));        X509_EXTENSION_set_data(ext,e);        if(!revoked->extensions)            revoked->extensions = sk_X509_EXTENSION_new_null();    	X509_REVOKED_add_ext()        sk_X509_REVOKED_push(revoked->extensions,ext);        X509_EXTENSION_free(ext);        ASN1_ENUMERATED_free(e);    }    */#endif    ASN1_TIME_free(tm);    ASN1_INTEGER_free(it);    BN_free(bn);    return revoked;end:    X509_REVOKED_free(revoked);    ASN1_TIME_free(tm);    ASN1_INTEGER_free(it);    BN_free(bn);    return NULL;}

//.........这里部分代码省略.........      if (lua_istable(L, 5))      {        BUF_MEM *buf;        BIO_reset(bio);        i2a_ASN1_INTEGER(bio, serial);        BIO_get_mem_ptr(bio, &buf);        lua_pushlstring(L, buf->data, buf->length);        lua_gettable(L, 5);        if (lua_isnil(L, -1))          status = V_OCSP_CERTSTATUS_UNKNOWN;        else        {          luaL_checktype(L, -1, LUA_TTABLE);          lua_getfield(L, -1, "revoked");          if (lua_toboolean(L, -1))          {            lua_pop(L, 1);            status = V_OCSP_CERTSTATUS_REVOKED;            lua_getfield(L, -1, "revoked_time");            if (!lua_isnil(L, -1))            {              revtm = ASN1_TIME_new();              ASN1_TIME_set(revtm, luaL_checkint(L, -1));            }            lua_pop(L, 1);            lua_getfield(L, -1, "reason");            if (lua_isstring(L, -1))              reason = openssl_get_revoke_reason(lua_tostring(L, -1));            else              reason = luaL_checkint(L, -1);            lua_pop(L, 1);          }          else          {            lua_pop(L, 1);            status = V_OCSP_CERTSTATUS_GOOD;          }        }      }      else      {      }      if (reason == 7)        reason = OCSP_REVOKED_STATUS_REMOVEFROMCRL;      else if (reason == 8)      {        reason = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;        //inst = OBJ_txt2obj(str, 0);      }      else if (reason == 9 || reason == 10)      {        if ( reason == 9 )          reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;        else if (reason == 10)          reason = OCSP_REVOKED_STATUS_CACOMPROMISE;        /*        invtm = ASN1_GENERALIZEDTIME_new();        if (!ASN1_GENERALIZEDTIME_set_string(invtm, arg_str))        */      }      single = OCSP_basic_add1_status(bs, cid, status, reason, revtm, thispnd, nextpnd);      if (invtm)      {        OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);        ASN1_TIME_free(revtm);      }      if (inst)      {        OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);        ASN1_OBJECT_free(inst);      }      if (invtm)        ASN1_GENERALIZEDTIME_free(invtm);    }    OCSP_copy_nonce(bs, req);    OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flag);    res = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);    BIO_free(bio);  }  if(res) {    PUSH_OBJECT(res, "openssl.ocsp_response");  }else    lua_pushnil(L);  return 1;}

DWORDVMCACreateRevokedFromCert_Reason(    ASN1_INTEGER *asnSerial,    DWORD dwRevokedDate,    VMCA_CRL_REASON certRevokeReason,    X509_REVOKED **pRevoked){    DWORD dwError = 0;    X509_REVOKED *pTempRev = NULL;    ASN1_TIME *pRevTime = NULL;    ASN1_ENUMERATED *pCode = NULL;    pCode = ASN1_ENUMERATED_new();    if(pCode == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    pTempRev = X509_REVOKED_new();    if (pTempRev == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    pRevTime = ASN1_TIME_new();    if (pRevTime == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate);    dwError = X509_REVOKED_set_serialNumber(pTempRev,                                            asnSerial);    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);    ASN1_ENUMERATED_set(pCode, certRevokeReason);    dwError = X509_REVOKED_add1_ext_i2d(pTempRev,                            NID_crl_reason, pCode, 0, 0);    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);    *pRevoked = pTempRev;cleanup :    if(pRevTime != NULL) {        ASN1_TIME_free(pRevTime);    }    if(pCode !=NULL) {        ASN1_ENUMERATED_free(pCode);    }    return dwError;error:    if(pTempRev != NULL)    {        X509_REVOKED_free(pTempRev);    }    goto cleanup;}

DWORDVMCACreateRevokedFromCert(    X509 *pCert,    X509_REVOKED **pRevoked){    DWORD dwError = 0;    X509_REVOKED *pTempRev = NULL;    ASN1_TIME *pRevTime = NULL;    ASN1_ENUMERATED *pCode = NULL;    pCode = ASN1_ENUMERATED_new();    if(pCode == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    pTempRev = X509_REVOKED_new();    if (pTempRev == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    pRevTime = ASN1_TIME_new();    if (pRevTime == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    ASN1_TIME_set(pRevTime, time(NULL));    dwError = X509_REVOKED_set_serialNumber(pTempRev,                    X509_get_serialNumber(pCert));    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);    //TODO : Fix the UNSPECIFIED to real valid reason    // which users can pass in.    ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED);    dwError = X509_REVOKED_add1_ext_i2d(pTempRev,                            NID_crl_reason, pCode, 0, 0);    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);    *pRevoked = pTempRev;cleanup :    if(pRevTime != NULL) {        ASN1_TIME_free(pRevTime);    }    if(pCode !=NULL) {        ASN1_ENUMERATED_free(pCode);    }    return dwError;error:    if(pTempRev != NULL)    {        X509_REVOKED_free(pTempRev);    }    goto cleanup;}

DWORDVMCAUpdateTimeStamps(    X509_CRL *pCrl,    time_t tmLastUpdate,    time_t tmNextUpdate,    DWORD nCrlNum){    ASN1_TIME *pAsnLastUpdate = NULL;    ASN1_TIME *pAsnNextUpdate = NULL;    DWORD dwError = 0;    ASN1_INTEGER *pSerial = NULL;    if(pCrl == NULL) {        dwError = ERROR_INVALID_PARAMETER;        BAIL_ON_ERROR(dwError);    }    pAsnLastUpdate = ASN1_TIME_new();    if(pAsnLastUpdate == NULL){        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    pAsnNextUpdate  = ASN1_TIME_new();    if(pAsnNextUpdate == NULL) {        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    ASN1_TIME_set(pAsnLastUpdate, tmLastUpdate);    ASN1_TIME_set(pAsnNextUpdate, tmNextUpdate);    dwError = X509_CRL_set_lastUpdate(pCrl, pAsnLastUpdate);    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_START_TIME);    dwError = X509_CRL_set_nextUpdate(pCrl, pAsnNextUpdate);    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_END_TIME);    pSerial = ASN1_INTEGER_new();    if (pSerial == NULL){        dwError = VMCA_OUT_MEMORY_ERR;        BAIL_ON_ERROR(dwError);    }    ASN1_INTEGER_set(pSerial, nCrlNum);    X509_CRL_add1_ext_i2d(pCrl, NID_crl_number, pSerial,0,0);error:    if ( pAsnLastUpdate != NULL) {        ASN1_TIME_free(pAsnLastUpdate);    }    if( pAsnNextUpdate != NULL) {        ASN1_TIME_free(pAsnNextUpdate);    }    if(pSerial != NULL) {        ASN1_INTEGER_free(pSerial);    }    return dwError;}

/* * Revoke one certificate at a time * No check performed to see if certificate already revoked. */void revoke_cert(char * ca_name, char * name){    char filename[FIELD_SZ+5];    FILE * f ;    X509_CRL * crl ;    X509 * cert ;    ASN1_INTEGER * r_serial ;    ASN1_INTEGER * crlnum ;    X509_REVOKED * rev ;    ASN1_TIME * tm ;    identity ca ;    BIO * out ;    BIGNUM * b_crlnum ;    /* Find requested certificate by name */    sprintf(filename, "%s.crt", name);    if ((f=fopen(filename, "r"))==NULL) {        fprintf(stderr, "Cannot find: %s/n", filename);        return ;     }    cert = PEM_read_X509(f, NULL, NULL, NULL);    fclose(f);    /* Get certificate serial number */    r_serial = X509_get_serialNumber(cert);    /* Find out if if was already revoked */    /* Make a revoked object with that serial */    rev = X509_REVOKED_new();    X509_REVOKED_set_serialNumber(rev, r_serial);    X509_free(cert);    /* Set reason to unspecified */    rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED);    /* Load or create new CRL */    if ((crl = load_crl(ca_name))==NULL) {        crl = X509_CRL_new();        X509_CRL_set_version(crl, 1);        /* Set CRL number */        crlnum = ASN1_INTEGER_new();        ASN1_INTEGER_set(crlnum, 1);        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0);        ASN1_INTEGER_free(crlnum);    } else {        crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0);        b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL);        BN_add_word(b_crlnum, 1);        BN_to_ASN1_INTEGER(b_crlnum, crlnum);        BN_free(b_crlnum);        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING);        ASN1_INTEGER_free(crlnum);    }    /* What time is it? */    tm = ASN1_TIME_new();    X509_gmtime_adj(tm, 0);    X509_REVOKED_set_revocationDate(rev, tm);    X509_CRL_set_lastUpdate(crl, tm);    /* Set CRL next update to a year from now */    X509_gmtime_adj(tm, 365*24*60*60);    X509_CRL_set_nextUpdate(crl, tm);    ASN1_TIME_free(tm);    /* Add revoked to CRL */    X509_CRL_add0_revoked(crl, rev);        X509_CRL_sort(crl);    /* Load root key to sign CRL */    if (load_ca(ca_name, &ca)!=0) {        fprintf(stderr, "Cannot find CA key/crt/n");        return ;    }    X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert));    X509_free(ca.cert);    /* Sign CRL */    X509_CRL_sign(crl, ca.key, EVP_sha256());    EVP_PKEY_free(ca.key);    /* Dump CRL */    sprintf(filename, "%s.crl", ca_name);    if ((f = fopen(filename, "wb"))==NULL) {        fprintf(stderr, "Cannot write %s: aborting/n", filename);        X509_CRL_free(crl);        return ;    }    out = BIO_new(BIO_s_file());    BIO_set_fp(out, f, BIO_NOCLOSE);    PEM_write_bio_X509_CRL(out, crl);    BIO_free_all(out);    fclose(f);    X509_CRL_free(crl);    return ;}