Restore some revocation-related X.509 extensions.
These are tied to OPENSSL_NO_OCSP in upstream but do not actually depend
on most of the OCSP machinery. The CRL invdate extension, in particular,
isn't associated with OCSP at all. cryptography.io gets upset if these
two extensions aren't parseable, and they're tiny.
I do not believe this actually affects anything beyond functions like
X509_get_ext_d2i. In particular, the list of NIDs for the criticality
check is elsewhere.
Change-Id: I889f6ebf4ca4b34b1d9ff15f45e05878132826a1
Reviewed-on: https://boringssl-review.googlesource.com/28549
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509v3/CMakeLists.txt b/crypto/x509v3/CMakeLists.txt
index b2eb618..6119639 100644
--- a/crypto/x509v3/CMakeLists.txt
+++ b/crypto/x509v3/CMakeLists.txt
@@ -31,6 +31,7 @@
v3_int.c
v3_lib.c
v3_ncons.c
+ v3_ocsp.c
v3_pci.c
v3_pcia.c
v3_pcons.c
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 78fa793..a6ca45b 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -107,19 +107,17 @@
&v3_ext_ku,
&v3_delta_crl,
&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
&v3_crl_invdate,
-#endif
&v3_sxnet,
&v3_info,
#ifndef OPENSSL_NO_OCSP
&v3_ocsp_nonce,
&v3_ocsp_crlid,
&v3_ocsp_accresp,
- &v3_ocsp_nocheck,
&v3_ocsp_acutoff,
&v3_ocsp_serviceloc,
#endif
+ &v3_ocsp_nocheck,
&v3_sinfo,
&v3_policy_constraints,
#ifndef OPENSSL_NO_OCSP
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
new file mode 100644
index 0000000..c63646a
--- /dev/null
+++ b/crypto/x509v3/v3_ocsp.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/x509v3.h>
+
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/nid.h>
+
+/*
+ * OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
+ BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+ void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *str);
+
+const X509V3_EXT_METHOD v3_crl_invdate = {
+ NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+ 0, 0, 0, 0,
+ 0, 0,
+ 0, 0,
+ i2r_ocsp_acutoff, 0,
+ NULL
+};
+
+const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+ NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
+ 0, 0, 0, 0,
+ 0, s2i_ocsp_nocheck,
+ 0, 0,
+ i2r_ocsp_nocheck, 0,
+ NULL
+};
+
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
+ BIO *bp, int ind)
+{
+ if (BIO_printf(bp, "%*s", ind, "") <= 0)
+ return 0;
+ if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
+ return 0;
+ return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
+ BIO *out, int indent)
+{
+ return 1;
+}
+
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+ X509V3_CTX *ctx, const char *str)
+{
+ return ASN1_NULL_new();
+}
