Add support for OCSP noCheck X509 extension

2026-04-05 20:15:36 +02:00 · 2017-08-15 15:15:19 +01:00
parent d6700fd019
commit 4e075e4f5c
4 changed files with 28 additions and 0 deletions
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -183,6 +183,11 @@
 #define MBEDTLS_OID_TIME_STAMPING               MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
 #define MBEDTLS_OID_OCSP_SIGNING                MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */

+#define MBEDTLS_OID_AD                          MBEDTLS_OID_PKIX "\x30" /**< id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } */
+#define MBEDTLS_OID_OCSP                        MBEDTLS_OID_AD "\x01" /**< id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } */
+
+#define MBEDTLS_OID_OCSP_NOCHECK                MBEDTLS_OID_OCSP "\x05" /**< id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } */
+
 /*
 * PKCS definition OIDs
 */
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -161,6 +161,7 @@
 #define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)

 #define MBEDTLS_X509_EXT_AUTHORITY_INFO_ACCESS       (1 << 17)
+#define MBEDTLS_X509_EXT_OCSP_NOCHECK                (1 << 18)

 /*
 * Storage format identifiers
--- a/library/oid.c
+++ b/library/oid.c
@@ -282,6 +282,10 @@ static const oid_x509_ext_t oid_x509_ext[] =
        { ADD_LEN( MBEDTLS_OID_AUTHORITY_INFO_ACCESS ), "id-pe-authorityInfoAccess", "Authority Information Access" },
        MBEDTLS_X509_EXT_AUTHORITY_INFO_ACCESS,
    },
+    {
+        { ADD_LEN( MBEDTLS_OID_OCSP_NOCHECK ), "id-pkix-ocsp-nocheck", "OCSP NoCheck" },
+        MBEDTLS_X509_EXT_OCSP_NOCHECK,
+    },
    {
        { NULL, 0, NULL, NULL },
        0,
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -730,6 +730,17 @@ static int x509_get_crt_ext( unsigned char **p,
                return( ret );
            break;

+        case MBEDTLS_X509_EXT_OCSP_NOCHECK:
+            /*
+             * Parse OCSP NoCheck
+             *
+             * TODO: It might be good to check that this extension is persent
+             * only when the Extended Key Usage is either ANY or OCSP Signing
+             */
+            if( *p != end_ext_octet )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+            break;
+
        case MBEDTLS_X509_EXT_AUTHORITY_INFO_ACCESS:
            /* Parse Authority Information Access */
            if( ( ret = x509_get_authority_info_access( p, end_ext_octet,
@@ -1649,6 +1660,13 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
            return( ret );
    }

+    if( crt->ext_types & MBEDTLS_X509_EXT_OCSP_NOCHECK )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: NULL",
+                                prefix, "OCSP nocheck" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
    if( crt->ext_types & MBEDTLS_X509_EXT_AUTHORITY_INFO_ACCESS )
    {
        ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: ",