Add support for RFC6960's id-pkix-ocsp-extended-revoke #3

Closed
wants to merge 3 commits into from

Conversation

vtsingaras
Contributor

This patch adds an extension to the basic response that is created, specifying that our OCSP responder knows of the new RFC6960 Extended Revocation status. For this reason we also supply a new libPKI API call, PKI_TIME_set, so the OCSP responder can set the revocation time to "1 January 1970".

https://tools.ietf.org/html/rfc6960#section-2.2

@opencrypto
Member

I added support for the extension here: https://github.com/openca/libpki/blob/master/src/openssl/pki_ocsp_resp.c#L214. Still not tested, though. This is better, as this extension should be used only when the OCSP responder is using the "extended" notion of revoked (i.e., non-issued certs are also reported as revoked). However, since this is not the default behavior of the OCSPd (it should be set "... when that response contains a 'revoked' status for a non-issued certificate"), I prefer to be able to provide the choice in the library to generate responses that do not carry the extension. CRL-based OCSPd instances should not set this extension, as they are not aware whether a non-revoked (not present in the CRL) certificate was ever issued by the CA, AFAIK.
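As an added illustration (not code from this PR, from libpki, or from either participant), the following stand-alone Python sketch builds the two DER structures the thread is about: the id-pkix-ocsp-extended-revoke extension (OID 1.3.6.1.5.5.7.48.1.9 from RFC 6960 section 4.4.8, NULL value, non-critical) and the RevokedInfo that RFC 6960 section 2.2 prescribes for a non-issued certificate (revocationTime 1 January 1970, reason certificateHold). It also includes a client-side check for that marker and a hypothetical policy helper capturing the point made above: an "extended" responder must emit the extension when it reports a non-issued serial as revoked and may choose to omit it otherwise, while a CRL-based responder never emits it. The OID and the field values come from RFC 6960; the function names, the hand-rolled DER encoder, the responder mode strings and the sample inputs are assumptions of this example and are not libpki API.

```python
"""Encode and check the RFC 6960 extended-revoke artefacts (illustrative example, not libpki code)."""
import datetime

# RFC 6960 4.4.8: id-pkix-ocsp-extended-revoke ::= { id-pkix-ocsp 9 }
OID_EXTENDED_REVOKE = "1.3.6.1.5.5.7.48.1.9"
# RFC 5280 CRLReason certificateHold(6); RFC 6960 2.2 mandates it for non-issued certificates
CRL_REASON_CERTIFICATE_HOLD = 6
# RFC 6960 2.2: revocationTime for a non-issued certificate is 1 January 1970 00:00:00 UTC
NON_ISSUED_REVOCATION_TIME = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def der_generalized_time(dt: datetime.datetime) -> bytes:
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def der_sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def extended_revoke_extension() -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    extnValue carries DER NULL; 'critical FALSE' is a DEFAULT and so is omitted under DER."""
    return der_sequence(der_oid(OID_EXTENDED_REVOKE), tlv(0x04, b"\x05\x00"))


def revoked_info(when: datetime.datetime, reason: int) -> bytes:
    """RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime,
                                  revocationReason [0] EXPLICIT CRLReason OPTIONAL }"""
    return der_sequence(der_generalized_time(when), tlv(0xA0, tlv(0x0A, bytes([reason]))))


def non_issued_revoked_info() -> bytes:
    """The RevokedInfo a responder returns for a serial the CA never issued."""
    return revoked_info(NON_ISSUED_REVOCATION_TIME, CRL_REASON_CERTIFICATE_HOLD)


# Constructed sample for contrast: an issued certificate put on hold in 2020.
ISSUED_REVOKED_INFO = revoked_info(
    datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc), CRL_REASON_CERTIFICATE_HOLD)


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, offset after this TLV); enough DER for the structures above."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def is_non_issued_marker(info: bytes) -> bool:
    """Client-side check: revocationTime 1970-01-01T00:00:00Z and reason certificateHold."""
    tag, body, _ = read_tlv(info)
    if tag != 0x30:
        return False
    t_tag, t_val, off = read_tlv(body)
    if t_tag != 0x18 or t_val != b"19700101000000Z" or off >= len(body):
        return False
    r_tag, r_body, _ = read_tlv(body, off)
    if r_tag != 0xA0:
        return False
    e_tag, e_val, _ = read_tlv(r_body)
    return e_tag == 0x0A and e_val == bytes([CRL_REASON_CERTIFICATE_HOLD])


def response_extensions(responder_mode: str, reports_non_issued: bool,
                        advertise_when_unused: bool = False) -> list:
    """Hypothetical policy helper (not libpki API). Mode names are assumptions of this example.
    'extended': the responder knows every serial the CA issued; it MUST set the extension when
                it reports a non-issued serial as revoked and MAY set it in other responses.
    'crl':      the responder only knows what the CRL lists and cannot tell 'never issued'
                from 'issued and not revoked', so it must not set the extension."""
    if responder_mode == "crl":
        if reports_non_issued:
            raise ValueError("a CRL-based responder cannot assert that a serial was never issued")
        return []
    if responder_mode == "extended":
        if reports_non_issued or advertise_when_unused:
            return [extended_revoke_extension()]
        return []
    raise ValueError(f"unknown responder mode: {responder_mode}")


if __name__ == "__main__":
    print("extension   :", extended_revoke_extension().hex())
    print("RevokedInfo :", non_issued_revoked_info().hex())
```

The helper only produces the encodings; a responder built on libpki/OpenSSL would hand the extension bytes to its own extension API and place the RevokedInfo in the SingleResponse. The `advertise_when_unused` flag is the choice discussed above: keep it off to emit the extension only in responses that actually report a non-issued serial.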
