From eed13e64effc819dc3515c637c3f057cfa1abcbb Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Mon, 12 Dec 2016 22:48:02 +0000
Subject: Write OCSP_CRLID_new(3) and OCSP_SERVICELOC_new(3) from scratch.

These two and OCSP_CRLID_free(3) and OCSP_SERVICELOC_free(3) are public by being in OpenSSL doc/man3/X509_dup.pod. OCSP_crlID_new(3) and OCSP_url_svcloc_new(3) are related and, even though completely undocumented in OpenSSL, obviously much more important. If you had told me a year ago that i would ever write such text, i would have called you crazy.
---
 src/lib/libcrypto/man/Makefile | 4 +-
 src/lib/libcrypto/man/OCSP_CRLID_new.3 | 97 +++++++++++++++++++++++++++
 src/lib/libcrypto/man/OCSP_REQUEST_new.3 | 5 +-
 src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 | 91 +++++++++++++++++++++++++
 src/lib/libcrypto/man/OCSP_resp_find_status.3 | 3 +-
 5 files changed, 196 insertions(+), 4 deletions(-)
 create mode 100644 src/lib/libcrypto/man/OCSP_CRLID_new.3
 create mode 100644 src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
(limited to 'src/lib')

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 89533851fb..300051f921 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.74 2016/12/11 18:06:09 schwarze Exp $
+# $OpenBSD: Makefile,v 1.75 2016/12/12 22:48:02 schwarze Exp $
 
 .include
 
@@ -122,7 +122,9 @@ MAN= \
  HMAC.3 \
  MD5.3 \
  OBJ_nid2obj.3 \
+ OCSP_CRLID_new.3 \
  OCSP_REQUEST_new.3 \
+ OCSP_SERVICELOC_new.3 \
  OCSP_cert_to_id.3 \
  OCSP_request_add1_nonce.3 \
  OCSP_resp_find_status.3 \
diff --git a/src/lib/libcrypto/man/OCSP_CRLID_new.3 b/src/lib/libcrypto/man/OCSP_CRLID_new.3
new file mode 100644
index 0000000000..556ec7f20e
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_CRLID_new.3
@@ -0,0 +1,97 @@
+.\" $OpenBSD: OCSP_CRLID_new.3,v 1.1 2016/12/12 22:48:02 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 12 2016 $
+.Dt OCSP_CRLID_NEW 3
+.Os
+.Sh NAME
+.Nm OCSP_CRLID_new ,
+.Nm OCSP_CRLID_free ,
+.Nm OCSP_crlID_new
+.Nd OCSP CRL extension
+.Sh SYNOPSIS
+.In opsenssl/ocsp.h
+.Ft OCSP_CRLID *
+.Fn OCSP_CRLID_new void
+.Ft void
+.Fn OCSP_CRLID_free "OCSP_CRLID *crlid"
+.Ft X509_EXTENSION *
+.Fo OCSP_crlID_new
+.Fa "char *url"
+.Fa "long *number"
+.Fa "char *time"
+.Fc
+.Sh DESCRIPTION
+If a client asks about the validity of a certificate and it turns
+out to be invalid, the responder may optionally communicate which
+certificate revocation list the certificate was found on.
+The required data is stored as an ASN.1 CrlID structure in the
+singleExtensions field of the SingleResponse structure.
+The CrlID is represented by an
+.Vt OCSP_CRLID
+object, which will be stored inside the
+.Vt OCSP_SINGLERESP
+object documented in
+.Xr OCSP_SINGLERESP_new 3 .
+.Pp
+.Fn OCSP_CRLID_new
+allocates and initializes an empty
+.Vt OCSP_CRLID
+object.
+.Fn OCSP_CRLID_free
+frees
+.Fa crlid .
+.Pp
+.Fn OCSP_crlID_new
+accepts the
+.Fa url
+at which the CRL is available, the CRL
+.Fa number ,
+and/or the
+.Fa time
+at which the CRL was created.
+Each argument can be
+.Dv NULL ,
+in which case the respective field is omitted.
+The resulting CrlID structure is encoded in ASN.1 using
+.Xr X509V3_EXT_i2d 3
+with criticality 0.
+.Sh RETURN VALUES
+.Fn OCSP_CRLID_new
+returns a new
+.Vt OCSP_CRLID
+object or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_crlID_new
+returns a new
+.Vt X509_EXTENSION
+object or
+.Dv NULL
+if an error occurred.
+.Sh SEE ALSO
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3
+.Sh STANDARDS
+RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
+Status Protocol, section 4.4.2: CRL References
+.Sh CAVEATS
+The function names
+.Fn OCSP_CRLID_new
+and
+.Fn OCSP_crlID_new
+only differ in case.
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
index deac9104d9..58f1bc1935 100644
--- a/src/lib/libcrypto/man/OCSP_REQUEST_new.3
+++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_REQUEST_new.3,v 1.4 2016/12/12 17:46:23 schwarze Exp $
+.\" $OpenBSD: OCSP_REQUEST_new.3,v 1.5 2016/12/12 22:48:02 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -303,7 +303,8 @@ OCSP_REQUEST_free(req);
 .Xr OCSP_request_add1_nonce 3 ,
 .Xr OCSP_resp_find_status 3 ,
 .Xr OCSP_response_status 3 ,
-.Xr OCSP_sendreq_new 3
+.Xr OCSP_sendreq_new 3 ,
+.Xr OCSP_SERVICELOC_new 3
 .Sh STANDARDS
 RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
 Status Protocol, section 4.1: Request Syntax
diff --git a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
new file mode 100644
index 0000000000..07200114e5
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
@@ -0,0 +1,91 @@
+.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.1 2016/12/12 22:48:02 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 12 2016 $
+.Dt OCSP_SERVICELOC_NEW 3
+.Os
+.Sh NAME
+.Nm OCSP_SERVICELOC_new ,
+.Nm OCSP_SERVICELOC_free ,
+.Nm OCSP_url_svcloc_new
+.Nd OCSP service locator extension
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft OCSP_SERVICELOC *
+.Fn OCSP_SERVICELOC_new void
+.Ft void
+.Fn OCSP_SERVICELOC_free "OCSP_SERVICELOC *sloc"
+.Ft X509_EXTENSION *
+.Fo OCSP_url_svcloc_new
+.Fa "X509_NAME *issuer"
+.Fa "char **urls"
+.Fc
+.Sh DESCRIPTION
+Due to restrictions of network routing, a client may be unable to
+directly contact the authoritative OCSP server for a certificate
+that needs to be checked.
+In that case, the request can be sent via a proxy server.
+An ASN.1 ServiceLocator structure is included in the
+singleRequestExtensions field of the Request structure to indicate
+where to forward the request.
+The ServiceLocator is represented by a
+.Vt OCSP_SERVICELOC
+object, which will be stored inside the
+.Vt OCSP_ONEREQ
+object documented in
+.Xr OCSP_ONEREQ_new 3 .
+.Pp
+.Fn OCSP_SERVICELOC_new
+allocates and initializes an empty
+.Vt OCSP_SERVICELOC
+object.
+.Fn OCSP_SERVICELOC_free
+frees
+.Fa sloc .
+.Pp
+.Fn OCSP_url_svcloc_new
+requires an
+.Fa issuer
+name and optionally accepts an array or
+.Fa urls .
+If
+.Fa urls
+or its first element is
+.Dv NULL ,
+the locator field is omitted from the ServiceLocator structure
+and only the issuer is included.
+The resulting ServiceLocator structure is encoded in ASN.1 using
+.Xr X509V3_EXT_i2d 3
+with criticality 0.
+.Sh RETURN VALUES
+.Fn OCSP_SERVICELOC_new
+returns a new
+.Vt OCSP_SERVICELOC
+object or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_url_svcloc_new
+returns a new
+.Vt X509_EXTENSION
+object or
+.Dv NULL
+if an error occurred.
+.Sh SEE ALSO
+.Xr OCSP_REQUEST_new 3
+.Sh STANDARDS
+RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
+Status Protocol, section 4.4.6: Service Locator
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
index eca0a2c15f..23aaa26e38 100644
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.3 2016/12/12 20:10:04 schwarze Exp $
+.\" $OpenBSD: OCSP_resp_find_status.3,v 1.4 2016/12/12 22:48:02 schwarze Exp $
 .\" OpenSSL c952780c Jun 21 07:03:34 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -362,6 +362,7 @@ returns the status of
 or -1 if an error occurred.
 .Sh SEE ALSO
 .Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_CRLID_new 3 ,
 .Xr OCSP_request_add1_nonce 3 ,
 .Xr OCSP_REQUEST_new 3 ,
 .Xr OCSP_response_status 3 ,
-- 
cgit v1.2.3-55-g6feb