authorDr. Stephen Henson <steve@openssl.org>2001-02-16 01:35:44 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-02-16 01:35:44 +0000
commita6b7ffddac43c0805d02e7236034308f39bcd183 (patch)
treeb2644cd3df4422d7981dafd66db1a529c9cc66d6 /crypto/x509v3
parentf30d34f3a8f6dbdf33d01967e2671bfa90552728 (diff)
New options to 'ca' utility to support CRL entry extensions.
Add relevant new X509V3 extensions. Add OIDs. Fix ASN1 memory leak code to pop info if external allocation used.
Diffstat (limited to 'crypto/x509v3')
-rw-r--r--crypto/x509v3/ext_dat.h7
-rw-r--r--crypto/x509v3/v3_lib.c2
-rw-r--r--crypto/x509v3/v3_ocsp.c28
3 files changed, 33 insertions, 4 deletions
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 62e80535b9..a6166f5745 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -60,9 +60,10 @@
extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+extern X509V3_EXT_METHOD v3_crl_hold;
/* This table will be searched using OBJ_bsearch so it *must* kept in
* order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
&v3_crld,
&v3_ext_ku,
&v3_crl_reason,
+&v3_crl_invdate,
&v3_sxnet,
&v3_info,
&v3_ocsp_nonce,
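Review bot: The slot chosen for `&v3_crl_invdate` in `standard_exts[]` (and for `&v3_crl_hold`, appended in the next hunk) is right only if NID_invalidity_date sorts between its neighbours' NIDs and NID_hold_instruction_code is larger than every other entry. Those NID values are defined outside this diff, so the ordering cannot be confirmed from here. The table comment says the array is searched with OBJ_bsearch, so a misplaced entry would presumably make the lookup miss at run time, and the CRL entry extension would be treated as unknown with no build error. A small self-test that walks the table and checks that each `ext_nid` is strictly greater than the previous one would catch this whenever an entry is added. The array definition starts and ends outside the hunk.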
@@ -96,7 +98,8 @@ static X509V3_EXT_METHOD *standard_exts[] = {
&v3_ocsp_accresp,
&v3_ocsp_nocheck,
&v3_ocsp_acutoff,
-&v3_ocsp_serviceloc
+&v3_ocsp_serviceloc,
+&v3_crl_hold
};
/* Number of standard extensions */
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index d8301a67bd..9ea59fb8f9 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -276,7 +276,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
if(!ext) {
X509V3err(X509V3_F_X509V3_ADD_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
- return -1;
+ return 0;
}
/* If extension exists replace it.. */
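Review bot: The return convention of X509V3_add1_i2d is not stated anywhere in the visible lines, and this hunk changes the extension-creation failure from `-1` to `0`. The function's other return statements are outside the hunk, so it cannot be checked here whether any path still returns -1. A caller written as `if(!X509V3_add1_i2d(...))` would take a remaining -1 for success and carry on with a CRL entry that lacks the extension. I would add a header comment such as `/* Returns 1 on success, 0 on error (reason pushed on the error queue) */`, adjusted to whatever the rest of the body actually returns, and make any remaining failure path agree with it.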
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
index d21b6fbedb..c3e553afee 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/x509v3/v3_ocsp.c
@@ -63,11 +63,12 @@
#include <openssl/ocsp.h>
#include <openssl/x509v3.h>
-/* OCSP extensions.
+/* OCSP extensions and a couple of CRL entry extensions
*/
static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
static void *ocsp_nonce_new(void);
static int i2d_ocsp_nonce(void *a, unsigned char **pp);
@@ -97,6 +98,24 @@ X509V3_EXT_METHOD v3_ocsp_acutoff = {
NULL
};
+X509V3_EXT_METHOD v3_crl_invdate = {
+ NID_invalidity_date, 0, &ASN1_GENERALIZEDTIME_it,
+ 0,0,0,0,
+ 0,0,
+ 0,0,
+ i2r_ocsp_acutoff,0,
+ NULL
+};
+
+X509V3_EXT_METHOD v3_crl_hold = {
+ NID_hold_instruction_code, 0, &ASN1_OBJECT_it,
+ 0,0,0,0,
+ 0,0,
+ 0,0,
+ i2r_object,0,
+ NULL
+};
+
X509V3_EXT_METHOD v3_ocsp_nonce = {
NID_id_pkix_OCSP_Nonce, 0, NULL,
ocsp_nonce_new,
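Review bot: The two new tables `v3_crl_invdate` and `v3_crl_hold` are written as rows of bare zeros with no comment, so it takes a look at the struct declaration to see that only the i2r (print) slot is populated. That means the invalidity date and hold instruction code can be displayed through the extension table but not built from a config string through it, which appears to be why the commit message mentions separate 'ca' options. A one-line comment above them would record that, for example `/* CRL entry extensions: print-only here, no s2i/v2i/r2i handlers */`. `v3_crl_invdate` also borrows `i2r_ocsp_acutoff` as its printer, which is worth a short remark since the name suggests it is specific to OCSP. The `v3_ocsp_nonce` definition at the end of the hunk continues outside it.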
@@ -161,6 +180,13 @@ static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, in
}
+static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+{
+ if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+ if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+ return 1;
+}
+
/* OCSP nonce. This is needs special treatment because it doesn't have
* an ASN1 encoding at all: it just contains arbitrary data.
*/
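Review bot: In the new `i2r_object`, both result checks use `!` on functions that report errors with a negative value and otherwise return a byte count. `!BIO_printf(bp, "%*s", ind, "")` is true when `ind` is 0, because zero bytes are written, so a caller passing no indent would get a failure and the OID would never be printed. A write error of -1 is not caught by either check, so the function returns 1 on a broken BIO. I would change the two lines to `if (BIO_printf(bp, "%*s", ind, "") < 0) return 0;` and `if (i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;`. `i2r_ocsp_acutoff`, whose body is outside this hunk and which `v3_crl_invdate` reuses, may need the same review.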