ok beck@

> On Nov 23, 2021, at 21:14, Theo Buehler <[email protected]> wrote:
> 
> Two small diffs now that beck has linked the certificate transparency
> code to the build.
> 
> The diff for ext_dat.h links the CT methods to the standard extensions.
> This replaces the gibberish from the CT extensions which are now present
> in most certs with something readable. Try
> 
> $ openssl s_client -connect libressl.org:443 | openssl x509 -noout -text
> 
> The diff for ct_prn makes sure that the timestamp is actually printed.
> Our ASN1_GENERALIZEDTIME_set_string() does not accept fractional
> seconds, so don't feed them into it for printing.  eopenssl11 doesn't
> print the fractional sections either.
> 
> Index: x509/ext_dat.h
> ===================================================================
> RCS file: /cvs/src/lib/libcrypto/x509/ext_dat.h,v
> retrieving revision 1.3
> diff -u -p -r1.3 ext_dat.h
> --- x509/ext_dat.h    2 Sep 2021 21:27:26 -0000    1.3
> +++ x509/ext_dat.h    16 Nov 2021 16:56:19 -0000
> @@ -73,6 +73,7 @@ extern X509V3_EXT_METHOD v3_crl_hold, v3
> extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
> extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
> extern const X509V3_EXT_METHOD v3_addr, v3_asid;
> +extern const X509V3_EXT_METHOD v3_ct_scts[3];
> 
> /* This table will be searched using OBJ_bsearch so it *must* kept in
>  * order of the ext_nid values.
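
Review bot: the declaration `extern const X509V3_EXT_METHOD v3_ct_scts[3];` is unconditional, while the table entries that use it in the next hunk are wrapped in `#ifndef OPENSSL_NO_CT`. Either guard the declaration the same way or drop the guard in the table so the two agree. A short comment naming the three elements would also help, since the bare 3 has to stay in sync with the array's definition.
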
> @@ -129,6 +130,11 @@ static const X509V3_EXT_METHOD *standard
>    &v3_idp,
>    &v3_alt[2],
>    &v3_freshest_crl,
> +#ifndef OPENSSL_NO_CT
> +    &v3_ct_scts[0],
> +    &v3_ct_scts[1],
> +    &v3_ct_scts[2],
> +#endif
> };
> 
> /* Number of standard extensions */
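
Review bot: the three `&v3_ct_scts[...]` entries are appended after `&v3_freshest_crl`, but the comment above the table says it is searched using OBJ_bsearch and must be kept in order of the ext_nid values. Please confirm, ideally in the commit message, that the ext_nid values of elements 0, 1 and 2 are ascending and all sort after that of v3_freshest_crl; an out-of-order entry would make the binary search miss the extension without any build error.
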
> Index: ct/ct_prn.c
> ===================================================================
> RCS file: /cvs/src/lib/libcrypto/ct/ct_prn.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 ct_prn.c
> --- ct/ct_prn.c    20 Nov 2021 01:10:49 -0000    1.3
> +++ ct/ct_prn.c    21 Nov 2021 15:32:56 -0000
> @@ -71,8 +71,7 @@ timestamp_print(uint64_t timestamp, BIO 
>     * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
>     * characters long with a final Z. Update it with fractional seconds.
>     */
> -    snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
> -        ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000));
> +    snprintf(genstr, sizeof(genstr), "%.14sZ", ASN1_STRING_get0_data(gen));
>    if (ASN1_GENERALIZEDTIME_set_string(gen, genstr))
>        ASN1_GENERALIZEDTIME_print(out, gen);
>    ASN1_GENERALIZEDTIME_free(gen);
> 
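
Review bot: the comment left above the changed snprintf still ends with "Update it with fractional seconds.", which the new `"%.14sZ"` format no longer does, so it should be reworded or dropped. Since that same comment says the string is always 15 characters long with a final Z, the new snprintf reproduces what gen already holds, so the genstr copy and the ASN1_GENERALIZEDTIME_set_string() call look redundant and gen could be passed to ASN1_GENERALIZEDTIME_print() directly.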
