openca / libpki

Easy-to-use high-level library for PKI-enabled applications

Add support for RFC6960's id-pkix-ocsp-extended-revoke #3

Closed vtsingaras closed 8 years ago

vtsingaras commented 9 years ago

This patch adds an extension to the basic response created that specifies that our OCSP responder knows of the RFC6960 new Extended Revocation status. For this reason we also supply a new libPKI API call, PKI_TIME_set, so the OCSP responder can set the revocation time to "1 January 1970".

https://tools.ietf.org/html/rfc6960#section-2.2

opencrypto commented 8 years ago

I added support for the extension here: https://github.com/openca/libpki/blob/master/src/openssl/pki_ocsp_resp.c#L214. Still not tested, though. This is better, as this extension should be used only when the OCSP responder is using the "extended" notion of revoked (i.e., also non-issued certs are reported to be revoked). However, since this is not the default behavior of the OCSPd (should be set << ... when that response contains a "revoked" status for a non-issued certificate>>), I prefer to be able to provide the choice in the library to generate responses that do not carry the extension. CRL-based OCSPds should not set this extension, as they are not aware whether a non-revoked (not present in the CRL) certificate was ever issued by the CA, AFAIK.
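As an added illustration of the behaviour both comments above describe (this is example code, not code from libpki or from either commenter), the following Python model contrasts a CA-database-backed responder operating in the RFC 6960 section 2.2 "extended revoked" mode with a CRL-based responder that cannot use that mode, and checks the rules for the id-pkix-ocsp-extended-revoke extension. The `Responder` class, its `issued`/`revoked` inputs, the `audit()` helper and the sample serial numbers are constructed for this example; the OID 1.3.6.1.5.5.7.48.1.9, the 1 January 1970 sentinel revocationTime, the certificateHold reason and the non-critical NULL-valued extension come from RFC 6960 sections 2.2 and 4.4.8.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# RFC 6960 section 4.4.8: id-pkix-ocsp-extended-revoke ::= { id-pkix-ocsp 9 }
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"
# RFC 6960 section 2.2: sentinel revocationTime for never-issued certificates
NON_ISSUED_REVOCATION_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)
REASON_CERTIFICATE_HOLD = 6  # the only reason allowed for a non-issued "revoked"


def encode_oid(oid: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def encode_extended_revoke_extension() -> bytes:
    """DER Extension { extnID, extnValue OCTET STRING { NULL } }; critical is omitted (DEFAULT FALSE)."""
    body = encode_oid(EXTENDED_REVOKE_OID) + bytes([0x04, 0x02, 0x05, 0x00])
    return bytes([0x30, len(body)]) + body


@dataclass
class SingleResponse:
    serial: int
    status: str  # "good" | "revoked" | "unknown"
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[int] = None


@dataclass
class BasicResponse:
    responses: List[SingleResponse] = field(default_factory=list)
    # responseExtensions as (oid, critical, der) triples; the extension MUST NOT go in singleExtensions
    response_extensions: List[Tuple[str, bool, bytes]] = field(default_factory=list)


@dataclass
class Responder:
    issued: Optional[Set[int]]  # None models a CRL-based responder with no issuance database
    revoked: Dict[int, Tuple[datetime, int]]  # serial -> (revocationTime, reason)
    extended_revoke: bool  # report never-issued serials as "revoked" (RFC 6960 sec 2.2)

    def __post_init__(self) -> None:
        # A CRL-only responder cannot tell "never issued" from "issued and not revoked".
        if self.issued is None and self.extended_revoke:
            raise ValueError("extended revoked mode requires knowledge of issued certificates")

    def respond(self, serials: List[int]) -> BasicResponse:
        resp = BasicResponse()
        for serial in serials:
            if serial in self.revoked:
                when, reason = self.revoked[serial]
                resp.responses.append(SingleResponse(serial, "revoked", when, reason))
            elif self.issued is None or serial in self.issued:
                resp.responses.append(SingleResponse(serial, "good"))
            elif self.extended_revoke:
                resp.responses.append(SingleResponse(serial, "revoked",
                                                     NON_ISSUED_REVOCATION_TIME, REASON_CERTIFICATE_HOLD))
            else:
                resp.responses.append(SingleResponse(serial, "unknown"))
        # Extension MUST be present when a non-issued cert is reported revoked and MAY be
        # present otherwise to advertise the mode; here an extended-mode responder always sets it.
        if self.extended_revoke:
            resp.response_extensions.append(
                (EXTENDED_REVOKE_OID, False, encode_extended_revoke_extension()))
        return resp


def audit(resp: BasicResponse) -> List[str]:
    """Return RFC 6960 violations found in a response (empty list when compliant)."""
    problems: List[str] = []
    critical = {oid: crit for oid, crit, _ in resp.response_extensions}
    has_ext = EXTENDED_REVOKE_OID in critical
    if has_ext and critical[EXTENDED_REVOKE_OID]:
        problems.append("id-pkix-ocsp-extended-revoke MUST NOT be marked critical")
    for sr in resp.responses:
        if sr.status == "revoked" and sr.revocation_time == NON_ISSUED_REVOCATION_TIME:
            if sr.revocation_reason not in (None, REASON_CERTIFICATE_HOLD):
                problems.append(f"serial {sr.serial}: reason for a non-issued cert must be certificateHold")
            if not has_ext:
                problems.append(f"serial {sr.serial}: non-issued 'revoked' without the extended-revoke extension")
    return problems


if __name__ == "__main__":
    # Constructed sample data: serials 1 and 2 were issued, 2 was later revoked, 3 never existed.
    revoked = {2: (datetime(2015, 6, 1, tzinfo=timezone.utc), 1)}
    for r in (Responder({1, 2}, revoked, True), Responder(None, revoked, False)):
        out = r.respond([1, 2, 3])
        print([(s.serial, s.status) for s in out.responses], "ext:", bool(out.response_extensions), audit(out))
```

The CRL-based responder answers "good" for serial 3 because, as the comment above notes, it has no way of knowing the serial was never issued; the database-backed responder in extended mode answers "revoked" with the 1970 sentinel and sets the extension so an auditor can tell the two kinds of answer apart. Relying parties should treat a 1970 revocationTime as a marker, not as a real revocation date.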