From cf61b97d5fb9208ac254e999d86b1cf40c12b442 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 23 Sep 2020 09:43:43 +0200
Subject: [PATCH] Generate a certificate with critical id-pkix-ocsp-nocheck extension

Reviewed-by: David von Oheimb
(Merged from https://github.com/openssl/openssl/pull/12947)
---
 test/certs/mkcert.sh | 36 +++++++++++++++++++++++++++++++++++-
 test/certs/setup.sh | 3 +++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index 32fd5874d9f..a564e30c6bc 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -233,6 +233,40 @@ genee() {
 -set_serial 2 -days "${DAYS}" "$@"
 }
 
+geneeextra() {
+ local OPTIND=1
+ local purpose=serverAuth
+
+ while getopts p: o
+ do
+ case $o in
+ p) purpose="$OPTARG";;
+ *) echo "Usage: $0 geneeextra [-p EKU] cn keyname certname cakeyname cacertname extraext" >&2
+ return 1;;
+ esac
+ done
+
+ shift $((OPTIND - 1))
+ local cn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local ca=$1; shift
+ local extraext=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer" \
+ "basicConstraints = CA:false" \
+ "extendedKeyUsage = $purpose" \
+ "subjectAltName = @alts"\
+ "$extraext" "DNS=${cn}")
+ csr=$(req "$key" "CN = $cn") || return 1
+ echo "$csr" |
+ cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}" "$@"
+}
+
 geneenocsr() {
 local OPTIND=1
 local purpose=serverAuth
@@ -241,7 +275,7 @@ geneenocsr() {
 do
 case $o in
 p) purpose="$OPTARG";;
- *) echo "Usage: $0 genee [-p EKU] cn certname cakeyname cacertname" >&2
+ *) echo "Usage: $0 geneenocsr [-p EKU] cn certname cakeyname cacertname" >&2
 return 1;;
 esac
 done
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index ee3d678219b..58d824ee266 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
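Review bot: geneeextra never checks that all six positional arguments are present, so a call that omits `extraext` still proceeds: `local extraext=$1; shift` yields an empty string and the printf emits a blank line where the extension should be. The `cert` helper is outside this hunk, but it presumably then issues an ordinary leaf without the critical extension this fixture exists to carry, and a test built on it would pass or fail for the wrong reason. After `shift $((OPTIND - 1))` I would add `[ $# -ge 6 ] || { echo "geneeextra: missing argument" >&2; return 1; }`. Separately, `exts` and `csr` are assigned without `local` and leak into the caller's scope; that may mirror the neighbouring helpers, whose bodies are not visible here.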
@@ -400,3 +400,6 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \
 root-ed448-key root-ed448-cert
 OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
 server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
+
+# Cert with id-pkix-ocsp-no-check
+./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
--
2.47.2
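Review bot: The comment above the new geneeextra call, `# Cert with id-pkix-ocsp-no-check`, omits the two things that make this fixture unusual: the extension is marked critical, and its value `DER:05:00` is an ASN.1 NULL. RFC 6960 spells the name id-pkix-ocsp-nocheck (as the commit subject does) and says the extension should be non-critical, so the critical flag looks deliberate and should be stated for whoever regenerates these certificates. I would write `# EE cert with a critical id-pkix-ocsp-nocheck extension (1.3.6.1.5.5.7.48.1.5, value ASN.1 NULL); RFC 6960 recommends non-critical, so this exercises critical-extension handling`.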