From 05a0a1dba7994fdef90dfd8a92c2dc888fa0ce9a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?= <felix@dogcraft.de>
Date: Fri, 26 May 2017 11:33:30 +0000
Subject: [PATCH] add: handle the 'noOCSP' feature in the include section

Change-Id: I4b1b92796f7c021c847ba45f67291bc1d5b78860
---
 src/config.cpp       | 14 ++++++++++++++
 src/crypto/X509.cpp  |  2 +-
 src/crypto/sslUtil.h |  2 ++
 test/genTestData.sh  |  1 +
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/config.cpp b/src/config.cpp
index ccd2f24..8b17596 100644
--- a/src/config.cpp
+++ b/src/config.cpp
@@ -92,6 +92,20 @@ int parseProfiles() {
         prof.id = std::stoi( id );
         prof.eku = map->at( "eku" );
         prof.ku = map->at( "ku" );
+        {
+            std::string include = map->at( "include" );
+            size_t pos = 0;
+            size_t end = 0;
+            std::unordered_set<std::string> include_set;
+
+            while( ( end = include.find( ",", pos ) ) != std::string::npos ) {
+                include_set.emplace( include.substr( pos, end - pos ) );
+                pos = end + 1;
+            }
+
+            include_set.emplace( include.substr( pos ) );
+            prof.include = include_set;
+        }
         prof.maxValidity = std::stoi( map->at( "days" ) ) * /* DAYS */24 * 60 * 60;
 
 
diff --git a/src/crypto/X509.cpp b/src/crypto/X509.cpp
index 9c2ed9a..3d0efbc 100644
--- a/src/crypto/X509.cpp
+++ b/src/crypto/X509.cpp
@@ -185,7 +185,7 @@ void X509Cert::setExtensions( std::shared_ptr<X509> caCert, std::vector<std::sha
     std::string ku = std::string( "critical," ) + prof.ku;
     add_ext( caCert, target, NID_key_usage, ku.c_str() );
     add_ext( caCert, target, NID_ext_key_usage, prof.eku.c_str() );
-    add_ext( caCert, target, NID_info_access, ( ( ocspPath.empty() ? "" : "OCSP;URI:" + ocspPath + "," ) + "caIssuers;URI:" + crtURL ).c_str() );
+    add_ext( caCert, target, NID_info_access, ( ( ocspPath.empty() || prof.include.find( "noOCSP" ) != prof.include.end() ? "" : "OCSP;URI:" + ocspPath + "," ) + "caIssuers;URI:" + crtURL ).c_str() );
     add_ext( caCert, target, NID_crl_distribution_points, ( "URI:" + crlURL ).c_str() );
 
     if( sans.empty() ) {
diff --git a/src/crypto/sslUtil.h b/src/crypto/sslUtil.h
index 2ecba42..f0eaaf6 100644
--- a/src/crypto/sslUtil.h
+++ b/src/crypto/sslUtil.h
@@ -6,6 +6,7 @@
 #include <vector>
 #include <cinttypes>
 #include <ctime>
+#include <unordered_set>
 
 #include <openssl/ssl.h>
 
@@ -34,6 +35,7 @@ struct Profile {
 
     std::vector<std::shared_ptr<CAConfig>> ca;
     std::time_t maxValidity;
+    std::unordered_set<std::string> include;
     std::shared_ptr<CAConfig> getCA() {
         std::shared_ptr<CAConfig> min = nullptr;
 
diff --git a/test/genTestData.sh b/test/genTestData.sh
index 9b175f9..0de15bd 100755
--- a/test/genTestData.sh
+++ b/test/genTestData.sh
@@ -26,6 +26,7 @@ ca=unassured
 eku=
 ku=
 days=10
+include=
 EOF
 
 mkdir -p ca/unassured_2015_2
-- 
2.39.2