From 0fdf13d3964173c3c34b3a85cfc86fcc72c341b8 Mon Sep 17 00:00:00 2001
From: samuel40791765
Date: Fri, 27 Sep 2024 22:42:57 +0000
Subject: [PATCH 1/3] align bignum_to_string bit limitation with OpenSSL

---
 crypto/x509/v3_utl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 47f412993e..a4287b2865 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -172,7 +172,7 @@ static char *bignum_to_string(const BIGNUM *bn) {
   // Display large numbers in hex and small numbers in decimal. Converting to
   // decimal takes quadratic time and is no more useful than hex for large
   // numbers.
-  if (BN_num_bits(bn) < 32) {
+  if (BN_num_bits(bn) < 128) {
     return BN_bn2dec(bn);
   }

From 3e9f334ac882c9751f9a16bc3a0e470b3795acb7 Mon Sep 17 00:00:00 2001
From: samuel40791765
Date: Fri, 27 Sep 2024 22:54:23 +0000
Subject: [PATCH 2/3] no-op defines for Ruby

---
 crypto/x509/v3_utl.c | 1 +
 crypto/x509/x509_test.cc | 6 ++++--
 include/openssl/ocsp.h | 7 +++++++
 include/openssl/x509.h | 4 ++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index a4287b2865..584bb49e2f 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -172,6 +172,7 @@ static char *bignum_to_string(const BIGNUM *bn) {
   // Display large numbers in hex and small numbers in decimal. Converting to
   // decimal takes quadratic time and is no more useful than hex for large
   // numbers.
+  // The threshold for large numbers is set at 128 bits to align with OpenSSL.
   if (BN_num_bits(bn) < 128) {
     return BN_bn2dec(bn);
   }
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 313141e5e8..05f4a3e91e 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
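Review bot: The cutoff `128` in the new condition is a bare literal, and the second `bignum_to_string` hunk in this series repeats the same value in prose (`// The threshold ... 128 bits ...`), so the comment and the code can drift apart independently. A file-scope constant next to the function, used in both places — e.g. `enum { kBignumDecimalBitLimit = 128 };` (name constructed here) and `if (BN_num_bits(bn) < kBignumDecimalBitLimit) {` — keeps them tied together. Since `BN_num_bits` measures the magnitude, a negative value of the same size takes the same branch; a short note to that effect would explain why the tests later in this series pair each value with its negative. The hex branch of `bignum_to_string` lies outside both hunks, and the `@@ -172,7 +172,7 @@` header counts seven lines while only six survive in this rendering, presumably a trailing blank context line lost when the patch was collapsed.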
@@ -3190,9 +3190,11 @@ TEST(X509Test, PrettyPrintIntegers) {
       "-42",
       "256",
       "-256",
+      "4886718345",
+      "-4886718345",
       // Large numbers are pretty-printed in hex to avoid taking quadratic time.
-      "0x0123456789",
-      "-0x0123456789",
+      "0x0123456789012345678901234567890123456789",
+      "-0x0123456789012345678901234567890123456789",
   };
   for (const char *in : kTests) {
     SCOPED_TRACE(in);
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 2f7d249f62..ea99f314d2 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -39,6 +39,10 @@ extern "C" {
 // aACompromise (10) }
 //
 // Reason Code RFC: https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1
+//
+// Note: OCSP_REVOKED_STATUS_NOSTATUS is defined by OpenSSL and is not defined
+// within the RFC.
+#define OCSP_REVOKED_STATUS_NOSTATUS -1
 #define OCSP_REVOKED_STATUS_UNSPECIFIED 0
 #define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
 #define OCSP_REVOKED_STATUS_CACOMPROMISE 2
@@ -58,6 +62,9 @@ extern "C" {
 // Certificates included within |bs| or |req| will be included in the
 // search for the signing certificate by default, unless |OCSP_NOINTERN| is set.
 #define OCSP_NOINTERN 0x2
+// OCSP_NOSIGS does nothing. In OpenSSL, this skips signature verification in
+// |OCSP_basic_verify| and |OCSP_request_verify|.
+#define OCSP_NOSIGS
 // OCSP_NOCHAIN is for |OCSP_basic_verify| and |OCSP_request_verify|.
 // For |OCSP_basic_verify|, certificates in both |certs| and in |bs| are
 // considered as certificates for the construction of the validation path for
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 31a24b140a..0aea0cbd6b 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
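Review bot: The new cases pin a 33-bit value (`4886718345` = 0x123456789) to decimal and a 153-bit value to hex, but nothing exercises the 127/128-bit boundary that the changed `BN_num_bits(bn) < 128` condition introduces, so an off-by-one in the cutoff would still pass. Adding the largest decimal-printed value and the smallest hex-printed one, with their negative counterparts, would pin it: `"170141183460469231731687303715884105727",` (2^127 − 1, 127 bits) and `"0x80000000000000000000000000000000",` (2^127, 128 bits); these expected strings assume the loop round-trips each input through the pretty-printer and that the hex form is printed as whole bytes, which I infer from the existing even-length hex cases rather than see here. The same gap remains in the [PATCH 3/3] hunk that shrinks the hex case to 129 bits. `kTests` and the loop body continue outside the hunk.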
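Review bot: `OCSP_REVOKED_STATUS_NOSTATUS` is the only reason code in this list that is negative, and it is defined without parentheses; `#define OCSP_REVOKED_STATUS_NOSTATUS (-1)` keeps it safe inside larger expressions. The added comment explains where the name comes from but not when AWS-LC produces the value; presumably it is meant for the reason output of the OCSP status lookup when no CRL reason is present, and if AWS-LC reports something else in that case (I can't see that code from here), a caller ported from OpenSSL would compare against a value it never receives. One sentence stating what AWS-LC actually returns when no reason is present would close that gap.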
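Review bot: `#define OCSP_NOSIGS` expands to nothing, so it cannot be used as a flag value the way its neighbour `OCSP_NOINTERN 0x2` is: `OCSP_basic_verify(bs, certs, store, OCSP_NOSIGS)` or `flags & OCSP_NOSIGS` becomes a syntax error, and an `INT2NUM(OCSP_NOSIGS)`-style binding, which I take to be the Ruby use this series targets, would fail to compile. Giving it an integer value keeps it inert while staying usable in expressions: `#define OCSP_NOSIGS 0`. Because AWS-LC ignores the flag, a caller porting from OpenSSL that relied on it (e.g. fixtures with unsigned responses) now gets signature verification anyway — the safer direction, but the comment should say so explicitly: `// AWS-LC always verifies signatures; passing OCSP_NOSIGS has no effect.`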
@@ -2906,6 +2906,10 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,
 // X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for
 // validating code signing certificates.
 #define X509_TRUST_OBJECT_SIGN 5
+// X509_TRUST_OCSP_SIGN does nothing. It's unused in OpenSSL and AWS-LC.
+#define X509_TRUST_OCSP_SIGN 6
+// X509_TRUST_OCSP_REQUEST does nothing. It's unused in OpenSSL and AWS-LC.
+#define X509_TRUST_OCSP_REQUEST 7
 // X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating
 // Time Stamping Authority (RFC 3161) certificates.
 #define X509_TRUST_TSA 8

From a4b97fd6f4b90b82abdd8f3a0f7a5c23368bef5e Mon Sep 17 00:00:00 2001
From: samuel40791765
Date: Mon, 30 Sep 2024 21:24:54 +0000
Subject: [PATCH 3/3] use 33 bit number for testing

---
 crypto/x509/x509_test.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 05f4a3e91e..4a9a1191dc 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -3193,8 +3193,8 @@ TEST(X509Test, PrettyPrintIntegers) {
       "4886718345",
       "-4886718345",
       // Large numbers are pretty-printed in hex to avoid taking quadratic time.
-      "0x0123456789012345678901234567890123456789",
-      "-0x0123456789012345678901234567890123456789",
+      "0x0123456789012345678901234567890123",
+      "-0x0123456789012345678901234567890123",
   };
   for (const char *in : kTests) {
     SCOPED_TRACE(in);
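Review bot: `X509_TRUST_OCSP_SIGN` and `X509_TRUST_OCSP_REQUEST` are documented as doing nothing, but the comment does not say what happens when one of them is handed to `X509_VERIFY_PARAM_set_trust`: whether the call fails as an unknown trust id, or succeeds and falls back to the default trust evaluation. I can't see the trust table from here, so that behaviour should be confirmed and then stated next to the defines, e.g. `// Passing either value to X509_VERIFY_PARAM_set_trust is accepted and evaluates as the default trust.` or the rejecting equivalent. The distinction matters to a caller porting from OpenSSL: silently getting default semantics after asking for an OCSP-specific trust setting is a different outcome from an error they can handle.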