Upgrade chrome's OpenSSL to same version Android ships with.

openssl/doc/apps/x509v3_config.pod

 =pod
 
 =for comment openssl_manual_section:5
 
 =head1 NAME
 
 x509v3_config - X509 V3 certificate extension configuration format
 
 =head1 DESCRIPTION
 
@@ skipping 34 matching lines @@
  pathlen=1
 
 Both forms are equivalent.
 
 The syntax of raw extensions is governed by the extension code: it can
 for example contain data in multiple sections. The correct syntax to
 use is defined by the extension code itself: check out the certificate
 policies extension for an example.
 
 If an extension type is unsupported then the I<arbitrary> extension syntax
-must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
+must be used, see the L<ARBITRARY EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
 
 =head1 STANDARD EXTENSIONS
 
 The following sections describe each supported extension in detail.
 
 =head2 Basic Constraints.
 
 This is a multi valued extension which indicates whether a certificate is
 a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
 B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an
@@ skipping 105 matching lines @@
 the extension.
 
 The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.
 
 The value of B<dirName> should point to a section containing the distinguished
 name to use as a set of name value pairs. Multi values AVAs can be formed by
 preceeding the name with a B<+> character.
 
 otherName can include arbitrary data associated with an OID: the value
 should be the OID followed by a semicolon and the content in standard
-ASN1_generate_nconf() format.
+L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format.
 
 Examples:
 
  subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
  subjectAltName=IP:192.168.7.1
  subjectAltName=IP:13::17
  subjectAltName=email:my@other.address,RID:1.2.3.4
  subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
 
  subjectAltName=dirName:dir_sect
@@ skipping 27 matching lines @@
 certain values are meaningful, for example OCSP and caIssuers.
 
 Example:
 
  authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
  authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
 
 
 =head2 CRL distribution points.
 
-This is a multi-valued extension that supports all the literal options of
-subject alternative name. Of the few software packages that currently interpret
-this extension most only interpret the URI option.
+This is a multi-valued extension whose options can be either in name:value pair
+using the same form as subject alternative name or a single value representing
+a section name containing all the distribution point fields.
 
-Currently each option will set a new DistributionPoint with the fullName
-field set to the given value.
+For a name:value pair a new DistributionPoint with the fullName field set to
+the given value both the cRLissuer and reasons fields are omitted in this case.
 
-Other fields like cRLissuer and reasons cannot currently be set or displayed:
-at this time no examples were available that used these fields.
+In the single option case the section indicated contains values for each
+field. In this section:
 
-Examples:
+If the name is "fullname" the value field should contain the full name
+of the distribution point in the same format as subject alternative name.
+
+If the name is "relativename" then the value field should contain a section
+name whose contents represent a DN fragment to be placed in this field.
+
+The name "CRLIssuer" if present should contain a value for this field in
+subject alternative name format.
+
+If the name is "reasons" the value field should consist of a comma
+separated field containing the reasons. Valid reasons are: "keyCompromise",
+"CACompromise", "affiliationChanged", "superseded", "cessationOfOperation",
+"certificateHold", "privilegeWithdrawn" and "AACompromise".
+
+
+Simple examples:
 
  crlDistributionPoints=URI:http://myhost.com/myca.crl
  crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
 
+Full distribution point example:
+
+ crlDistributionPoints=crldp1_section
+
+ [crldp1_section]
+
+ fullname=URI:http://myhost.com/myca.crl
+ CRLissuer=dirName:issuer_sect
+ reasons=keyCompromise, CACompromise
+
+ [issuer_sect]
+ C=UK
+ O=Organisation
+ CN=Some Name
+
+=head2 Issuing Distribution Point
+
+This extension should only appear in CRLs. It is a multi valued extension
+whose syntax is similar to the "section" pointed to by the CRL distribution
+points extension with a few differences.
+
+The names "reasons" and "CRLissuer" are not recognized.
+
+The name "onlysomereasons" is accepted which sets this field. The value is
+in the same format as the CRL distribution point "reasons" field.
+
+The names "onlyuser", "onlyCA", "onlyAA" and "indirectCRL" are also accepted
+the values should be a boolean value (TRUE or FALSE) to indicate the value of
+the corresponding field.
+
+Example:
+
+ issuingDistributionPoint=critical, @idp_section
+
+ [idp_section]
+
+ fullname=URI:http://myhost.com/myca.crl
+ indirectCRL=TRUE
+ onlysomereasons=keyCompromise, CACompromise
+
+ [issuer_sect]
+ C=UK
+ O=Organisation
+ CN=Some Name
+
+ 
 =head2 Certificate Policies.
 
 This is a I<raw> extension. All the fields of this extension can be set by
 using the appropriate syntax.
 
 If you follow the PKIX recommendations and just using one OID then you just
 include the value of that OID. Multiple OIDs can be set separated by commas,
 for example:
 
  certificatePolicies= 1.2.4.5, 1.1.3.4
@@ skipping 68 matching lines @@
 is not supported and the B<IP> form should consist of an IP addresses and 
 subnet mask separated by a B</>.
 
 Examples:
 
  nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
 
  nameConstraints=permitted;email:.somedomain.com
 
  nameConstraints=excluded;email:.com
+issuingDistributionPoint = idp_section
+
+=head2 OCSP No Check
+
+The OCSP No Check extension is a string extension but its value is ignored.
+
+Example:
+
+ noCheck = ignored
+
 
 =head1 DEPRECATED EXTENSIONS
 
 The following extensions are non standard, Netscape specific and largely
 obsolete. Their use in new applications is discouraged.
 
 =head2 Netscape String extensions.
 
 Netscape Comment (B<nsComment>) is a string extension containing a comment
 which will be displayed when the certificate is viewed in some browsers.
@@ skipping 21 matching lines @@
 =head1 ARBITRARY EXTENSIONS
 
 If an extension is not supported by the OpenSSL code then it must be encoded
 using the arbitrary extension format. It is also possible to use the arbitrary
 format for supported extensions. Extreme care should be taken to ensure that
 the data is formatted correctly for the given extension type.
 
 There are two ways to encode arbitrary extensions.
 
 The first way is to use the word ASN1 followed by the extension content
-using the same syntax as ASN1_generate_nconf(). For example:
+using the same syntax as L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>.
+For example:
 
  1.2.3.4=critical,ASN1:UTF8String:Some random data
 
  1.2.3.4=ASN1:SEQUENCE:seq_sect
 
  [seq_sect]
 
  field1 = UTF8:field1
  field2 = UTF8:field2
 
@@ skipping 59 matching lines @@
 The X509v3 extension code was first added to OpenSSL 0.9.2.
 
 Policy mappings, inhibit any policy and name constraints support was added in
 OpenSSL 0.9.8
 
 The B<directoryName> and B<otherName> option as well as the B<ASN1> option
 for arbitrary extensions was added in OpenSSL 0.9.8
 
 =head1 SEE ALSO
 
-L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>,
+L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>
 
 
 =cut