From da968f69c7b25f0b3412713d5aa4249ffdcd0188 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Thu, 10 Jun 2021 13:51:14 +0200
Subject: [PATCH] MINOR: ssl: Add the OCSP entry key when displaying the details of a certificate
This patch adds an "OCSP Response Key" information in the output of a "show ssl cert " call. The key can then be used in a "show ssl ocsp-response " CLI command.
---
 src/ssl_ckch.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 55636cc..071f45a 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1478,6 +1478,80 @@ end:
 return 0;
 }
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+/*
+ * Build the OCSP tree entry's key for a given ckch_store.
+ * Returns a negative value in case of error.
+ */
+static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[128], unsigned int *key_length)
+{
+ OCSP_RESPONSE *resp;
+ OCSP_BASICRESP *bs = NULL;
+ OCSP_SINGLERESP *sr;
+ OCSP_CERTID *id;
+ unsigned char *p = NULL;
+
+ if (!key_length)
+ return -1;
+
+ *key_length = 0;
+
+ if (!ckch_store->ckch->ocsp_response)
+ return 0;
+
+ p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
+
+ resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
+ ckch_store->ckch->ocsp_response->data);
+ if (!resp) {
+ goto end;
+ }
+
+ bs = OCSP_response_get1_basic(resp);
+ if (!bs) {
+ goto end;
+ }
+
+ sr = OCSP_resp_get0(bs, 0);
+ if (!sr) {
+ goto end;
+ }
+
+ id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
+
+ p = certid;
+ *key_length = i2d_OCSP_CERTID(id, &p);
+
+end:
+ return *key_length > 0;
+}
+#endif
+
+/*
+ * Dump the OCSP certificate key (if it exists) of certificate into
+ * buffer .
+ * Returns 0 in case of success.
+ */
+static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
+{
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+ unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
+ unsigned int key_length = 0;
+ int i;
+
+ if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
+ /* Dump the CERTID info */
+ chunk_appendf(out, "OCSP Response Key: ");
+ for (i = 0; i < key_length; ++i) {
+ chunk_appendf(out, "%02x", key[i]);
+ }
+ chunk_appendf(out, "\n");
+ }
+#endif
+
+ return 0;
+}
+
 /* IO handler of the details "show ssl cert " */
 static int cli_io_handler_show_cert_detail(struct appctx *appctx)
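Review bot: `i2d_OCSP_CERTID(id, &p)` in ckch_store_build_certid encodes into the caller's fixed `certid[128]` stack buffer without first checking that the DER form fits, and its `int` result is stored straight into the `unsigned int *key_length`, so a negative i2d return becomes a huge length that the caller's `%02x` loop then reads far past the 128-byte buffer. The same function also never frees `resp` from d2i_OCSP_RESPONSE() nor `bs` from OCSP_response_get1_basic() (a "get1" reference the caller owns), so every `show ssl cert` on a store carrying an OCSP response leaks both objects. The response bytes are presumably operator-loaded (file or CLI) rather than remote, which limits exposure, but the encoding length still depends on the issuer hash and serial inside that response and should be bounded here rather than assumed. I would size the encoding with a NULL-buffer i2d call and compare it against OCSP_MAX_CERTID_ASN1_LENGTH before writing, free both objects on the shared exit path, return -1 on any failure, and have ckch_store_show_ocsp_certid test `> 0` instead of `>= 0` so that "OCSP Response Key: " is not printed with an empty value when there is no response or it fails to parse.
```c
static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
{
	OCSP_RESPONSE *resp = NULL;
	OCSP_BASICRESP *bs = NULL;
	OCSP_SINGLERESP *sr;
	OCSP_CERTID *id;
	unsigned char *p = NULL;
	int len;
	int ret = -1;

	/* … unchanged: key_length NULL check, *key_length = 0, return 0 when no ocsp_response, d2i_OCSP_RESPONSE / get1_basic / resp_get0 calls with goto end on NULL … */

	id = (OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sr);

	/* Size the DER encoding before writing: the CERTID comes from the loaded
	 * response, so it is not guaranteed to fit the caller's fixed buffer. */
	len = i2d_OCSP_CERTID(id, NULL);
	if (len <= 0 || len > OCSP_MAX_CERTID_ASN1_LENGTH)
		goto end;

	p = certid;
	len = i2d_OCSP_CERTID(id, &p);
	if (len <= 0)
		goto end;

	*key_length = (unsigned int)len;
	ret = 1;

end:
	/* d2i_ and get1_basic() both hand back references we own; free(NULL) is a no-op */
	OCSP_BASICRESP_free(bs);
	OCSP_RESPONSE_free(resp);
	return ret;
}
```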
@@ -1509,6 +1583,8 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
 else if (retval)
 goto end;
+ ckch_store_show_ocsp_certid(ckchs, out);
+
 end:
 if (ci_putchk(si_ic(si), out) == -1) {
 si_rx_room_blk(si);
--
1.7.10.4