MINOR: ssl: Add helper function that extracts an OCSP URI from a certificate

author Remi Tricot-Le Breton <rlebreton@haproxy.com>

Tue, 20 Dec 2022 10:11:04 +0000 (11:11 +0100)

committer William Lallemand <wlallemand@haproxy.org>

Wed, 21 Dec 2022 10:21:07 +0000 (11:21 +0100)
author Remi Tricot-Le Breton <rlebreton@haproxy.com>
Tue, 20 Dec 2022 10:11:04 +0000 (11:11 +0100)
committer William Lallemand <wlallemand@haproxy.org>
Wed, 21 Dec 2022 10:21:07 +0000 (11:21 +0100)
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h

index 583266247ad8951f9b46cd5fea64ce9863a03683..b71eb3a2f57d1cb6c569a7758e41f84d86012957 100644 (file)
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -87,6 +87,7 @@ int ssl_sock_get_pkey_algo(struct connection *conn, struct buffer *out);
  unsigned int ssl_sock_get_verify_result(struct connection *conn);
  #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
  int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err);
  #endif
  #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
  int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c

index 59fc93dd24cfbc1300af7beb059126b7e5864a47..69ae3e9db3560004a7e57eb5e40f9e1427a87dce 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1141,8 +1141,40 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
         return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
  }
  
-#endif
  
+/*
+ * Extract the first OCSP URI (if any) contained in <cert> and write it into
+ * <out>.
+ * Returns 0 in case of success, 1 otherwise.
+ */
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err)
+{
+       STACK_OF(OPENSSL_STRING) *ocsp_uri_stk = NULL;
+       int ret = 1;
+
+       if (!cert || !out)
+               goto end;
+
+       ocsp_uri_stk = X509_get1_ocsp(cert);
+       if (ocsp_uri_stk == NULL) {
+               memprintf(err, "%sNo OCSP URL stack!\n", *err ? *err : "");
+               goto end;
+       }
+
+       chunk_strcpy(out, sk_OPENSSL_STRING_value(ocsp_uri_stk, 0));
+       if (b_data(out) == 0) {
+               memprintf(err, "%sNo OCSP URL!\n", *err ? *err : "");
+               goto end;
+       }
+
+       ret = 0;
+
+end:
+       X509_email_free(ocsp_uri_stk);
+       return ret;
+}
+
+#endif /* defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP */
  
  /*
   * Initialize an HMAC context <hctx> using the <key> and <md> parameters.
author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Tue, 20 Dec 2022 10:11:04 +0000 (11:11 +0100)
committer	William Lallemand <wlallemand@haproxy.org>
	Wed, 21 Dec 2022 10:21:07 +0000 (11:21 +0100)
include/haproxy/ssl_sock.h		patch \| blob \| blame \| history
src/ssl_sock.c		patch \| blob \| blame \| history