From 47a4f1239d4571bcac2e8cc444db465b0e962d95 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 20 Dec 2022 11:11:04 +0100
Subject: [PATCH] MINOR: ssl: Add helper function that extracts an OCSP URI from a certificate
This function extracts the first OCSP URI (if any) contained in a certificate. It only takes the first of potentially multiple URIs.
---
 include/haproxy/ssl_sock.h | 1 +
 src/ssl_sock.c | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 583266247a..b71eb3a2f5 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -87,6 +87,7 @@ int ssl_sock_get_pkey_algo(struct connection *conn, struct buffer *out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err);
 #endif
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 59fc93dd24..69ae3e9db3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1141,8 +1141,40 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
 	return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
 }
-#endif
+/*
+ * Extract the first OCSP URI (if any) contained in and write it into
+ * .
+ * Returns 0 in case of success, 1 otherwise.
+ */
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err)
+{
+	STACK_OF(OPENSSL_STRING) *ocsp_uri_stk = NULL;
+	int ret = 1;
+	if (!cert || !out)
+		goto end;
+	ocsp_uri_stk = X509_get1_ocsp(cert);
+	if (ocsp_uri_stk == NULL) {
+		memprintf(err, "%sNo OCSP URL stack!\n", *err ? *err : "");
+		goto end;
+	}
+	chunk_strcpy(out, sk_OPENSSL_STRING_value(ocsp_uri_stk, 0));
+	if (b_data(out) == 0) {
+		memprintf(err, "%sNo OCSP URL!\n", *err ? *err : "");
+		goto end;
+	}
+	ret = 0;
+end:
+	X509_email_free(ocsp_uri_stk);
+	return ret;
+}
+#endif /* defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP */
 /*
  * Initialize an HMAC context using the and parameters.
--
2.47.2
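Review bot: The return value of chunk_strcpy() is ignored on the `chunk_strcpy(out, sk_OPENSSL_STRING_value(ocsp_uri_stk, 0));` line; in HAProxy chunk_strcpy() returns 0 and leaves the chunk untouched when the string does not fit in `out->size`, so an over-long OCSP URI is reported as "No OCSP URL!" when `out` was empty, or, if `out` arrived with data already in it, reported as success with stale contents. The fit check should be explicit rather than inferred from b_data(): `if (!chunk_strcpy(out, sk_OPENSSL_STRING_value(ocsp_uri_stk, 0))) { memprintf(err, "%sOCSP URL too long!\n", *err ? *err : ""); goto end; }`. The URI comes straight from the certificate's AIA extension and is not validated here, and if X509_get1_ocsp() can ever hand back a stack with no element, sk_OPENSSL_STRING_value() presumably returns NULL and chunk_strcpy() would dereference it, so a NULL check on the value before the copy is cheap insurance. The early `if (!cert || !out) goto end;` also returns 1 without setting `err`, unlike the other failure paths; either add a memprintf() there or state in the header comment that `err` may be left untouched on failure.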