MINOR: ssl: Add helper function that extracts an OCSP URI from a certificate
This function extracts the first OCSP URI (if any) contained in a
certificate. It only takes the first of potentially multiple URIs.
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 5832662..b71eb3a 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -87,6 +87,7 @@
unsigned int ssl_sock_get_verify_result(struct connection *conn);
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err);
#endif
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 59fc93d..69ae3e9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1141,8 +1141,40 @@
return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
}
-#endif
+
+/*
+ * Extract the first OCSP URI (if any) contained in <cert> and write it into
+ * <out>.
+ * Returns 0 in case of success, 1 otherwise.
+ */
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err)
+{
+ STACK_OF(OPENSSL_STRING) *ocsp_uri_stk = NULL;
+ int ret = 1;
+
+ if (!cert || !out)
+ goto end;
+
+ ocsp_uri_stk = X509_get1_ocsp(cert);
+ if (ocsp_uri_stk == NULL) {
+ memprintf(err, "%sNo OCSP URL stack!\n", *err ? *err : "");
+ goto end;
+ }
+
+ chunk_strcpy(out, sk_OPENSSL_STRING_value(ocsp_uri_stk, 0));
+ if (b_data(out) == 0) {
+ memprintf(err, "%sNo OCSP URL!\n", *err ? *err : "");
+ goto end;
+ }
+
+ ret = 0;
+
+end:
+ X509_email_free(ocsp_uri_stk);
+ return ret;
+}
+#endif /* defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP */
/*
* Initialize an HMAC context <hctx> using the <key> and <md> parameters.