commit da968f69c7b25f0b3412713d5aa4249ffdcd0188
author Remi Tricot-Le Breton <rlebreton@haproxy.com> Thu Jun 10 13:51:14 2021 +0200
committer William Lallemand <wlallemand@haproxy.org> Thu Jun 10 16:44:11 2021 +0200
tree 9eb6c79105377fdf83c1c6ea04d303a1273c8fc3
parent d92fd11c77df0cfbdbe3806539a43544b24f5d74

MINOR: ssl: Add the OCSP entry key when displaying the details of a certificate

This patch adds an "OCSP Response Key" information in the output of a
"show ssl cert <certfile>" call. The key can then be used in a "show ssl
ocsp-response <key>" CLI command.

src/ssl_ckch.c

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 55636cc..071f45a 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1478,6 +1478,80 @@
 	return 0;
 }
 
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+/*
+ * Build the OCSP tree entry's key for a given ckch_store.
+ * Returns a negative value in case of error.
+ */
+static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[128], unsigned int *key_length)
+{
+	OCSP_RESPONSE *resp;
+	OCSP_BASICRESP *bs = NULL;
+	OCSP_SINGLERESP *sr;
+	OCSP_CERTID *id;
+	unsigned char *p = NULL;
+
+	if (!key_length)
+		return -1;
+
+	*key_length = 0;
+
+	if (!ckch_store->ckch->ocsp_response)
+		return 0;
+
+	p = (unsigned char *) ckch_store->ckch->ocsp_response->area;
+
+	resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
+				 ckch_store->ckch->ocsp_response->data);
+	if (!resp) {
+		goto end;
+	}
+
+	bs = OCSP_response_get1_basic(resp);
+	if (!bs) {
+		goto end;
+	}
+
+	sr = OCSP_resp_get0(bs, 0);
+	if (!sr) {
+		goto end;
+	}
+
+	id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
+
+	p = certid;
+	*key_length = i2d_OCSP_CERTID(id, &p);
+
+end:
+	return *key_length > 0;
+}
+#endif
+
+/*
+ * Dump the OCSP certificate key (if it exists) of certificate <ckch> into
+ * buffer <out>.
+ * Returns 0 in case of success.
+ */
+static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
+{
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+	unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
+	unsigned int key_length = 0;
+	int i;
+
+	if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
+		/* Dump the CERTID info */
+		chunk_appendf(out, "OCSP Response Key: ");
+		for (i = 0; i < key_length; ++i) {
+			chunk_appendf(out, "%02x", key[i]);
+		}
+		chunk_appendf(out, "\n");
+	}
+#endif
+
+	return 0;
+}
+
 
 /* IO handler of the details "show ssl cert <filename>" */
 static int cli_io_handler_show_cert_detail(struct appctx *appctx)
@@ -1509,6 +1583,8 @@
 	else if (retval)
 		goto end;
 
+	ckch_store_show_ocsp_certid(ckchs, out);
+
 end:
 	if (ci_putchk(si_ic(si), out) == -1) {
 		si_rx_room_blk(si);