app-crypt/acme-client: New package.

[gentoo-draconx.git] / app-crypt / acme-client / files / acme-client-1.3.1-support-must-staple.patch

From 261275a2582deaf6682cb46b0c20385e698fb2bb Mon Sep 17 00:00:00 2001
From: Nick Bowler <nbowler@draconx.ca>
Date: Tue, 1 Nov 2022 23:03:30 -0400
Subject: [PATCH] Add support for OCSP must-staple.

---
 usr.sbin/acme-client/acme-client.conf.5 |  3 +++
 usr.sbin/acme-client/extern.h           |  2 +-
 usr.sbin/acme-client/keyproc.c          | 16 ++++++++++++++--
 usr.sbin/acme-client/main.c             |  2 +-
 usr.sbin/acme-client/parse.h            |  3 +++
 usr.sbin/acme-client/parse.y            | 10 +++++++++-
 6 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5
index eb5f19e..113ed62 100644
--- a/usr.sbin/acme-client/acme-client.conf.5
+++ b/usr.sbin/acme-client/acme-client.conf.5
@@ -187,6 +187,9 @@ A backup with name
 is created if
 .Ar file
 exists.
+.It Ic domain muststaple
+The certificate signing request will include the status_request extension,
+which requires the use of OCSP stapling with the resulting certificate.
 .It Ic sign with Ar authority
 The certificate authority (as declared above in the
 .Sx AUTHORITIES
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index a2426e9..e354868 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -219,7 +219,7 @@ int          revokeproc(int, const char *, int, int, const char *const *,
 int             fileproc(int, const char *, const char *, const char *,
                        const char *);
 int             keyproc(int, const char *, const char **, size_t,
-                       enum keytype);
+                       enum keytype, unsigned int);
 int             netproc(int, int, int, int, int, int, int,
                        struct authority_c *, const char *const *,
                        size_t);
diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
index be3696d..f4dcdb5 100644
--- a/usr.sbin/acme-client/keyproc.c
+++ b/usr.sbin/acme-client/keyproc.c
@@ -76,7 +76,7 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value)
  */
 int
 keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
-    enum keytype keytype)
+    enum keytype keytype, unsigned int csrflags)
 {
        char            *der64 = NULL, *der = NULL, *dercp;
        char            *sans = NULL, *san = NULL;
@@ -215,7 +215,19 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
        if (!add_ext(exts, nid, sans)) {
                warnx("add_ext");
                goto out;
-       } else if (!X509_REQ_add_extensions(x, exts)) {
+       }
+
+       /*
+        * If requested, enable OCSP must-staple feature in CSR.
+        */
+       if (csrflags & DOMAIN_FLAG_MUSTSTAPLE) {
+               if (!add_ext(exts, NID_tlsfeature, "status_request")) {
+                       warnx("add_ext");
+                       goto out;
+               }
+       }
+
+       if (!X509_REQ_add_extensions(x, exts)) {
                warnx("X509_REQ_add_extensions");
                goto out;
        }
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index c95ded1..7284ff0 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -246,7 +246,7 @@ main(int argc, char *argv[])
                close(file_fds[1]);
                c = keyproc(key_fds[0], domain->key,
                    (const char **)alts, altsz,
-                   domain->keytype);
+                   domain->keytype, domain->csrflags);
                exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
        }
 
diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h
index 2179b2d..7551014 100644
--- a/usr.sbin/acme-client/parse.h
+++ b/usr.sbin/acme-client/parse.h
@@ -26,6 +26,8 @@
 #define AUTH_MAXLEN    120     /* max length of an authority_c name */
 #define DOMAIN_MAXLEN  255     /* max len of a domain name (rfc2181) */
 
+#define DOMAIN_FLAG_MUSTSTAPLE 1u /* Add OCSP must-staple extension to CSR */
+
 /*
  * XXX other size limits needed?
  * limit all paths to PATH_MAX
@@ -49,6 +51,7 @@ struct domain_c {
        TAILQ_ENTRY(domain_c)    entry;
        TAILQ_HEAD(, altname_c)  altname_list;
        int                      altname_count;
+       unsigned int             csrflags;
        enum keytype             keytype;
        char                    *handle;
        char                    *domain;
diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y
index f8e76b2..fa87dd7 100644
--- a/usr.sbin/acme-client/parse.y
+++ b/usr.sbin/acme-client/parse.y
@@ -101,7 +101,7 @@ typedef struct {
 %}
 
 %token AUTHORITY URL API ACCOUNT CONTACT
-%token DOMAIN ALTERNATIVE NAME NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR
+%token DOMAIN ALTERNATIVE NAME NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR MUSTSTAPLE
 %token YES NO
 %token INCLUDE
 %token ERROR
@@ -393,6 +393,13 @@ domainoptsl        : ALTERNATIVE NAMES '{' altname_l '}'
                                err(EXIT_FAILURE, "strdup");
                        domain->challengedir = s;
                }
+               | DOMAIN MUSTSTAPLE {
+                       if (domain->csrflags & DOMAIN_FLAG_MUSTSTAPLE) {
+                               yyerror("duplicate muststaple");
+                               YYERROR;
+                       }
+                       domain->csrflags |= DOMAIN_FLAG_MUSTSTAPLE;
+               }
                ;
 
 altname_l      : altname comma altname_l
@@ -468,6 +475,7 @@ lookup(char *s)
                {"full",                FULL},
                {"include",             INCLUDE},
                {"key",                 KEY},
+               {"muststaple",          MUSTSTAPLE},
                {"name",                NAME},
                {"names",               NAMES},
                {"rsa",                 RSA},
-- 
2.37.4