X-Git-Url: https://git.draconx.ca/gitweb/gentoo-draconx.git/blobdiff_plain/c426d54b7f1c8f10dd8348014f502407c035f592..28e10d7f50f49e164a3605d53948973eb0f0f327:/app-crypt/acme-client/files/acme-client-1.3.1-support-must-staple.patch diff --git a/app-crypt/acme-client/files/acme-client-1.3.1-support-must-staple.patch b/app-crypt/acme-client/files/acme-client-1.3.1-support-must-staple.patch new file mode 100644 index 0000000..2cebcb2 --- /dev/null +++ b/app-crypt/acme-client/files/acme-client-1.3.1-support-must-staple.patch @@ -0,0 +1,147 @@ +From 261275a2582deaf6682cb46b0c20385e698fb2bb Mon Sep 17 00:00:00 2001 +From: Nick Bowler +Date: Tue, 1 Nov 2022 23:03:30 -0400 +Subject: [PATCH] Add support for OCSP must-staple. + +--- + usr.sbin/acme-client/acme-client.conf.5 | 3 +++ + usr.sbin/acme-client/extern.h | 2 +- + usr.sbin/acme-client/keyproc.c | 16 ++++++++++++++-- + usr.sbin/acme-client/main.c | 2 +- + usr.sbin/acme-client/parse.h | 3 +++ + usr.sbin/acme-client/parse.y | 10 +++++++++- + 6 files changed, 31 insertions(+), 5 deletions(-) + +diff --git a/usr.sbin/acme-client/acme-client.conf.5 b/usr.sbin/acme-client/acme-client.conf.5 +index eb5f19e..113ed62 100644 +--- a/usr.sbin/acme-client/acme-client.conf.5 ++++ b/usr.sbin/acme-client/acme-client.conf.5 +@@ -187,6 +187,9 @@ A backup with name + is created if + .Ar file + exists. ++.It Ic domain muststaple ++The certificate signing request will include the status_request extension, ++which requires the use of OCSP stapling with the resulting certificate. + .It Ic sign with Ar authority + The certificate authority (as declared above in the + .Sx AUTHORITIES +diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h +index a2426e9..e354868 100644 +--- a/usr.sbin/acme-client/extern.h ++++ b/usr.sbin/acme-client/extern.h +@@ -219,7 +219,7 @@ int revokeproc(int, const char *, int, int, const char *const *, + int fileproc(int, const char *, const char *, const char *, + const char *); + int keyproc(int, const char *, const char **, size_t, +- enum keytype); ++ enum keytype, unsigned int); + int netproc(int, int, int, int, int, int, int, + struct authority_c *, const char *const *, + size_t); +diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c +index be3696d..f4dcdb5 100644 +--- a/usr.sbin/acme-client/keyproc.c ++++ b/usr.sbin/acme-client/keyproc.c +@@ -76,7 +76,7 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) + */ + int + keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, +- enum keytype keytype) ++ enum keytype keytype, unsigned int csrflags) + { + char *der64 = NULL, *der = NULL, *dercp; + char *sans = NULL, *san = NULL; +@@ -215,7 +215,19 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, + if (!add_ext(exts, nid, sans)) { + warnx("add_ext"); + goto out; +- } else if (!X509_REQ_add_extensions(x, exts)) { ++ } ++ ++ /* ++ * If requested, enable OCSP must-staple feature in CSR. ++ */ ++ if (csrflags & DOMAIN_FLAG_MUSTSTAPLE) { ++ if (!add_ext(exts, NID_tlsfeature, "status_request")) { ++ warnx("add_ext"); ++ goto out; ++ } ++ } ++ ++ if (!X509_REQ_add_extensions(x, exts)) { + warnx("X509_REQ_add_extensions"); + goto out; + } +diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c +index c95ded1..7284ff0 100644 +--- a/usr.sbin/acme-client/main.c ++++ b/usr.sbin/acme-client/main.c +@@ -246,7 +246,7 @@ main(int argc, char *argv[]) + close(file_fds[1]); + c = keyproc(key_fds[0], domain->key, + (const char **)alts, altsz, +- domain->keytype); ++ domain->keytype, domain->csrflags); + exit(c ? EXIT_SUCCESS : EXIT_FAILURE); + } + +diff --git a/usr.sbin/acme-client/parse.h b/usr.sbin/acme-client/parse.h +index 2179b2d..7551014 100644 +--- a/usr.sbin/acme-client/parse.h ++++ b/usr.sbin/acme-client/parse.h +@@ -26,6 +26,8 @@ + #define AUTH_MAXLEN 120 /* max length of an authority_c name */ + #define DOMAIN_MAXLEN 255 /* max len of a domain name (rfc2181) */ + ++#define DOMAIN_FLAG_MUSTSTAPLE 1u /* Add OCSP must-staple extension to CSR */ ++ + /* + * XXX other size limits needed? + * limit all paths to PATH_MAX +@@ -49,6 +51,7 @@ struct domain_c { + TAILQ_ENTRY(domain_c) entry; + TAILQ_HEAD(, altname_c) altname_list; + int altname_count; ++ unsigned int csrflags; + enum keytype keytype; + char *handle; + char *domain; +diff --git a/usr.sbin/acme-client/parse.y b/usr.sbin/acme-client/parse.y +index f8e76b2..fa87dd7 100644 +--- a/usr.sbin/acme-client/parse.y ++++ b/usr.sbin/acme-client/parse.y +@@ -101,7 +101,7 @@ typedef struct { + %} + + %token AUTHORITY URL API ACCOUNT CONTACT +-%token DOMAIN ALTERNATIVE NAME NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR ++%token DOMAIN ALTERNATIVE NAME NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR MUSTSTAPLE + %token YES NO + %token INCLUDE + %token ERROR +@@ -393,6 +393,13 @@ domainoptsl : ALTERNATIVE NAMES '{' altname_l '}' + err(EXIT_FAILURE, "strdup"); + domain->challengedir = s; + } ++ | DOMAIN MUSTSTAPLE { ++ if (domain->csrflags & DOMAIN_FLAG_MUSTSTAPLE) { ++ yyerror("duplicate muststaple"); ++ YYERROR; ++ } ++ domain->csrflags |= DOMAIN_FLAG_MUSTSTAPLE; ++ } + ; + + altname_l : altname comma altname_l +@@ -468,6 +475,7 @@ lookup(char *s) + {"full", FULL}, + {"include", INCLUDE}, + {"key", KEY}, ++ {"muststaple", MUSTSTAPLE}, + {"name", NAME}, + {"names", NAMES}, + {"rsa", RSA}, +-- +2.37.4 +