From 87c1d69bdb7d0e880cb7186faf2e26438038fe22 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 14 Mar 2024 14:25:48 +0100
Subject: [PATCH] System: Trust: Revocation -  work in progress for
 https://github.com/opnsense/core/issues/7248

add ocsp index.txt sample download to align with documentation (https://docs.opnsense.org/manual/certificates.html)
---
 .../OPNsense/Trust/Api/CrlController.php      | 52 ++++++++++++++++++-
 .../mvc/app/views/OPNsense/Trust/crl.volt     | 15 ++++++
 2 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CrlController.php b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CrlController.php
index c575360cf..b9222d5f0 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CrlController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CrlController.php
@@ -371,9 +371,9 @@ class CrlController extends ApiControllerBase
     }
 
 
-    public function rawDumpAction($uuid)
+    public function rawDumpAction($caref)
     {
-        $payload = $this->getAction($uuid);
+        $payload = $this->getAction($caref);
         if (!empty($payload['crl'])) {
             if (!empty($payload['crl']['text'])) {
                 return CertStore::dumpCRL($payload['crl']['text']);
@@ -381,4 +381,52 @@ class CrlController extends ApiControllerBase
         }
         return [];
     }
+
+    /**
+     * for demonstration purposes, we need a CA index file as specified
+     * at https://pki-tutorial.readthedocs.io/en/latest/cadb.html
+     */
+    function getOcspInfoDataAction($caref)
+    {
+        $config = Config::getInstance()->object();
+
+        $revoked = [];
+        foreach ($config->crl as $crl) {
+            if ((string)$crl->caref == $caref) {
+                foreach ($crl->cert as $cert) {
+                    if (!empty((string)$cert->revoke_time)) {
+                        $dt = new \DateTime("@".$cert->revoke_time);
+                        $revoked[(string)$cert->refid] = $dt->format("ymdHis") . "Z";
+                    }
+                }
+            }
+        }
+        $result = '';
+        foreach ($config->cert as $cert) {
+            if ((string)$cert->caref == $caref) {
+                $refid = (string)$cert->refid;
+                $x509 = openssl_x509_parse(base64_decode($cert->crt));
+                $valid_to = date('Y-m-d H:i:s', $x509['validTo_time_t']);
+                $rev_date = '';
+                if (!empty($revoked[$refid])) {
+                    $status = 'R';
+                    $rev_date = $revoked[$refid];
+                } elseif ($x509['validTo_time_t'] < time()) {
+                    $status = 'E';
+                } else {
+                    $status = 'V';
+                }
+                $result .= sprintf(
+                    "%s\t%s\t%s\t%s\tunknown\t%s\n",
+                    $status,                    // Certificate status flag (V=valid, R=revoked, E=expired).
+                    $x509['validTo'],           // Certificate expiration date in YYMMDDHHMMSSZ format.
+                    $rev_date,                  // Certificate revocation date in YYMMDDHHMMSSZ[,reason] format.
+                    $x509['serialNumberHex'],   // Certificate serial number in hex.
+                    $x509['name']               // Certificate distinguished name.
+                );
+            }
+        }
+        return ['payload' => $result];
+    }
+
 }
diff --git a/src/opnsense/mvc/app/views/OPNsense/Trust/crl.volt b/src/opnsense/mvc/app/views/OPNsense/Trust/crl.volt
index 1fa72b7b3..631c88543 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Trust/crl.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Trust/crl.volt
@@ -26,6 +26,8 @@
 
 <script>
     'use strict';
+
+
     $( document ).ready(function () {
         let grid_crl = $("#grid-crl").UIBootgrid({
             search:'/api/trust/crl/search/',
@@ -54,6 +56,19 @@
                 },
                 copy: {
                     classname: undefined
+                },
+                download: {
+                    method: function(event){
+                        let refid = $(this).data("row-id") !== undefined ? $(this).data("row-id") : '';
+                        ajaxGet('/api/trust/crl/get_ocsp_info_data/' + refid, {}, function(data, status){
+                            if (data.payload) {
+                                download_content(data.payload, 'index.txt', 'application/octet-stream');
+                            }
+                        });
+                    },
+                    classname: 'fa fa-fw fa-cloud-download',
+                    title: "{{ lang._('Download OCSP demo index') }}",
+                    sequence: 10
                 }
             }
         });