From da5b772ba191677789e559d192d62a90e3333e1f Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 4 Jan 2024 17:22:25 +0100
Subject: [PATCH] System: Trust: Revocation - add ocsp index.txt file download, needed for demonstration purposes (https://github.com/opnsense/core/issues/7114)

---
 src/www/system_crlmanager.php | 63 +++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/src/www/system_crlmanager.php b/src/www/system_crlmanager.php
index 47c08246a..d662318f2 100644
--- a/src/www/system_crlmanager.php
+++ b/src/www/system_crlmanager.php
@@ -210,6 +210,55 @@ function crl_update(&$crl)
     return true;
 }
+
+/**
+ * for demonstration purposes, we need a CA index file as specified
+ * at https://pki-tutorial.readthedocs.io/en/latest/cadb.html
+ */
+function get_ocsp_info_data($caref)
+{
+    global $config;
+    $result = '';
+    $revoked = [];
+    if (!empty($config['crl'])) {
+        foreach ($config['crl'] as $crl) {
+            if (!empty($crl['cert']) && !empty($crl['caref']) && $crl['caref'] == $caref) {
+                foreach ($crl['cert'] as $crt) {
+                    if (!empty($crt['revoke_time'])) {
+                        $dt = new \DateTime("@".$crt['revoke_time']);
+                        $revoked[$crt['refid']] = $dt->format("ymdHis") . "Z";
+                    }
+                }
+            }
+        }
+    }
+    foreach ($config['cert'] as $crt) {
+        if ($crt['caref'] == $caref) {
+            $x509 = openssl_x509_parse(base64_decode($crt['crt']));
+            $valid_to = date('Y-m-d H:i:s', $x509['validTo_time_t']);
+            $rev_date = '';
+            if (!empty($revoked[$crt['refid']])) {
+                $status = 'R';
+                $rev_date = $revoked[$crt['refid']];
+            } elseif ($x509['validTo_time_t'] < time()) {
+                $status = 'E';
+            } else {
+                $status = 'V';
+            }
+
+            $result .= sprintf(
+                "%s\t%s\t%s\tunknown\t%s\t%s\n",
+                $status, // Certificate status flag (V=valid, R=revoked, E=expired).
+                $x509['validTo'], // Certificate expiration date in YYMMDDHHMMSSZ format.
+                $rev_date, // Certificate revocation date in YYMMDDHHMMSSZ[,reason] format. Empty if not revoked.
+                $x509['serialNumberHex'], // Certificate serial number in hex.
+                $x509['name'] // Certificate distinguished name.
+            );
+        }
+    }
+    return $result;
+}
+
 
 // prepare config types
 $a_crl = &config_read_array('crl');
 $a_cert = &config_read_array('cert');
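Review bot: A CRL entry whose `revoke_time` is empty is never added to `$revoked` (the `if (!empty($crt['revoke_time']))` guard in get_ocsp_info_data), so that certificate is written to index.txt with status `V` although it is listed in the CRL, and an OCSP responder fed this file will answer "good" for a revoked certificate. Record the entry regardless and fall back to the generation time when no timestamp is stored, e.g. `$revoked[$crt['refid']] = !empty($crt['revoke_time']) ? (new \DateTime("@" . $crt['revoke_time']))->format("ymdHis") . "Z" : gmdate("ymdHis") . "Z";`. Both `caref` comparisons use `==` although `$caref` arrives straight from `$_GET`; `===` avoids PHP's numeric-string coercion, and guarding with `isset($crt['caref'])` avoids an undefined-index notice on certificate entries that carry no issuing CA (such entries seem plausible for imported certificates but are not visible in the hunk). `$valid_to` is assigned and never used, and `openssl_x509_parse()` returns `false` for an unparsable certificate, which the following `$x509[...]` reads do not check.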
@@ -248,6 +297,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $pconfig['caref'] = !empty($_GET['caref']) ? $_GET['caref'] : null;
         $pconfig['lifetime'] = "9999";
         $pconfig['serial'] = "0";
+    } elseif ($act == "ocsp_index" && !empty($_GET['caref'])) {
+        $exp_data = get_ocsp_info_data($_GET['caref']);
+        $exp_size = strlen($exp_data);
+        header("Content-Type: application/octet-stream");
+        header("Content-Disposition: attachment; filename=index.txt");
+        header("Content-Length: $exp_size");
+        echo $exp_data;
+        exit;
     }
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $pconfig = $_POST;
@@ -788,6 +845,9 @@ include("head.inc");
+ + "> +
@@ -814,6 +874,9 @@ include("head.inc");
+ + "> + ">
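Review bot: The `ocsp_index` branch serves a download for any `caref` value, since it only checks `!empty($_GET['caref'])` and not that the reference names an existing CA, so an unknown reference yields an empty index.txt with `Content-Length: 0` rather than an error. Validate the reference before generating the file (the CA list is not visible in this hunk; whatever lookup the rest of the page uses for `caref` should be reused) and return a 404 or redirect when it is unknown. Because the file enumerates every certificate issued by the CA with serial number and subject DN, add `header("Cache-Control: no-store");` next to the other headers so the export is not retained by browser or proxy caches. The enclosing `if ($_SERVER['REQUEST_METHOD'] === 'GET')` block starts before the hunk.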