From 1f4f030233a895586aa7e114c92f4aa213250752 Mon Sep 17 00:00:00 2001
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Mon, 15 Jul 2024 06:40:07 -0700
Subject: [PATCH 2/2] WIP: move to OpenSSL-constructed index files

---
 src/test/ssl/conf/ocsp.config | 19 +++++++++
 src/test/ssl/sslfiles.mk      | 75 ++++++++++++++---------------------
 2 files changed, 48 insertions(+), 46 deletions(-)
 create mode 100644 src/test/ssl/conf/ocsp.config

diff --git a/src/test/ssl/conf/ocsp.config b/src/test/ssl/conf/ocsp.config
new file mode 100644
index 0000000000..831c2f681c
--- /dev/null
+++ b/src/test/ssl/conf/ocsp.config
@@ -0,0 +1,19 @@
+[ ca ]
+default_ca = ocsp
+
+# A shell of a CA, mostly duplicating the server CA, which is used only during
+# the OCSP index generation recipes.
+[ ocsp ]
+dir = ./ssl/
+
+# The database (or "index") is the main thing we want.
+database = ./ssl/ocsp-certindex
+
+# Everything else should all be unused, so we specify whatever's most
+# convenient. In particular there's no need to have a unique cert/key pair for
+# this.
+certificate = ./ssl/server_ca.crt
+private_key = ./ssl/server_ca.key
+serial = ./ssl/ocsp_ca.srl
+default_md = sha256
+policy = policy_match
diff --git a/src/test/ssl/sslfiles.mk b/src/test/ssl/sslfiles.mk
index 9ba88f0be9..bfefa6a33e 100644
--- a/src/test/ssl/sslfiles.mk
+++ b/src/test/ssl/sslfiles.mk
@@ -196,6 +196,7 @@ CLIENT_CERTS := $(CLIENTS:%=ssl/%.crt)
 root_ca_state_files := ssl/root_ca-certindex ssl/root_ca-certindex.attr ssl/root_ca.srl
 server_ca_state_files := ssl/server_ca-certindex ssl/server_ca-certindex.attr ssl/server_ca.srl
 client_ca_state_files := ssl/client_ca-certindex ssl/client_ca-certindex.attr ssl/client_ca.srl
+ocsp_ca_state_files := ssl/ocsp-certindex ssl/ocsp-certindex.attr ssl/ocsp_ca.srl
 
 # These are the workhorse recipes. `openssl ca` can't be safely run from
 # parallel processes, so we must mark the entire Makefile .NOTPARALLEL.
@@ -224,6 +225,7 @@ ssl/%.csr: ssl/%.key conf/%.config
 #
 
 .INTERMEDIATE: $(root_ca_state_files) $(server_ca_state_files) $(client_ca_state_files)
+.INTERMEDIATE: $(ocsp_ca_state_files)
 
 # OpenSSL requires a directory to put all generated certificates in. We don't
 # use this for anything, but we need a location.
@@ -245,68 +247,49 @@ ssl/%.srl:
 # OCSP
 #
 .INTERMEDIATE: $(OCSPS:%=ssl/%.idx)
+
 # given status 'V' without 'revocation date' to generate an ocsp response with status 'good' for 10000 days
-ssl/server-ocsp-good.idx: ssl/server-cn-only.crt
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-good.idx: conf/ocsp.config ssl/server-cn-only.crt | $(ocsp_ca_state_files)
+	: > ssl/ocsp-certindex
+	openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+	cp ssl/ocsp-certindex $@
 
 # given status 'R' and 'revocation date' to generate an ocsp response with status 'revoked' for 10000 days
-ssl/server-ocsp-revoked.idx: ssl/server-cn-only.crt
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-revoked.idx: conf/ocsp.config ssl/server-cn-only.crt | $(ocsp_ca_state_files)
+	: > ssl/ocsp-certindex
+	openssl ca -config conf/ocsp.config -revoke ssl/server-cn-only.crt
+	cp ssl/ocsp-certindex $@
 
 # generate an ocsp response with status 'unknown' using a none-existing certificate serial number 1970010100000000
-ssl/server-ocsp-unknown.idx: ssl/server-cn-only.crt
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number="1970010100000000"; \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-unknown.idx:
+	touch $@
 
 # generate an ocsp response with status 'good' but nextUpdate 'expired' in only 1 minute
-ssl/server-ocsp-expired.idx: ssl/server-cn-only.crt
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" > $@
+ssl/server-ocsp-expired.idx: ssl/server-ocsp-good.idx
+	cp $< $@
 
 # server-cn-only.crt (good), ocsp response for server_ca.crt in (good|revoked|unknown|expired)
 # good, good
-ssl/server-ca-ocsp-good.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	cat ssl/server-ocsp-good.idx > $@; \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-good.idx: conf/ocsp.config ssl/server-cn-only.crt ssl/server_ca.crt | $(ocsp_ca_state_files)
+	: > ssl/ocsp-certindex
+	openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+	openssl ca -config conf/ocsp.config -valid ssl/server_ca.crt
+	cp ssl/ocsp-certindex $@
 
 # good, revoked
-ssl/server-ca-ocsp-revoked.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	revocation_date=$$(date --utc +'%y%m%d%H%M%SZ'); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	cat ssl/server-ocsp-good.idx > $@; \
-	echo "R\t$$expiration_date\t$$revocation_date\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-revoked.idx: conf/ocsp.config ssl/server-cn-only.crt ssl/server_ca.crt | $(ocsp_ca_state_files)
+	: > ssl/ocsp-certindex
+	openssl ca -config conf/ocsp.config -valid ssl/server-cn-only.crt
+	openssl ca -config conf/ocsp.config -revoke ssl/server_ca.crt
+	cp ssl/ocsp-certindex $@
 
 # good, unknown
-ssl/server-ca-ocsp-unknown.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number="1970010100000001"; \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	cat ssl/server-ocsp-good.idx > $@; \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-unknown.idx: ssl/server-ocsp-good.idx
+	cp $< $@
 
 # good, expired
-ssl/server-ca-ocsp-expired.idx: ssl/server_ca.crt ssl/server-ocsp-good.idx
-	expiration_date=$$($(OPENSSL) x509 -in $< -noout -dates | grep "notAfter" | cut -d "=" -f 2 | xargs -I {} date --date="{}" --utc +'%Y%m%d%H%M%S'Z); \
-	serial_number=$$($(OPENSSL) x509 -in $< -noout -serial | cut -d "=" -f 2); \
-	cert_subject=$$($(OPENSSL) x509 -in $< -noout -subject | sed 's/subject=OU = /\/OU=/' | sed 's/, CN = /\/CN=/'); \
-	cat ssl/server-ocsp-good.idx > $@; \
-	echo "V\t$$expiration_date\t\t$$serial_number\tunknown\t$$cert_subject" >> $@
+ssl/server-ca-ocsp-expired.idx: ssl/server-ca-ocsp-good.idx
+	cp $< $@
 
 # All of the responses have the server cert in the chain.
 OCSPCHAIN = -issuer ssl/server_ca.crt -cert ssl/server-cn-only.crt
-- 
2.34.1