From 0f602e5d7333944281c639e54f52844eb048184c Mon Sep 17 00:00:00 2001
From: Omar Khalil
Date: Sat, 28 Jul 2018 16:11:26 +0200
Subject: [PATCH] security/acme-client: Add Support for OCSP Must Staple generation
---
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml | 6 ++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml | 4 ++++
 .../src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php | 5 +++++
 3 files changed, 15 insertions(+)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index f6d6a82db..f7ab3d93a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -44,6 +44,12 @@ dropdown + + certificate.ocsp + + checkbox + Generate and add OCSP Must Staple extension to the certificate. + certificate.restartActions
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4ee6b1ff5..f3a6dd373 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -214,6 +214,10 @@ ec-384 + + 0 + N +
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index e3d94cdae..509a6e5d7 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
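Review bot: The help text for the new certificate.ocsp checkbox in dialogCertificate.xml does not state the operational requirement the extension imposes: a certificate carrying the Must Staple (TLS Feature) extension is rejected by enforcing clients whenever the serving endpoint does not staple a current OCSP response, so enabling it without configuring stapling on the web server or proxy produces an outage rather than a security gain. Suggest extending the help to `Generate and add OCSP Must Staple extension to the certificate. The service using this certificate must be configured for OCSP stapling, otherwise enforcing clients will reject the connection.` The AcmeClient.xml hunk in this patch only adds the model field with its default and needs no change; the XML tags of both hunks were stripped in this rendering, so the exact element layout is not recoverable here.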
@@ -809,6 +809,11 @@ function run_acme_validation($certObj, $valObj, $acctObj)
 $key_length = substr_replace($key_length, '-', 2, 0);
 }
+ // if OCSP Extension is turned on pass --ocsp parameter to acme client
+ if (isset($certObj->ocsp)) {
+ $acme_args[] = "--ocsp";
+ }
+
 // Run acme client
 // NOTE: We "export" certificates to our own directory, so we don't have to deal
 // with domain names in filesystem, but instead can use the ID of our certObj.
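Review bot: `isset($certObj->ocsp)` tests only that the property exists, not that the checkbox is enabled; the model hunk declares `ocsp` with a default of 0, so if the field is populated like the other model fields (presumably a boolean field holding "0" or "1") the property is always set once the model is loaded and `--ocsp` is passed for every certificate. The condition should compare the value, e.g. `if ((string)$certObj->ocsp == '1') {`, and the comment above it would read better as `// request the OCSP Must Staple extension only when the option is enabled`. Because a Must Staple certificate is rejected by enforcing clients on any listener that does not staple OCSP responses, passing the flag unconditionally would break TLS for users who never asked for it, so this is worth covering with a check of both checkbox states. run_acme_validation begins before this hunk and continues after it.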