Add crl check for OCSP acting as server

When OCSP is acting as server certificate can be verified using CRL internally stored. To verify the certificates the `LDAPStore` has to be enabled with the variable `ocsp.store.ldapStore.checkSubsystemConnection` and the variable `auths.revocationChecking.enabled` both set to true. Solve RHCS-4262
dogtagpki · Jul 28, 2023 · e1e85e5 · e1e85e5
1 parent e6a1e0c
commit e1e85e5
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 1 deletion.
diff --git a/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java b/base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
@@ -94,6 +94,8 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
     private String mCACertAttr = null;
     protected Hashtable<String, Long> mReqCounts = new Hashtable<>();
     private Hashtable<X509CertImpl, X509CRLImpl> mCRLs = new Hashtable<>();
+    private boolean mCheckConnection = false;
+
 
     /**
      * Constructs the default store.
@@ -137,6 +139,7 @@ public void init(IConfigStore config, DBSubsystem dbSubsystem) throws EBaseExcep
                     DEF_CA_CERT_ATTR);
         mByName = mConfig.getBoolean(PROP_BY_NAME, true);
 
+        mCheckConnection = mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false);
     }
 
     /**
@@ -238,7 +241,7 @@ public void startup() throws EBaseException {
 
             updater.start();
         }
-        if(mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false)) {
+        if(mCheckConnection) {
             CMS.setApprovalCallbask(new CRLLdapValidator(this));
         }
     }
@@ -493,6 +496,11 @@ public void setConfigParameters(NameValuePairs pairs)
             mConfig.put(key, pairs.get(key));
         }
     }
+
+    public boolean isCRLCheckAvailable() {
+        return mCheckConnection;
+    }
+
 }
 
 class CRLUpdater extends Thread {

diff --git a/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java b/base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
@@ -18,10 +18,21 @@
 
 package org.dogtagpki.server.ocsp;
 
+import java.security.cert.X509CRLEntry;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+
+import javax.security.auth.x500.X500Principal;
 import javax.servlet.annotation.WebListener;
 
+import org.mozilla.jss.netscape.security.x509.X509CRLImpl;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;
+
+import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.cms.ocsp.LDAPStore;
 import com.netscape.cmscore.apps.CMS;
 import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmscore.apps.EngineConfig;
@@ -113,5 +124,67 @@ protected void initSequence() throws Exception {
         initSecurityDomain();
     }
 
+    @Override
+    public boolean isRevoked(X509Certificate[] certificates) {
+        LDAPStore crlStore = null;
+        for (ISubsystem subsystem : subsystems.values()) {
+            if (subsystem instanceof OCSPAuthority) {
+                OCSPAuthority ocsp = (OCSPAuthority) subsystem;
+                if (ocsp.getDefaultStore() instanceof LDAPStore) {
+                    crlStore = (LDAPStore) ocsp.getDefaultStore();
+                }
+                break;
+            }
+        }
+
+        if (crlStore == null || !crlStore.isCRLCheckAvailable()) {
+            return super.isRevoked(certificates);
+        }
+
+        for (X509Certificate cert: certificates) {
+            if(crlCertValid(crlStore, cert, null)) {
+                return false;
+            }
+        }
+        return true;
+
+    }
+
+
+    private boolean crlCertValid(LDAPStore crlStore, X509Certificate certificate, ValidityStatus currentStatus) {
+        logger.info("OCSPEngine: validate of peer's certificate for the connection " + certificate.getSubjectX500Principal().toString());
+        ICRLIssuingPointRecord pt = null;
+        try {
+            Enumeration<ICRLIssuingPointRecord> eCRL = crlStore.searchAllCRLIssuingPointRecord(-1);
+            while (eCRL.hasMoreElements() && pt == null) {
+                ICRLIssuingPointRecord tPt = eCRL.nextElement();
+                logger.debug("OCSPEngine: CRL check issuer  " + tPt.getId());
+                if(certificate.getIssuerX500Principal().equals(new X500Principal(tPt.getId()))) {
+                    pt = tPt;
+                }
+            }
+        } catch (EBaseException e) {
+            logger.error("OCSPEngine: problem find CRL issuing point for " + certificate.getIssuerX500Principal().toString());
+            return false;
+        }
+        if (pt == null) {
+            logger.error("OCSPEngine: CRL issuing point not found for " + certificate.getIssuerX500Principal().toString());
+            return false;
+        }
+        try {
+            X509CRLImpl crl = new X509CRLImpl(pt.getCRL());
+            X509CRLEntry crlentry = crl.getRevokedCertificate(certificate.getSerialNumber());
+
+            if (crlentry == null) {
+                if (crlStore.isNotFoundGood()) {
+                    return true;
+                }
+            }
+        } catch (Exception e) {
+            logger.error("OCSPEngine: crl check error. " + e.getMessage());
+        }
+        logger.info("OCSPEngine: peer certificate not valid");
+        return false;
+    }
 
 }