Skip to content

Commit

Permalink
Add crl check for OCSP acting as server
Browse files Browse the repository at this point in the history
When OCSP is acting as server certificate can be verified using CRL
internally stored.

To verify the certificates the `LDAPStore` has to be enabled with the
variable `ocsp.store.ldapStore.checkSubsystemConnection` and the
variable `auths.revocationChecking.enabled` both set to true.

Solve RHCS-4262
  • Loading branch information
fmarco76 committed Jul 28, 2023
1 parent e6a1e0c commit e8ed05b
Show file tree
Hide file tree
Showing 2 changed files with 82 additions and 1 deletion.
10 changes: 9 additions & 1 deletion base/ocsp/src/main/java/com/netscape/cms/ocsp/LDAPStore.java
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,8 @@ public class LDAPStore implements IDefStore, IExtendedPluginInfo {
private String mCACertAttr = null;
protected Hashtable<String, Long> mReqCounts = new Hashtable<>();
private Hashtable<X509CertImpl, X509CRLImpl> mCRLs = new Hashtable<>();
private boolean mCheckConnection = false;


/**
* Constructs the default store.
Expand Down Expand Up @@ -137,6 +139,7 @@ public void init(IConfigStore config, DBSubsystem dbSubsystem) throws EBaseExcep
DEF_CA_CERT_ATTR);
mByName = mConfig.getBoolean(PROP_BY_NAME, true);

mCheckConnection = mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false);
}

/**
Expand Down Expand Up @@ -238,7 +241,7 @@ public void startup() throws EBaseException {

updater.start();
}
if(mConfig.getBoolean(PROP_CHECK_SUBSYSTEM_CONNECTION, false)) {
if(mCheckConnection) {
CMS.setApprovalCallbask(new CRLLdapValidator(this));
}
}
Expand Down Expand Up @@ -493,6 +496,11 @@ public void setConfigParameters(NameValuePairs pairs)
mConfig.put(key, pairs.get(key));
}
}

public boolean isCRLCheckAvailable() {
return mCheckConnection;
}

}

class CRLUpdater extends Thread {
Expand Down
73 changes: 73 additions & 0 deletions base/ocsp/src/main/java/org/dogtagpki/server/ocsp/OCSPEngine.java
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,21 @@

package org.dogtagpki.server.ocsp;

import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.security.auth.x500.X500Principal;
import javax.servlet.annotation.WebListener;

import org.mozilla.jss.netscape.security.x509.X509CRLImpl;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;

import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
import com.netscape.cms.ocsp.LDAPStore;
import com.netscape.cmscore.apps.CMS;
import com.netscape.cmscore.apps.CMSEngine;
import com.netscape.cmscore.apps.EngineConfig;
Expand Down Expand Up @@ -113,5 +124,67 @@ protected void initSequence() throws Exception {
initSecurityDomain();
}

@Override
public boolean isRevoked(X509Certificate[] certificates) {
LDAPStore crlStore = null;
for (ISubsystem subsystem : subsystems.values()) {
if (subsystem instanceof OCSPAuthority) {
OCSPAuthority ocsp = (OCSPAuthority) subsystem;
if (ocsp.getDefaultStore() instanceof LDAPStore) {
crlStore = (LDAPStore) ocsp.getDefaultStore();
}
break;
}
}

if (crlStore == null || !crlStore.isCRLCheckAvailable()) {
return super.isRevoked(certificates);
}

for (X509Certificate cert: certificates) {
if(crlCertValid(crlStore, cert, null)) {
return false;
}
}
return true;

}


private boolean crlCertValid(LDAPStore crlStore, X509Certificate certificate, ValidityStatus currentStatus) {
logger.info("OCSPEngine: validate of peer's certificate for the connection " + certificate.getSubjectX500Principal().toString());
ICRLIssuingPointRecord pt = null;
try {
Enumeration<ICRLIssuingPointRecord> eCRL = crlStore.searchAllCRLIssuingPointRecord(-1);
while (eCRL.hasMoreElements() && pt == null) {
ICRLIssuingPointRecord tPt = eCRL.nextElement();
logger.debug("OCSPEngine: CRL check issuer " + tPt.getId());
if(certificate.getIssuerX500Principal().equals(new X500Principal(tPt.getId()))) {
pt = tPt;
}
}
} catch (EBaseException e) {
logger.error("OCSPEngine: problem find CRL issuing point for " + certificate.getIssuerX500Principal().toString());
return false;
}
if (pt == null) {
logger.error("OCSPEngine: CRL issuing point not found for " + certificate.getIssuerX500Principal().toString());
return false;
}
try {
X509CRLImpl crl = new X509CRLImpl(pt.getCRL());
X509CRLEntry crlentry = crl.getRevokedCertificate(certificate.getSerialNumber());

if (crlentry == null) {
if (crlStore.isNotFoundGood()) {
return true;
}
}
} catch (Exception e) {
logger.error("OCSPEngine: crl check error. " + e.getMessage());
}
logger.info("OCSPEngine: peer certificate not valid");
return false;
}

}

0 comments on commit e8ed05b

Please sign in to comment.