Enabling certificate verification using CRL-DP extension #1003
Conversation
fmarco76
force-pushed
the
CRL-DP_Enabled
branch
from
573ba47 to
ea808b8
Compare
| @@ -945,22 +945,22 @@ JSSL_verifyCertPKIXInternal(CERTCertificate *cert, | |||
| * we construct the policy ourselves. */ | |||
| PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = { | |||
| /* crl */ | |||
| CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD, | |||
| CERT_REV_M_TEST_USING_THIS_METHOD, | |||
There was a problem hiding this comment.
We probably should update the comment above this code since it's still saying Note that we disable CRL fetching as Dogtag doesn't support it.
| /* ocsp */ | ||
| CERT_REV_M_TEST_USING_THIS_METHOD | | ||
| CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | ||
| }; | ||
|
|
||
| CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = { | ||
| cert_revocation_method_ocsp | ||
| cert_revocation_method_crl |
There was a problem hiding this comment.
This line is under indented.
| public boolean getEnableRevocationCheck() { | ||
| return tomcatjss.getEnableRevocationCheck(); | ||
| } | ||
|
|
||
| public void setEnableOCSP(boolean enableOCSP) { | ||
| tomcatjss.setEnableOCSP(enableOCSP); | ||
| public void setEnableRevocationCheck(boolean enableRevocationCheck) { | ||
| tomcatjss.setEnableRevocationCheck(enableRevocationCheck); |
There was a problem hiding this comment.
As discussed on Slack, we should keep the enabledOCSP param for backward compatibility, but now the original getter/setter for that param should call TomcatJSS.enableRevocationCheck's getter/setter instead.
| String enableRevocationCheckProp = config.getProperty("enableRevocationCheck"); | ||
| if (enableRevocationCheckProp != null) | ||
| setEnableRevocationCheck(Boolean.parseBoolean(enableRevocationCheckProp)); |
There was a problem hiding this comment.
Similarly, we should also check enableOCSP param for backward compatibility.
| String enableRevocationCheckProp = connector.getAttribute("enableRevocationCheck"); | ||
| if (enableRevocationCheckProp != null) | ||
| setEnableRevocationCheck(Boolean.parseBoolean(enableRevocationCheckProp)); |
There was a problem hiding this comment.
Similarly, we should also check enableOCSP param for backward compatibility.
| == enableOCSP become enableRevocationCheck == | ||
|
|
||
| Since verification with CRL-DP is introduced and it is enabled using | ||
| this parameter in `server.xml` connector, the name is modified to be not related only to OCSP. |
There was a problem hiding this comment.
Since we're going to keep enableOCSP, I'd suggest to modify this to be something like:
Rename enableOCSP to enableRevocationCheck
The enableOCSP param has been deprecated. Use enableRevocationCheck instead.
Currently certificates can be validated only using OCSP with a configured responder or using the AIA certificate extension. If the responder cannot be used verification is not possible. This is the case for the startup certificates of the responder. The new policy add a verification using the CRL-DP extension defined in the certificate. If AIA extension is defined it has precedence over the CRLs and if no other check are performed. This new method takes place when OCSP is configured without a default responder and the PKIX verification method is adopted (with the policy OCSP_LEAF_AND_CHAIN_POLICY). At least a verification method, defined in the certificate, has to return success to accept the certificate.
Since verification with CRL-DP is introduced and it is enabled using this parameter the name is modified to be not related only to OCSP.
fmarco76
force-pushed
the
CRL-DP_Enabled
branch
from
ea808b8 to
332041b
Compare
| * - if AIA and CRL-DP are both presents only AIA is used and in case | ||
| * freshin formation cannot be retrieved it fails the validation; |
There was a problem hiding this comment.
I think there's a typo: fresh information.
With this PR what would be the verification order, CRL-DP first or AIA first?
If the AIA check is done first but the OCSP responder is not available, can we fallback to CRL-DP?
There was a problem hiding this comment.
JFTR, @fmarco76 explained that the order is defined in ocsp_Enabled_Hard_Policy_Method_Preference, and currently it's configured to do OCSP first (so CRL is implicitly the second).
Also, it seems like it's not possible to define a single validation policy that can fallback from OCSP to CRL without affecting individual OCSP or CRL validations. A possible workaround is to define separate policies based on which extensions are present in the cert itself, but this likely requires more significant changes.
Regardless, the description above correctly describes the policy based on the changes in this PR, so feel free to update/merge. Thanks!
| * | ||
| * When enabled the checking on the chained CA certificates. | ||
| * With this policy the verification process does: | ||
| * - if one between AIA and CRL-DP is present then it will be used; |
There was a problem hiding this comment.
suggestion to rephrase : "- if only an AIA or an CRL-DP is present, the respective validation method is used;"
fmarco76
force-pushed
the
CRL-DP_Enabled
branch
2 times, most recently
from
7d90b9f to
bf32a6f
Compare
| /* ocsp */ | ||
| CERT_REV_M_TEST_USING_THIS_METHOD | | ||
| CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | ||
| }; | ||
|
|
||
| PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = { | ||
| /* crl */ | ||
| CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD, | ||
| CERT_REV_M_TEST_USING_THIS_METHOD | | ||
| CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO, | ||
| /* ocsp */ | ||
| CERT_REV_M_TEST_USING_THIS_METHOD | | ||
| CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO | ||
| }; | ||
|
|
There was a problem hiding this comment.
for the following setting, it might help the reader to add a comment that says something like "/* if CRL-dp is present in the cert, disable CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO for ocsp */
There was a problem hiding this comment.
Comment added to the if where the flag is modified
| * - if only an AIA or an CRL-DP is present, the respective validation method is used; | ||
| * - if AIA and CRL-DP are both presents the execution order is: AIA first followed by | ||
| * CRL only in case OCSP endpoint does not provide fresh information; | ||
| * - it no AIA and CRL-DP are present no revocation check is performed.*/ |
There was a problem hiding this comment.
typo. "if" instead of "it"
|
I don't have any additional comments. Thanks for the updates! |
In case of CRLDP and AIA extensions available in the certificate the PKIX verification flags do not allow to implement a fallback mechanism because the fallback remain active also for certificate with only one extension with unexpected behaviour. A more dynamic approach is introduced verifying the presence of the CRLDP extension and setting the flags accordingly.
fmarco76
force-pushed
the
CRL-DP_Enabled
branch
from
bf32a6f to
ff5589a
Compare
|
Currently certificates can be validated only using OCSP with a configured responder or using the AIA certificate extension. If the responder cannot be used verification is not possible. This is the case for the startup certificates of the responder.
The new policy add a verification using the CRL-DP extension defined in the certificate. If this extension is defined it has precedence over the OCSP and if it pass no other check are performed. If CRL cannot be retrieved then the OCSP responder is used. This new method takes place when OCSP is configured without a default responder and the PKIX verification method is adopted (with the policy OCSP_LEAF_AND_CHAIN_POLICY).
At least a verification method has to return success to accept the certificate.
Additionally, the connector parameter
enableOCSPis renamed toenableRevocationChecksince this is used to enable CRL-DP and AIA based validation