certidude/certidude/api/ocsp.py

import falcon
import logging
import os
from asn1crypto.util import timezone
from asn1crypto import ocsp
from base64 import b64decode
from certidude import config, const
from datetime import datetime, timedelta
from oscrypto import asymmetric
from .utils import AuthorityHandler
from .utils.firewall import whitelist_subnets

logger = logging.getLogger(__name__)

class OCSPResource(AuthorityHandler):
    @whitelist_subnets(config.OCSP_SUBNETS)
    def __call__(self, req, resp):
        try:
            if req.method == "GET":
                _, _, _, tail = req.path.split("/", 3)
                body = b64decode(tail)
            elif req.method == "POST":
                body = req.stream.read(req.content_length or 0)
            else:
                raise falcon.HTTPMethodNotAllowed()
            ocsp_req = ocsp.OCSPRequest.load(body)
        except ValueError:
            raise falcon.HTTPBadRequest()

        fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority
        server_certificate = asymmetric.load_certificate(fh.read())
        fh.close()

        now = datetime.now(timezone.utc)
        response_extensions = []

        try:
            for ext in ocsp_req["tbs_request"]["request_extensions"]:
                if ext["extn_id"].native == "nonce":
                    response_extensions.append(
                        ocsp.ResponseDataExtension({
                            'extn_id': "nonce",
                            'critical': False,
                            'extn_value': ext["extn_value"]
                        })
                    )
        except ValueError: # https://github.com/wbond/asn1crypto/issues/56
            pass

        responses = []
        for item in ocsp_req["tbs_request"]["request_list"]:
            serial = item["req_cert"]["serial_number"].native
            assert serial > 0, "Serial number correctness check failed"

            try:
                link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%040x.pem" % serial))
                assert link_target.startswith("../")
                assert link_target.endswith(".pem")
                path, buf, cert, signed, expires = self.authority.get_signed(link_target[3:-4])
                if serial != cert.serial_number:
                    logger.error("Certificate store integrity check failed, %s refers to certificate with serial %040x", link_target, cert.serial_number)
                    raise EnvironmentError("Integrity check failed")
                logger.debug("OCSP responder queried from %s for %s with serial %040x, returned status 'good'",
                    req.context.get("remote_addr"), cert.subject.native["common_name"], serial)
                status = ocsp.CertStatus(name='good', value=None)
            except EnvironmentError:
                try:
                    path, buf, cert, signed, expires, revoked, reason = self.authority.get_revoked(serial)
                    logger.debug("OCSP responder queried from %s for %s with serial %040x, returned status 'revoked' due to %s",
                        req.context.get("remote_addr"), cert.subject.native["common_name"], serial, reason)
                    status = ocsp.CertStatus(
                        name='revoked',
                        value={
                            'revocation_time': revoked,
                            'revocation_reason': reason,
                        })
                except EnvironmentError:
                    logger.info("OCSP responder queried for unknown serial %040x from %s", serial, req.context.get("remote_addr"))
                    status = ocsp.CertStatus(name="unknown", value=None)

            responses.append({
                'cert_id': {
                    'hash_algorithm': {
                        'algorithm': "sha1"
                    },
                    'issuer_name_hash': server_certificate.asn1.subject.sha1,
                    'issuer_key_hash': server_certificate.public_key.asn1.sha1,
                    'serial_number': serial,
                },
                'cert_status': status,
                'this_update': now - const.CLOCK_SKEW_TOLERANCE,
                'next_update': now + timedelta(minutes=15) + const.CLOCK_SKEW_TOLERANCE,
                'single_extensions': []
            })

        response_data = ocsp.ResponseData({
            'responder_id': ocsp.ResponderId(name='by_key', value=server_certificate.public_key.asn1.sha1),
            'produced_at': now,
            'responses': responses,
            'response_extensions': response_extensions
        })

        resp.body = ocsp.OCSPResponse({
            'response_status': "successful",
            'response_bytes': {
                'response_type': "basic_ocsp_response",
                'response': {
                    'tbs_response_data': response_data,
                    'certs': [server_certificate.asn1],
                    'signature_algorithm': {'algorithm': "sha1_ecdsa" if self.authority.public_key.algorithm == "ec" else "sha1_rsa" },
                    'signature': (asymmetric.ecdsa_sign if self.authority.public_key.algorithm == "ec" else asymmetric.rsa_pkcs1v15_sign)(
                        self.authority.private_key,
                        response_data.dump(),
                        "sha1"
                    )
                }
            }
        }).dump()

        # Interestingly openssl's OCSP code doesn't care about content type
        resp.append_header("Content-Type", "application/ocsp-response")
tests: More explicit errors for OCSP and SCEP 2018-01-05 12:42:14 +00:00			`import falcon`
api: ocsp: Fix logger 2018-02-03 11:19:50 +00:00			`import logging`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`import os`
			`from asn1crypto.util import timezone`
api: ocsp: Drop unused imports 2018-02-03 11:22:12 +00:00			`from asn1crypto import ocsp`
			`from base64 import b64decode`
Several updates #4 * Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements 2018-05-15 07:45:29 +00:00			`from certidude import config, const`
			`from datetime import datetime, timedelta`
api: ocsp: Drop unused imports 2018-02-03 11:22:12 +00:00			`from oscrypto import asymmetric`
api: Use common AuthorityResource where possible 2018-02-03 11:10:45 +00:00			`from .utils import AuthorityHandler`
Move certidude.firewall to api.utils.firewall where it belongs 2018-02-03 12:30:47 +00:00			`from .utils.firewall import whitelist_subnets`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00
api: ocsp: Fix logger 2018-02-03 11:19:50 +00:00			`logger = logging.getLogger(__name__)`

api: Use common AuthorityResource where possible 2018-02-03 11:10:45 +00:00			`class OCSPResource(AuthorityHandler):`
tests: Add test for machine attribute updates 2017-07-07 21:07:25 +00:00			`@whitelist_subnets(config.OCSP_SUBNETS)`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`def __call__(self, req, resp):`
tests: More explicit errors for OCSP and SCEP 2018-01-05 12:42:14 +00:00			`try:`
			`if req.method == "GET":`
			`_, _, _, tail = req.path.split("/", 3)`
			`body = b64decode(tail)`
			`elif req.method == "POST":`
			`body = req.stream.read(req.content_length or 0)`
			`else:`
			`raise falcon.HTTPMethodNotAllowed()`
			`ocsp_req = ocsp.OCSPRequest.load(body)`
			`except ValueError:`
			`raise falcon.HTTPBadRequest()`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`fh = open(config.AUTHORITY_CERTIFICATE_PATH, "rb") # TODO: import from authority`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`server_certificate = asymmetric.load_certificate(fh.read())`
			`fh.close()`

			`now = datetime.now(timezone.utc)`
			`response_extensions = []`

Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`try:`
			`for ext in ocsp_req["tbs_request"]["request_extensions"]:`
			`if ext["extn_id"].native == "nonce":`
			`response_extensions.append(`
			`ocsp.ResponseDataExtension({`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`'extn_id': "nonce",`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`'critical': False,`
			`'extn_value': ext["extn_value"]`
			`})`
			`)`
			`except ValueError: # https://github.com/wbond/asn1crypto/issues/56`
			`pass`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00
			`responses = []`
			`for item in ocsp_req["tbs_request"]["request_list"]:`
			`serial = item["req_cert"]["serial_number"].native`
Fix certificate serial numbering 2018-04-13 07:57:49 +00:00			`assert serial > 0, "Serial number correctness check failed"`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00
			`try:`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`link_target = os.readlink(os.path.join(config.SIGNED_BY_SERIAL_DIR, "%040x.pem" % serial))`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`assert link_target.startswith("../")`
			`assert link_target.endswith(".pem")`
api: ocsp: drop usage of global authority import 2018-02-03 10:45:07 +00:00			`path, buf, cert, signed, expires = self.authority.get_signed(link_target[3:-4])`
Migrate from cryptography.io to oscrypto 2017-08-16 20:25:16 +00:00			`if serial != cert.serial_number:`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`logger.error("Certificate store integrity check failed, %s refers to certificate with serial %040x", link_target, cert.serial_number)`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`raise EnvironmentError("Integrity check failed")`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`logger.debug("OCSP responder queried from %s for %s with serial %040x, returned status 'good'",`
			`req.context.get("remote_addr"), cert.subject.native["common_name"], serial)`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`status = ocsp.CertStatus(name='good', value=None)`
			`except EnvironmentError:`
			`try:`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`path, buf, cert, signed, expires, revoked, reason = self.authority.get_revoked(serial)`
			`logger.debug("OCSP responder queried from %s for %s with serial %040x, returned status 'revoked' due to %s",`
			`req.context.get("remote_addr"), cert.subject.native["common_name"], serial, reason)`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`status = ocsp.CertStatus(`
			`name='revoked',`
			`value={`
			`'revocation_time': revoked,`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`'revocation_reason': reason,`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`})`
			`except EnvironmentError:`
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes 2018-04-27 07:48:15 +00:00			`logger.info("OCSP responder queried for unknown serial %040x from %s", serial, req.context.get("remote_addr"))`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`status = ocsp.CertStatus(name="unknown", value=None)`

			`responses.append({`
			`'cert_id': {`
			`'hash_algorithm': {`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`'algorithm': "sha1"`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`},`
			`'issuer_name_hash': server_certificate.asn1.subject.sha1,`
			`'issuer_key_hash': server_certificate.public_key.asn1.sha1,`
			`'serial_number': serial,`
			`},`
			`'cert_status': status,`
Several updates #4 * Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements 2018-05-15 07:45:29 +00:00			`'this_update': now - const.CLOCK_SKEW_TOLERANCE,`
			`'next_update': now + timedelta(minutes=15) + const.CLOCK_SKEW_TOLERANCE,`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`'single_extensions': []`
			`})`

			`response_data = ocsp.ResponseData({`
			`'responder_id': ocsp.ResponderId(name='by_key', value=server_certificate.public_key.asn1.sha1),`
			`'produced_at': now,`
			`'responses': responses,`
			`'response_extensions': response_extensions`
			`})`

			`resp.body = ocsp.OCSPResponse({`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`'response_status': "successful",`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`'response_bytes': {`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`'response_type': "basic_ocsp_response",`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`'response': {`
			`'tbs_response_data': response_data,`
Migrate from cryptography.io to oscrypto 2017-08-16 20:25:16 +00:00			`'certs': [server_certificate.asn1],`
ocsp: Add EC support 2018-04-13 07:56:05 +00:00			`'signature_algorithm': {'algorithm': "sha1_ecdsa" if self.authority.public_key.algorithm == "ec" else "sha1_rsa" },`
			`'signature': (asymmetric.ecdsa_sign if self.authority.public_key.algorithm == "ec" else asymmetric.rsa_pkcs1v15_sign)(`
api: ocsp: drop usage of global authority import 2018-02-03 10:45:07 +00:00			`self.authority.private_key,`
Migrate from cryptography.io to oscrypto 2017-08-16 20:25:16 +00:00			`response_data.dump(),`
			`"sha1"`
			`)`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`}`
			`}`
			`}).dump()`

Grand unified snippets 2018-05-29 09:06:07 +00:00			`# Interestingly openssl's OCSP code doesn't care about content type`
			`resp.append_header("Content-Type", "application/ocsp-response")`