Embed OCSP responder URL in certificate

2024-12-22 08:15:18 +00:00 · 2017-07-08 12:08:39 +00:00 · 2017-07-08 12:08:39 +00:00 · d44b6035c2
commit d44b6035c2
parent 47d2d37684
3 changed files with 40 additions and 21 deletions
--- a/certidude/config.py
+++ b/certidude/config.py
@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
 CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
 SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
 AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
-CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
 CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")

 REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")
--- a/certidude/signer.py
+++ b/certidude/signer.py
@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
                extended_key_usage_flags.append( # OpenVPN client
                    ExtendedKeyUsageOID.CLIENT_AUTH)

+            aia = [
+                x509.AccessDescription(
+                    AuthorityInformationAccessOID.CA_ISSUERS,
+                    x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
+            ]
+
+            if config.AUTHORITY_OCSP_URL:
+                aia.append(
+                    x509.AccessDescription(
+                        AuthorityInformationAccessOID.OCSP,
+                        x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
+
            builder = x509.CertificateBuilder(
                ).subject_name(
                    x509.Name([common_name])
@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
                        request.public_key()),
                    critical=False
                ).add_extension(
-                    x509.AuthorityInformationAccess([
-                        x509.AccessDescription(
-                            AuthorityInformationAccessOID.CA_ISSUERS,
-                            x509.UniformResourceIdentifier(
-                                config.AUTHORITY_CERTIFICATE_URL)
-                        )
-                    ]),
-                    critical=False
-                ).add_extension(
-                    x509.CRLDistributionPoints([
-                        x509.DistributionPoint(
-                            full_name=[
-                                x509.UniformResourceIdentifier(
-                                    config.CERTIFICATE_CRL_URL)],
-                            relative_name=None,
-                            crl_issuer=None,
-                            reasons=None)
-                    ]),
+                    x509.AuthorityInformationAccess(aia),
                    critical=False
                ).add_extension(
                    x509.AuthorityKeyIdentifier.from_issuer_public_key(
@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
                    critical=False
                )

+            if config.AUTHORITY_CRL_URL:
+                builder = builder.add_extension(
+                    x509.CRLDistributionPoints([
+                        x509.DistributionPoint(
+                            full_name=[
+                                x509.UniformResourceIdentifier(
+                                    config.AUTHORITY_CRL_URL)],
+                            relative_name=None,
+                            crl_issuer=None,
+                            reasons=None)
+                    ]),
+                    critical=False
+                )
+
            # OpenVPN uses CN while StrongSwan uses SAN
            if server_flags:
                builder = builder.add_extension(
--- a/certidude/templates/server/server.conf
+++ b/certidude/templates/server/server.conf
@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

 # Simple Certificate Enrollment Protocol enabled subnets
 scep subnets =
+;scep subnets = 0.0.0.0/0

 # Online Certificate Status Protocol enabled subnets
 ocsp subnets =
+;ocsp subnets = 0.0.0.0/0

 # Certificate Revocation lists can be accessed from anywhere by default
+;crl subnets =
 crl subnets = 0.0.0.0/0

 [logging]
@ -92,10 +95,16 @@ revocation list lifetime = 24
 # URL where CA certificate can be fetched from
 authority certificate url = {{ certificate_url }}

-# Strongswan can be configured to automatically fetch CRL
-# in that case CRL URL has to be embedded in the certificate
+# Strongswan can automatically fetch CRL if
+# CRL distribution point extension is included in the certificate
+;revoked url =
 revoked url = {{ revoked_url }}

+# StrongSwan can automatically query OCSP responder if
+# AIA extension includes OCSP responder URL
+responder url =
+;responder url = {{ responder_url }}
+
 # If certificate renewal is allowed clients can request a certificate
 # for the same public key with extended lifetime
 renewal allowed = false