From d44b6035c2107c39e55faa3941306f5699e84638 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Sat, 8 Jul 2017 12:08:39 +0000
Subject: [PATCH] Embed OCSP responder URL in certificate

---
 certidude/config.py | 3 +-
 certidude/signer.py | 45 +++++++++++++++-----------
 certidude/templates/server/server.conf | 13 ++++++--
 3 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/certidude/config.py b/certidude/config.py
index 7cd005c..b891e7a 100644
--- a/certidude/config.py
+++ b/certidude/config.py
@@ -67,7 +67,8 @@ REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allo
 CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
 SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
 AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
-CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
+AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
 CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
 REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")
 
diff --git a/certidude/signer.py b/certidude/signer.py
index 2556c68..3fc1666 100644
--- a/certidude/signer.py
+++ b/certidude/signer.py
@@ -99,6 +99,18 @@ class SignHandler(asynchat.async_chat):
 extended_key_usage_flags.append( # OpenVPN client
 ExtendedKeyUsageOID.CLIENT_AUTH)
 
+ aia = [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(config.AUTHORITY_CERTIFICATE_URL))
+ ]
+
+ if config.AUTHORITY_OCSP_URL:
+ aia.append(
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(config.AUTHORITY_OCSP_URL)))
+
 builder = x509.CertificateBuilder(
 ).subject_name(
 x509.Name([common_name])
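Review bot: The new `cp.get("signature", "responder url")` has no fallback, so loading config.py against a server.conf written before this change raises `configparser.NoOptionError` at import time and the service fails to start, even though the signer treats an empty value as "no OCSP". Give the new key a default, e.g. `AUTHORITY_OCSP_URL = cp.get("signature", "responder url", fallback="")` (Python 3 configparser), or state in the changelog that existing deployments must add the key. The rename of `CERTIFICATE_CRL_URL` to `AUTHORITY_CRL_URL` will likewise break any other module that still references the old name; the diffstat shows only signer.py updated, so that is worth a grep before merging.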
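Review bot: The new `aia` list carries no comment saying what the extension is for or what constraints the URLs have, and neither URL is validated before being baked into every certificate issued until server.conf is corrected. Relying parties fetch these locations before the chain is validated, so they are conventionally plain `http://` (RFC 5280 §4.2.2.1, RFC 6960 Appendix A); an `https://` responder whose own certificate chains to this CA would need revocation checking of itself. I would add above `aia = [`: `# Authority Information Access (RFC 5280 §4.2.2.1): where relying parties fetch the issuer certificate and, if configured, query OCSP; use plain http:// URLs to avoid a circular TLS dependency`. The enclosing method starts before this hunk and continues after it.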
@@ -142,24 +154,7 @@ class SignHandler(asynchat.async_chat):
 request.public_key()),
 critical=False
 ).add_extension(
- x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(
- config.AUTHORITY_CERTIFICATE_URL)
- )
- ]),
- critical=False
- ).add_extension(
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[
- x509.UniformResourceIdentifier(
- config.CERTIFICATE_CRL_URL)],
- relative_name=None,
- crl_issuer=None,
- reasons=None)
- ]),
+ x509.AuthorityInformationAccess(aia),
 critical=False
 ).add_extension(
 x509.AuthorityKeyIdentifier.from_issuer_public_key(
@@ -167,6 +162,20 @@ class SignHandler(asynchat.async_chat):
 critical=False
 )
 
+ if config.AUTHORITY_CRL_URL:
+ builder = builder.add_extension(
+ x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ config.AUTHORITY_CRL_URL)],
+ relative_name=None,
+ crl_issuer=None,
+ reasons=None)
+ ]),
+ critical=False
+ )
+
 # OpenVPN uses CN while StrongSwan uses SAN
 if server_flags:
 builder = builder.add_extension(
diff --git a/certidude/templates/server/server.conf b/certidude/templates/server/server.conf
index 02051c8..da53964 100644
--- a/certidude/templates/server/server.conf
+++ b/certidude/templates/server/server.conf
@@ -58,11 +58,14 @@ autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 
 # Simple Certificate Enrollment Protocol enabled subnets
 scep subnets =
+;scep subnets = 0.0.0.0/0
 
 # Online Certificate Status Protocol enabled subnets
 ocsp subnets =
+;ocsp subnets = 0.0.0.0/0
 
 # Certificate Revocation lists can be accessed from anywhere by default
+;crl subnets =
 crl subnets = 0.0.0.0/0
 
 [logging]
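Review bot: With the CRL distribution point now guarded by `if config.AUTHORITY_CRL_URL:` (and the template in this commit allowing `revoked url` to be left empty), a deployment that sets neither `revoked url` nor `responder url` issues certificates with no revocation pointer at all, and neither this hunk nor the AIA hunk above flags it; standard clients then have no way to learn of revocation for the certificate's whole lifetime. A cheap guard is to warn when both are unset, e.g. `if not config.AUTHORITY_CRL_URL and not config.AUTHORITY_OCSP_URL:` followed by a warning through whatever logger this module uses, or at minimum a comment above the new `if` stating that omitting both makes issued certificates unrevocable by standard means. The enclosing method starts before this hunk and continues after it.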
@@ -92,10 +95,16 @@ revocation list lifetime = 24
 # URL where CA certificate can be fetched from
 authority certificate url = {{ certificate_url }}
 
-# Strongswan can be configured to automatically fetch CRL
-# in that case CRL URL has to be embedded in the certificate
+# Strongswan can automatically fetch CRL if
+# CRL distribution point extension is included in the certificate
+;revoked url =
 revoked url = {{ revoked_url }}
 
+# StrongSwan can automatically query OCSP responder if
+# AIA extension includes OCSP responder URL
+responder url =
+;responder url = {{ responder_url }}
+
 # If certificate renewal is allowed clients can request a certificate
 # for the same public key with extended lifetime
 renewal allowed = false
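Review bot: The live line is `responder url =` with the templated value commented out, the reverse of `revoked url`, so a freshly rendered server.conf embeds a CRL pointer but never an OCSP pointer even when `ocsp subnets` is opened; if that is intentional the comment should say so, e.g. `# Leave empty to omit the OCSP responder URL from issued certificates`. Both URLs are written into each certificate for its lifetime, so changing either later affects only newly issued certificates, and clients must be able to reach them over plain HTTP without a trusted chain; neither comment mentions this, and the new `revoked url` text reads as if it were only about StrongSwan. A one-line addition such as `# Changing this later only affects certificates issued afterwards` above both keys would cover it.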