r509-ocsp-responder 0.3.1

data/lib/r509/ocsp/responder/ocsp-config.rb

@@ -0,0 +1,35 @@
+module R509::Ocsp::Responder
+    class OcspConfig
+        def self.load_config
+            config_data = File.read("config.yaml")
+
+            Dependo::Registry[:config_pool] = R509::Config::CaConfigPool.from_yaml("certificate_authorities", config_data)
+
+            Dependo::Registry[:copy_nonce] = YAML.load(config_data)["copy_nonce"] || false
+
+            Dependo::Registry[:cache_headers] = YAML.load(config_data)["cache_headers"] || false
+
+            Dependo::Registry[:max_cache_age] = YAML.load(config_data)["max_cache_age"]
+
+            Dependo::Registry[:ocsp_signer] = R509::Ocsp::Signer.new(
+                :configs => Dependo::Registry[:config_pool],
+                :validity_checker => R509::Validity::Redis::Checker.new(Dependo::Registry[:redis]),
+                :copy_nonce => Dependo::Registry[:copy_nonce]
+            )
+        end
+
+        def self.print_config
+            Dependo::Registry[:log].warn "Config loaded"
+            Dependo::Registry[:log].warn "Copy Nonce: "+Dependo::Registry[:copy_nonce].to_s
+            Dependo::Registry[:log].warn "Cache Headers: "+Dependo::Registry[:cache_headers].to_s
+            Dependo::Registry[:log].warn "Max Cache Age: "+Dependo::Registry[:max_cache_age].to_s
+            Dependo::Registry[:config_pool].all.each do |config|
+                Dependo::Registry[:log].warn "Config: "
+                Dependo::Registry[:log].warn "CA Cert:"+config.ca_cert.subject.to_s
+                Dependo::Registry[:log].warn "OCSP Cert (may be the same as above):"+config.ocsp_cert.subject.to_s
+                Dependo::Registry[:log].warn "OCSP Validity Hours: "+config.ocsp_validity_hours.to_s
+                Dependo::Registry[:log].warn "\n"
+            end
+        end
+    end
+end

data/lib/r509/ocsp/responder/server.rb

@@ -0,0 +1,169 @@
+require 'rubygems' if RUBY_VERSION < "1.9"
+require 'sinatra/base'
+require 'r509'
+require 'r509/ocsp/signer'
+require 'r509/validity/redis'
+require 'base64'
+require 'dependo'
+require 'logger'
+require 'time'
+require File.dirname(__FILE__)+'/ocsp-config.rb'
+
+# Capture USR2 calls so we can reload and print the config
+# I'd rather use HUP, but daemons like thin already capture that
+# so we can't use it.
+Signal.trap("USR2") do
+    R509::Ocsp::Responder::OcspConfig.load_config
+    R509::Ocsp::Responder::OcspConfig.print_config
+end
+
+
+module R509::Ocsp::Responder
+    #error for status checking
+    class StatusError < StandardError
+    end
+
+    class Server < Sinatra::Base
+        include Dependo::Mixin
+
+        configure do
+            mime_type :ocsp, 'application/ocsp-response'
+            disable :protection #disable Rack::Protection (for speed)
+            disable :logging
+            set :environment, :production
+        end
+
+        error do
+            log.error env["sinatra.error"].inspect
+            log.error env["sinatra.error"].backtrace.join("\n")
+            "Something is amiss with our OCSP responder. You should ... wait?"
+        end
+
+        error OpenSSL::OCSP::OCSPError do
+            "Invalid request"
+        end
+
+        error R509::Ocsp::Responder::StatusError do
+            "Down"
+        end
+
+        get '/favicon.ico' do
+            log.debug "go away. no children."
+            "go away. no children"
+        end
+
+        get '/status/?' do
+            begin
+                if Dependo::Registry[:ocsp_signer].validity_checker.is_available?
+                    "OK"
+                else
+                    raise R509::Ocsp::Responder::StatusError
+                end
+            rescue
+                raise R509::Ocsp::Responder::StatusError
+            end
+        end
+
+        get '/*' do
+            raw_request = params[:splat].join("/")
+            #remove any leading slashes (looking at you MS Crypto API)
+            raw_request.sub!(/^\/+/,"")
+            log.info { "GET Request: "+raw_request }
+            der = Base64.decode64(raw_request)
+            request_response = handle_ocsp_request(der, "GET")
+            build_headers(request_response)
+            request_response[:response].to_der
+        end
+
+        post '/' do
+            if request.media_type == 'application/ocsp-request'
+                der = request.env["rack.input"].read
+                log.info { "POST Request: "+Base64.encode64(der).gsub!(/\n/,"") }
+                request_response = handle_ocsp_request(der, "POST")
+                request_response[:response].to_der
+            end
+        end
+
+        private
+
+        def handle_ocsp_request(der, method)
+            begin
+                request_response = ocsp_signer.handle_request(der)
+
+                log_ocsp_response(request_response[:response],method)
+
+                content_type :ocsp
+                request_response
+            rescue StandardError => e
+                log.error "unexpected error #{e}"
+                raise e
+            end
+        end
+
+        def log_ocsp_response(ocsp_response, method="?")
+            if response.nil?
+                log.error "Something went horribly wrong"
+                return
+            end
+
+            case ocsp_response.status
+            when OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL
+                serial_data = ocsp_response.basic.status.map do |status|
+                    friendly_status = case status[1]
+                    when 0
+                        "VALID"
+                    when 1
+                        "REVOKED"
+                    when 2
+                        "UNKNOWN"
+                    end
+                    if ocsp_response.basic.status[0][0].respond_to?(:issuer_key_hash)
+                        config_used = ocsp_signer.request_checker.configs_hash[ocsp_response.basic.status[0][0].issuer_key_hash]
+                    else
+                        config_used = ocsp_signer.request_checker.configs.find do |config|
+                            #we need to create an OCSP::CertificateId object that has the right
+                            #issuer so we can pass it to #cmp_issuer. This is annoying because
+                            #CertificateId wants a cert and its issuer, but we don't want to
+                            #force users to provide an end entity cert just to make this comparison
+                            #work. So, we create a fake new cert and pass it in.
+                            ee_cert = OpenSSL::X509::Certificate.new
+                            ee_cert.issuer = config.ca_cert.cert.subject
+                            issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
+                            ocsp_response.basic.status[0][0].cmp_issuer(issuer_certid)
+                        end
+                    end
+                    stats.record(config_used.ca_cert.subject.to_s, status[0].serial.to_s, friendly_status) if Dependo::Registry.has_key?(:stats)
+                    status[0].serial.to_s+" Status: #{friendly_status}"
+                end
+                log.info { "#{method} Request For Serial(s): #{serial_data.join(",")} UserAgent: #{env["HTTP_USER_AGENT"]}" }
+            when OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED
+                log.info { "#{method} Request For Unauthorized CA. UserAgent: #{env["HTTP_USER_AGENT"]}" }
+            when OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST
+                log.info { "#{method} Malformed Request. UserAgent: #{env["HTTP_USER_AGENT"]}" }
+            end
+        end
+
+        def build_headers(request_response)
+            ocsp_response = request_response[:response]
+            ocsp_request = request_response[:request]
+
+            # cache_headers is injected via config.ru
+            # we only cache if it's a RESPONSE_STATUS_SUCCESSFUL response and there's no nonce.
+            if cache_headers and not ocsp_response.basic.nil? and ocsp_response.check_nonce(ocsp_request) == R509::Ocsp::Request::Nonce::BOTH_ABSENT
+                calculated_max_age =  ocsp_response.basic.status[0][5] - Time.now
+                #same with max_cache_age
+                if not max_cache_age or ( max_cache_age > calculated_max_age )
+                    max_age = calculated_max_age
+                else
+                    max_age = max_cache_age
+                end
+
+                response["Last-Modified"] = Time.now.httpdate
+                response["ETag"] = OpenSSL::Digest::SHA1.new(ocsp_response.to_der).to_s
+                response["Expires"] = ocsp_response.basic.status[0][5].httpdate
+                response["Cache-Control"] = "max-age=#{max_age.to_i}, public, no-transform, must-revalidate"
+            end
+        end
+
+    end
+end

data/lib/r509/ocsp/responder/version.rb

@@ -0,0 +1,7 @@
+module R509
+    module Ocsp
+        module Responder
+            VERSION="0.3.1"
+        end
+    end
+end

data/lib/r509/ocsp/signer.rb

@@ -0,0 +1,244 @@
+require 'openssl'
+require 'r509/exceptions'
+require 'r509/config'
+require 'dependo'
+
+# OCSP related classes (signing, response, request)
+module R509::Ocsp
+    # A class for signing OCSP responses
+    class Signer
+        attr_reader :validity_checker,:request_checker
+
+        # @option options [Boolean] :copy_nonce copy nonce from request to response?
+        # @option options [R509::Config::CaConfigPool] :configs CaConfigPool object
+        # possible OCSP issuance roots that we want to issue OCSP responses for
+        def initialize(options)
+            if options.has_key?(:validity_checker)
+                @validity_checker = options[:validity_checker]
+            else
+                @validity_checker = R509::Validity::DefaultChecker.new
+            end
+            @request_checker = Helper::RequestChecker.new(options[:configs], @validity_checker)
+            @response_signer = Helper::ResponseSigner.new(options)
+        end
+
+
+        # @param request [String,OpenSSL::OCSP::Request] OCSP request (string or parsed object)
+        # @return [Hash]
+        #   * :request [OpenSSL::OCSP::Request] parsed request object
+        #   * :response [OpenSSL::OCSP::Response] full response object
+        def handle_request(request)
+            begin
+                parsed_request = OpenSSL::OCSP::Request.new request
+            rescue
+                return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_MALFORMEDREQUEST), :request => nil}
+            end
+
+            statuses = @request_checker.check_statuses(parsed_request)
+            if not @request_checker.validate_statuses(statuses)
+                return {:response => @response_signer.create_response(OpenSSL::OCSP::RESPONSE_STATUS_UNAUTHORIZED), :request => nil}
+            end
+
+            basic_response = @response_signer.create_basic_response(parsed_request,statuses)
+
+            {:response => @response_signer.create_response(
+                OpenSSL::OCSP::RESPONSE_STATUS_SUCCESSFUL,
+                basic_response
+            ), :request => parsed_request}
+        end
+
+    end
+end
+
+#Helper module for OCSP handling
+module R509::Ocsp::Helper
+    # checks requests for validity against a set of configs
+    class RequestChecker
+        include Dependo::Mixin
+        attr_reader :configs,:configs_hash
+
+        # @param [R509::Config::CaConfigPool] configs CaConfigPool object
+        # @param [R509::Validity::Checker] validity_checker an implementation of the R509::Validity::Checker class
+        def initialize(configs, validity_checker)
+            unless configs.kind_of?(R509::Config::CaConfigPool)
+                raise R509::R509Error, "Must pass R509::Config::CaConfigPool object"
+            end
+            if configs.all.empty?
+                raise R509::R509Error, "Must be at least one R509::Config object"
+            end
+            @configs = configs.all
+            test_cid = OpenSSL::OCSP::CertificateId.new(OpenSSL::X509::Certificate.new,OpenSSL::X509::Certificate.new)
+            if test_cid.respond_to?(:issuer_key_hash)
+                @configs_hash = {}
+                @configs.each do |config|
+                    ee_cert = OpenSSL::X509::Certificate.new
+                    ee_cert.issuer = config.ca_cert.cert.subject
+                    # per RFC 5019
+                    # Clients MUST use SHA1 as the hashing algorithm for the
+                    # CertID.issuerNameHash and the CertID.issuerKeyHash values.
+                    # so we can safely assume that our inbound hashes will be SHA1
+                    issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert,OpenSSL::Digest::SHA1.new)
+                    @configs_hash[issuer_certid.issuer_key_hash] = config
+                end
+            end
+            @validity_checker = validity_checker
+            if @validity_checker.nil?
+                raise R509::R509Error, "Must supply a R509::Validity::Checker"
+            end
+            if not @validity_checker.respond_to?(:check)
+                raise R509::R509Error, "The validity checker must have a check method"
+            end
+        end
+
+        # Loads and checks a raw OCSP request
+        #
+        # @param request [OpenSSL::OCSP::Request] OpenSSL OCSP Request object
+        # @return [Hash] hash from the check_status method
+        def check_statuses(request)
+            request.certid.map { |certid|
+                if certid.respond_to?(:issuer_key_hash)
+                    validated_config = @configs_hash[certid.issuer_key_hash]
+                else
+                    validated_config = @configs.find do |config|
+                        #we need to create an OCSP::CertificateId object that has the right
+                        #issuer so we can pass it to #cmp_issuer. This is annoying because
+                        #CertificateId wants a cert and its issuer, but we don't want to
+                        #force users to provide an end entity cert just to make this comparison
+                        #work. So, we create a fake new cert and pass it in.
+                        ee_cert = OpenSSL::X509::Certificate.new
+                        ee_cert.issuer = config.ca_cert.cert.subject
+                        issuer_certid = OpenSSL::OCSP::CertificateId.new(ee_cert,config.ca_cert.cert)
+                        certid.cmp_issuer(issuer_certid)
+                    end
+                end
+
+                log.info "#{validated_config.ca_cert.subject.to_s} found for issuer" if validated_config
+                check_status(certid, validated_config)
+            }
+        end
+
+        # Determines whether the statuses constitute a request that is compliant.
+        # No config means we don't know the CA, different configs means there are
+        # requests from two different CAs in there. Both are invalid.
+        #
+        # @param statuses [Array<Hash>] array of hashes from check_statuses
+        # @return [Boolean]
+        def validate_statuses(statuses)
+            validity = true
+            config = nil
+
+            statuses.each do |status|
+                if status[:config].nil?
+                    validity = false
+                end
+                if config.nil?
+                    config = status[:config]
+                end
+                if config != status[:config]
+                    validity = false
+                end
+            end
+
+            validity
+        end
+
+        private
+
+        # Checks the status of a certificate with the corresponding CA
+        # @param certid [OpenSSL::OCSP::CertificateId] The certId object from check_statuses
+        # @param validated_config [R509::Config]
+        def check_status(certid, validated_config)
+            if(validated_config == nil) then
+                return {
+                    :certid => certid,
+                    :config => nil
+                }
+            else
+                validity_status = @validity_checker.check(validated_config.ca_cert.subject.to_s,certid.serial)
+                return {
+                    :certid => certid,
+                    :status => validity_status.ocsp_status,
+                    :revocation_reason => validity_status.revocation_reason,
+                    :revocation_time => validity_status.revocation_time,
+                    :config => validated_config
+                }
+            end
+        end
+    end
+
+    #signs OCSP responses
+    class ResponseSigner
+        # @option options [Boolean] :copy_nonce
+        def initialize(options)
+            if options.has_key?(:copy_nonce)
+                @copy_nonce = options[:copy_nonce]
+            else
+                @copy_nonce = false
+            end
+        end
+
+        # It is UNWISE to call this method directly because it assumes that the request is
+        # validated. You probably want to take a look at R509::Ocsp::Signer#handle_request
+        #
+        # @param request [OpenSSL::OCSP::Request]
+        # @param statuses [Hash] hash from R509::Ocsp::Helper::RequestChecker#check_statuses
+        # @return [OpenSSL::OCSP::BasicResponse]
+        def create_basic_response(request,statuses)
+            basic_response = OpenSSL::OCSP::BasicResponse.new
+
+            basic_response.copy_nonce(request) if @copy_nonce
+
+            statuses.each do |status|
+                #revocation time is retarded and is relative to now, so
+                #let's figure out what that is.
+                if status[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
+                    revocation_time = status[:revocation_time].to_i - Time.now.to_i
+                end
+                basic_response.add_status(status[:certid],
+                                        status[:status],
+                                        status[:revocation_reason],
+                                        revocation_time,
+                                        -1*status[:config].ocsp_start_skew_seconds,
+                                        status[:config].ocsp_validity_hours*3600,
+                                        [] #array of OpenSSL::X509::Extensions
+                                        )
+            end
+
+            #this method assumes the request data is validated by validate_request so all configs will be the same and
+            #we can choose to use the first one safely
+            config = statuses[0][:config]
+
+            #confusing, but R509::Cert contains R509::PrivateKey under #key. PrivateKey#key gives the OpenSSL object
+            #turns out BasicResponse#sign can take up to 4 params
+            #cert, key, array of OpenSSL::X509::Certificates, flags (not sure what the enumeration of those are)
+            basic_response.sign(config.ocsp_cert.cert,config.ocsp_cert.key.key,config.ocsp_chain)
+        end
+
+        # Builds final response.
+        #
+        # @param response_status [OpenSSL::OCSP::RESPONSE_STATUS_*] the primary response status
+        # @param basic_response [OpenSSL::OCSP::BasicResponse] an optional basic response object
+        # generated by create_basic_response
+        # @return [OpenSSL::OCSP::OCSPResponse]
+        def create_response(response_status,basic_response=nil)
+
+            # first arg is the response status code, comes from this list
+            # these can also be enumerated via OpenSSL::OCSP::RESPONSE_STATUS_*
+            #OCSPResponseStatus ::= ENUMERATED {
+            #    successful            (0),      --Response has valid confirmations
+            #    malformedRequest      (1),      --Illegal confirmation request
+            #    internalError         (2),      --Internal error in issuer
+            #    tryLater              (3),      --Try again later
+            #                       --(4) is not used
+            #    sigRequired           (5),      --Must sign the request
+            #    unauthorized          (6)       --Request unauthorized
+            #}
+            #
+            R509::Ocsp::Response.new(
+                OpenSSL::OCSP::Response.create(
+                    response_status, basic_response
+                )
+            )
+        end
+    end
+end