Enable OCSP revocation check for trusted CA #3593
Conversation
kyberpunk
requested review from
kaniyan,
dejanb and
sophokles73
as code owners
kyberpunk
force-pushed
the
enable_revocation_check_for_trusted_ca
branch
2 times, most recently
from
4072e09 to
73472a4
Compare
...se/src/main/java/org/eclipse/hono/service/management/tenant/TrustedCertificateAuthority.java
Outdated
Show resolved
Hide resolved
|
@sophokles73 I was also thinking about integration tests - we are using OpenSSL OCSP server functionality for testing, so I can imagine using Testcontainers to setup OCSP responder for JUnit tests. Do you think it is good idea to do it this way? |
|
Hi @sophokles73 , I've incorporated your remarks and implemented comprehensive unit and integration tests. Can you please check it? There is currently just one remaining issue related to the decision of using just subject and public key for trust anchor. OCSP request defines issuerNameHash which is created from DER encoding of CA issuer name. We are storing subject just as string and by TrustAnchor it is interpreted internally as X500 name with UTF8String type, but in original certificate it can be (and usually is) PrintableString type. This leads to inconsistent hashes with original certificate. This can lead to incompatibility with some responders (e.g. OpenSSL implementation does not work properly). Can I add new field in TrustedCertificateAuthority for storing also the binary form of subject (similarly as pub key)? This would ensure correct compatibility according to specification. |
|
I hope to find the time to look into this more deeply next week. Sorry for the delay ... |
|
I've implemented also storing of DER encoded subject DN as mentioned, so now OCSP should work properly in most scenarios. |
|
Hi @sophokles73 , did you please have a chance to check it? |
|
not yet, sorry for the delay |
adapter-base/src/main/java/org/eclipse/hono/adapter/auth/device/x509/OCSPNonceExtension.java
Outdated
Show resolved
Hide resolved
adapter-base/src/main/java/org/eclipse/hono/adapter/auth/device/x509/OCSPNonceExtension.java
Outdated
Show resolved
Hide resolved
...ter-base/src/test/java/org/eclipse/hono/adapter/auth/device/x509/OCSPNonceExtensionTest.java
Outdated
Show resolved
Hide resolved
site/documentation/content/api/management/device-registry-v1.yaml
Outdated
Show resolved
Hide resolved
core/src/main/java/org/eclipse/hono/util/RevocableTrustAnchor.java
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,12 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
| MIIBtTCCATugAwIBAgIBADAKBggqhkjOPQQDBDAaMRgwFgYDVQQDDA9pb3QuZWNs | |||
There was a problem hiding this comment.
will any of the tests fail if any of the ceriticates' validity period has expired?
There was a problem hiding this comment.
Yes it will, but validity of new certificates is set to 50 years so I hope it is sufficient countermeasure.
adapter-base/src/test/java/org/eclipse/hono/adapter/auth/device/x509/OCSPIntegrationTest.java
Outdated
Show resolved
Hide resolved
...ter-base/src/test/java/org/eclipse/hono/adapter/auth/device/x509/OCSPNonceExtensionTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
…sted CA. Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
…ved methods for RevocableTrustAnchor setup. Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
… inconsistent issuerNameHash in OCSP Signed-off-by: Vit Holasek <[email protected]>
kyberpunk
force-pushed
the
enable_revocation_check_for_trusted_ca
branch
from
9f49c91 to
44081c7
Compare
Signed-off-by: Vit Holasek <[email protected]>
kyberpunk
force-pushed
the
enable_revocation_check_for_trusted_ca
branch
from
44081c7 to
e16345b
Compare
| * Gets OCSP responder certificate which is used to verify OCSP response signature. If custom certificate is not | ||
| * set then issuing CA of client certificate is used instead. |
There was a problem hiding this comment.
IMHO this will only work, if the user also includes the trust anchor certificate in its request, because otherwise cert will always be null as we do not store the cert in the DB but only its public key and subject DN.
This means that we can not later enable OCSP using the trust anchor CA for this purpose on an already existing trust anchor, or am I mistaken?
There was a problem hiding this comment.
Technically yes. Since OCSP implementation requires full certificate, user must provide it either in cert or ocsp-responder-cert property. I may test what happens in such case, when you just enable it by PUT, but it should be handled by validation.
| X.509 certificate. If the `cert` property is used to provide | ||
| an X.509 certificate then the subject DN is determined from | ||
| the certificate and this property is ignored. | ||
| Otherwise this property is optional, but may be needed to |
There was a problem hiding this comment.
may be needed is very unspecific. Please be clear about when this property is required.
There was a problem hiding this comment.
Improved description
| type: string | ||
| description: | | ||
| Specifies the OCSP responder uri which will be used for OCSP revocation check of this trust | ||
| anchor. If URI is not set then certificate AIA extension value is used to obtain the values |
There was a problem hiding this comment.
... the AIA extension value of the certificate to check is used ...
| @@ -0,0 +1,6 @@ | |||
| -----BEGIN EC PRIVATE KEY----- | |||
There was a problem hiding this comment.
I am not happy with having these certificates in the code base which seem to have happened to just come out of nowhere.
Can you please include a script for creating them in the demo-certs folder or extend the existing script and then use the keys from the demo-certs artifact as we do in other modules?
There was a problem hiding this comment.
Ok, added second device certificate to demo script and now we fetch certificates and information from that package instead of extra static files. It just required small fix, to mark certificates as end entity by CA:FALSE in constrains, otherwise the Java implementations ignores them.
Signed-off-by: Vit Holasek <[email protected]>
…tantiation. Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
Signed-off-by: Vit Holasek <[email protected]>
|
@sophokles73 I described the OCSP revocation check experimental feature in the documentation as you requested on open call. |
| response is then used to verify the client certificate's revocation status. Revocation check can be configured using the | ||
| [Tenant](/hono/docs/api/management/#/tenants) resource of Device Registry Management API. | ||
|
|
||
| OCSP revocation check is supported for HTTP, MQTT, AMQP and CoAP protocol adapters. |
There was a problem hiding this comment.
I guess it would be fair to say that it is supported with all protocol adapters, based on the way you have integrated it ...
| OCSP revocation check is supported for HTTP, MQTT, AMQP and CoAP protocol adapters. | ||
|
|
||
| {{% notice info %}} | ||
| This feature is experimental and may be subject to change in future releases. Current implementation checks the |
There was a problem hiding this comment.
... in future releases without further notice.
Signed-off-by: Vit Holasek <[email protected]>
sophokles73
added
Feature Request
Hello, based on issue #3588 I implemented OCSP revocation check support when using trusted CAs for device authentication in tenant.
PR contains following functionality:
To reconsider:
I'm looking forward to your feedback what would you change. Once you confirm that code changes are ok, I will can also extend tests and documentation. Currently the changes were tested just manually.
closes #3588