Bugzilla – Bug 4788
[patch] add OCSP check to globus_i_gsi_callback_check_revoked()
Last modified: 2008-08-11 14:50:48
The following patch adds OCSP checking to globus_i_gsi_callback_check_revoked(), called by globus_gsi_callback_handshake_callback(). It uses OpenSSL's OCSP support. If a certificate contains an OCSP URI in the AuthorityInfoAccess extension, the OCSP responder is queried for certificate status. Errors obtaining/validating the OCSP response are ignored. Only a valid OCSP Revoked response will cause certificate verification failure. CRL checking is still performed in any case.

The code is based on two BSD-licensed software modules from the Secure Programming Cookbook for C and C++ by John Viega and Matt Messier (http://www.secureprogramming.com/) and X.509 certificate support for OpenSSH by Roumen Petrov (http://roumenpetrov.info/openssh/).

The code currently sends unsigned certificate requests. (The code to sign the requests is #ifdef'ed out.) Both http and https URIs are supported. The use of OCSP nonces is disabled per the recommendation of [GridOCSP]. However, none of the configurability discussed in [GridOCSP] is implemented.

I've tested using 'grid-proxy-init -debug -verify' against both an OpenSSL OCSP responder and the CertiVeR IGTF responder [IGTF]. Set $GLOBUS_OCSP_DEBUG_LEVEL=2 for debugging output. I ran the OpenSSL OCSP responder like this:

$ openssl ocsp -index ~/.globus/simpleCA/index.txt \
    -port 8888 -rsigner ~/.globus/simpleCA/cacert.pem \
    -rkey ~/.globus/simpleCA/private/cakey.pem \
    -CA ~/.globus/simpleCA/cacert.pem -text -out ocsp.log

The code could use some more work. Perhaps it should be a separate GPT package. The current API is very simplistic, and there aren't good error messages. It could certainly be much more configurable. Still, perhaps this is a useful first step in having OCSP support in the Globus C code, as OGRO provides support for the Java code. Perhaps we can discuss it on the csec-dev@globus.org list (http://www.globus.org/mail_archive/csec-dev/2006/10/msg00001.html).

References:
[GridOCSP] OCSP Requirements for Grids. https://forge.gridforum.org/sf/go/doc4852
[OCSP] PKIX Online Certificate Status Protocol. http://www.ietf.org/rfc/rfc2560.txt
[OGRO] The Open GRid Ocsp Java client API. http://globus-grid.certiver.com/info/ogro/
[IGTF] CertiVeR IGTF OCSP Responder. http://tacar.certiver.com/info/
[OpenValidation.Org] http://www.openvalidation.org/
Created an attachment (id=1080)
globus_gsi_callback patch to add basic OCSP support

To apply:
$ cd gsi/callback/source/library
$ patch -Np1 < globus_gsi_callback-ocsp.patch

Created an attachment (id=1098)
globus_gsi_callback patch to add basic OCSP support

Changes:
- even though globus_i_gsi_callback_check_revoked() shouldn't be called for a proxy certificate, add a check inside that function to make sure we don't check OCSP for proxies
- add GLOBUS_OCSP_RESPONDER_URL environment variable to set a locally trusted OCSP responder to override the AIA OCSP URL
- don't perform OCSP check if OCSP_noCheck extension is present in certificate
- fix handling of verify_cb function so we don't use GSI callback inside OCSP checking, because that causes recursion issues

Created an attachment (id=1101)
globus_gsi_callback patch to add basic OCSP support

One-line change from previous patch adding SSL_CTX_set_verify() call in globus_i_ocsp_connect_ssl() to verify the OCSP responder's SSL certificate.

Created an attachment (id=1102)
globus_gsi_callback patch to add basic OCSP support

Add check for NULL response from OCSP_sendreq_bio().

Created an attachment (id=1104)
globus_gsi_callback patch to add basic OCSP support

Added GLOBUS_OCSP_RESPONDER_CERT environment variable to specify path to file containing explicitly trusted responder certificates. Needed for http://amethyst.es.net/ responder (for example).
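The responder-selection rules and failure policy described in the report and the attachment notes (AIA OCSP URI, GLOBUS_OCSP_RESPONDER_URL override, OCSP_noCheck, no check for proxies, only a validated Revoked status fails), as an added Go example using only the standard library; it is not the patch's code, which is C against OpenSSL's OCSP API, and it covers the policy around the query rather than the HTTP exchange itself. The names responderURL, verdict and newTestCert, the isProxy flag and the constructed sample certificate are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 2560): a certificate carrying it is not OCSP-checked.
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
// responderURL: skip proxy certs and certs with OCSP_noCheck; a locally trusted
// responder (GLOBUS_OCSP_RESPONDER_URL) overrides the AIA OCSP URI; "" = no OCSP.
func responderURL(cert *x509.Certificate, override string, isProxy bool) string {
	if isProxy { return "" }
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidOCSPNoCheck) { return "" }
	}
	if override != "" { return override }
	if len(cert.OCSPServer) > 0 { return cert.OCSPServer[0] }
	return ""
}
// verdict: response errors are ignored (CRL checking still runs); only Revoked fails.
func verdict(status string, err error) error {
	if err == nil && status == "revoked" { return fmt.Errorf("OCSP status: revoked") }
	return nil
}
// newTestCert builds a constructed self-signed sample certificate with an AIA
// OCSP URI and, optionally, the OCSP_noCheck extension (value: ASN.1 NULL).
func newTestCert(noCheck bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ocsp-sample"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), OCSPServer: []string{"http://ocsp.example.invalid:8888"}}
	if noCheck { tmpl.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}} }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert(false)
	if err != nil { panic(err) }
	fmt.Println(responderURL(cert, "", false), verdict("revoked", nil), verdict("", fmt.Errorf("timeout")))
}
```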