Bug 4788 - [patch] add OCSP check to globus_i_gsi_callback_check_revoked()
Status: NEW
Product: GSI C
Component: Authorization
Version: development
Platform: All All
Importance: P3 enhancement
Target Milestone: ---
Assigned To:
URL: http://www.globus.org/mail_archive/cs...
Reported: 2006-10-17 14:33 by
Modified: 2008-08-11 14:50 (History)


Attachments:
- globus_gsi_callback patch to add basic OCSP support (30.84 KB, patch), 2006-10-17 14:37, Jim Basney
- globus_gsi_callback patch to add basic OCSP support (32.30 KB, patch), 2006-10-22 13:45, Jim Basney
- globus_gsi_callback patch to add basic OCSP support (32.35 KB, patch), 2006-10-23 11:24, Jim Basney
- globus_gsi_callback patch to add basic OCSP support (32.37 KB, patch), 2006-10-23 11:34, Jim Basney
- globus_gsi_callback patch to add basic OCSP support (34.33 KB, patch), 2006-10-23 18:40, Jim Basney




Description From 2006-10-17 14:33:39
The following patch adds OCSP checking to globus_i_gsi_callback_check_revoked()
called by globus_gsi_callback_handshake_callback().  It uses OpenSSL's OCSP
support.  If a certificate contains an OCSP URI in the AuthorityInfoAccess
extension, the OCSP responder is queried for certificate status.  Errors
obtaining/validating the OCSP response are ignored.  Only a valid OCSP Revoked
response will cause certificate verification failure.  CRL checking is still
performed in any case.

The code is based on two BSD-licensed software modules from the Secure
Programming Cookbook for C and C++ by John Viega and Matt Messier
(http://www.secureprogramming.com/) and X.509 certificate support for OpenSSH
by Roumen Petrov (http://roumenpetrov.info/openssh/).

The code currently sends unsigned certificate requests.  (The code to sign the
requests is #ifdef'ed out.)  Both http and https URIs are supported.  The use
of OCSP nonces is disabled per the recommendation of [GridOCSP].  However, none
of the configurability discussed in [GridOCSP] is implemented.

I've tested using 'grid-proxy-init -debug -verify' against both an OpenSSL OCSP
responder and the CertiVeR IGTF responder [IGTF].  Set
$GLOBUS_OCSP_DEBUG_LEVEL=2 for debugging output.

I ran the OpenSSL OCSP responder like this:

$ openssl ocsp -index ~/.globus/simpleCA/index.txt \
      -port 8888 -rsigner ~/.globus/simpleCA/cacert.pem \
      -rkey ~/.globus/simpleCA/private/cakey.pem \
      -CA ~/.globus/simpleCA/cacert.pem -text -out ocsp.log

The code could use some more work.  Perhaps it should be a separate GPT
package.  The current API is very simplistic, and there aren't good error
messages.  It could certainly be much more configurable.  Still, perhaps this
is a useful first step in having OCSP support in the Globus C code, as OGRO
provides support for the Java code.

Perhaps we can discuss it on the csec-dev@globus.org list
(http://www.globus.org/mail_archive/csec-dev/2006/10/msg00001.html).

References:
[GridOCSP] OCSP Requirements for Grids. https://forge.gridforum.org/sf/go/doc4852
[OCSP] PKIX Online Certificate Status Protocol (RFC 2560). http://www.ietf.org/rfc/rfc2560.txt
[OGRO] The Open GRid Ocsp Java client API. http://globus-grid.certiver.com/info/ogro/
[IGTF] CertiVeR IGTF OCSP Responder. http://tacar.certiver.com/info/
[OpenValidation.Org] http://www.openvalidation.org/
------- Comment #1 From 2006-10-17 14:37:11 -------
Created an attachment (id=1080)
globus_gsi_callback patch to add basic OCSP support

To apply:

$ cd gsi/callback/source/library
$ patch -Np1 < globus_gsi_callback-ocsp.patch
------- Comment #2 From 2006-10-22 13:45:39 -------
Created an attachment (id=1098)
globus_gsi_callback patch to add basic OCSP support

changes:
- even though globus_i_gsi_callback_check_revoked() shouldn't be
  called for a proxy certificate, add a check inside that function to
  make sure we don't check OCSP for proxies
- add GLOBUS_OCSP_RESPONDER_URL environment variable to set a locally
  trusted OCSP responder to override the AIA OCSP URL
- don't perform OCSP check if OCSP_noCheck extension is present in
  certificate
- fix handling of verify_cb function so we don't use GSI callback
  inside OCSP checking, because that causes recursion issues
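The following is an added example, not code from the attached patch or from the Globus code base, written in plain Python rather than the patch's C so it runs without OpenSSL. It shows the two decisions the description and comment #2 describe: which responder to query (no query for a proxy certificate or when the OCSP_noCheck extension is present; GLOBUS_OCSP_RESPONDER_URL overrides the certificate; otherwise the id-ad-ocsp URI is read out of the DER-encoded AuthorityInfoAccess value with a minimal DER walker) and the soft-fail verdict (a CRL hit always fails; only a validated Revoked OCSP answer fails; unreachable responders, unknown status and responses that fail validation are ignored). The OIDs are the standard PKIX values; the sample AIA value, the example.org URLs and the function names are constructed for this example and are assumptions, not the patch's API.

```python
"""Added example, not code from the attached patch: the responder lookup
and the soft-fail verdict the bug describes, in plain Python (no OpenSSL).
The DER walker handles only the AuthorityInfoAccess value, not full X.509.
GLOBUS_OCSP_RESPONDER_URL and OCSP_noCheck handling follow comment #2."""
import os

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"             # AIA accessMethod for OCSP
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # OCSP_noCheck extension
URI_TAG = 0x86  # GeneralName [6] uniformResourceIdentifier (IMPLICIT IA5String)

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from a dotted string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high groups first, continuation bit set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def der_uri(uri):
    data = uri.encode("ascii")
    return bytes([URI_TAG]) + _der_len(len(data)) + data

def _read_tlv(buf, pos):
    """One DER element at pos: (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def ocsp_uris_from_aia(aia_der):
    """All id-ad-ocsp URIs in an AuthorityInfoAccessSyntax DER value."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccess value is not a SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, access_desc, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        mtag, method, next_pos = _read_tlv(access_desc, 0)
        ltag, location, _ = _read_tlv(access_desc, next_pos)
        if mtag == 0x06 and _decode_oid(method) == ID_AD_OCSP and ltag == URI_TAG:
            uris.append(location.decode("ascii"))
    return uris

def select_responder(aia_der, extension_oids, is_proxy, env=None):
    """Responder URL to query, or None when no OCSP query should be made."""
    env = os.environ if env is None else env
    if is_proxy or ID_PKIX_OCSP_NOCHECK in extension_oids:
        return None
    override = env.get("GLOBUS_OCSP_RESPONDER_URL")  # locally trusted responder
    if override:
        return override
    uris = ocsp_uris_from_aia(aia_der) if aia_der else []
    return uris[0] if uris else None

def revocation_verdict(crl_revoked, ocsp_status):
    """True when the certificate passes. ocsp_status is "good", "revoked",
    "unknown" or None (no responder, transport error, response failed
    validation). CRL always counts; only a validated "revoked" is fatal."""
    return not crl_revoked and ocsp_status != "revoked"

# Constructed sample AIA value: a caIssuers entry followed by an OCSP entry.
SAMPLE_AIA = der_seq(
    der_seq(der_oid("1.3.6.1.5.5.7.48.2"), der_uri("http://ca.example.org/ca.crt")),
    der_seq(der_oid(ID_AD_OCSP), der_uri("http://ocsp.example.org:8888/")),
)

if __name__ == "__main__":
    print("responder:", select_responder(SAMPLE_AIA, set(), False, env={}))
    print("unreachable responder passes:", revocation_verdict(False, None))
```

Note that revocation_verdict makes the soft-fail policy explicit: a responder that is down, a response that fails signature or validity checks, or an Unknown status all leave the certificate accepted, so revocation of a certificate whose CA has not yet published a CRL is only enforced when the responder can actually be reached and answers Revoked.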
------- Comment #3 From 2006-10-23 11:24:24 -------
Created an attachment (id=1101)
globus_gsi_callback patch to add basic OCSP support

one-line change from previous patch adding SSL_CTX_set_verify() call in
globus_i_ocsp_connect_ssl() to verify the OCSP responder's SSL certificate.
------- Comment #4 From 2006-10-23 11:34:11 -------
Created an attachment (id=1102)
globus_gsi_callback patch to add basic OCSP support

add check for NULL response from OCSP_sendreq_bio().
------- Comment #5 From 2006-10-23 18:40:08 -------
Created an attachment (id=1104)
globus_gsi_callback patch to add basic OCSP support

added GLOBUS_OCSP_RESPONDER_CERT environment variable to specify path to file
containing explicitly trusted responder certificates.

Needed for http://amethyst.es.net/ responder (for example).