Implement ocsp crl check method c #4545
Commits on Aug 16, 2023
- fb6aa84 Modify init order for OCSP subsystem
  The init order for OCSP is modified to allow CRL retrieval before creating connections with DS or other services. Secure connections will be verified against the CRL. Solve RHCS-4262
- c4cd69a Add callback for CRL validation at application level
  Add a new field in CMS for callback validation of certificates instantiated by PKISocketFactory. This is useful for OCSP where the OCSP protocol cannot be enabled and the verification is done on CRLs. Solve RHCS-4262
- 66e9574 Make crl check for connection optional
  Add a new parameter to enable the crl check for OCSP connections when acting as client. The new parameter is `ocsp.store.ldapStore.checkSubsystemConnection` and its default value is `false`. When set to `true`, connection certificates are verified using the crl stored in the LDAP.
- 1a291d6 Add crl check for OCSP acting as server
  When OCSP is acting as server, certificates can be verified using the internally stored CRL. To verify the certificates the `LDAPStore` has to be enabled, with the variable `ocsp.store.ldapStore.checkSubsystemConnection` and the variable `auths.revocationChecking.enabled` both set to true. Solve RHCS-4262
- 3034d23 Move callback reference from CMS to CMSEngine
  Socket callback moved to CMSEngine to avoid dependencies on global variables.
- 79e1bbd OCSP default CRL check and CA cert validation
  The default value of the parameter `ocsp.store.ldapStore.checkSubsystemConnection` has been modified to `true`, so when LDAPStore is used certificates are verified against the CRL. Additionally, during the certificate verification the certificate signer is verified with the CA certificate providing the CRL, to be sure it is the real issuer.
- 09f3287 Rename checkSubsystemConnection to validateConnCertWithCRL
  The option `ocsp.store.ldapStore.validateConnCertWithCRL` enables the revocation verification of peer certificates using the CRL stored in the LDAP shared with the CA. When it is set to `true` (default value), the peer certificates of all the outgoing connections from the OCSP subsystem are verified with the CRL. If the option `auths.revocationChecking.enabled` is also set to `true`, the peer certificates of all the incoming connections to the OCSP subsystem are verified with the CRL.
- b1188aa Use AKI/SKI to match peer certificate with CA CRL
  Identification of the CRL issuing point is done by matching the Authority Key Identifier with the Subject Key Identifier instead of DN matching. This should make the check more reliable because it is not affected by encoding or format changes in the DN.
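The AKI/SKI issuer matching this commit describes, as an added example in Go using only the standard library (this is not Dogtag PKI's own code): constructed CA, peer certificate and CRL fixtures, and a check that selects the CRL by key identifier rather than issuer DN and refuses a CRL that is not actually signed by the matched CA. The names newCert, newCRL and checkPeer are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert signs a constructed cert for cn under parent (nil parent = self-signed CA); Go derives the CA's SKI from its key and copies it into each child's AKI.
func newCert(cn string, serial int64, parent *x509.Certificate, caKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // CA: basic constraints plus the key usages needed to sign certs and CRLs
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, caKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
	c, _ := x509.ParseCertificate(der)
	return key, c
}
// newCRL signs a constructed CRL from ca that lists the given serials as revoked.
func newCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, t, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}
// checkPeer checks peer against one CRL issuing point: the CA's SKI must equal the peer's AKI
// (no DN comparison), the CRL and the peer cert must both verify under that CA, then the serial is looked up.
func checkPeer(peer, ca *x509.Certificate, crl *x509.RevocationList) string {
	if len(peer.AuthorityKeyId) == 0 || !bytes.Equal(ca.SubjectKeyId, peer.AuthorityKeyId) {
		return "unknown" // a different issuer: this CRL says nothing about the peer
	}
	if crl.CheckSignatureFrom(ca) != nil || peer.CheckSignatureFrom(ca) != nil {
		return "unknown" // key ids match but a signature does not: do not trust this CRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
```

A second CA that reuses the same subject DN produces a different SKI, so its certificates and its CRL are reported as unverifiable instead of being accepted on the strength of the name.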
- 9b6cf5d
- ea7a7f5
- e963729
- 5c146fa
  Due to refactoring the engine object is not accessible using a static reference from outside the declaring package. Therefore the callback reference has been stored globally in the `CMSEngine` class.
Commits on Aug 17, 2023
- 760b625 Improve OCSP exception handling
  Add stack trace for error logs when they are generated from an internal error.
- 8362f1e Move the callback to PKISocketFactory and fix startup
  By moving the callback to `PKISocketFactory` there is no need to store it in a static variable. However, only OCSPEngine instances have a valid value, so no other instances are used. The startup order has been fixed.