feat: adding OCSP revocation implementation

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/veraison/go-cose v1.0.0
+	golang.org/x/crypto v0.7.0
 )
 
 require github.com/x448/float16 v0.8.4 // indirect

go.sum

@@ -6,3 +6,5 @@ github.com/veraison/go-cose v1.0.0 h1:Jxirc0rl3gG7wUFgW+82tBQNeK8T8e2Bk1Vd298ob4
 github.com/veraison/go-cose v1.0.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=

revocation/errors.go

@@ -0,0 +1,44 @@
+package revocation
+
+import "fmt"
+
+// RevokedInOCSPError is returned when the certificate's status for OCSP is ocsp.Revoked
+type RevokedInOCSPError struct{}
+
+func (e RevokedInOCSPError) Error() string {
+	return "certificate is revoked via OCSP"
+}
+
+// UnknownInOCSPError is returned when the certificate's status for OCSP is ocsp.Unknown
+type UnknownInOCSPError struct{}
+
+func (e UnknownInOCSPError) Error() string {
+	return "certificate has unknown status via OCSP"
+}
+
+// CheckOCSPError is returned when there is an error during the OCSP revocation check, not necessarily a revocation
+type CheckOCSPError struct {
+	Err error
+}
+
+func (e CheckOCSPError) Error() string {
+	if e.Err != nil {
+		return fmt.Sprintf("error checking revocation via OCSP: %s", e.Err.Error())
+	} else {
+		return "error checking revocation via OCSP"
+	}
+}
+
+// NoOCSPServerError is returned when the OCSPServer is not specified or is not an HTTP URL.
+type NoOCSPServerError struct{}
+
+func (e NoOCSPServerError) Error() string {
+	return "no valid OCSPServer found"
+}
+
+// OCSPTimeoutError is returned when the connection attempt to an OCSP URL exceeds the specified threshold
+type OCSPTimeoutError struct{}
+
+func (e OCSPTimeoutError) Error() string {
+	return "exceeded timeout threshold for OCSP check"
+}

revocation/errors_test.go

@@ -0,0 +1,63 @@
+package revocation
+
+import (
+	"errors"
+	"testing"
+)
+
+func TestRevokedInOCSPError(t *testing.T) {
+	err := &RevokedInOCSPError{}
+	expectedMsg := "certificate is revoked via OCSP"
+
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+	}
+}
+
+func TestUnknownInOCSPError(t *testing.T) {
+	err := &UnknownInOCSPError{}
+	expectedMsg := "certificate has unknown status via OCSP"
+
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+	}
+}
+
+func TestCheckOCSPError(t *testing.T) {
+	t.Run("without_inner_error", func(t *testing.T) {
+		err := &CheckOCSPError{}
+		expectedMsg := "error checking revocation via OCSP"
+
+		if err.Error() != expectedMsg {
+			t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+		}
+	})
+
+	t.Run("with_inner_error", func(t *testing.T) {
+		err := &CheckOCSPError{Err: errors.New("inner error")}
+		expectedMsg := "error checking revocation via OCSP: inner error"
+
+		if err.Error() != expectedMsg {
+			t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+		}
+	})
+
+}
+
+func TestNoOCSPServerError(t *testing.T) {
+	err := &NoOCSPServerError{}
+	expectedMsg := "no valid OCSPServer found"
+
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+	}
+}
+
+func TestOCSPTimeoutError(t *testing.T) {
+	err := &OCSPTimeoutError{}
+	expectedMsg := "exceeded timeout threshold for OCSP check"
+
+	if err.Error() != expectedMsg {
+		t.Errorf("Expected %v but got %v", expectedMsg, err.Error())
+	}
+}

revocation/revocation.go

@@ -0,0 +1,249 @@
+package revocation
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"sync"
+	"time"
+
+	"golang.org/x/crypto/ocsp"
+)
+
+// Revocation is an internal struct used for revocation checking
+type revocation struct {
+	httpClient      *http.Client
+	wg              sync.WaitGroup
+	mergeErrorsFunc func(errors []error) error
+}
+
+// NewRevocation constructs a revocation object and substitutes default values for any that are passed as nil
+func NewRevocation(httpClient *http.Client) *revocation {
+	if httpClient != nil {
+		return &revocation{httpClient: httpClient, wg: sync.WaitGroup{}, mergeErrorsFunc: defaultMergeErrors}
+	}
+	return &revocation{httpClient: http.DefaultClient, wg: sync.WaitGroup{}, mergeErrorsFunc: defaultMergeErrors}
+}
+
+// Validate checks OCSP, then CRL status, returns nil if all certs in the chain are not revoked.
+// If there is an error, it will return one of the errors defined in this package in errors.go.
+// (e.g. if a certificate in the chain is revoked by OCSP and there are no other errors, it will return revocation.RevokedInOCSPError)
+//
+// NOTE: Will only perform OCSP until CRL is implemented
+func (r *revocation) Validate(certChain []*x509.Certificate) error {
+	ocspErr := r.OCSPStatus(certChain)
+	if ocspErr != nil {
+		return ocspErr
+	}
+	return nil // This will eventually return the result of CRLStatus
+}
+
+// OCSPStatus checks OCSP, returns nil if all certs in the chain are not revoked.
+// If there is an error, it will return one of the errors defined in this package in errors.go.
+// (e.g. if a certificate in the chain is revoked by OCSP and there are no other errors, it will return revocation.RevokedInOCSPError)
+func (r *revocation) OCSPStatus(certChain []*x509.Certificate) error {
+	certResults := make([]error, len(certChain))
+	for i, cert := range certChain {
+		if i != (len(certChain) - 1) {
+			if !isCorrectIssuer(cert, certChain[i+1]) {
+				return CheckOCSPError{Err: errors.New("invalid chain: expected chain to be correct and complete with each cert issued by the next in the chain")}
+			}
+			r.wg.Add(1)
+			// Assume cert chain is accurate and next cert in chain is the issuer
+			go r.certOCSPStatus(cert, certChain[i+1], &certResults, i)
+		} else {
+			if !isCorrectIssuer(cert, cert) {
+				return CheckOCSPError{Err: errors.New("invalid chain: expected chain to end with root cert")}
+			}
+			// Last is root cert, which will never be revoked by OCSP
+			certResults[len(certChain)-1] = nil
+		}
+	}
+
+	r.wg.Wait()
+	return r.mergeErrorsFunc(certResults)
+}
+
+func isCorrectIssuer(subject *x509.Certificate, issuer *x509.Certificate) bool {
+	if err := subject.CheckSignatureFrom(issuer); err != nil {
+		return false
+	}
+	if !bytes.Equal(issuer.RawSubject, subject.RawIssuer) {
+		return false
+	}
+	return true
+}
+
+func (r *revocation) certOCSPStatus(cert *x509.Certificate, issuer *x509.Certificate, results *[]error, resultIndex int) error {
+	defer r.wg.Done()
+	var err error
+
+	ocspURLs := cert.OCSPServer
+	if len(ocspURLs) == 0 {
+		// OCSP not enabled for this certificate.
+		(*results)[resultIndex] = NoOCSPServerError{}
+		return NoOCSPServerError{}
+	}
+
+	serverErrs := make([]error, len(ocspURLs))
+	for serverIndex, server := range ocspURLs {
+		resp, err := r.ocspRequest(cert, issuer, server)
+		if err != nil {
+			// If there is a server error, attempt all servers before determining what to return to the user
+			serverErrs[serverIndex] = err
+			continue
+		}
+
+		if time.Now().After(resp.NextUpdate) {
+			err = errors.New("expired OCSP response")
+			serverErrs[serverIndex] = err
+			continue
+		}
+
+		foundNoCheck := false
+		pkixNoCheckOID := "1.3.6.1.5.5.7.48.1.5"
+		for _, extension := range resp.Extensions {
+			if !foundNoCheck && extension.Id.String() == pkixNoCheckOID {
+				foundNoCheck = true
+			}
+		}
+		if !foundNoCheck {
+			// This will be ignored until CRL is implemented
+			// If it isn't found, CRL should be used to verify the OCSP response
+			fmt.Printf("\n[WARNING] An ocsp signing cert is missing the id-pkix-ocsp-nocheck extension (%s)\n", pkixNoCheckOID)
+		}
+
+		if resp.Status == ocsp.Revoked {
+			if time.Now().After(resp.RevokedAt) {
+				(*results)[resultIndex] = RevokedInOCSPError{}
+				return RevokedInOCSPError{}
+			} else {
+				(*results)[resultIndex] = nil
+				return nil
+			}
+		} else if resp.Status == ocsp.Good {
+			(*results)[resultIndex] = nil
+			return nil
+		} else {
+			(*results)[resultIndex] = UnknownInOCSPError{}
+			return UnknownInOCSPError{}
+		}
+
+	}
+	// Errors in all server responses, determine the most pressing
+	err = r.mergeErrorsFunc(serverErrs)
+	(*results)[resultIndex] = err
+	return err
+}
+
+func (r *revocation) ocspRequest(cert, issuer *x509.Certificate, server string) (*ocsp.Response, error) {
+	ocspRequest, err := ocsp.CreateRequest(cert, issuer, &ocsp.RequestOptions{Hash: crypto.SHA1})
+	if err != nil {
+		return nil, err
+	}
+
+	var resp *http.Response
+	if len(ocspRequest) > 256 {
+		buf := bytes.NewBuffer(ocspRequest)
+		resp, err = r.httpClient.Post(server, "application/ocsp-request", buf)
+	} else {
+		reqURL := server + "/" + url.QueryEscape(base64.StdEncoding.EncodeToString(ocspRequest))
+		resp, err = r.httpClient.Get(reqURL)
+	}
+
+	if err != nil {
+		if urlErr, ok := err.(*url.Error); ok && urlErr.Timeout() {
+			return nil, OCSPTimeoutError{}
+		}
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		return nil, fmt.Errorf("failed to retrieve OSCP: response had status code %d", resp.StatusCode)
+	}
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	switch {
+	case bytes.Equal(body, ocsp.UnauthorizedErrorResponse):
+		return nil, errors.New("OSCP unauthorized")
+	case bytes.Equal(body, ocsp.MalformedRequestErrorResponse):
+		return nil, errors.New("OSCP malformed")
+	case bytes.Equal(body, ocsp.InternalErrorErrorResponse):
+		return nil, errors.New("OSCP internal error")
+	case bytes.Equal(body, ocsp.TryLaterErrorResponse):
+		return nil, errors.New("OSCP try later")
+	case bytes.Equal(body, ocsp.SigRequredErrorResponse):
+		return nil, errors.New("OSCP signature required")
+	}
+
+	return ocsp.ParseResponseForCert(body, cert, issuer)
+}
+
+// SetMergeErrorsFunction allows you to specify an alternative function to merge errors if the default does not fit your use case. You can also pass nil to reset it to the defaultMergeErrors function
+func (r *revocation) SetMergeErrorsFunction(mergeErrorsFunc func(errors []error) error) {
+	if mergeErrorsFunc == nil {
+		r.mergeErrorsFunc = defaultMergeErrors
+	} else {
+		r.mergeErrorsFunc = mergeErrorsFunc
+	}
+}
+
+// DefaultMergeErrors condenses errors for a list of errors (either for cert chain or OCSP servers) into one primary error
+func defaultMergeErrors(errorList []error) error {
+	var result error
+	if len(errorList) > 0 {
+		result = errorList[0]
+
+		for _, err := range errorList {
+			if err == nil {
+				continue
+			}
+			switch t := err.(type) {
+			case RevokedInOCSPError:
+				// There is a revoked certificate
+				// return since any cert being revoked means leaf is revoked
+				return t
+			case CheckOCSPError:
+				// There is an error checking
+				// return since any cert having error means chain has error (return earliest)
+				return t
+			case UnknownInOCSPError:
+				// A cert in the chain has status unknown
+				// will not return immediately (in case one is revoked or has error), but will override other chain errors
+				result = t
+			case NoOCSPServerError:
+				// A cert in the chain does not have OCSP enabled
+				// Still considered valid and not revoked
+				// will not return immediately (in case there is higher level error)
+				// will override OCSPTimeoutError and nil, but not UnknownInOCSPError (since a known unknown is worse than a cert without OCSP)
+				if _, ok := result.(UnknownInOCSPError); !ok || result == nil {
+					result = t
+				}
+			case OCSPTimeoutError:
+				// A cert in the chain timed out while checking OCSP
+				// will not return immediately (in case there is higher level error)
+				// will override nil, but not UnknownInOCSPError or NoOCSPServerError (since timeout should only be conveyed if that is the only issue)
+				if result == nil {
+					result = t
+				}
+			default:
+				return CheckOCSPError{Err: err}
+			}
+		}
+
+		return result
+	} else {
+		return nil
+	}
+}