Add OCSP and CRL support to certificate verify

Add args and functionality to certificate verify to check a CRL
and OCSP for a certificate based on the extensions. Users can pass
flags to enable verification of each (CRL, OCSP). The command will try
and get the CRL and OCSP server from the certifiacate and verify the
certificate against each.

Implements #845

Author: redrac

command/certificate/verify.go

@@ -3,13 +3,15 @@ package certificate
 import (
 	"crypto/x509"
 	"encoding/pem"
+	"net/http"
 	"os"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/flags"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
 	"go.step.sm/crypto/x509util"
+	"golang.org/x/crypto/ocsp"
 )
 
 func verifyCommand() cli.Command {
@@ -18,7 +20,8 @@ func verifyCommand() cli.Command {
 		Action: cli.ActionFunc(verifyAction),
 		Usage:  `verify a certificate`,
 		UsageText: `**step certificate verify** <crt-file> [**--host**=<host>]
-[**--roots**=<root-bundle>] [**--servername**=<servername>]`,
+[**--roots**=<root-bundle>] [**--servername**=<servername>]
+[**--verify-ocsp**] [**-verify-crl**]`,
 		Description: `**step certificate verify** executes the certificate path
 validation algorithm for x.509 certificates defined in RFC 5280. If the
 certificate is valid this command will return '0'. If validation fails, or if
@@ -88,6 +91,8 @@ authenticity of the remote server.
 	:  Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.`,
 			},
 			flags.ServerName,
+			flags.VerifyOCSP,
+			flags.VerifyCRL,
 		},
 	}
 }
@@ -102,6 +107,8 @@ func verifyAction(ctx *cli.Context) error {
 		host             = ctx.String("host")
 		serverName       = ctx.String("servername")
 		roots            = ctx.String("roots")
+		verifyOCSP       = ctx.Bool("verify-ocsp")
+		verifyCRL        = ctx.Bool("verify-crl")
 		intermediatePool = x509.NewCertPool()
 		rootPool         *x509.CertPool
 		cert             *x509.Certificate
@@ -180,5 +187,128 @@ func verifyAction(ctx *cli.Context) error {
 		return errors.Wrapf(err, "failed to verify certificate")
 	}
 
+	if verifyCRL {
+		crlIsVerified := false
+		// loop through CRL endpoints
+		// if any respond and the cert is not revoked == ok
+		// else not ok
+		if len(cert.CRLDistributionPoints) == 0 {
+			return errors.Errorf("CRL distribution endpoint not found in certificate")
+		}
+		for _, endpoint := range cert.CRLDistributionPoints {
+			// get CRL
+			resp, err := http.Get(endpoint)
+			if err != nil {
+				continue
+			}
+			defer resp.Body.Close()
+			crlPEM, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				continue
+			}
+
+			// decode CRL
+			block, _ = pem.Decode(crlPEM)
+			if block == nil {
+				continue
+			}
+
+			// parse CRL
+			crl, err := x509.ParseCRL(block.Bytes)
+			if err != nil {
+				continue
+			}
+
+			// check if certificate is revoked
+			for _, revoked := range crl.TBSCertList.RevokedCertificates {
+				if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
+					return errors.Errorf("certificate marked as revoked in CRL '%s'", endpoint)
+				}
+			}
+			crlIsVerified = true
+			break
+		}
+
+		if !crlIsVerified {
+			return errors.Errorf("could not verify certificate against CRL")
+		}
+	}
+
+	var issuer *x509.Certificate
+	if verifyOCSP {
+		ocspIsVerified := false
+		if len(cert.OCSPServer) == 0 {
+			return errors.Errorf("no OCSP AIA extension found")
+		}
+		// TODO
+		// use the CAs fed in by users if available (issuer) else get it from the cert extension
+		if !issuer {
+			if len(cert.IssuingCertificateURL) == 0 {
+				return errors.Errorf("no Issuing Certificate URL extension found")
+			}
+			for _, endpoint := range cert.IssuingCertificateURL {
+				resp, err := http.Get(endpoint)
+				if err != nil {
+					continue
+				}
+				defer resp.Body.Close()
+				issuerPEM, err := ioutil.ReadAll(resp.Body)
+				if err != nil {
+					continue
+				}
+
+				block, _ = pem.Decode(issuerPEM)
+				if block == nil {
+					continue
+				}
+
+				issuer, err := x509.ParseCertificate(block.Bytes)
+				if err != nil {
+					continue
+				}
+			}
+		}
+		if !issuer {
+			return errors.Errorf("could not get issuer CA certificate")
+		}
+		// create OCSP request
+		req, err := ocsp.CreateRequest(cert, issuer, nil)
+		if err != nil {
+			return errors.Errorf("error creating OCSP request")
+		}
+		var resp ocsp.ParseResponse
+		// loop through OCSP servers
+		for _, endpoint := range cert.OCSPServer {
+			httpReq, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(req))
+			if err != nil {
+				continue
+			}
+			httpReq.Header.Add("Content-Type", "application/ocsp-request")
+			httpResp, err := http.DefaultClient.Do(httpReq)
+			if err != nil {
+				continue
+			}
+			defer httpResp.Body.Close()
+			respBytes, err := ioutil.ReadAll(httpResp.Body)
+			if err != nil {
+				continue
+			}
+
+			resp, err := ocsp.ParseResponse(respBytes, issuer)
+			if err != nil {
+				continue
+			}
+		}
+
+		// Check OCSP response
+		switch res.Status {
+		case ocsp.Revoked:
+			return errors.Errorf("certificate has been revoked according to OCSP")
+		case ocsp.Good:
+		default:
+			return errors.Errorf("certificate status is unknown")
+		}
+	}
+
 	return nil
 }

flags/flags.go

@@ -462,6 +462,16 @@ flag exists so it can be configured in $STEPPATH/config/defaults.json.`,
 		Name:  "attestation-uri",
 		Usage: "The KMS <uri> used for attestation.",
 	}
+
+	VerifyOCSP = cli.BoolFlag{
+		Name:  "verify-ocsp",
+		Usage: "Verify the certificate against it's OCSP if the certificate has the OCSP server is defined in the AIA extension.",
+	}
+
+	VerifyCRL = cli.BoolFlag{
+		Name:  "verify-crl",
+		Usage: "Verify the certificate against it's CRL if the certificate has a CRL Distribution Point defined",
+	}
 )
 
 // FingerprintFormatFlag returns a flag for configuring the fingerprint format.