Add OCSP and CRL support to certificate verify

command/certificate/verify.go

@@ -1,15 +1,22 @@
 package certificate
 
 import (
+	"bytes"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
 	"os"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/internal/crlutil"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
 	"go.step.sm/crypto/x509util"
+	"golang.org/x/crypto/ocsp"
 )
 
 func verifyCommand() cli.Command {
@@ -18,7 +25,10 @@ func verifyCommand() cli.Command {
 		Action: cli.ActionFunc(verifyAction),
 		Usage:  `verify a certificate`,
 		UsageText: `**step certificate verify** <crt-file> [**--host**=<host>]
-[**--roots**=<root-bundle>] [**--servername**=<servername>]`,
+[**--roots**=<root-bundle>] [**--servername**=<servername>]
+[**--issuing-ca**=<ca-cert-file>] [**--verbose**]
+[**--verify-ocsp**]] [**--ocsp-endpoint**]=url
+[**--verify-crl**] [**--crl-endpoint**]=url`,
 		Description: `**step certificate verify** executes the certificate path
 validation algorithm for x.509 certificates defined in RFC 5280. If the
 certificate is valid this command will return '0'. If validation fails, or if
@@ -65,7 +75,24 @@ Verify a certificate using a custom directory of root certificates for path vali
 '''
 $ step certificate verify ./certificate.crt --roots ./root-certificates/
 '''
-`,
+
+Verify a certificate including OCSP and CRL using CRL and OCSP defined in the certificate
+
+'''
+$ step certificate verify ./certificate.crt --verify-crl --verify-ocsp
+'''
+
+Verify a certificate including OCSP and specifying an OCSP server
+
+'''
+$ step certificate verify ./certificate.crt --verify-ocsp --ocsp-endpoint http://acme.com/ocsp
+'''
+
+Verify a certificate including CRL and specificing a CRL server and providing the issuing CA certificate
+
+'''
+$ step certificate verify ./certificate.crt --issuing-ca ./issuing_ca.pem  --verify-crl --crl-endpoint http://acme.com/crl
+'''`,
 		Flags: []cli.Flag{
 			cli.StringFlag{
 				Name:  "host",
@@ -87,7 +114,32 @@ authenticity of the remote server.
     **directory**
 	:  Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.`,
 			},
+			cli.StringFlag{
+				Name:  "issuing-ca",
+				Usage: `The certificate issuer CA <file> needed to communicate with OCSP and verify a CRL. By default the issuing CA will be taken from the cert Issuing Certificate URL extension.`,
+			},
+			cli.BoolFlag{
+				Name:  "verify-ocsp",
+				Usage: "Verify the certificate against it's OCSP.",
+			},
+			cli.StringFlag{
+				Name:  "ocsp-endpoint",
+				Usage: `The OCSP endpoint to use. If not provided step will attempt to check it against the certificate's OCSPServer AIA extension endpoints.`,
+			},
+			cli.BoolFlag{
+				Name:  "verify-crl",
+				Usage: "Verify the certificate against it's CRL.",
+			},
+			cli.StringFlag{
+				Name:  "crl-endpoint",
+				Usage: "The CRL endpoint to use. If not provided step will attempt to check it against the certificate's CRLDistributionPoints extension endpoints.",
+			},
+			cli.BoolFlag{
+				Name:  "verbose, v",
+				Usage: "Print result of certificate verification to stdout on success",
+			},
 			flags.ServerName,
+			flags.Insecure,
 		},
 	}
 }
@@ -102,9 +154,18 @@ func verifyAction(ctx *cli.Context) error {
 		host             = ctx.String("host")
 		serverName       = ctx.String("servername")
 		roots            = ctx.String("roots")
+		verifyOCSP       = ctx.Bool("verify-ocsp")
+		ocspEndpoint     = ctx.String("ocsp-endpoint")
+		verifyCRL        = ctx.Bool("verify-crl")
+		crlEndpoint      = ctx.String("crl-endpoint")
+		verbose          = ctx.Bool("verbose")
+		issuerFile       = ctx.String("issuing-ca")
+		insecure         = ctx.Bool("insecure")
 		intermediatePool = x509.NewCertPool()
 		rootPool         *x509.CertPool
 		cert             *x509.Certificate
+		issuer           *x509.Certificate
+		httpClient       *http.Client
 	)
 
 	switch addr, isURL, err := trimURL(crtFile); {
@@ -180,5 +241,215 @@ func verifyAction(ctx *cli.Context) error {
 		return errors.Wrapf(err, "failed to verify certificate")
 	}
 
+	verboseMSG := "certificate validated against roots\n"
+	if host != "" {
+		verboseMSG += "certificate host name validated\n"
+	}
+
+	switch {
+	case (verifyCRL || verifyOCSP) && roots != "":
+		//nolint:gosec // using default configuration for 3rd party endpoints
+		tlsConfig := &tls.Config{
+			RootCAs: rootPool,
+		}
+
+		transport := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+
+		httpClient = &http.Client{
+			Transport: transport,
+		}
+	case verifyCRL || verifyOCSP:
+		httpClient = &http.Client{}
+	default:
+	}
+
+	switch {
+	case (verifyCRL || verifyOCSP) && issuerFile == "":
+		if len(cert.IssuingCertificateURL) == 0 && issuerFile == "" {
+			return errors.Errorf("could not get the issuing CA from the cert and no issuing CA certificate provided")
+		}
+
+		resp, err := httpClient.Get(cert.IssuingCertificateURL[0])
+		if err != nil {
+			return errors.Errorf("failed to download the issuing CA")
+		}
+		defer resp.Body.Close()
+
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return errors.Errorf("failed to read the response body from the issuing CA url")
+		}
+
+		issuer, err = x509.ParseCertificate(body)
+		if err != nil {
+			return errors.Errorf("failed to parse the issuing CA")
+		}
+	case issuerFile != "":
+		issuerCertPEM, err := os.ReadFile(issuerFile)
+		if err != nil {
+			return errors.Errorf("unable to load the issuing CA certificate file")
+		}
+
+		issuerBlock, _ := pem.Decode(issuerCertPEM)
+		if issuerBlock == nil || issuerBlock.Type != "CERTIFICATE" {
+			return errors.Errorf("failed to decode the issuing CA certificate")
+		}
+
+		issuer, err = x509.ParseCertificate(issuerBlock.Bytes)
+		if err != nil {
+			return errors.Errorf("failed to parse the issuing CA certificate")
+		}
+	default:
+	}
+
+	if verifyCRL {
+		var endpoints []string
+		switch {
+		case crlEndpoint != "":
+			endpoints = []string{crlEndpoint}
+		case len(cert.CRLDistributionPoints) == 0:
+			return errors.Errorf("CRL distribution endpoint not found in certificate")
+		default:
+			endpoints = cert.CRLDistributionPoints
+		}
+
+		crlVerified := false
+		crlOut:
+		for _, endpoint := range endpoints {
+			respReceived, err := VerifyCRLEndpoint(endpoint, cert, issuer, httpClient, insecure)
+			switch {
+			case err == nil:
+				verboseMSG += fmt.Sprintf("certificate not revoked in CRL %s\n", endpoint)
+				crlVerified = true
+				break crlOut
+			case respReceived:
+				return err
+			case verbose:
+				fmt.Println(err)
+			default:
+			}
+		}
+
+		if !crlVerified {
+			return errors.Errorf("could not verify certificate against CRL distribution point(s)")
+		}
+	}
+
+	if verifyOCSP {
+		var endpoints []string
+		switch {
+		case ocspEndpoint != "":
+			endpoints = []string{ocspEndpoint}
+		case len(cert.OCSPServer) == 0:
+			return errors.Errorf("no OCSP AIA extension found")
+		default:
+			endpoints = cert.OCSPServer
+		}
+
+		ocspVerified := false
+		ocspOut:
+		for _, endpoint := range endpoints {
+			respReceived, err := VerifyOCSPEndpoint(endpoint, cert, issuer, httpClient)
+			switch {
+			case err == nil:
+				verboseMSG += fmt.Sprintf("certificate status is good according OCSP %s\n", endpoint)
+				ocspVerified = true
+				break ocspOut
+			case respReceived:
+				return err
+			case verbose:
+				fmt.Println(err)
+			default:
+			}
+		}
+
+		if !ocspVerified {
+			return errors.Errorf("could not verify certificate against OCSP server(s)")
+		}
+	}
+
+	if verbose {
+		fmt.Println(verboseMSG + "certficiate is valid")
+	}
 	return nil
 }
+
+func VerifyOCSPEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client) (bool, error) {
+	req, err := ocsp.CreateRequest(cert, issuer, nil)
+	if err != nil {
+		return false, errors.Errorf("error creating OCSP request")
+	}
+
+	httpReq, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(req))
+	if err != nil {
+		return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
+	}
+	httpReq.Header.Add("Content-Type", "application/ocsp-request")
+	httpResp, err := httpClient.Do(httpReq)
+	if err != nil {
+		return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
+	}
+	defer httpResp.Body.Close()
+	respBytes, err := io.ReadAll(httpResp.Body)
+	if err != nil {
+		return false, errors.Errorf("error reading response from OCSP server: %s", endpoint)
+	}
+
+	resp, err := ocsp.ParseResponse(respBytes, issuer)
+	if err != nil {
+		return false, errors.Errorf("error parsing response from OCSP server: %s", endpoint)
+	}
+
+	switch resp.Status {
+	case ocsp.Revoked:
+		return true, errors.Errorf("certificate has been revoked according to OCSP %s", endpoint)
+	case ocsp.Good:
+		return true, nil
+	default:
+		return true, errors.Errorf("certificate status is unknown according to OCSP %s", endpoint)
+	}
+}
+
+func VerifyCRLEndpoint(endpoint string, cert, issuer *x509.Certificate, httpClient *http.Client, insecure bool) (bool, error) {
+	resp, err := httpClient.Get(endpoint)
+	if err != nil {
+		return false, errors.Wrap(err, "error downloading crl")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode >= 400 {
+		return false, errors.Errorf("error downloading crl: status code %d", resp.StatusCode)
+	}
+
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return false, errors.Wrap(err, "error downloading crl")
+	}
+
+	crl, err := x509.ParseRevocationList(b)
+	if err != nil {
+		return false, errors.Wrap(err, "error parsing crl")
+	}
+
+	crlJSON, err := crlutil.ParseCRL(b)
+	if err != nil {
+		return false, errors.Wrap(err, "error parsing crl into json")
+	}
+
+	if issuer != nil && !insecure {
+		err = crl.CheckSignatureFrom(issuer)
+		if err != nil {
+			return false, errors.Wrap(err, "error validating the CRL against the CA issuer")
+		}
+	}
+
+	for _, revoked := range crlJSON.RevokedCertificates {
+		if cert.SerialNumber.String() == revoked.SerialNumber {
+			return true, errors.Errorf("certificate marked as revoked in CRL %s", endpoint)
+		}
+	}
+
+	return true, nil
+}