Closed yschimke closed 3 years ago
google.com
CN: *.google.com
Pin: sha256/cb2195483e8f601722fa673edaa01e3ac0a140774d8ee9aa1cfec10a0e886864
SAN: *.google.com, *.android.com, *.appengine.google.com, *.bdn.dev, *.cloud.google.com, *.crowdsource.google.com, *.datacompute.google.com, *.g.co, *.gcp.gvt2.com, *.gcpcdn.gvt1.com, *.ggpht.cn, *.gkecnapps.cn, *.google-analytics.com, *.google.ca, *.google.cl, *.google.co.in, *.google.co.jp, *.google.co.uk, *.google.com.ar, *.google.com.au, *.google.com.br, *.google.com.co, *.google.com.mx, *.google.com.tr, *.google.com.vn, *.google.de, *.google.es, *.google.fr, *.google.hu, *.google.it, *.google.nl, *.google.pl, *.google.pt, *.googleadapis.com, *.googleapis.cn, *.googlecnapps.cn, *.googlecommerce.com, *.googlevideo.com, *.gstatic.cn, *.gstatic.com, *.gstaticcnapps.cn, *.gvt1.com, *.gvt2.com, *.metric.gstatic.com, *.urchin.com, *.url.google.com, *.wear.gkecnapps.cn, *.youtube-nocookie.com, *.youtube.com, *.youtubeeducation.com, *.youtubekids.com, *.yt.be, *.ytimg.com, android.clients.google.com, android.com, developer.android.google.cn, developers.android.google.cn, g.co, ggpht.cn, gkecnapps.cn, goo.gl, google-analytics.com, google.com, googlecnapps.cn, googlecommerce.com, source.android.google.cn, urchin.com, www.goo.gl, youtu.be, youtube.com, youtubeeducation.com, youtubekids.com, yt.be
Key Usage: DigitalSignature
Ext Key Usage: serverAuth
Authority Info Access:
ocsp: http://ocsp.pki.goog/gts1o1core
caIssuers: http://pki.goog/gsr2/GTS1O1.crt
Valid: 2020-09-03T06:36:33Z..2020-11-26T06:36:33Z (1 months)
CA: false
CN: GTS CA 1O1
Pin: sha256/6193e04d9fb0a0d0820885b72c7d82c5078bcc1ff59b8d907024c149d81aca3b
SAN: <N/A>
Key Usage: DigitalSignature, KeyCertSign, CRLSign
Ext Key Usage: serverAuth, clientAuth
Authority Info Access:
ocsp: http://ocsp.pki.goog/gsr2
Valid: 2017-06-15T00:00:42Z..2021-12-15T00:00:42Z (1 years)
CA: true Max Intermediate: 0
CN: GlobalSign (signed by locally-trusted root)
Pin: sha256/8a27b5557b4bec7cc0305fbf3d53d1f71cd3f34910c5d65e27ecddb82077ba3d
SAN: <N/A>
OU: GlobalSign Root CA - R2
Key Usage: KeyCertSign, CRLSign
Valid: 2006-12-15T08:00:00Z..2021-12-15T08:00:00Z (1 years)
CA: true
OCSP status: GOOD
revoked.badssl.com Failed checking OCSP status (REVOKED) from http://ocsp.digicert.com/
self-signed.badssl.com Failed checking OCSP status (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) from null
untrusted-root.badssl.com Failed checking OCSP status (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) from null
incomplete-chain.badssl.com Failed checking OCSP status (PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) from null
badssl.com
www.digicert.com
google.com
youtube.com
tmall.com
baidu.com Failed checking OCSP status (timeout) from null
qq.com Failed checking OCSP status (timeout) from null
facebook.com
sohu.com
taobao.com
360.cn Failed checking OCSP status (timeout) from null
yahoo.com
jd.com
amazon.com
wikipedia.org
sina.com.cn
weibo.com
zoom.us
reddit.com
live.com
netflix.com
xinhuanet.com Failed checking OCSP status (timeout) from null
microsoft.com
okezone.com
vk.com
office.com
instagram.com
alipay.com Failed checking OCSP status (timeout) from null
csdn.net
myshopify.com
microsoftonline.com Failed checking OCSP status (timeout) from null
yahoo.co.jp
bongacams.com
twitch.tv
zhanqi.tv
panda.tv Failed checking OCSP status (timeout) from null
google.com.hk
naver.com
bing.com
ebay.com
aliexpress.com
amazon.in
tianya.cn
china.com.cn Failed checking OCSP status (timeout) from null
google.co.in
apple.com
amazon.co.jp
tribunnews.com Failed checking OCSP status (The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]) from null
livejasmin.com
adobe.com
chaturbate.com
twitter.com
...
facebook.com Failed checking OCSP status (Hostname ocsp.digicert.com not verified:
certificate: sha256/FmOzznGDdA0RYwSUmhmw/svyyBpdLC2+BRlWjJhRmVA=
DN: CN=www.digicert.com, O="DigiCert, Inc.", L=Lehi, ST=Utah, C=US
subjectAltNames: [www.digicert.com, content.digicert.com, edge1.digicert.com, edge2.digicert.com, edge3.digicert.com, edge4.digicert.com, cacerts.digicert.com]) from https://ocsp.digicert.com/
[javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure,
...
Unclear if this is actually needed, can possibly use APIs and system properties
System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true") // ask the server to staple an OCSP response (TLS status_request)
System.setProperty("com.sun.net.ssl.checkRevocation", "true") // turn on revocation checking in the PKIX trust manager
System.setProperty("com.sun.security.enableCRLDP", "true") // allow fetching CRLs from the certificate's CRL Distribution Points
request failed
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Mon Oct 07 21:30:39 BST 2019, authority: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US, extension OIDs: []
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
login.live.com
PS C:\Users\yuri\workspace\certifikit\certifikit-cli> .\build\graal\cft.exe --host revoked.badssl.com
CN: revoked.badssl.com
Pin: sha256/c6910d0ba9eddf593334149fedfe87385f37b625354bb4395c0ae2c8df48e17c
SAN: revoked.badssl.com, www.revoked.badssl.com
Key Usage: DigitalSignature, KeyEncipherment
Ext Key Usage: serverAuth, clientAuth
Authority Info Access:
ocsp: http://ocsp.digicert.com
caIssuers: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Valid: 2019-10-04T00:00:00Z..2021-10-08T12:00:00Z (11 months)
CA: false
CN: DigiCert SHA2 Secure Server CA
Pin: sha256/e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c
SAN: <N/A>
Key Usage: DigitalSignature, KeyCertSign, CRLSign
Authority Info Access:
ocsp: http://ocsp.digicert.com
Valid: 2013-03-08T12:00:00Z..2023-03-08T12:00:00Z (2 years)
CA: true Max Intermediate: 0
CN: DigiCert Global Root CA (signed by locally-trusted root)
Pin: sha256/aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391
SAN: <N/A>
OU: www.digicert.com
Key Usage: DigitalSignature, KeyCertSign, CRLSign
Valid: 2006-11-10T00:00:00Z..2031-11-10T00:00:00Z (11 years)
CA: true
Failed checking OCSP status (REVOKED) from http://ocsp.digicert.com/
Working implementation of OCSP Client API and CLI checks.
Pro: If you are trying to work with certifikits, this is relevant, particularly if looking at behaviour with browsers which may do OCSP checks. Con: Adds a dependency on bouncycastle to certifikit-cli. We can work to remove that over time.
OpenJDK JSSE can do this with https://tersesystems.com/blog/2014/03/22/fixing-certificate-revocation/
But it's seemingly all or nothing, so will break other functionality.
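An added example, not certifikit's code, addressing the all-or-nothing concern raised with the system properties above and in the closing comment: JSSE can scope OCSP/CRL revocation checking to a single SSLContext by building the trust manager from PKIXBuilderParameters plus a PKIXRevocationChecker, with no bouncycastle dependency. It assumes JDK 8 or later with the default trust store; the host and the SOFT_FAIL choice are constructed inputs.

```java
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import javax.net.ssl.*;
// Added example (not certifikit code): per-SSLContext revocation checking instead of JVM-wide properties.
public final class RevocationCheckingContext {
    public static SSLContext build(boolean softFail) throws Exception {
        // Copy the JDK's default trust anchors into a KeyStore; PKIXBuilderParameters rejects a null one.
        TrustManagerFactory def = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        X509TrustManager defaultTm = (X509TrustManager) def.getTrustManagers()[0];
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        int i = 0;
        for (X509Certificate root : defaultTm.getAcceptedIssuers()) {
            anchors.setCertificateEntry("root-" + i++, root);
        }
        // OCSP first, CRL fallback (JDK default). SOFT_FAIL tolerates an unreachable responder
        // (the "timeout" rows above) but still rejects a definitive REVOKED answer.
        PKIXRevocationChecker checker =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(softFail
            ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
            : EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
        params.addCertPathChecker(checker); // an explicit checker runs regardless of setRevocationEnabled
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx; // other SSLContexts in the same JVM keep their own (non-checking) behaviour
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "revoked.badssl.com"; // constructed default
        try (SSLSocket s = (SSLSocket) build(false).getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname verification on
            s.setSSLParameters(p);
            s.startHandshake(); // SSLHandshakeException "Certificate has been revoked" for a revoked chain
            System.out.println(host + ": chain OK, not revoked");
        } catch (SSLHandshakeException e) {
            System.out.println(host + ": " + e.getMessage());
        }
    }
}
```

OCSP stapling is still governed only by the jdk.tls.client.enableStatusRequestExtension property, so that one switch remains JVM-wide.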