如何使用Python请求库检查OCSP客户端证书吊销?

2024-04-28 14:07:55 发布

您现在位置:Python中文网/ 问答频道 /正文
7344 3

如何使用Python请求库向EJBCA OSCP响应程序发出简单的证书吊销状态请求

示例:

# Determine if certificate has been revoked

    ocsp_url = req_cert.extensions[2].value[0].access_location.value
    ocsp_headers = {"whatGoes: here?"}
    ocsp_body = {"What goes here?"}
    ocsp_response = requests.get(ocsp_url, ocsp_headers, ocsp_body)

    if (ocsp_response == 'revoked'):
       return func.HttpResponse(
           "Certificate is not valid (Revoked)."
       )

Tags: 程序urlifherevalueresponse状态ejbca
1条回答
网友
1楼 · 发布于 2024-04-28 14:07:55

基本上包括以下步骤:

  • 检索主机名的相应证书
  • 如果证书中包含相应的条目,您可以通过AuthorityInformationAccessOID.CA_ISSUERS查询扩展,如果成功,它将为您提供指向颁发者证书的链接
  • 使用此链接检索颁发者证书
  • 同样,您可以通过AuthorityInformationAccessOID.OCSP获得相应的OCSP服务器
  • 有了这些关于当前证书、颁发者证书和ocsp服务器的信息,您可以向OCSPRequestBuilder提供创建ocsp请求的信息
  • 使用requests.get获取OCSP响应
  • 从OCSP响应中检索certificate_status

要检索主机名和端口的证书,可以使用以下精确答案:https://stackoverflow.com/a/49132495。Python中的OCSP处理记录在这里:https://cryptography.io/en/latest/x509/ocsp.html

代码

如果将上述各点转换为一个自包含的示例,则其如下所示:

import base64
import ssl
import requests
from urllib.parse import urljoin

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.hashes import SHA256
from cryptography.x509 import ocsp
from cryptography.x509.ocsp import OCSPResponseStatus
from cryptography.x509.oid import ExtensionOID, AuthorityInformationAccessOID


def get_cert_for_hostname(hostname, port):
    conn = ssl.create_connection((hostname, port))
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    sock = context.wrap_socket(conn, server_hostname=hostname)
    certDER = sock.getpeercert(True)
    certPEM = ssl.DER_cert_to_PEM_cert(certDER)
    return x509.load_pem_x509_certificate(certPEM.encode('ascii'), default_backend())


def get_issuer(cert):
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    issuers = [ia for ia in aia if ia.access_method == AuthorityInformationAccessOID.CA_ISSUERS]
    if not issuers:
        raise Exception(f'no issuers entry in AIA')
    return issuers[0].access_location.value


def get_ocsp_server(cert):
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    ocsps = [ia for ia in aia if ia.access_method == AuthorityInformationAccessOID.OCSP]
    if not ocsps:
        raise Exception(f'no ocsp server entry in AIA')
    return ocsps[0].access_location.value


def get_issuer_cert(ca_issuer):
    issuer_response = requests.get(ca_issuer)
    if issuer_response.ok:
        issuerDER = issuer_response.content
        issuerPEM = ssl.DER_cert_to_PEM_cert(issuerDER)
        return x509.load_pem_x509_certificate(issuerPEM.encode('ascii'), default_backend())
    raise Exception(f'fetching issuer cert  failed with response status: {issuer_response.status_code}')


def get_oscp_request(ocsp_server, cert, issuer_cert):
    builder = ocsp.OCSPRequestBuilder()
    builder = builder.add_certificate(cert, issuer_cert, SHA256())
    req = builder.build()
    req_path = base64.b64encode(req.public_bytes(serialization.Encoding.DER))
    return urljoin(ocsp_server + '/', req_path.decode('ascii'))


def get_ocsp_cert_status(ocsp_server, cert, issuer_cert):
    ocsp_resp = requests.get(get_oscp_request(ocsp_server, cert, issuer_cert))
    if ocsp_resp.ok:
        ocsp_decoded = ocsp.load_der_ocsp_response(ocsp_resp.content)
        if ocsp_decoded.response_status == OCSPResponseStatus.SUCCESSFUL:
            return ocsp_decoded.certificate_status
        else:
            raise Exception(f'decoding ocsp response failed: {ocsp_decoded.response_status}')
    raise Exception(f'fetching ocsp cert status failed with response status: {ocsp_resp.status_code}')


def get_cert_status_for_host(hostname, port):
    print('   hostname:', hostname, "port:", port)
    cert = get_cert_for_hostname(hostname, port)
    ca_issuer = get_issuer(cert)
    print('   issuer ->', ca_issuer)
    issuer_cert = get_issuer_cert(ca_issuer)
    ocsp_server = get_ocsp_server(cert)
    print('   ocsp_server ->', ocsp_server)
    return get_ocsp_cert_status(ocsp_server, cert, issuer_cert)

测试1:良好证书

具有良好证书的如下测试调用

status = get_cert_status_for_host('software7.com', 443)
print('software7.com:', status, '\n')

结果如下:

   hostname: software7.com port: 443
   issuer -> http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt
   ocsp_server -> http://ocsp.digicert.com
software7.com: OCSPCertStatus.GOOD

测试2:吊销的证书

当然,您还必须对吊销的证书进行反测试。这里reversed.badsl.com是首选:

status = get_cert_status_for_host('revoked.badssl.com', 443)
print('revoked.badssl.com:', status, '\n')

这将作为输出提供:

   hostname: revoked.badssl.com port: 443
   issuer -> http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
   ocsp_server -> http://ocsp.digicert.com
revoked.badssl.com: OCSPCertStatus.REVOKED

AIA检索发卡机构证书

证书关系的典型场景如下所示:

Certificate Relationship

服务器在TLS握手过程中提供服务器证书,通常还提供一个或多个中间证书。“通常”一词是有意使用的:一些服务器配置为不提供中间证书。浏览器然后使用AIA获取来构建认证链

证书颁发机构信息访问扩展中最多可以有两个条目:用于下载颁发者证书的条目和到OCSP服务器的链接

这些条目也可能丢失,但检查100个最流行服务器的证书的简短测试脚本显示,这些条目通常包含在公共证书颁发机构颁发的证书中

CA Issuers条目也可能丢失,但尽管有关OCSP服务器的信息可用,但可以使用自签名证书对其进行测试,例如使用OpenSSL:

Missing CA Issuers Entry

在这种情况下,您必须在TLS握手中从链中确定颁发者证书,该证书直接位于链中的服务器证书之后,另请参见上图

出于完整性考虑:有时会出现另一种情况,尤其是与自签名证书结合使用时:如果未使用中间证书,则必须将相应的根证书(例如,在本地信任存储中可用)用作颁发者证书

相关问题 更多 >

    编程相关推荐