feat(batch9): implement f4 ocsp peer validation hooks

2026-02-28 12:34:38 -05:00
parent 87b4363eeb
commit 41b01743fd
6 changed files with 573 additions and 0 deletions
--- a/dotnet/src/ZB.MOM.NatsNet.Server/Auth/Ocsp/OcspHandler.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/Auth/Ocsp/OcspHandler.cs
@@ -53,6 +53,110 @@ internal static class OcspHandler
        }
    }

+    internal static (OcspPeerConfig? config, Exception? error) ParseOCSPPeer(object? value)
+    {
+        if (value is not IDictionary<string, object?> map)
+        {
+            return (null, new InvalidOperationException(
+                string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrIllegalPeerOptsConfig, value ?? "null")));
+        }
+
+        var config = OcspPeerConfig.Create();
+        foreach (var (key, raw) in map)
+        {
+            switch (key.ToLowerInvariant())
+            {
+                case "verify":
+                    if (raw is not bool verify)
+                    {
+                        return (null, new InvalidOperationException(
+                            string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldGeneric, key)));
+                    }
+                    config.Verify = verify;
+                    break;
+
+                case "allowed_clockskew":
+                    var (clockSkew, skewError) = ParsePeerDurationValue(raw);
+                    if (skewError != null)
+                    {
+                        return (null, skewError);
+                    }
+                    if (clockSkew >= 0)
+                    {
+                        config.ClockSkew = clockSkew;
+                    }
+                    break;
+
+                case "ca_timeout":
+                    var (timeout, timeoutError) = ParsePeerDurationValue(raw);
+                    if (timeoutError != null)
+                    {
+                        return (null, timeoutError);
+                    }
+                    if (timeout >= 0)
+                    {
+                        config.Timeout = timeout;
+                    }
+                    break;
+
+                case "cache_ttl_when_next_update_unset":
+                    var (ttl, ttlError) = ParsePeerDurationValue(raw);
+                    if (ttlError != null)
+                    {
+                        return (null, ttlError);
+                    }
+                    if (ttl >= 0)
+                    {
+                        config.TTLUnsetNextUpdate = ttl;
+                    }
+                    break;
+
+                case "warn_only":
+                    if (raw is not bool warnOnly)
+                    {
+                        return (null, new InvalidOperationException(
+                            string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldGeneric, key)));
+                    }
+                    config.WarnOnly = warnOnly;
+                    break;
+
+                case "unknown_is_good":
+                    if (raw is not bool unknownIsGood)
+                    {
+                        return (null, new InvalidOperationException(
+                            string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldGeneric, key)));
+                    }
+                    config.UnknownIsGood = unknownIsGood;
+                    break;
+
+                case "allow_when_ca_unreachable":
+                    if (raw is not bool allowWhenCaUnreachable)
+                    {
+                        return (null, new InvalidOperationException(
+                            string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldGeneric, key)));
+                    }
+                    config.AllowWhenCAUnreachable = allowWhenCaUnreachable;
+                    break;
+
+                default:
+                    return (null, new InvalidOperationException(
+                        string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldGeneric, key)));
+            }
+        }
+
+        return (config, null);
+    }
+
+    internal static X509Certificate2? PeerFromVerifiedChains(X509Certificate2[][] chains)
+    {
+        if (chains.Length == 0 || chains[0].Length == 0)
+        {
+            return null;
+        }
+
+        return chains[0][0];
+    }
+
    internal static bool HasOCSPStatusRequest(X509Certificate2 cert)
    {
        foreach (var extension in cert.Extensions)
@@ -249,6 +353,33 @@ internal static class OcspHandler
        return false;
    }

+    private static (double value, Exception? error) ParsePeerDurationValue(object? value)
+    {
+        return value switch
+        {
+            null => (0, new InvalidOperationException(
+                string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldTypeConversion, "unexpected type"))),
+            int i => (i, null),
+            long l => (l, null),
+            float f => (f, null),
+            double d => (d, null),
+            string s => ParseDurationSeconds(s),
+            _ => (0, new InvalidOperationException(
+                string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldTypeConversion, "unexpected type"))),
+        };
+    }
+
+    private static (double value, Exception? error) ParseDurationSeconds(string duration)
+    {
+        if (TimeSpan.TryParse(duration, CultureInfo.InvariantCulture, out var parsed))
+        {
+            return (parsed.TotalSeconds, null);
+        }
+
+        return (0, new InvalidOperationException(
+            string.Format(CultureInfo.InvariantCulture, OcspMessages.ErrParsingPeerOptFieldTypeConversion, "unexpected type")));
+    }
+
    private sealed class SerializedOcspResponse
    {
        public int Status { get; set; }
--- a/dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Ocsp.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Ocsp.cs
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0

 using System.Net.Security;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using ZB.MOM.NatsNet.Server.Auth.CertificateIdentityProvider;
 using ZB.MOM.NatsNet.Server.Auth.Ocsp;
@@ -397,4 +398,236 @@ public sealed partial class NatsServer
        StartOCSPMonitoring();
        return null;
    }
+
+    internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugTLSOCSPPeer(OcspTlsConfig? config)
+    {
+        if (config == null || config.TlsConfig == null)
+        {
+            return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSEmptyConfig));
+        }
+
+        var kind = config.Kind;
+        var isSpoke = config.IsLeafSpoke;
+        var tlsOptions = config.TlsOptions;
+        if (tlsOptions?.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
+        {
+            return (config.TlsConfig, false, null);
+        }
+
+        Debugf(OcspMessages.DbgPlugTLSForKind, config.Kind);
+
+        if (kind == ClientKindName || (kind == LeafKindName && !isSpoke))
+        {
+            if (!tlsOptions.Verify)
+            {
+                return (null, false, new InvalidOperationException(OcspMessages.ErrMTLSRequired));
+            }
+
+            return PlugClientTLSOCSPPeer(config);
+        }
+
+        if (kind == LeafKindName && isSpoke)
+        {
+            return PlugServerTLSOCSPPeer(config);
+        }
+
+        return (config.TlsConfig, false, null);
+    }
+
+    internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugClientTLSOCSPPeer(OcspTlsConfig? config)
+    {
+        if (config?.TlsConfig == null || config.TlsOptions == null)
+        {
+            return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSClient));
+        }
+
+        var tlsConfig = config.TlsConfig;
+        var tlsOptions = config.TlsOptions;
+        if (tlsOptions.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
+        {
+            return (tlsConfig, false, null);
+        }
+
+        tlsConfig.RemoteCertificateValidationCallback = (_, _, chain, _) =>
+        {
+            if (chain?.ChainElements == null || chain.ChainElements.Count == 0)
+            {
+                return false;
+            }
+
+            var converted = chain.ChainElements
+                .Select(e => e.Certificate)
+                .OfType<X509Certificate2>()
+                .ToArray();
+            return TlsClientOCSPValid([converted], tlsOptions.OcspPeerConfig);
+        };
+
+        return (tlsConfig, true, null);
+    }
+
+    internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugServerTLSOCSPPeer(OcspTlsConfig? config)
+    {
+        if (config?.TlsConfig == null || config.TlsOptions == null)
+        {
+            return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSServer));
+        }
+
+        var tlsConfig = config.TlsConfig;
+        var tlsOptions = config.TlsOptions;
+        if (tlsOptions.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
+        {
+            return (tlsConfig, false, null);
+        }
+
+        tlsConfig.RemoteCertificateValidationCallback = (_, _, chain, _) =>
+        {
+            if (chain?.ChainElements == null || chain.ChainElements.Count == 0)
+            {
+                return false;
+            }
+
+            var converted = chain.ChainElements
+                .Select(e => e.Certificate)
+                .OfType<X509Certificate2>()
+                .ToArray();
+            return TlsServerOCSPValid([converted], tlsOptions.OcspPeerConfig);
+        };
+
+        return (tlsConfig, true, null);
+    }
+
+    internal bool TlsServerOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
+    {
+        Debugf(OcspMessages.DbgNumServerChains, chains.Length);
+        return PeerOCSPValid(chains, options);
+    }
+
+    internal bool TlsClientOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
+    {
+        Debugf(OcspMessages.DbgNumClientChains, chains.Length);
+        return PeerOCSPValid(chains, options);
+    }
+
+    internal bool PeerOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
+    {
+        var peer = OcspHandler.PeerFromVerifiedChains(chains);
+        if (peer == null)
+        {
+            Errorf(OcspMessages.ErrPeerEmptyAutoReject);
+            return false;
+        }
+
+        for (var chainIndex = 0; chainIndex < chains.Length; chainIndex++)
+        {
+            var chain = chains[chainIndex];
+            Debugf(OcspMessages.DbgLinksInChain, chainIndex, chain.Length);
+
+            if (chain.Length == 1)
+            {
+                Debugf(OcspMessages.DbgSelfSignedValid, chainIndex);
+                return true;
+            }
+
+            var chainEligible = false;
+            var eligibleLinks = new List<ChainLink>();
+            for (var linkPos = 0; linkPos < chain.Length - 1; linkPos++)
+            {
+                var cert = chain[linkPos];
+                var link = new ChainLink { Leaf = cert };
+                if (OcspUtilities.CertOCSPEligible(link))
+                {
+                    chainEligible = true;
+                    link.Issuer = chain[linkPos + 1];
+                    eligibleLinks.Add(link);
+                }
+            }
+
+            if (!chainEligible)
+            {
+                Debugf(OcspMessages.DbgValidNonOCSPChain, chainIndex);
+                return true;
+            }
+
+            Debugf(OcspMessages.DbgChainIsOCSPEligible, chainIndex, eligibleLinks.Count);
+            var chainValid = true;
+            foreach (var link in eligibleLinks)
+            {
+                var (reason, good) = CertOCSPGood(link, options);
+                if (good)
+                {
+                    continue;
+                }
+
+                Debugf(reason);
+                chainValid = false;
+                break;
+            }
+
+            if (chainValid)
+            {
+                Debugf(OcspMessages.DbgChainIsOCSPValid, chainIndex);
+                return true;
+            }
+        }
+
+        Debugf(OcspMessages.DbgNoOCSPValidChains);
+        return false;
+    }
+
+    internal (string reason, bool good) CertOCSPGood(ChainLink? link, OcspPeerConfig options)
+    {
+        if (link?.Leaf == null || link.Issuer == null || link.OcspWebEndpoints == null || link.OcspWebEndpoints.Count == 0)
+        {
+            return ("Empty chainlink found", false);
+        }
+
+        var log = new OcspLog
+        {
+            Debugf = (fmt, args) => Debugf(fmt, args),
+            Noticef = (fmt, args) => Noticef(fmt, args),
+            Warnf = (fmt, args) => Warnf(fmt, args),
+            Errorf = (fmt, args) => Errorf(fmt, args),
+        };
+
+        var fingerprint = Convert.ToHexString(SHA256.HashData(link.Leaf.RawData)).ToLowerInvariant();
+        var cached = _ocsprc?.Get(fingerprint);
+        if (cached is { Length: > 0 })
+        {
+            var (parsed, parseError) = OcspHandler.ParseOcspResponse(cached);
+            if (parseError == null && parsed != null && OcspUtilities.OCSPResponseCurrent(parsed, options, log))
+            {
+                if (parsed.Status == OcspStatusAssertion.Revoked ||
+                    (parsed.Status == OcspStatusAssertion.Unknown && !options.UnknownIsGood))
+                {
+                    if (options.WarnOnly)
+                    {
+                        Warnf("allowing OCSP peer due warn_only for [{0}]", link.Leaf.Subject);
+                        return (string.Empty, true);
+                    }
+
+                    return ($"OCSP response invalid status: {OcspStatusAssertionExtensions.GetStatusAssertionStr((int)parsed.Status)}", false);
+                }
+
+                Debugf(OcspMessages.DbgOCSPValidPeerLink, link.Leaf.Subject);
+                return (string.Empty, true);
+            }
+        }
+
+        if (options.AllowWhenCAUnreachable || options.WarnOnly)
+        {
+            if (options.WarnOnly)
+            {
+                Warnf("allowing OCSP peer due warn_only for [{0}]", link.Leaf.Subject);
+            }
+
+            if (options.AllowWhenCAUnreachable)
+            {
+                Warnf("allowing OCSP peer due unreachable CA for [{0}]", link.Leaf.Subject);
+            }
+
+            return (string.Empty, true);
+        }
+
+        return ("failed to fetch OCSP response", false);
+    }
 }
--- a/dotnet/src/ZB.MOM.NatsNet.Server/ServerOptionTypes.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/ServerOptionTypes.cs
@@ -118,6 +118,7 @@ public class TlsConfigOpts
    public List<string> CaCertsMatch { get; set; } = [];
    public List<TlsCertPairOpt> Certificates { get; set; } = [];
    public SslProtocols MinVersion { get; set; }
+    public Auth.CertificateIdentityProvider.OcspPeerConfig? OcspPeerConfig { get; set; }
 }

 /// <summary>
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/CertificateIdentityProvider/CertificateIdentityProviderTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/CertificateIdentityProvider/CertificateIdentityProviderTests.cs
@@ -1,4 +1,5 @@
 using Shouldly;
+using ZB.MOM.NatsNet.Server;
 using ZB.MOM.NatsNet.Server.Auth.CertificateIdentityProvider;

 namespace ZB.MOM.NatsNet.Server.Tests.Auth.CertificateIdentityProvider;
@@ -36,4 +37,18 @@ public sealed class CertificateIdentityProviderTests
        var decoded = Convert.FromBase64String(unescaped);
        decoded.ShouldBe(data);
    }
+
+    [Fact]
+    public void ParseOCSPPeer_UnknownField_ReturnsError()
+    {
+        Dictionary<string, object?> map = new()
+        {
+            ["unexpected"] = true,
+        };
+
+        var (config, err) = OcspHandler.ParseOCSPPeer(map);
+
+        config.ShouldBeNull();
+        err.ShouldNotBeNull();
+    }
 }
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/OcspPeerValidationTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/OcspPeerValidationTests.cs
@@ -0,0 +1,193 @@
+using System.Net.Security;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Shouldly;
+using ZB.MOM.NatsNet.Server;
+using ZB.MOM.NatsNet.Server.Auth.CertificateIdentityProvider;
+
+namespace ZB.MOM.NatsNet.Server.Tests.Auth;
+
+public sealed class OcspPeerValidationTests : IDisposable
+{
+    private readonly List<X509Certificate2> _certs = [];
+
+    [Fact]
+    public void ParseOCSPPeer_ValidMap_ReturnsConfig()
+    {
+        Dictionary<string, object?> map = new()
+        {
+            ["verify"] = true,
+            ["allowed_clockskew"] = 30.0,
+            ["ca_timeout"] = 5.0,
+            ["cache_ttl_when_next_update_unset"] = 120.0,
+            ["warn_only"] = true,
+            ["unknown_is_good"] = true,
+            ["allow_when_ca_unreachable"] = true,
+        };
+
+        var (config, err) = OcspHandler.ParseOCSPPeer(map);
+
+        err.ShouldBeNull();
+        config.ShouldNotBeNull();
+        config.Verify.ShouldBeTrue();
+        config.ClockSkew.ShouldBe(30.0);
+        config.Timeout.ShouldBe(5.0);
+        config.TTLUnsetNextUpdate.ShouldBe(120.0);
+        config.WarnOnly.ShouldBeTrue();
+        config.UnknownIsGood.ShouldBeTrue();
+        config.AllowWhenCAUnreachable.ShouldBeTrue();
+    }
+
+    [Fact]
+    public void PeerFromVerifiedChains_EmptyChains_ReturnsNull()
+    {
+        OcspHandler.PeerFromVerifiedChains([]).ShouldBeNull();
+    }
+
+    [Fact]
+    public void PeerFromVerifiedChains_NonEmptyChains_ReturnsFirstLeaf()
+    {
+        var cert = CreateSelfSignedCertificate("CN=peer-first");
+
+        var result = OcspHandler.PeerFromVerifiedChains([[cert]]);
+
+        result.ShouldNotBeNull();
+        result!.Subject.ShouldBe(cert.Subject);
+    }
+
+    [Fact]
+    public void PlugTLSOCSPPeer_ClientWithoutVerify_ReturnsError()
+    {
+        var server = NewServer();
+        var cert = CreateSelfSignedCertificate("CN=client-no-verify");
+        var config = new OcspTlsConfig
+        {
+            Kind = "client",
+            TlsConfig = new SslServerAuthenticationOptions { ServerCertificate = cert },
+            TlsOptions = new TlsConfigOpts
+            {
+                Verify = false,
+                OcspPeerConfig = new OcspPeerConfig { Verify = true },
+            },
+            Apply = _ => { },
+        };
+
+        var (_, plugged, err) = server.PlugTLSOCSPPeer(config);
+
+        plugged.ShouldBeFalse();
+        err.ShouldNotBeNull();
+        err!.Message.ShouldContain("mTLS");
+    }
+
+    [Fact]
+    public void PlugTLSOCSPPeer_ClientWithVerify_ReturnsPlugged()
+    {
+        var server = NewServer();
+        var cert = CreateSelfSignedCertificate("CN=client-verify");
+        var config = new OcspTlsConfig
+        {
+            Kind = "client",
+            TlsConfig = new SslServerAuthenticationOptions { ServerCertificate = cert },
+            TlsOptions = new TlsConfigOpts
+            {
+                Verify = true,
+                OcspPeerConfig = new OcspPeerConfig { Verify = true },
+            },
+            Apply = _ => { },
+        };
+
+        var (tlsConfig, plugged, err) = server.PlugTLSOCSPPeer(config);
+
+        err.ShouldBeNull();
+        plugged.ShouldBeTrue();
+        tlsConfig.ShouldNotBeNull();
+        tlsConfig!.RemoteCertificateValidationCallback.ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void PlugTLSOCSPPeer_LeafSpoke_ReturnsPlugged()
+    {
+        var server = NewServer();
+        var cert = CreateSelfSignedCertificate("CN=leaf-spoke");
+        var config = new OcspTlsConfig
+        {
+            Kind = "leaf",
+            IsLeafSpoke = true,
+            TlsConfig = new SslServerAuthenticationOptions { ServerCertificate = cert },
+            TlsOptions = new TlsConfigOpts
+            {
+                Verify = true,
+                OcspPeerConfig = new OcspPeerConfig { Verify = true },
+            },
+            Apply = _ => { },
+        };
+
+        var (_, plugged, err) = server.PlugTLSOCSPPeer(config);
+
+        err.ShouldBeNull();
+        plugged.ShouldBeTrue();
+    }
+
+    [Fact]
+    public void TlsServerOCSPValid_SelfSignedChain_ReturnsTrue()
+    {
+        var server = NewServer();
+        var cert = CreateSelfSignedCertificate("CN=selfsigned");
+        var opts = new OcspPeerConfig { Verify = true };
+
+        var valid = server.TlsServerOCSPValid([[cert]], opts);
+
+        valid.ShouldBeTrue();
+    }
+
+    [Fact]
+    public void TlsClientOCSPValid_EmptyChains_ReturnsFalse()
+    {
+        var server = NewServer();
+        var opts = new OcspPeerConfig { Verify = true };
+
+        var valid = server.TlsClientOCSPValid([], opts);
+
+        valid.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void CertOCSPGood_EmptyChainLink_ReturnsFalse()
+    {
+        var server = NewServer();
+        var (reason, good) = server.CertOCSPGood(new ChainLink(), new OcspPeerConfig());
+
+        good.ShouldBeFalse();
+        reason.ShouldContain("Empty chainlink");
+    }
+
+    public void Dispose()
+    {
+        foreach (var cert in _certs)
+        {
+            cert.Dispose();
+        }
+    }
+
+    private NatsServer NewServer()
+    {
+        var (server, err) = NatsServer.NewServer(new ServerOptions());
+        err.ShouldBeNull();
+        return server!;
+    }
+
+    private X509Certificate2 CreateSelfSignedCertificate(string subject)
+    {
+        var request = new CertificateRequest(
+            subject,
+            RSA.Create(2048),
+            HashAlgorithmName.SHA256,
+            RSASignaturePadding.Pkcs1);
+        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
+        request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(request.PublicKey, false));
+
+        var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
+        _certs.Add(cert);
+        return cert;
+    }
+}
--- a/porting.db
+++ b/porting.db