dohertj2/natsnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(batch9): implement f4 ocsp peer validation hooks

Browse Source
This commit is contained in:
Joseph Doherty
2026-02-28 12:34:38 -05:00
parent 87b4363eeb
commit 41b01743fd
6 changed files with 573 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Ocsp.cs
View File

@@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using ZB.MOM.NatsNet.Server.Auth.CertificateIdentityProvider;
using ZB.MOM.NatsNet.Server.Auth.Ocsp;
@@ -397,4 +398,236 @@ public sealed partial class NatsServer
StartOCSPMonitoring();
return null;
}
internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugTLSOCSPPeer(OcspTlsConfig? config)
{
if (config == null || config.TlsConfig == null)
{
return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSEmptyConfig));
}
var kind = config.Kind;
var isSpoke = config.IsLeafSpoke;
var tlsOptions = config.TlsOptions;
if (tlsOptions?.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
{
return (config.TlsConfig, false, null);
}
Debugf(OcspMessages.DbgPlugTLSForKind, config.Kind);
if (kind == ClientKindName || (kind == LeafKindName && !isSpoke))
{
if (!tlsOptions.Verify)
{
return (null, false, new InvalidOperationException(OcspMessages.ErrMTLSRequired));
}
return PlugClientTLSOCSPPeer(config);
}
if (kind == LeafKindName && isSpoke)
{
return PlugServerTLSOCSPPeer(config);
}
return (config.TlsConfig, false, null);
}
internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugClientTLSOCSPPeer(OcspTlsConfig? config)
{
if (config?.TlsConfig == null || config.TlsOptions == null)
{
return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSClient));
}
var tlsConfig = config.TlsConfig;
var tlsOptions = config.TlsOptions;
if (tlsOptions.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
{
return (tlsConfig, false, null);
}
tlsConfig.RemoteCertificateValidationCallback = (_, _, chain, _) =>
{
if (chain?.ChainElements == null || chain.ChainElements.Count == 0)
{
return false;
}
var converted = chain.ChainElements
.Select(e => e.Certificate)
.OfType<X509Certificate2>()
.ToArray();
return TlsClientOCSPValid([converted], tlsOptions.OcspPeerConfig);
};
return (tlsConfig, true, null);
}
internal (SslServerAuthenticationOptions? tlsConfig, bool plugged, Exception? error) PlugServerTLSOCSPPeer(OcspTlsConfig? config)
{
if (config?.TlsConfig == null || config.TlsOptions == null)
{
return (null, false, new InvalidOperationException(OcspMessages.ErrUnableToPlugTLSServer));
}
var tlsConfig = config.TlsConfig;
var tlsOptions = config.TlsOptions;
if (tlsOptions.OcspPeerConfig == null || !tlsOptions.OcspPeerConfig.Verify)
{
return (tlsConfig, false, null);
}
tlsConfig.RemoteCertificateValidationCallback = (_, _, chain, _) =>
{
if (chain?.ChainElements == null || chain.ChainElements.Count == 0)
{
return false;
}
var converted = chain.ChainElements
.Select(e => e.Certificate)
.OfType<X509Certificate2>()
.ToArray();
return TlsServerOCSPValid([converted], tlsOptions.OcspPeerConfig);
};
return (tlsConfig, true, null);
}
internal bool TlsServerOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
{
Debugf(OcspMessages.DbgNumServerChains, chains.Length);
return PeerOCSPValid(chains, options);
}
internal bool TlsClientOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
{
Debugf(OcspMessages.DbgNumClientChains, chains.Length);
return PeerOCSPValid(chains, options);
}
internal bool PeerOCSPValid(X509Certificate2[][] chains, OcspPeerConfig options)
{
var peer = OcspHandler.PeerFromVerifiedChains(chains);
if (peer == null)
{
Errorf(OcspMessages.ErrPeerEmptyAutoReject);
return false;
}
for (var chainIndex = 0; chainIndex < chains.Length; chainIndex++)
{
var chain = chains[chainIndex];
Debugf(OcspMessages.DbgLinksInChain, chainIndex, chain.Length);
if (chain.Length == 1)
{
Debugf(OcspMessages.DbgSelfSignedValid, chainIndex);
return true;
}
var chainEligible = false;
var eligibleLinks = new List<ChainLink>();
for (var linkPos = 0; linkPos < chain.Length - 1; linkPos++)
{
var cert = chain[linkPos];
var link = new ChainLink { Leaf = cert };
if (OcspUtilities.CertOCSPEligible(link))
{
chainEligible = true;
link.Issuer = chain[linkPos + 1];
eligibleLinks.Add(link);
}
}
if (!chainEligible)
{
Debugf(OcspMessages.DbgValidNonOCSPChain, chainIndex);
return true;
}
Debugf(OcspMessages.DbgChainIsOCSPEligible, chainIndex, eligibleLinks.Count);
var chainValid = true;
foreach (var link in eligibleLinks)
{
var (reason, good) = CertOCSPGood(link, options);
if (good)
{
continue;
}
Debugf(reason);
chainValid = false;
break;
}
if (chainValid)
{
Debugf(OcspMessages.DbgChainIsOCSPValid, chainIndex);
return true;
}
}
Debugf(OcspMessages.DbgNoOCSPValidChains);
return false;
}
internal (string reason, bool good) CertOCSPGood(ChainLink? link, OcspPeerConfig options)
{
if (link?.Leaf == null || link.Issuer == null || link.OcspWebEndpoints == null || link.OcspWebEndpoints.Count == 0)
{
return ("Empty chainlink found", false);
}
var log = new OcspLog
{
Debugf = (fmt, args) => Debugf(fmt, args),
Noticef = (fmt, args) => Noticef(fmt, args),
Warnf = (fmt, args) => Warnf(fmt, args),
Errorf = (fmt, args) => Errorf(fmt, args),
};
var fingerprint = Convert.ToHexString(SHA256.HashData(link.Leaf.RawData)).ToLowerInvariant();
var cached = _ocsprc?.Get(fingerprint);
if (cached is { Length: > 0 })
{
var (parsed, parseError) = OcspHandler.ParseOcspResponse(cached);
if (parseError == null && parsed != null && OcspUtilities.OCSPResponseCurrent(parsed, options, log))
{
if (parsed.Status == OcspStatusAssertion.Revoked ||
(parsed.Status == OcspStatusAssertion.Unknown && !options.UnknownIsGood))
{
if (options.WarnOnly)
{
Warnf("allowing OCSP peer due warn_only for [{0}]", link.Leaf.Subject);
return (string.Empty, true);
}
return ($"OCSP response invalid status: {OcspStatusAssertionExtensions.GetStatusAssertionStr((int)parsed.Status)}", false);
}
Debugf(OcspMessages.DbgOCSPValidPeerLink, link.Leaf.Subject);
return (string.Empty, true);
}
}
if (options.AllowWhenCAUnreachable || options.WarnOnly)
{
if (options.WarnOnly)
{
Warnf("allowing OCSP peer due warn_only for [{0}]", link.Leaf.Subject);
}
if (options.AllowWhenCAUnreachable)
{
Warnf("allowing OCSP peer due unreachable CA for [{0}]", link.Leaf.Subject);
}
return (string.Empty, true);
}
return ("failed to fetch OCSP response", false);
}
}