Apache NiFi / NIFI-1364

Audit OCSP certificate validation


    Details

      Description

      While upgrading the version of BouncyCastle libraries used, I had to re-write the OCSP certificate validation code because BC split the PKIX code into a separate module and renamed many classes & methods. During this re-write, I made the code compile using the new logic, but I am unsure that OCSP validation needs to occur outside of the SSL/TLS negotiation, or that the current mechanism is correct.

      Questions:

      • Can we use Java's built-in OCSP validation? [1][2]
      • Is the current mechanism correct, where a local cache is used with custom internal classes representing OCSP requests and statuses, and it queries a pre-specified OCSP responder as opposed to the per-certificate OCSP responder listed in each certificate's Authority Information Access OCSP URI [3]? I think this design decision stems from a legacy environment which may not apply to current use cases.

      More information: [4]

      [1] https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
      [2] https://stackoverflow.com/questions/8506661/check-x509-certificate-revocation-status-in-spring-security-before-authenticatin
      [3] https://blog.ivanristic.com/2014/02/checking-ocsp-revocation-using-openssl.html
      [4] https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
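As an added illustration of the first question (not NiFi code and not part of the ticket): the JDK has shipped a PKIXRevocationChecker since Java 8 that performs OCSP lookups against the responder named in each certificate's Authority Information Access extension, can be pinned to one responder to reproduce the current NiFi behaviour, and can be told whether a responder outage fails open or closed. The class and method names below are hypothetical, and the example assumes JDK 8 or later with a trust store that contains the CA certificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/**
 * Hypothetical example (not NiFi code): OCSP revocation checking with the JDK's
 * built-in PKIXRevocationChecker instead of a hand-written OCSP client and cache.
 */
public final class JdkOcspValidation {

    private JdkOcspValidation() {}

    /**
     * Validates a chain (leaf first, then intermediates; the trust anchor comes from
     * the trust store and is not part of the path) and checks every certificate's
     * revocation status over OCSP.
     *
     * @param responderOverride null to query the responder from each certificate's
     *        AIA extension (the JDK default); a fixed URI reproduces the
     *        "pre-specified responder" design questioned in the ticket
     * @param failOpen true tolerates an unreachable or malformed responder (SOFT_FAIL);
     *        false fails closed with UNDETERMINED_REVOCATION_STATUS
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       KeyStore trustStore,
                                                       URI responderOverride,
                                                       boolean failOpen) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) validator.getRevocationChecker();

        // OCSP only: without NO_FALLBACK the JDK quietly falls back to CRLs when OCSP fails.
        EnumSet<Option> options = EnumSet.of(Option.NO_FALLBACK);
        if (failOpen) {
            options.add(Option.SOFT_FAIL);
        }
        revocation.setOptions(options);

        if (responderOverride != null) {
            // Overrides the AIA OCSP URI of every certificate in the path.
            revocation.setOcspResponder(responderOverride);
        }

        PKIXParameters params = new PKIXParameters(trustStore);
        // Configure the checker before adding it: PKIXParameters stores a clone.
        // A supplied PKIXRevocationChecker is used irrespective of setRevocationEnabled().
        params.addCertPathChecker(revocation);

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            return (PKIXCertPathValidatorResult) validator.validate(path, params);
        } catch (CertPathValidatorException e) {
            // Separate "known revoked" from "could not determine" so policy can differ.
            String what = e.getReason() == BasicReason.REVOKED ? "revoked"
                    : e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS
                        ? "revocation status undetermined" : "invalid";
            throw new CertPathValidatorException("certificate " + what + " at path index "
                    + e.getIndex() + ": " + e.getMessage(),
                    e, e.getCertPath(), e.getIndex(), e.getReason());
        }
    }

    /**
     * Turns on OCSP inside the JDK's own PKIX trust manager (the approach in the ticket's [1]),
     * so revocation is checked during the TLS handshake with no separate validation pass.
     * Must run before the first TrustManagerFactory / SSLContext is initialised.
     */
    public static void enableOcspInTlsHandshake(URI responderOverride) {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        Security.setProperty("ocsp.enable", "true");
        if (responderOverride != null) {
            Security.setProperty("ocsp.responderURL", responderOverride.toString());
        }
    }

    /** Usage: java JdkOcspValidation truststore.p12 password chain.pem [responderUrl] */
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(args[0].endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            // A PEM file holding leaf then intermediates yields them in file order.
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        URI responder = args.length > 3 ? URI.create(args[3]) : null;
        PKIXCertPathValidatorResult r = validate(chain, ts, responder, false);
        System.out.println("valid; anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Two points worth checking when weighing this against the existing mechanism: setOcspResponder replaces the AIA URI for the whole path, so a pinned responder must be able to answer for the intermediates as well as the leaf, and SOFT_FAIL turns a responder outage into a silently accepted certificate, which is the fail-open behaviour a local cache of statuses can also hide.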


              People

              • Assignee:
                thenatog Nathan Gough
                Reporter:
                alopresto Andy LoPresto
• Votes: 0
  Watchers: 7


Time Tracking

• Estimated: Not Specified
  Remaining: 0h
  Logged: 2h