lemur/lemur/certificates/verify.py

"""
.. module: lemur.certificates.verify
    :platform: Unix
    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
import requests
import subprocess
from flask import current_app
from requests.exceptions import ConnectionError, InvalidSchema
from cryptography import x509
from cryptography.hazmat.backends import default_backend

from lemur.utils import mktempfile
from lemur.common.utils import parse_certificate

crl_cache = {}


def ocsp_verify(cert, cert_path, issuer_chain_path):
    """
    Attempts to verify a certificate via OCSP. OCSP is a more modern version
    of CRL in that it will query the OCSP URI in order to determine if the
    certificate has been revoked

    :param cert:
    :param cert_path:
    :param issuer_chain_path:
    :return bool: True if certificate is valid, False otherwise
    """
    command = ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path]
    p1 = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    url, err = p1.communicate()

    if not url:
        current_app.logger.debug(
            "No OCSP URL in certificate {}".format(cert.serial_number)
        )
        return None

    p2 = subprocess.Popen(
        [
            "openssl",
            "ocsp",
            "-issuer",
            issuer_chain_path,
            "-cert",
            cert_path,
            "-url",
            url.strip(),
        ],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )

    message, err = p2.communicate()

    p_message = message.decode("utf-8")

    if "error" in p_message or "Error" in p_message:
        raise Exception("Got error when parsing OCSP url")

    elif "revoked" in p_message:
        current_app.logger.debug(
            "OCSP reports certificate revoked: {}".format(cert.serial_number)
        )
        return False

    elif "good" not in p_message:
        raise Exception("Did not receive a valid response")

    return True


def crl_verify(cert, cert_path):
    """
    Attempts to verify a certificate using CRL.

    :param cert:
    :param cert_path:
    :return: True if certificate is valid, False otherwise
    :raise Exception: If certificate does not have CRL
    """
    try:
        distribution_points = cert.extensions.get_extension_for_oid(
            x509.OID_CRL_DISTRIBUTION_POINTS
        ).value
    except x509.ExtensionNotFound:
        current_app.logger.debug(
            "No CRLDP extension in certificate {}".format(cert.serial_number)
        )
        return None

    for p in distribution_points:
        point = p.full_name[0].value

        if point not in crl_cache:
            current_app.logger.debug("Retrieving CRL: {}".format(point))
            try:
                response = requests.get(point)

                if response.status_code != 200:
                    raise Exception("Unable to retrieve CRL: {0}".format(point))
            except InvalidSchema:
                # Unhandled URI scheme (like ldap://); skip this distribution point.
                continue
            except ConnectionError:
                raise Exception("Unable to retrieve CRL: {0}".format(point))

            crl_cache[point] = x509.load_der_x509_crl(
                response.content, backend=default_backend()
            )
        else:
            current_app.logger.debug("CRL point is cached {}".format(point))

        for r in crl_cache[point]:
            if cert.serial_number == r.serial_number:
                try:
                    reason = r.extensions.get_extension_for_class(x509.CRLReason).value
                    # Handle "removeFromCRL" revoke reason as unrevoked;
                    # continue with the next distribution point.
                    # Per RFC 5280 section 6.3.3 (k):
                    #  https://tools.ietf.org/html/rfc5280#section-6.3.3
                    if reason == x509.ReasonFlags.remove_from_crl:
                        break
                except x509.ExtensionNotFound:
                    pass

                current_app.logger.debug(
                    "CRL reports certificate " "revoked: {}".format(cert.serial_number)
                )
                return False

    return True


def verify(cert_path, issuer_chain_path):
    """
    Verify a certificate using OCSP and CRL

    :param cert_path:
    :param issuer_chain_path:
    :return: True if valid, False otherwise
    """
    with open(cert_path, "rt") as c:
        try:
            cert = parse_certificate(c.read())
        except ValueError as e:
            current_app.logger.error(e)
            return None

    # OCSP is our main source of truth, in a lot of cases CRLs
    # have been deprecated and are no longer updated
    verify_result = ocsp_verify(cert, cert_path, issuer_chain_path)

    if verify_result is None:
        verify_result = crl_verify(cert, cert_path)

    if verify_result is None:
        current_app.logger.debug("Failed to verify {}".format(cert.serial_number))

    return verify_result


def verify_string(cert_string, issuer_string):
    """
    Verify a certificate given only it's string value

    :param cert_string:
    :param issuer_string:
    :return: True if valid, False otherwise
    """
    with mktempfile() as cert_tmp:
        with open(cert_tmp, "w") as f:
            f.write(cert_string)
        with mktempfile() as issuer_tmp:
            with open(issuer_tmp, "w") as f:
                f.write(issuer_string)
            status = verify(cert_tmp, issuer_tmp)
    return status
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`.. module: lemur.certificates.verify`
			`:platform: Unix`
Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
initial commit 2015-06-22 22:47:27 +02:00			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`import requests`
			`import subprocess`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`from flask import current_app`
CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 22:11:17 +01:00			`from requests.exceptions import ConnectionError, InvalidSchema`
cleaning up temporary file creation 2015-08-27 20:53:37 +02:00			`from cryptography import x509`
			`from cryptography.hazmat.backends import default_backend`
initial commit 2015-06-22 22:47:27 +02:00
Initial work on #125 2015-11-25 23:54:08 +01:00			`from lemur.utils import mktempfile`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00			`from lemur.common.utils import parse_certificate`
cleaning up temporary file creation 2015-08-27 20:53:37 +02:00
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`crl_cache = {}`
initial commit 2015-06-22 22:47:27 +02:00
flake8 tweak 2018-09-27 15:28:21 +02:00
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`def ocsp_verify(cert, cert_path, issuer_chain_path):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`Attempts to verify a certificate via OCSP. OCSP is a more modern version`
			`of CRL in that it will query the OCSP URI in order to determine if the`
Various minor cleanups and fixes (#938) * Documentation fixes * Various docstring and help string fixes * Minor code cleanups * Removed redundant .gitignore entry, ignored package-lock.json. * 'return' statement in certificates.service.render was redundant * Split up too long line * Non-matching tags in templates 2017-09-26 00:33:42 +02:00			`certificate has been revoked`
initial commit 2015-06-22 22:47:27 +02:00
docstring update in verify.py 2018-09-27 16:11:13 +02:00			`:param cert:`
initial commit 2015-06-22 22:47:27 +02:00			`:param cert_path:`
			`:param issuer_chain_path:`
			`:return bool: True if certificate is valid, False otherwise`
			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`command = ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path]`
initial commit 2015-06-22 22:47:27 +02:00			`p1 = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)`
			`url, err = p1.communicate()`

Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`if not url:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`current_app.logger.debug(`
			`"No OCSP URL in certificate {}".format(cert.serial_number)`
			`)`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`return None`

Black lint all the things 2019-05-16 16:57:02 +02:00			`p2 = subprocess.Popen(`
			`[`
			`"openssl",`
			`"ocsp",`
			`"-issuer",`
			`issuer_chain_path,`
			`"-cert",`
			`cert_path,`
			`"-url",`
			`url.strip(),`
			`],`
			`stdout=subprocess.PIPE,`
			`stderr=subprocess.PIPE,`
			`)`
initial commit 2015-06-22 22:47:27 +02:00
			`message, err = p2.communicate()`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`p_message = message.decode("utf-8")`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`if "error" in p_message or "Error" in p_message:`
initial commit 2015-06-22 22:47:27 +02:00			`raise Exception("Got error when parsing OCSP url")`

Black lint all the things 2019-05-16 16:57:02 +02:00			`elif "revoked" in p_message:`
			`current_app.logger.debug(`
			`"OCSP reports certificate revoked: {}".format(cert.serial_number)`
			`)`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`return False`
initial commit 2015-06-22 22:47:27 +02:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`elif "good" not in p_message:`
initial commit 2015-06-22 22:47:27 +02:00			`raise Exception("Did not receive a valid response")`

			`return True`


Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`def crl_verify(cert, cert_path):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`Attempts to verify a certificate using CRL.`

docstring update in verify.py 2018-09-27 16:11:13 +02:00			`:param cert:`
initial commit 2015-06-22 22:47:27 +02:00			`:param cert_path:`
			`:return: True if certificate is valid, False otherwise`
			`:raise Exception: If certificate does not have CRL`
			`"""`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`try:`
			`distribution_points = cert.extensions.get_extension_for_oid(`
flake8 tweak 2018-09-27 15:28:21 +02:00			`x509.OID_CRL_DISTRIBUTION_POINTS`
			`).value`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`except x509.ExtensionNotFound:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`current_app.logger.debug(`
			`"No CRLDP extension in certificate {}".format(cert.serial_number)`
			`)`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`return None`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
cleaning up temporary file creation 2015-08-27 20:53:37 +02:00			`for p in distribution_points:`
			`point = p.full_name[0].value`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`if point not in crl_cache:`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`current_app.logger.debug("Retrieving CRL: {}".format(point))`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`try:`
			`response = requests.get(point)`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`if response.status_code != 200:`
			`raise Exception("Unable to retrieve CRL: {0}".format(point))`
			`except InvalidSchema:`
			`# Unhandled URI scheme (like ldap://); skip this distribution point.`
			`continue`
			`except ConnectionError:`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00			`raise Exception("Unable to retrieve CRL: {0}".format(point))`

Black lint all the things 2019-05-16 16:57:02 +02:00			`crl_cache[point] = x509.load_der_x509_crl(`
			`response.content, backend=default_backend()`
			`)`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`else:`
			`current_app.logger.debug("CRL point is cached {}".format(point))`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00			`for r in crl_cache[point]:`
			`if cert.serial_number == r.serial_number:`
CRL verify: handle "Remove from CRL" status as not revoked (#1028) Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3 2018-01-02 22:39:02 +01:00			`try:`
			`reason = r.extensions.get_extension_for_class(x509.CRLReason).value`
More specific exception catch for cert parsing. line shortening. 2018-08-31 18:19:55 +02:00			`# Handle "removeFromCRL" revoke reason as unrevoked;`
			`# continue with the next distribution point.`
			`# Per RFC 5280 section 6.3.3 (k):`
			`# https://tools.ietf.org/html/rfc5280#section-6.3.3`
CRL verify: handle "Remove from CRL" status as not revoked (#1028) Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3 2018-01-02 22:39:02 +01:00			`if reason == x509.ReasonFlags.remove_from_crl:`
			`break`
			`except x509.ExtensionNotFound:`
			`pass`

Black lint all the things 2019-05-16 16:57:02 +02:00			`current_app.logger.debug(`
			`"CRL reports certificate " "revoked: {}".format(cert.serial_number)`
			`)`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`return False`
migrating off of openssl (#539) 2016-11-29 20:30:44 +01:00
initial commit 2015-06-22 22:47:27 +02:00			`return True`


			`def verify(cert_path, issuer_chain_path):`
			`"""`
			`Verify a certificate using OCSP and CRL`

			`:param cert_path:`
			`:param issuer_chain_path:`
			`:return: True if valid, False otherwise`
			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`with open(cert_path, "rt") as c:`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`try:`
			`cert = parse_certificate(c.read())`
			`except ValueError as e:`
			`current_app.logger.error(e)`
			`return None`

initial commit 2015-06-22 22:47:27 +02:00			`# OCSP is our main source of truth, in a lot of cases CRLs`
			`# have been deprecated and are no longer updated`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`verify_result = ocsp_verify(cert, cert_path, issuer_chain_path)`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00
			`if verify_result is None:`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`verify_result = crl_verify(cert, cert_path)`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00
			`if verify_result is None:`
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 19:34:55 +02:00			`current_app.logger.debug("Failed to verify {}".format(cert.serial_number))`
Reducing the stacked exceptions plus a bit of pep8 2018-08-31 18:01:49 +02:00
			`return verify_result`
initial commit 2015-06-22 22:47:27 +02:00

			`def verify_string(cert_string, issuer_string):`
			`"""`
			`Verify a certificate given only it's string value`

			`:param cert_string:`
			`:param issuer_string:`
			`:return: True if valid, False otherwise`
			`"""`
cleaning up temporary file creation 2015-08-27 20:53:37 +02:00			`with mktempfile() as cert_tmp:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`with open(cert_tmp, "w") as f:`
Cleaning up temporary file creation, and revocation checking 2015-09-02 18:12:05 +02:00			`f.write(cert_string)`
cleaning up temporary file creation 2015-08-27 20:53:37 +02:00			`with mktempfile() as issuer_tmp:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`with open(issuer_tmp, "w") as f:`
Cleaning up temporary file creation, and revocation checking 2015-09-02 18:12:05 +02:00			`f.write(issuer_string)`
			`status = verify(cert_tmp, issuer_tmp)`
initial commit 2015-06-22 22:47:27 +02:00			`return status`