Handra

Home | Blog | Disclaimer | Terms and conditions

Check Certificate Revocation Status via OCSP

In this post, we are going to learn on how to check certificate revocation status by using Online Certificate Status Protocol (OCSP). For revocation checking via CRL, you can refer to this blog post.

Background

People and the internet are becoming more conscious on securing their information online. One of the security mechanism that is very common and used everywhere on the internet is the use of TLS to secure the HTTP transport (HTTPS). Another common use case that is becoming more prevalent is to digitally sign a document using digital certificate. Signing a document using digital certificate instead of printing it and using hand-signature not only help in reducing the paper wastage but also in digitalising the workflow. Everyone, wherever and whenever they are, can now sign documents easily without the need to send papers everywhere. You may visit SigningCloud, one of the good digital signing solutions available on the internet.

The use of digital certificate though imposes another risk. Someone can use an abused digital certificate to be used on the internet. A TLS certificate might be mis-issued or the keys might be leaked, leading to the needs to revoke the certificate and stop it from being used further. It is the responsibility of the clients to check for the certificate revocation status before trusting the certificate for further usage. To do this, we can utilise Online Certificate Status Protocol (OCSP) that is updated regularly by the Certificate Authority (CA) with its OCSP responder.

OCSP

OCSP is a protocol that is based on HTTP and used to return the revocation status of a digital certificate. An OCSP responder may return the following statuses:

Good. This indicates that the certificate being checked is not revoked.
Revoked. This indicates that the certificate being checked is already revoked.
Unknown. This indicates that the certificate being checked is not known by the OCSP responder. Note though sometimes an OCSP responder might return Unauthorized instead for unknown certificates.

Scope

In this post, we are going to just see the OCSP handling which is located at HTTP server.

Get Through the Code

For this demo, I’ll be using the Go programming language. We will run through step by step from reading a certificate file and connecting to the OCSP responder itself to check for the certificate status.

Before we begin, I have downloaded an SSL certificate from a website https://spring.io/ (accessed: Dec 12, 2021). Below is the content of the SSL certificate.

I have the above certificate file saved as spring.io.pem.

I have as well downloaded the issuer certificate of the TLS certificate (accessed: Dec 12, 2021). Below is the content of the issuer certificate:

I have the above certificate file saved as DigiCert TLS RSA SHA256 2020 CA1.pem.

Helper Function to Read Certificate Data

First, let’s have a helper function that we can reuse to read certificate file data.

func readCertificate(file string) (*x509.Certificate, error) {
	// Read the certificate file content
	fc, err := os.ReadFile(file)
	if err != nil {
		return nil, err
	}

	// Decode the PEM file
	block, _ := pem.Decode(fc)
	if block == nil {
		return nil, fmt.Errorf("failed to decode certificate data")
	}

	// Parse the certificate data
	return x509.ParseCertificate(block.Bytes)
}

The function is fairly simple. It accepts the file name, read the file content and then parse the content as an X509 certificate. If it failes for whatever reason, it shall return an error.

Read Certificate Data

Now that we have the helper function ready, let’s create certificate objects for both the end entity certificate and the issuer certificate.

cert, err := readCertificate("spring.io.pem")
if err != nil {
    log.Printf("Failed to read end entity certificate: %s", err)
    return
}

issuerCert, err := readCertificate("DigiCert TLS RSA SHA256 2020 CA1.pem")
if err != nil {
    log.Printf("Failed to read issuer certificate: %s\n", err)
    return
}

From the above code, we are storing the end entity certificate into cert variable and the issuer certificate into issuerCert variable.

Create the OCSP Request

Before we do that, we need to add a dependency to our project. For OCSP, we can use dependency from golang.org/x/crypto/ocsp.

go get golang.org/x/crypto/ocsp

Now, we need to create the OCSP request data. This is the request that we will send to OCSP responder later. See the below snippet.

// Create the OCSP request.
ocspReq, err := ocsp.CreateRequest(cert, issuerCert, &ocsp.RequestOptions{Hash: crypto.SHA256})
if err != nil {
    log.Printf("Failed to create OCSP request: %s\n", err)
    return
}

As can be seen from the above code, to create the OCSP request, we just have to send the certificate that we want to check, the issuer of the certificate (this typically will be the signer of the OCSP response), and the OCSP request options.

Certificate Revocation Checking

In Go, it is very easy to retrieve the list of OCSP responder URL(s) stored inside the certificate. We can simply call the OCSPServer property of the certificate object. It returns slice of the OCSP URL(s).

ocspURLs := cert.OCSPServer

For OCSP request, we need to add a specific request headers to signify that the request is an OCSP request. Hence, first, we will create or own HTTP POST request to the OCSP URL.

// Build the OCSP request.
ocspHTTPReq, err := http.NewRequest(http.MethodPost, ocspURL, bytes.NewBuffer(ocspReq))
if err != nil {
    log.Printf("Failed to build OCSP HTTP request: %s\n", err)
    continue
}

After that, we add the necessary HTTP headers.

// Add the necessary headers.
ocspHTTPReq.Header.Add("Content-Type", "application/ocsp-request")
ocspHTTPReq.Header.Add("Accept", "application/ocsp-response")

Now that we have the HTTP request ready, we can simply use the built-in HTTP client provided by Go to send the OCSP HTTP request.

// Send the OCSP request.
ocspHTTPResp, err := http.DefaultClient.Do(ocspHTTPReq)
if err != nil {
    log.Printf("Failed to send OCSP request: %s\n", err)
    continue
}
defer ocspHTTPResp.Body.Close()

if ocspHTTPResp.StatusCode != http.StatusOK {
    log.Printf("Received HTTP code: %d\n", ocspHTTPResp.StatusCode)
    continue
}

If we received an OK status from the OCSP responder, the last thing we need to do is to parse the OCSP response data. This is also can be done faily easily as shown below.

// Read the OCSP response.
ocspResp, err := io.ReadAll(ocspHTTPResp.Body)
if err != nil {
    log.Printf("Failed to read OCSP response: %s\n", err)
    continue
}

// Parse the OCSP response.
resp, err := ocsp.ParseResponse(ocspResp, issuerCert)
if err != nil {
    log.Printf("Failed to parse OCSP response: %s\n", err)
    continue
}

Once we finished parsing the OCSP response, we can then check the status of the certificate by calling the Status property.

switch resp.Status {
case ocsp.Good:
    log.Println("Certificate status: GOOD")

case ocsp.Revoked:
    log.Println("Certificate status: REVOKED")

case ocsp.Unknown:
    log.Println("Certificate status: UNKNOWN")
}

That’s all. It is very easy and straight-forward.

I hope this is helpful and the source code for this is available at Github here.

Cheers

Copyright © 2020-2022 Handra. All Rights Reserved.