OCSP stapling support (#1820)

Author: chayim

redis/client.py

@@ -878,6 +878,7 @@ def __init__(
         ssl_ca_path=None,
         ssl_check_hostname=False,
         ssl_password=None,
+        ssl_validate_ocsp=False,
         max_connections=None,
         single_connection_client=False,
         health_check_interval=0,
@@ -956,6 +957,7 @@ def __init__(
                             "ssl_check_hostname": ssl_check_hostname,
                             "ssl_password": ssl_password,
                             "ssl_ca_path": ssl_ca_path,
+                            "ssl_validate_ocsp": ssl_validate_ocsp,
                         }
                     )
             connection_pool = ConnectionPool(**kwargs)

redis/connection.py

@@ -31,7 +31,7 @@
     TimeoutError,
 )
 from redis.retry import Retry
-from redis.utils import HIREDIS_AVAILABLE, str_if_bytes
+from redis.utils import CRYPTOGRAPHY_AVAILABLE, HIREDIS_AVAILABLE, str_if_bytes
 
 try:
     import ssl
@@ -907,6 +907,7 @@ def __init__(
         ssl_check_hostname=False,
         ssl_ca_path=None,
         ssl_password=None,
+        ssl_validate_ocsp=False,
         **kwargs,
     ):
         """Constructor
@@ -948,6 +949,7 @@ def __init__(
         self.ca_path = ssl_ca_path
         self.check_hostname = ssl_check_hostname
         self.certificate_password = ssl_password
+        self.ssl_validate_ocsp = ssl_validate_ocsp
 
     def _connect(self):
         "Wrap the socket with SSL support"
@@ -963,7 +965,18 @@ def _connect(self):
             )
         if self.ca_certs is not None or self.ca_path is not None:
             context.load_verify_locations(cafile=self.ca_certs, capath=self.ca_path)
-        return context.wrap_socket(sock, server_hostname=self.host)
+        sslsock = context.wrap_socket(sock, server_hostname=self.host)
+        if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False:
+            raise RedisError("cryptography is not installed.")
+        elif self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE:
+            from .ocsp import OCSPVerifier
+
+            o = OCSPVerifier(sslsock, self.host, self.port, self.ca_certs)
+            if o.is_valid():
+                return sslsock
+            else:
+                raise ConnectionError("ocsp validation error")
+        return sslsock
 
 
 class UnixDomainSocketConnection(Connection):

redis/exceptions.py

@@ -17,6 +17,10 @@ class AuthenticationError(ConnectionError):
     pass
 
 
+class AuthorizationError(ConnectionError):
+    pass
+
+
 class BusyLoadingError(ConnectionError):
     pass
 

redis/ocsp.py

@@ -0,0 +1,159 @@
+import base64
+import ssl
+from urllib.parse import urljoin, urlparse
+
+import cryptography.hazmat.primitives.hashes
+import requests
+from cryptography import hazmat, x509
+from cryptography.hazmat import backends
+from cryptography.x509 import ocsp
+
+from redis.exceptions import AuthorizationError, ConnectionError
+
+
+class OCSPVerifier:
+    """A class to verify ssl sockets for RFC6960/RFC6961.
+
+    @see https://datatracker.ietf.org/doc/html/rfc6960
+    @see https://datatracker.ietf.org/doc/html/rfc6961
+    """
+
+    def __init__(self, sock, host, port, ca_certs=None):
+        self.SOCK = sock
+        self.HOST = host
+        self.PORT = port
+        self.CA_CERTS = ca_certs
+
+    def _bin2ascii(self, der):
+        """Convert SSL certificates in a binary (DER) format to ASCII PEM."""
+
+        pem = ssl.DER_cert_to_PEM_cert(der)
+        cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
+        return cert
+
+    def components_from_socket(self):
+        """This function returns the certificate, primary issuer, and primary ocsp server
+        in the chain for a socket already wrapped with ssl.
+        """
+
+        # convert the binary certifcate to text
+        der = self.SOCK.getpeercert(True)
+        if der is False:
+            raise ConnectionError("no certificate found for ssl peer")
+        cert = self._bin2ascii(der)
+        return self._certificate_components(cert)
+
+    def _certificate_components(self, cert):
+        """Given an SSL certificate, retract the useful components for
+        validating the certificate status with an OCSP server.
+
+        Args:
+            cert ([bytes]): A PEM encoded ssl certificate
+        """
+
+        try:
+            aia = cert.extensions.get_extension_for_oid(
+                x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS
+            ).value
+        except cryptography.x509.extensions.ExtensionNotFound:
+            raise ConnectionError("No AIA information present in ssl certificate")
+
+        # fetch certificate issuers
+        issuers = [
+            i
+            for i in aia
+            if i.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS
+        ]
+        try:
+            issuer = issuers[0].access_location.value
+        except IndexError:
+            raise ConnectionError("no issuers in certificate")
+
+        # now, the series of ocsp server entries
+        ocsps = [
+            i
+            for i in aia
+            if i.access_method == x509.oid.AuthorityInformationAccessOID.OCSP
+        ]
+
+        try:
+            ocsp = ocsps[0].access_location.value
+        except IndexError:
+            raise ConnectionError("no ocsp servers in certificate")
+
+        return cert, issuer, ocsp
+
+    def components_from_direct_connection(self):
+        """Return the certificate, primary issuer, and primary ocsp server
+        from the host defined by the socket. This is useful in cases where
+        different certificates are occasionally presented.
+        """
+
+        pem = ssl.get_server_certificate((self.HOST, self.PORT), ca_certs=self.CA_CERTS)
+        cert = x509.load_pem_x509_certificate(pem.encode(), backends.default_backend())
+        return self._certificate_components(cert)
+
+    def build_certificate_url(self, server, cert, issuer_cert):
+        """Return the complete url to the ocsp"""
+        orb = ocsp.OCSPRequestBuilder()
+
+        # add_certificate returns an initialized OCSPRequestBuilder
+        orb = orb.add_certificate(
+            cert, issuer_cert, cryptography.hazmat.primitives.hashes.SHA256()
+        )
+        request = orb.build()
+
+        path = base64.b64encode(
+            request.public_bytes(hazmat.primitives.serialization.Encoding.DER)
+        )
+        url = urljoin(server, path.decode("ascii"))
+        return url
+
+    def check_certificate(self, server, cert, issuer_url):
+        """Checks the validitity of an ocsp server for an issuer"""
+
+        r = requests.get(issuer_url)
+        if not r.ok:
+            raise ConnectionError("failed to fetch issuer certificate")
+        der = r.content
+        issuer_cert = self._bin2ascii(der)
+
+        ocsp_url = self.build_certificate_url(server, cert, issuer_cert)
+
+        # HTTP 1.1 mandates the addition of the Host header in ocsp responses
+        header = {
+            "Host": urlparse(ocsp_url).netloc,
+            "Content-Type": "application/ocsp-request",
+        }
+        r = requests.get(ocsp_url, headers=header)
+        if not r.ok:
+            raise ConnectionError("failed to fetch ocsp certificate")
+
+        ocsp_response = ocsp.load_der_ocsp_response(r.content)
+        if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED:
+            raise AuthorizationError(
+                "you are not authorized to view this ocsp certificate"
+            )
+        if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
+            if ocsp_response.certificate_status == ocsp.OCSPCertStatus.REVOKED:
+                return False
+            else:
+                return True
+        else:
+            return False
+
+    def is_valid(self):
+        """Returns the validity of the certificate wrapping our socket.
+        This first retrieves for validate the certificate, issuer_url,
+        and ocsp_server for certificate validate. Then retrieves the
+        issuer certificate from the issuer_url, and finally checks
+        the valididy of OCSP revocation status.
+        """
+
+        # validate the certificate
+        try:
+            cert, issuer_url, ocsp_server = self.components_from_socket()
+            return self.check_certificate(ocsp_server, cert, issuer_url)
+        except AuthorizationError:
+            cert, issuer_url, ocsp_server = self.components_from_direct_connection()
+            return self.check_certificate(ocsp_server, cert, issuer_url)

redis/utils.py

@@ -7,6 +7,13 @@
 except ImportError:
     HIREDIS_AVAILABLE = False
 
+try:
+    import cryptography  # noqa
+
+    CRYPTOGRAPHY_AVAILABLE = True
+except ImportError:
+    CRYPTOGRAPHY_AVAILABLE = False
+
 
 def from_url(url, **kwargs):
     """

setup.py

@@ -48,5 +48,6 @@
     ],
     extras_require={
         "hiredis": ["hiredis>=1.0.0"],
+        "cryptography": ["cryptography>=36.0.1", "requests>=2.26.0"],
     },
 )

tasks.py

@@ -65,7 +65,7 @@ def standalone_tests(c):
     with and without hiredis."""
     print("Starting Redis tests")
     _generate_keys()
-    run("tox -e standalone-'{plain,hiredis}'")
+    run("tox -e standalone-'{plain,hiredis,cryptography}'")
 
 
 @task

tests/conftest.py

@@ -170,6 +170,24 @@ def skip_ifnot_redis_enterprise():
     return pytest.mark.skipif(check, reason="Not running in redis enterprise")
 
 
+def skip_if_nocryptography():
+    try:
+        import cryptography  # noqa
+
+        return pytest.mark.skipif(False, reason="Cryptography dependency found")
+    except ImportError:
+        return pytest.mark.skipif(True, reason="No cryptography dependency")
+
+
+def skip_if_cryptography():
+    try:
+        import cryptography  # noqa
+
+        return pytest.mark.skipif(True, reason="Cryptography dependency found")
+    except ImportError:
+        return pytest.mark.skipif(False, reason="No cryptography dependency")
+
+
 def _get_client(
     cls, request, single_connection_client=True, flushdb=True, from_url=None, **kwargs
 ):