Ref #1641 - Detect absence of OCSP in OCSP response evaluation

Author: mxsasha

checks/categories.py

@@ -1467,6 +1467,11 @@ def result_not_trusted(self):
         self.verdict = "detail web tls ocsp-stapling verdict bad"
         self.tech_data = "detail tech data no"
 
+    def result_not_in_cert(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail web tls ocsp-stapling verdict not-in-cert"
+        self.tech_data = "detail tech data not-in-cert"
+
 
 class WebTlsKexHashFunc(Subtest):
     def __init__(self):

checks/models.py

@@ -86,6 +86,7 @@ class OcspStatus(Enum):
     ok = 0
     good = 1
     not_trusted = 2
+    not_in_cert = 3
 
 
 class ZeroRttStatus(Enum):

checks/tasks/tls/evaluation.py

@@ -1,12 +1,14 @@
 from dataclasses import dataclass
-from typing import List, Optional, Any, Set
+from typing import List, Optional, Any, Set, cast
 
+from cryptography.hazmat._oid import AuthorityInformationAccessOID, ExtensionOID
+from cryptography.x509 import AuthorityInformationAccess, ExtensionNotFound
 from nassl.ephemeral_key_info import EcDhEphemeralKeyInfo, DhEphemeralKeyInfo, OpenSslEvpPkeyEnum
-from sslyze import TlsVersionEnum, CipherSuiteAcceptedByServer, CipherSuite
+from sslyze import TlsVersionEnum, CipherSuiteAcceptedByServer, CipherSuite, CertificateDeploymentAnalysisResult
 from sslyze.plugins.openssl_cipher_suites.cipher_suites import _TLS_1_3_CIPHER_SUITES
 
 from checks import scoring
-from checks.models import KexHashFuncStatus, CipherOrderStatus
+from checks.models import KexHashFuncStatus, CipherOrderStatus, OcspStatus
 from checks.tasks.tls.tls_constants import (
     PROTOCOLS_GOOD,
     PROTOCOLS_SUFFICIENT,
@@ -197,6 +199,58 @@ def score(self) -> scoring.Score:
         return scoring.WEB_TLS_SUITES_BAD if self.ciphers_bad else scoring.WEB_TLS_SUITES_GOOD
 
 
+@dataclass(frozen=True)
+class TLSOCSPEvaluation:
+    """
+    Evaluate the OCSP setup, based on certificate info.
+    """
+
+    ocsp_in_cert: bool
+    has_ocsp_response: bool
+    ocsp_response_trusted: bool
+
+    GOOD_STATUSES = {OcspStatus.good, OcspStatus.not_in_cert}
+
+    @classmethod
+    def from_certificate_deployments(cls, certificate_deployment: CertificateDeploymentAnalysisResult):
+        leaf_cert = certificate_deployment.received_certificate_chain[0]
+        try:
+            aia_extension = leaf_cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
+            aia_value = cast(AuthorityInformationAccess, aia_extension.value)
+            ocsp_access = [ad for ad in aia_value if ad.access_method == AuthorityInformationAccessOID.OCSP]
+            ocsp_in_cert = len(ocsp_access) > 0
+        except ExtensionNotFound:
+            ocsp_in_cert = False
+
+        has_ocsp_response = certificate_deployment.ocsp_response is not None
+        ocsp_response_trusted = certificate_deployment.ocsp_response is True
+
+        return cls(
+            ocsp_in_cert=ocsp_in_cert,
+            has_ocsp_response=has_ocsp_response,
+            ocsp_response_trusted=ocsp_response_trusted,
+        )
+
+    @property
+    def status(self) -> OcspStatus:
+        if not self.ocsp_in_cert:
+            return OcspStatus.not_in_cert
+        if self.has_ocsp_response:
+            if self.ocsp_response_trusted:
+                return OcspStatus.good
+            else:
+                return OcspStatus.not_trusted
+        return OcspStatus.ok
+
+    @property
+    def score(self) -> scoring.Score:
+        return (
+            scoring.WEB_TLS_OCSP_STAPLING_GOOD
+            if self.status in self.GOOD_STATUSES
+            else scoring.WEB_TLS_OCSP_STAPLING_BAD
+        )
+
+
 @dataclass(frozen=True)
 class KeyExchangeHashFunctionEvaluation:
     """

checks/tasks/tls/scans.py

@@ -3,7 +3,7 @@
 from enum import Enum
 from pathlib import Path
 from ssl import match_hostname, CertificateError
-from typing import List, Tuple, Generator, Dict, Any, Optional
+from typing import Any, Dict, Generator, List, Optional, Tuple
 
 import subprocess
 from cryptography.hazmat._oid import NameOID
@@ -54,7 +54,6 @@
     DaneStatus,
     ZeroRttStatus,
     KexHashFuncStatus,
-    OcspStatus,
     CipherOrderStatus,
 )
 from checks.tasks.shared import resolve_dane
@@ -65,6 +64,7 @@
     TLSCipherEvaluation,
     KeyExchangeHashFunctionEvaluation,
     TLSCipherOrderEvaluation,
+    TLSOCSPEvaluation,
 )
 from checks.tasks.tls.tls_constants import (
     CERT_SIGALG_GOOD,
@@ -728,18 +728,9 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         ),
     )
 
-    ocsp_status = OcspStatus.ok
-    if any(
-        [d.ocsp_response_is_trusted is True for d in result.scan_result.certificate_info.result.certificate_deployments]
-    ):
-        ocsp_status = OcspStatus.good
-    elif any(
-        [
-            d.ocsp_response_is_trusted is False
-            for d in result.scan_result.certificate_info.result.certificate_deployments
-        ]
-    ):
-        ocsp_status = OcspStatus.not_trusted
+    ocsp_evaluation = TLSOCSPEvaluation.from_certificate_deployments(
+        result.scan_result.certificate_info.result.certificate_deployments[0]
+    )
 
     probe_result = dict(
         tls_enabled=True,
@@ -787,10 +778,8 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
             if result.scan_result.tls_1_3_early_data.result.supports_early_data
             else scoring.WEB_TLS_ZERO_RTT_GOOD
         ),
-        ocsp_stapling=ocsp_status,
-        ocsp_stapling_score=(
-            scoring.WEB_TLS_OCSP_STAPLING_GOOD if ocsp_status == OcspStatus.good else scoring.WEB_TLS_OCSP_STAPLING_BAD
-        ),
+        ocsp_stapling=ocsp_evaluation.status,
+        ocsp_stapling_score=ocsp_evaluation.score,
         kex_hash_func=key_exchange_hash_evaluation.status,
         kex_hash_func_score=key_exchange_hash_evaluation.score,
     )

checks/tasks/tls/tasks_reports.py

@@ -549,6 +549,8 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
                 category.subtests["ocsp_stapling"].result_not_trusted()
             elif dttls.ocsp_stapling == OcspStatus.ok:
                 category.subtests["ocsp_stapling"].result_ok()
+            elif dttls.ocsp_stapling == OcspStatus.not_in_cert:
+                category.subtests["ocsp_stapling"].result_not_in_cert()
 
             if dttls.kex_hash_func == KexHashFuncStatus.good:
                 category.subtests["kex_hash_func"].result_good()

integration_tests/batch/results.py

@@ -39,7 +39,7 @@
         "web_https_dane_valid": {"status": "not_tested", "verdict": "not-tested"},
         "web_https_tls_0rtt": {"status": "passed", "verdict": "good"},
         "web_https_tls_caa": {"status": "warning", "verdict": "bad"},
-        "web_https_tls_ocsp": {"status": "info", "verdict": "ok"},
+        "web_https_tls_ocsp": {"status": "passed", "verdict": "not-in-cert"},
         "web_https_tls_keyexchangehash": {"status": "passed", "verdict": "good"},
         "web_appsecpriv_x_frame_options": {"status": "passed", "verdict": "good"},
         "web_appsecpriv_referrer_policy": {"status": "passed", "verdict": "good"},
@@ -80,7 +80,7 @@
                 "secure_reneg": True,
                 "client_reneg": False,
                 "zero_rtt": "good",
-                "ocsp_stapling": "ok",
+                "ocsp_stapling": "not_in_cert",
                 "kex_hash_func": "good",
                 "https_redirect": "good",
                 "http_compression": False,
@@ -144,7 +144,7 @@
                 "secure_reneg": True,
                 "client_reneg": False,
                 "zero_rtt": "good",
-                "ocsp_stapling": "ok",
+                "ocsp_stapling": "not_in_cert",
                 "kex_hash_func": "good",
                 "https_redirect": "good",
                 "http_compression": False,

interface/batch/openapi.yaml

@@ -821,6 +821,7 @@ components:
             * `good` - OCSP is supported.
             * `ok` - OCSP is not supported,
             * `not_trusted` - OCSP is supported but the returned data is invalid.
+            * `not_in_cert` - OCSP not enabled in the certificate, therefore OCSP stapling is not required or possible.
 
         x_frame_options_enabled:
           type: boolean