Disable OCSP check for subCA certificates

[nknkgithub]

Since our peer certificate is lacking an OCSP URL in its certificate extension, we have configured OCSP URI in the authorities section.
And below are the configuration files.

strongswan.conf

 plugins {
            include strongswan.d/charon/*.conf
            revocation{
                        enable_ocsp = yes
                        enable_crl = no
                }

    }

swanctl.conf
revocation = ifuri is configured

connections {
  home2 {
             ...
                children {
                        home2-child {
                         ...
                        }
                }
                local-0 {
                        auth = pubkey
                        certs = <cert>.pem
                        id = <id>
                }
                remote-0 {
                        auth = pubkey
                        id = %any
                        revocation = ifuri
                }
        }
}

authorities {
    secgw {
        cacert=testocspawsroot.pem
        ocsp_uris=http://strongswan.com

        }
}

We performed swanctl --load-authorities, swanctl --load-conns and swanctl --initiate --child home3-child.
We are observing OCSP check is being done for subCA i.e. checking certificate status of "C=US, O=, OU=, CN=<Sub-CA 3>".
How can we disable OCSP check for subCA ?

Logs

[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1776 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR6 DNS6 DNS6 DNS6 DNS) SA TSi TSr ]
[IKE] received end entity cert "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   using certificate "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   using trusted intermediate ca certificate "C=US, O=<O>, OU=<OU>, CN=<Sub-CA 3>"
[CFG] checking certificate status of "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   using trusted ca certificate "C=US, O=<O>, OU=<OU>, CN=<Root CA>"
[CFG] checking certificate status of "C=US, O=<O>, OU=<OU>, CN=<Sub-CA 3>"
[CFG]   requesting ocsp status from 'http://strongswan.com' ...
[CFG] ocsp request to http://strongswan.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   reached self-signed root ca with a path length of 1
[IKE] authentication of 'C=US, O=<O>, OU=<OU>, CN=<End entity cert>' with RSA_EMSA_PKCS1_SHA2_256 successful
[CFG] constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED
[CFG] selected peer config 'home3' unacceptable: constraint checking failed
[CFG] no alternative config found
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

[tobiasbrunner]

If you configure the OCSP URI for the root CA (which is what cacert=testocspawsroot.pem does), the URI will be used to check certificates issued by that CA (i.e. the intermediate CA certificate). So if you only want to check the validity of end-entity certificates via OCSP, you have to configure the intermediate CA certificate in the authority section.

[nknkgithub]

Thanks @tobiasbrunner .

As suggested we configured OCSP URI for the subcacertificate

authorities {
  secgw {
        cacert=testocspawssubca.pem
        ocsp_uris=http://strongswan.com

        }

swanctl --list-authorities --name secgw
secgw:
  cacert: C=US, O=<O>, OU=<OU>, CN=<Sub-CA 3>
  ocsp_uris: http://strongswan.com

But still could observe OCSP check logs for subca.
checking certificate status of "C=US, O=, OU=, CN=<Sub-CA 3>

Logs

 received end entity cert "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   using certificate "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   using trusted intermediate ca certificate "C=US, O=<O>, OU=<OU>, CN=<Sub-CA 3>"
[CFG] checking certificate status of "C=US, O=<O>, OU=<OU>, CN=<End entity cert>"
[CFG]   requesting ocsp status from 'http://strongswan.com' ...
[CFG] ocsp request to http://strongswan.com failed
[CFG] ocsp check failed, fallback to crl
[CFG]   using trusted ca certificate "C=US, O=<O>, OU=<OU>, CN=<Root CA>"
[CFG] checking certificate status of "C=US, O=<O>, OU=<OU>, CN=<Sub-CA 3>"
[CFG]   reached self-signed root ca with a path length of 1
[IKE] authentication of 'C=US, O=<O>, OU=<OU>, CN=<End entity cert>' with RSA_EMSA_PKCS1_SHA2_256 successful
[CFG] constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED
[CFG] constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED
[CFG] selected peer config 'home3' unacceptable: constraint checking failed
[CFG] no alternative config found
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

[tobiasbrunner]

But still could observe OCSP check logs for subca.

Where to you see an OCSP check for that certificate? I don't see one in the log. I only se one for the end-entity certificate.

checking certificate status of "C=US, O=, OU=, CN=<Sub-CA 3>

This log message is logged for every certificate. Whether it actually will be checked via OCSP or CRL depends on the availability of appropriate cached credentials or URIs to fetch them.

[nknkgithub]

Thanks @tobiasbrunner .

If we doesnt have subca certificate beforehand, how to prevent the OCSP check of subca certificate?

[tobiasbrunner]

Prevent?

[nknkgithub]

We require OCSP validation exclusively for the peer device certificate. Our OCSP responder lacks information on the subCA certificate. Given that we don't possess peer subCA certificate to provide in the authority section beforehand, is there a method to conduct OCSP validation solely for the device certificate using a specified URI in the authority section?

[nknkgithub]

@tobiasbrunner , Can you please help?

[tobiasbrunner]

Given that we don't possess peer subCA certificate to provide in the authority section beforehand, is there a method to conduct OCSP validation solely for the device certificate using a specified URI in the authority section?

No, currently not. Either encode the the URI in the certificates, or distribute the intermediate CA certificate so you can manually configure the URI in an authority section.