PVS Server: Check CERT:STATUS:... of client #3618
Open
+929
−267
In secure PVAccess, the certificate management service (PVACMS) issues certificates with a CERT:STATUS:... PV extension. PVACMS serves these CERT:STATUS:... PVs for each certificate that it created to provide updates on the certificate status.
This is most important for PVA servers. At face value, a client certificate may be valid for a long time (year?), but PVACMS allows administrators to revoke a certificate at any time. The secure socket (SSL, TLS) implementation in the JRE checks the certificate once at connection time, while the CERT:STATUS:... PV allows continued verification for the duration of the TCP/TLS connection. The CERT:STATUS:... PV will right away tell the PVA server on an IOC when a client certificate has been revoked. The IOC can then reconsider the authentication of the user, for example, consider the user 'anonymous' and appropriately restrict write access because the certificate no longer provides authentication.
As the Java implementation of the PVA server can now be used with PVAiFY, this PR adds CERT:STATUS:... monitoring to the Java PVA server. For now there is no meaningful authorization implemented, but writable PVs become read-only unless the CERT:STATUS:... PV indicates a valid cert. Revoking a certificate will right away turn the client into a read-only state.
As an implementation detail, the CERT:STATUS:... PV contains a recent OCSP response, which allows the recipient to securely validate the certificate. The JDK, however, does not offer an API to check OCSP responses. The BouncyCastle dependency was thus added to parse and check OCSP responses.
Checklist
Easy manual test:
First, install PVXS as described in https://george-mcintyre.github.io/pvxs/spvaqstart.html
Terminal 1: Start fresh PVACMS
Terminal 2: Handle certificates
Terminal 3: Run server
Terminal 4: Run client
Now, back in Terminal 2, revoke the client certificate:
Note how the PV becomes read-only in CSS, and the pvaclient shows a corresponding
Received 'demo3' CID 2 access rights read-only (0x00)
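The check described above, written out as an added example that is not the PR's own code: it assumes (as the description states) that the CERT:STATUS:... PV carries a DER-encoded OCSP response, and it uses BouncyCastle, since the JDK offers no OCSP parsing API. The class name `CertStatusCheck`, the `Access` enum, the parameter names and the fixture in `main` (a self-signed certificate standing in for PVACMS as both issuer and OCSP signer, a constructed client serial, and a revoked and a good response built locally) are all assumptions for illustration. The decision fails closed: anything other than a fresh, correctly signed "good" statement about this exact certificate leaves the client read-only.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.cert.ocsp.RespID;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Hypothetical example (not the PR's code): derive a client's access rights from the
 *  OCSP response carried in its CERT:STATUS:... PV. */
public class CertStatusCheck {
    public enum Access { READ_ONLY, WRITABLE }

    /** Fail closed: any parse, signature, scope or freshness problem yields READ_ONLY. */
    public static Access evaluate(byte[] ocspDer, X509CertificateHolder pvacmsCert,
                                  X509CertificateHolder issuerCert, BigInteger clientSerial, Date now) {
        try {
            OCSPResp resp = new OCSPResp(ocspDer);
            if (resp.getStatus() != OCSPResp.SUCCESSFUL) return Access.READ_ONLY;
            BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
            // Only a response signed by the trusted PVACMS key may grant anything.
            if (!basic.isSignatureValid(new JcaContentVerifierProviderBuilder()
                    .setProvider("BC").build(pvacmsCert))) return Access.READ_ONLY;
            DigestCalculatorProvider dcp = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
            for (SingleResp single : basic.getResponses()) {
                CertificateID id = single.getCertID();
                // The statement must be about this client's certificate (serial + issuer), not another one.
                if (!id.getSerialNumber().equals(clientSerial) || !id.matchesIssuer(issuerCert, dcp)) continue;
                // Freshness: a replayed old "good" or a not-yet-valid statement must not unlock writes.
                if (single.getThisUpdate().after(now)) return Access.READ_ONLY;
                Date next = single.getNextUpdate();
                if (next != null && !now.before(next)) return Access.READ_ONLY;
                Object status = single.getCertStatus();   // CertificateStatus.GOOD is null in BouncyCastle
                if (status == CertificateStatus.GOOD) return Access.WRITABLE;
                if (status instanceof RevokedStatus)
                    System.out.println("revoked at " + ((RevokedStatus) status).getRevocationTime());
                return Access.READ_ONLY;                  // revoked or unknown
            }
            return Access.READ_ONLY;                      // no statement about this certificate at all
        } catch (Exception e) {
            return Access.READ_ONLY;
        }
    }

    /** Builds a signed OCSP response for the fixture; status == CertificateStatus.GOOD (null) means good. */
    static byte[] respond(ContentSigner signer, X509CertificateHolder pvacms, X500Name dn,
                          CertificateID certId, CertificateStatus status, Date now) throws Exception {
        BasicOCSPRespBuilder b = new BasicOCSPRespBuilder(new RespID(dn));
        b.addResponse(certId, status, now, new Date(now.getTime() + 600_000L), null);
        BasicOCSPResp basic = b.build(signer, new X509CertificateHolder[]{pvacms}, now);
        return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basic).getEncoded();
    }

    // Constructed fixture: a self-signed cert stands in for PVACMS as issuer and OCSP signer.
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Date now = new Date();
        X500Name dn = new X500Name("CN=PVACMS example");
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(kp.getPrivate());
        X509CertificateHolder pvacms = new JcaX509v3CertificateBuilder(dn, BigInteger.ONE,
                new Date(now.getTime() - 60_000L), new Date(now.getTime() + 86_400_000L), dn, kp.getPublic())
                .build(signer);

        BigInteger clientSerial = BigInteger.valueOf(4242);   // constructed client certificate serial
        DigestCalculatorProvider dcp = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
        CertificateID certId = new CertificateID(dcp.get(CertificateID.HASH_SHA1), pvacms, clientSerial);

        byte[] good = respond(signer, pvacms, dn, certId, CertificateStatus.GOOD, now);
        byte[] revoked = respond(signer, pvacms, dn, certId, new RevokedStatus(now, CRLReason.keyCompromise), now);

        System.out.println("good, fresh:        " + evaluate(good, pvacms, pvacms, clientSerial, now));
        System.out.println("revoked:            " + evaluate(revoked, pvacms, pvacms, clientSerial, now));
        System.out.println("good, other serial: " + evaluate(good, pvacms, pvacms, BigInteger.valueOf(7), now));
        Date later = new Date(now.getTime() + 3_600_000L);
        System.out.println("good, but stale:    " + evaluate(good, pvacms, pvacms, clientSerial, later));
    }
}
```

Only the first line should print WRITABLE; the other three cases (revoked, response about a different serial, response past its nextUpdate) all fall through to READ_ONLY. In a real server the `pvacmsCert` would be the pinned PVACMS signing certificate rather than a locally generated one, and `now` would be the time the CERT:STATUS:... update is received; re-running `evaluate` on every monitor update is what turns a revocation into an immediate read-only client, as the description says.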