[THREESCALE-11404] Adding support for CRL and OCSP #1503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

tkan145 merged 12 commits into 3scale:master from tkan145:THREESCALE-11404-crl-and-ocsp

Mar 10, 2025

CHANGELOG.md

-Original file line number
+Diff line change
@@ Expand Up @@
     - Add `enable_extended_context` to allow JWT Claim Check access full request context [PR #1535](https://github.com/3scale/APIcast/pull/1535) [THREESCALE-9510](https://issues.redhat.com/browse/THREESCALE-9510)
     - JWT signature verification, support for ES256/ES512 [PR #1533](https://github.com/3scale/APIcast/pull/1533) [THREESCALE-11474](https://issues.redhat.com/browse/THREESCALE-11474)
     - JWT Parser policy [PR #1536](https://github.com/3scale/APIcast/pull/1536) [THREESCALE-10708](https://issues.redhat.com/browse/THREESCALE-10708)
+    - TLS Validation Policy - add support to validate client certificate with CRL and OCSP [PR #1503](https://github.com/3scale/APIcast/pull/1503) [THREESCALE-11404](https://issues.redhat.com/browse/THREESCALE-11404)
     ## [3.15.0] 2024-04-04
@@ Expand Down @@

gateway/http.d/shdict.conf

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,3 +8,4 @@ lua_shared_dict limiter 1m; @@
     lua_shared_dict cached_auths 20m;
     lua_shared_dict batched_reports {{env.APICAST_POLICY_BATCHER_SHARED_MEMORY_SIZE | default: "20m"}};
     lua_shared_dict batched_reports_locks 1m;
+    lua_shared_dict ocsp_cache 10m;

gateway/src/apicast/policy/tls_validation/README.md

-Original file line number
+Diff line change
@@ -1,10 +1,11 @@
     # TLS Validation policy
-    This policy can validate TLS Client Certificate against a whitelist.
+    This policy can validate TLS Client Certificate against a whitelist and Certificate Revocation List (CRL)
-    Whitelist expects PEM formatted CA or Client certificates.
-    It is not necessary to have the full certificate chain, just partial matches are allowed.
-    For example you can add to the whitelist just leaf client certificates without the whole bundle with a CA certificate.
+    * Whitelist expects PEM formatted CA or Client certificates.
+    * Revocation List expects PEM formatted certificates.
+    It is not necessary to have the full certificate chain, just partial matches are allowed. For example you can add to the whitelist just leaf client certificates without the whole bundle with a CA certificate. However, you can change this behaviour with `allow_partial_chain`
     ## Configuration
@@ Expand All @@
     ## Example
+    * Allow certificate verification with only an intermediate certificate.
+    ```
+    {
+      "name": "apicast.policy.tls_validation",
+      "configuration": {
+        "whitelist": [
+          { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+        ]
+      }
+    }
+    ```
+    * Use full certificate chain to verify client certificate
+    ```
+    {
+      "name": "apicast.policy.tls_validation",
+      "configuration": {
+        "whitelist": [
+          { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+        ],
+        "allow_partial_chain": false
+      }
+    }
+    ```
+    With Certificate Revocation List (CRL)
     ```
     {
       "name": "apicast.policy.tls_validation",
       "configuration": {
         "whitelist": [
           { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+        ],
+        "revocation_check_type": "crl",
+        "revoke_list": [
+          { "pem_certificate": ""-----BEGIN X509 CRL ----- XXXXXX -----END X509 CRL-----"}
         ]
       }
     }
     ```
+    Checking certificate status with Online Certificate Status Protocol (OCSP). The responder url is
+    extracted from the certificate.
+    NOTE: When validating a client certificate with OCSP, APIcast requires the client to send the certificate chain
+    (i.e. if the certificate is signed with an intermediate certificate, the client needs to send both the client certificate + the intermediate certificate)
+    ```
+    {
+      "name": "apicast.policy.tls_validation",
+      "configuration": {
+        "whitelist": [
+          { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+        ],
+        "revocation_check_type": "ocsp",
+      }
+    }
+    ```
+    Overwrite OCSP responder URL
+    ```
+    {
+      "name": "apicast.policy.tls_validation",
+      "configuration": {
+        "whitelist": [
+          { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+        ],
+        "revocation_check_type": "ocsp",
+        "ocsp_responder_url": "http://<ocsp-server>:<port>"
+      }
+    }
+    ```

gateway/src/apicast/policy/tls_validation/apicast-policy.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -31,6 +31,85 @@ @@
             "$ref": "#/definitions/store",
             "title": "Certificate Whitelist",
             "description": "Individual certificates and CA certificates to be whitelisted."
+          },
+          "allow_partial_chain": {
+            "description": "Allow certificate verification with only an intermediate certificate",
+            "type": "boolean",
+            "default": true
+          },
+          "revocation_check_type": {
+            "title": "Certificate Revocation Check type",
+            "type": "string",
+            "oneOf": [
+              {
+                "enum": [
+                  "ocsp"
+                ],
+                "title": "Enables OCSP validation of the client certificate."
+              },
+              {
+                "enum": [
+                  "crl"
+                ],
+                "title": "Use certificates revocation list (CRL) in the PEM format to verify client certificates."
+              },
+              {
+                "enum": [
+                  "none"
+                ],
+                "title": "Do not check for certificate recovation status"
+              }
+            ],
+            "default": "none"
+          }
+        },
+        "dependencies": {
+          "revocation_check_type": {
+            "oneOf": [
+              {
+                "properties": {
+                  "revocation_check_type": {
+                    "enum": [
+                      "none"
+                    ]
+                  }
+                }
+              },
+              {
+                "properties": {
+                  "revocation_check_type": {
+                    "enum": [
+                      "crl"
+                    ]
+                  },
+                  "revoke_list": {
+                    "title": "Certificate RevokeList",
+                    "description": "Individual certificates and CA certificates to be revoked.",
+                    "$ref": "#/definitions/store"
+                  }
+                }
+              },
+              {
+                "properties": {
+                  "revocation_check_type": {
+                    "enum": [
+                      "ocsp"
+                    ]
+                  },
+                  "ocsp_responder_url": {
+                    "title": "OCSP Responder URL ",
+                    "description": "Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension for validation of client certificates. ",
+                    "type": "string"
+                  },
+                  "cache_ttl": {
+                    "title": "Max TTL for cached OCSP response",
+                    "type": "integer",
+                    "minimum": 1,
+                    "maximum": 3600
+                  }
+                }
+              }
+            ]
           }
         }
       }
@@ Expand Down @@

gateway/src/apicast/policy/tls_validation/ocsp_validation.lua

-Original file line number
+Diff line change
@@ -0,0 +1,116 @@
+    local user_agent = require "apicast.user_agent"
+    local http_ng = require "resty.http_ng"
+    local resty_env = require "resty.env"
+    local tls = require "resty.tls"
+    local ngx_ssl = require "ngx.ssl"
+    local ocsp = require "ngx.ocsp"
+    local _M = {}
+    local ocsp_shm = ngx.shared.ocsp_cache
+    local function do_ocsp_request(ocsp_url, ocsp_request)
+      -- TODO: set default timeout
+      local http_client = http_ng.new{
+        options = {
+          headers = {
+            ['User-Agent'] = user_agent()
+          },
+          ssl = { verify = resty_env.enabled('OPENSSL_VERIFY') }
+        }
+      }
+      local res, err = http_client.post{
+        ocsp_url,
+        ocsp_request,
+        headers= {
+          ["Content-Type"] = "application/ocsp-request"
+      }}
+      if err then
+        return nil, err
+      end
+      ngx.log(ngx.INFO, "fetching OCSP response from ", ocsp_url)
+      if not res then
+        return nil, "failed to send request to OCSP responder: " .. tostring(err)
+      end
+      if res.status ~= 200 then
+        return nil, "unexpected OCSP responder status code: " .. res.status
+      end
+      return res.body
+    end
+    function _M.check_revocation_status(ocsp_responder_url, digest, ttl)
+      -- Nginx supports leaf mode, that is only verify the client ceritificate, however
+      -- until we have a way to detect which CA certificate is being used to verify the
+      -- client certificate we need to get the full certificate chain here to construct
+      -- the OCSP request.
+      local cert_chain, err = tls.get_full_client_certificate_chain()
+      if not cert_chain then
+        return nil, err or "no client certificate"
+      end
+      local der_cert
+      der_cert, err = ngx_ssl.cert_pem_to_der(cert_chain)
+      if not der_cert then
+        return nil, "failed to convert certificate chain from PEM to DER " ..  err
+      end
+      local ocsp_resp
+      ocsp_resp = ocsp_shm:get(digest)
+      if ocsp_resp == nil then
+        ngx.log(ngx.INFO, "no ocsp resp cache found, fetch from ocsp responder")
+        -- TODO: check response cache
+        local ocsp_url
+        if ocsp_responder_url and ocsp_responder_url ~= "" then
+          ocsp_url = ocsp_responder_url
+        else
+          ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert)
+          if not ocsp_url then
+            return nil, err or ("could not extract OCSP responder URL, the client " ..
+                                  "certificate may be missing the required extensions")
+          end
+        end
+        if not ocsp_url or ocsp_url == "" then
+          return nil, " invalid OCSP responder URL"
+        end
+        local ocsp_req
+        ocsp_req, err = ocsp.create_ocsp_request(der_cert)
+        if not ocsp_req then
+          return nil, "failed to create OCSP request: " .. err
+        end
+        ocsp_resp, err = do_ocsp_request(ocsp_url, ocsp_req)
+        if not ocsp_resp or #ocsp_resp == 0 then
+          return nil, "unexpected response from OCSP responder: empty body"
+        end
+        -- Use ttl, normally this should be (nextUpdate - thisUpdate), but current version
+        -- of openresty API does not expose those attributes. Support for this was added
+        -- in openrest-core v0.1.31, we either need to backport or upgrade the openresty
+        -- version.
+        local ok
+        ok, err = ocsp_shm:set(digest, ocsp_resp, ttl)
+        if not ok then
+          ngx.log(ngx.ERR, "could not save ocsp response to cache: ", err)
+        end
+      else
+        ngx.log(ngx.INFO, "using ocsp from cache")
+      end
+      local ok
+      ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert)
+      if not ok then
+        return false, "failed to validate OCSP response: " .. err
+      end
+      return true
+    end
+    return _M

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[THREESCALE-11404] Adding support for CRL and OCSP #1503

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Codecov / codecov/patch

Uh oh!