3scale · tkan145 · Oct 28, 2024 · Oct 29, 2024 · Nov 18, 2024 · Mar 3, 2025
@@ -8,3 +8,4 @@ lua_shared_dict limiter 1m;
 lua_shared_dict cached_auths 20m;
 lua_shared_dict batched_reports {{env.APICAST_POLICY_BATCHER_SHARED_MEMORY_SIZE | default: "20m"}};
 lua_shared_dict batched_reports_locks 1m;
+lua_shared_dict ocsp_cache 10m;
@@ -1,8 +1,9 @@
 # TLS Validation policy
 
-This policy can validate TLS Client Certificate against a whitelist.
+This policy can validate TLS Client Certificate against a whitelist and Certificate Revocation List (CRL)
 
 Whitelist expects PEM formatted CA or Client certificates.
+Revocation List expects PEM formatted certificates.
 It is not necessary to have the full certificate chain, just partial matches are allowed.
 For example you can add to the whitelist just leaf client certificates without the whole bundle with a CA certificate.
 
@@ -28,3 +29,50 @@ NOTE: This policy is not compatible with `APICAST_PATH_ROUTING` or `APICAST_PATH
   }
 }
 ```
+
+With Certificate Revocation List (CRL)
+
+```
+{
+  "name": "apicast.policy.tls_validation",
+  "configuration": {
+    "whitelist": [
+      { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+    ],
+    "revocation_check_type": "crl",
+    "revoke_list": [
+      { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+    ]
+  }
+}
+```
+
+Checking certificate status with Online Certificate Status Protocol (OCSP). The responder url is
+extracted from the certificate
+
+```
+{
+  "name": "apicast.policy.tls_validation",
+  "configuration": {
+    "whitelist": [
+      { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+    ],
+    "revocation_check_type": "ocsp",
+  }
+}
+```
+
+Overwrite OCSP responder URL
+
+```
+{
+  "name": "apicast.policy.tls_validation",
+  "configuration": {
+    "whitelist": [
+      { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+    ],
+    "revocation_check_type": "ocsp",
+    "ocsp_responder_url": "http://<ocsp-server>:<port>"
+  }
+}
+```
@@ -24,13 +24,99 @@
         "items": {
           "$ref": "#/definitions/certificate"
         }
+      },
+      "revoke": {
+        "$id": "#/definitions/revoke",
+        "type": "array",
+        "items": {
+          "$ref": "#/definitions/certificate"
+        }
       }
     },
     "properties": {
       "whitelist": {
         "$ref": "#/definitions/store",
         "title": "Certificate Whitelist",
         "description": "Individual certificates and CA certificates to be whitelisted."
+      },
+      "allow_partial_chain": {
+        "description": "Allow certificate verification with only an intermediate certificate",
+        "type": "boolean",
+        "default": true
+      },
+      "revocation_check_type": {
+        "title": "Certificate Revocation Check type",
+        "type": "string",
+        "oneOf": [
+          {
+            "enum": [
+              "ocsp"
+            ],
+            "title": "Enables OCSP validation of the client certificate."
+          },
+          {
+            "enum": [
+              "crl"
+            ],
+            "title": "Use certificates revocation list (CRL) in the PEM format to verify client certificates."
+          },
+          {
+            "enum": [
+              "none"
+            ],
+            "title": "Do not check for certificate recovation status"
+          }
+        ],
+        "default": "none"
+      }
+    },
+    "dependencies": {
+      "revocation_check_type": {
+        "oneOf": [
+          {
+            "properties": {
+              "revocation_check_type": {
+                "enum": [
+                  "none"
+                ]
+              }
+            }
+          },
+          {
+            "properties": {
+              "revocation_check_type": {
+                "enum": [
+                  "crl"
+                ]
+              },
+              "revoke_list": {
+                "title": "Certificate RevokeList",
+                "description": "Individual certificates and CA certificates to be revoked.",
+                "$ref": "#/definitions/store"
+              }
+            }
+          },
+          {
+            "properties": {
+              "revocation_check_type": {
+                "enum": [
+                  "ocsp"
+                ]
+              },
+              "ocsp_responder_url": {
+                "title": "OCSP Responder URL ",
+                "description": "Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension for validation of client certificates. ",
+                "type": "string"
+              },
+              "cache_ttl": {
+                "title": "Max TTL for cached OCSP response",
+                "type": "integer",
+                "minimum": 1,
+                "maximum": 3600
+              }
+            }
+          }
+        ]
       }
     }
   }

@@ -0,0 +1,114 @@
+local user_agent = require "apicast.user_agent"
+local http_ng = require "resty.http_ng"
+local resty_env = require "resty.env"
+local tls = require "resty.tls"
+local ngx_ssl = require "ngx.ssl"
+local ocsp = require "ngx.ocsp"
+
+local _M = {}
+local ocsp_shm = ngx.shared.ocsp_cache
+
+local function do_ocsp_request(ocsp_url, ocsp_request)
+  -- TODO: set default timeout
+  local http_client = http_ng.new{
+    options = {
+      headers = {
+        ['User-Agent'] = user_agent()
+      },
+      ssl = { verify = resty_env.enabled('OPENSSL_VERIFY') }
+    }
+  }
+  local res, err = http_client.post{
+    ocsp_url,
+    ocsp_request,
+    headers= {
+      ["Content-Type"] = "application/ocsp-request"
+  }}
+  if err then
+    return nil, err
+  end
+
+  ngx.log(ngx.INFO, "fetching OCSP response from ", ocsp_url)
+
+  if not res then
+    return nil, "failed to send request to OCSP responder: " .. tostring(err)
+  end
+
+  if res.status ~= 200 then
+    return nil, "unexpected OCSP responder status code: " .. res.status
+  end
+
+  return res.body
+end
+
+function _M.check_revocation_status(ocsp_responder_url, digest, ttl)
+  -- Nginx supports leaf mode, that is only verify the client ceritificate, however
+  -- until we have a way to detect which CA certificate is being used to verify the
+  -- client certificate we need to get the full certificate chain here to construct
+  -- the OCSP request.
+  local cert_chain, err = tls.get_full_client_certificate_chain()
+  if not cert_chain then
+    return nil, err or "no client certificate"
+  end
+
+  local der_cert
+  der_cert, err = ngx_ssl.cert_pem_to_der(cert_chain)
+  if not der_cert then
+    return nil, "failed to convert certificate chain from PEM to DER " ..  err
+  end
+
+  local ocsp_resp
+  ocsp_resp = ocsp_shm:get(digest)
+
+  if ocsp_resp == nil then
+    ngx.log(ngx.INFO, "no ocsp resp cache found, fetch from ocsp responder")
+
+
+    -- TODO: check response cache
+    local ocsp_url
+    if ocsp_responder_url and ocsp_responder_url ~= "" then
+      ocsp_url = ocsp_responder_url
+    else
+      ocsp_url, err = ocsp.get_ocsp_responder_from_der_chain(der_cert)
+      if not ocsp_url then
+        return nil, err or ("could not extract OCSP responder URL, the client " ..
+                              "certificate may be missing the required extensions")
+      end
+    end
+
+    if not ocsp_url or ocsp_url == "" then
+      return nil, " invalid OCSP responder URL"
+    end
+
+    local ocsp_req
+    ocsp_req, err = ocsp.create_ocsp_request(der_cert)
+    if not ocsp_req then
+      return nil, "failed to create OCSP request: " .. err
+    end
+
+    ocsp_resp, err = do_ocsp_request(ocsp_url, ocsp_req)
+    if not ocsp_resp or #ocsp_resp == 0 then
+      return nil, "unexpected response from OCSP responder: empty body"
+    end
+
+    -- Use ttl, normally this should be (nextUpdate - thisUpdate), but current version
+    -- of openresty API does not expose those attributes. Support for this was added
+    -- in openrest-core v0.1.31, we either need to backport or upgrade the openresty
+    -- version.
+    local ok
+    ok, err = ocsp_shm:set(digest, ocsp_resp, ttl)
+    if not ok then
+      ngx.log(ngx.ERR, "could not save ocsp response to cache: ", err)
+    end
+  end
+
+  local ok
+  ok, err = ocsp.validate_ocsp_response(ocsp_resp, der_cert)
+  if not ok then
+    return false, "failed to validate OCSP response: " .. err
+  end
+
+  return true
+end
+
+return _M
@@ -4,7 +4,9 @@
 local _M = policy.new('tls_validation')
 local X509_STORE = require('resty.openssl.x509.store')
 local X509 = require('resty.openssl.x509')
+local X509_CRL = require('resty.openssl.x509.crl')
 local ngx_ssl = require "ngx.ssl"
+local ocsp = require ("ocsp_validation")
 
 local ipairs = ipairs
 local tostring = tostring
@@ -33,6 +35,29 @@
   return store
 end
 
+local function init_crl_list(store, crl_certificates)
+  local ok, err
+  local crl
+  for _, certificate in ipairs(crl_certificates) do
+    -- add crl to store, but skip setting the flag
+    crl, err = X509_CRL.new(certificate.pem_certificate)
+    if crl then
+      ok, err = store:add(crl)
+
+      if debug then
+        ngx.log(ngx.DEBUG, 'adding crl certificate to the tls validation ', tostring(crl:subject_name()), ' SHA1: ', crl:hexdigest('SHA1'))
+      end
+    else
+      ngx.log(ngx.WARN, 'failed to add crl certificate, err: ', err)
+
+      if debug then
+        ngx.log(ngx.DEBUG, 'certificate: ', certificate.pem_certificate)
+      end
+    end
+  end
+  return store
+end
+
 local new = _M.new
 --- Initialize a tls_validation
 -- @tparam[opt] table config Policy configuration.
@@ -42,20 +67,26 @@
 
   self.x509_store = init_trusted_store(store, config and config.whitelist or {})
   self.error_status = config and config.error_status or 400
+  self.allow_partial_chain = config and config.allow_partial_chain
+  self.revocation_type = config and config.revocation_check_type or "none"
+  if self.revocation_type == "crl" then
+    init_crl_list(store, config and config.revoke_list or {})
+  elseif self.revocation_type == "ocsp" then
+    self.ocsp_responder_url = config and config.ocsp_responder_url
+    self.cache_ttl = config and config.cache_ttl
+  end
 
   return self
 end
 
 function _M:ssl_certificate()
   -- Request client certificate
   --
-  -- We don't validate the certificate during the handshake, thus set `depth` to 0 (default is 1)
-  -- value here in order to save CPU cycles
-  --
   -- TODO:
   -- provide ca_certs: See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#verify_client
   -- handle verify_depth
   --
+  -- TODO: OCSP stapling
   return ngx_ssl.verify_client()
 end
 
@@ -70,26 +101,40 @@
   local cert, err = X509.new(client_cert)
   if not cert then
     ngx.status = self.error_status
-    ngx.log(ngx.WARN, "Invalid TLS certificate, err: ", err)
+    ngx.log(ngx.WARN, "Unable to load client certificate, err: ", err)
     ngx.say("Invalid TLS certificate")
     return ngx.exit(ngx.status)
   end
 
   local store = self.x509_store
-  store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN)
+
+  if self.allow_partial_chain then
+    store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN)
+  end
 
   -- err is printed inside validate_cert method
   -- so no need capture the err here
-  local ok, err = store:verify(cert)
+  local chain, ok
+  chain, err = store:verify(cert, nil, true)
 
-  if not ok then
+  if not chain then
     ngx.status = self.error_status
-    ngx.log(ngx.INFO, "TLS certificate validation failed, err: ", err)
+    ngx.log(ngx.WARN, "TLS certificate validation failed, err: ", err)
     ngx.say("TLS certificate validation failed")
     return ngx.exit(ngx.status)
   end
 
-  return ok, nil
+  if self.revocation_type == "ocsp" then
+    ok, err = ocsp.check_revocation_status(self.ocsp_responder_url, cert.digest, self.cache_ttl)
+    if not ok then
+      ngx.status = self.error_status
+      ngx.log(ngx.WARN, "TLS certificate validation failed, err: ", err)
+      ngx.say("TLS certificate validation failed")
+      return ngx.exit(ngx.status)
+    end
+  end
+
+  return true, nil
 end
 
 return _M