[tls_validation] Add support for OCSP

3scale · Jan 30, 2025 · 9ee88d2 · 9ee88d2
1 parent 3bbe9f7
commit 9ee88d2
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/gateway/src/apicast/policy/tls_validation/apicast-policy.json b/gateway/src/apicast/policy/tls_validation/apicast-policy.json
@@ -48,6 +48,12 @@
         "title": "Certificate Revocation Check type",
         "type": "string",
         "oneOf": [
+          {
+            "enum": [
+              "ocsp"
+            ],
+            "title": "Enables OCSP validation of the client certificate."
+          },
           {
             "enum": [
               "crl"
@@ -89,6 +95,45 @@
                 "$ref": "#/definitions/store"
               }
             }
+          },
+          {
+            "properties": {
+              "revocation_check_type": {
+                "enum": [
+                  "ocsp"
+                ]
+              },
+              "revocation_check_mode": {
+                "title": "Certificate Mode",
+                "description": "Certificate revocation check mode",
+                "type": "string",
+                "oneOf": [
+                  {
+                    "enum": [
+                      "ignore_error"
+                    ],
+                    "title": "Ignore Network Error: respects the revocation status when either OCSP or CRL URL is set, and doesn’t fail on network issues"
+                  },
+                  {
+                    "enum": [
+                      "strict"
+                    ],
+                    "title": "Strict: The certificate is valid only when it’s able to verify the revocation status."
+                  }
+                ],
+                "default": "strict"
+              },
+              "ocsp_responder_url": {
+                "title": "OCSP Responder URL ",
+                "description": "Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension for validation of client certificates. ",
+                "type": "string"
+              },
+              "cache_timeout": {
+                "title": " Cache timeout",
+                "description": "The length of time in milliseconds between refreshes of the revocation check status cache.",
+                "type": "integer"
+              }
+            }
           }
         ]
       }

diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
@@ -85,6 +85,7 @@ function _M:ssl_certificate()
   -- provide ca_certs: See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#verify_client
   -- handle verify_depth
   --
+  -- TODO: OCSP stapling
   return ngx_ssl.verify_client()
 end