PSD2 - Client certificate validation using OCSPStapling

Can anyone share a sample/sequence of usage of OCSPStapling in Apigee? We have a need to validate client certificates using OCSP.

https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference

==

When enabled, an OCSP (Online Certificate Status Protocol) client sends a status request to an OCSP responder to determine if the certificate is valid. The response indicates if the certificate is valid and not revoked.

The default value is off. Set to on to enable OCSP. TLS must be enabled to enable OCSP. You can also use OCSP with two-way TLS.

==

Client -> Apigee(VH with OCSP enabled)

I want to understand internally what happens within the flow. Do we need to extract the Authority Information Access endpoint and call the endpoint, or does Apigee internally take care of the verification during the handshake?

A similar question is posted here:

https://community.apigee.com/questions/61869/validating-client-certificates-with-ocsp-andor-crl.html

I opened a case as well but am still waiting for a response.

Thanks.


I have an understanding of how it works but not certain I am correct on all details. I am working to confirm. In the meantime, here is my understanding.

OCSP stapling allows the server (in this case Apigee Edge) to send back a signed OCSP response in the TLS handshake. This allows the client (your app?) to skip the query to an OCSP server itself.

The "flow" for your clients is no different than the normal flow for any simple TLS handshake. Normally the client has a TLS library that is smart enough to understand the stapled OCSP response and can evaluate it and judge its validity. This is all done transparently. For example, if you use nodejs, the OCSP response is handled automatically, though your app can "listen" for the event that signifies that an OCSP Response has been received during the TLS handshake. Similar support is in Java since JDK 5. It's in .NET client libraries too, but I couldn't find a definitive statement. For other client-side https implementations, you're on your own.

The client library will throw an exception if the stapled OCSP response indicates that the cert for the server has been revoked. The question is: what happens when there is no stapled OCSP Response in the TLS handshake? The client library needs to be configured with an OCSP URL, or needs to use the URL contained in the cert, and it is the responsibility of the client to query that URL to check revocation status. In the case of an API hosted on Apigee Edge, the client is not under control of Apigee; your client needs to take care itself that it is checking CRLs.

All of the above discusses what the client needs to do, when verifying the server's cert.

On the other hand, if you are looking to use 2-way TLS and you want Apigee Edge (the server in this case) to verify the client's cert, you will need to do that yourself, within your API proxy. To do that you need to get the certificate, extract the URL, call that OCSP URL to retrieve the response and then assess the status of the client's cert.

You would do that in the Proxy Request flow. To get access to the cert in that layer you need to turn on Propagation of TLS information for your vhost.

I've tried implementing OCSP at the proxy level, but I've encountered some issues:

- You can only propagate the TLS client cert, and I was not able to find a way to extract the CA cert from the truststore;

- The GET method is not supported by all responders; to make it reliable, POST with a binary payload must be used;

- API proxy policies do not support binary manipulation; the only solution I found is to use Node.js or Java to create the OCSP request;

- Even if you create the binary request in Java/Node.js, it's still not possible to pass it back to the proxy and call the responder using the ServiceCallout policy; you have to make the request in Java/Node.js itself, which makes this code stateful and creates a whole other set of issues.

The lack of client OCSP support makes Apigee unusable for PSD2. I was able to create a solution using Java and custom storage of the individual CA certs, but it's more of a hack than a solution, not something I would be comfortable using in production.
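The steps the two replies above describe (read the OCSP URL out of the client cert's AIA extension, build the binary OCSP request that has to be POSTed, then judge the responder's answer), written out as an added Python example; this is not code from the thread, from Apigee, or from either poster. It assumes the `cryptography` package is installed, builds its own throwaway CA, client certificate and CA-signed response so it runs offline, and leaves the HTTP POST itself to whatever callout mechanism the proxy uses.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def ocsp_url(cert):
    """Responder URL from the cert's Authority Information Access extension, or None if it has none."""
    for ext in cert.extensions:  # a cert without AIA gives no responder to ask, so the caller must reject or use a CRL
        if ext.oid == ExtensionOID.AUTHORITY_INFORMATION_ACCESS:
            return next((d.access_location.value for d in ext.value
                         if d.access_method == AuthorityInformationAccessOID.OCSP), None)
    return None

def build_request(cert, issuer):
    """DER OCSPRequest: the binary body to POST to the responder (Content-Type: application/ocsp-request)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)

def evaluate(response_der, issuer):
    """Return 'good', 'revoked' or 'unknown'; raise if the response is an error or not signed by the issuer."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: " + resp.response_status.name)
    # Assumption: the CA signs its own responses (a delegated responder cert would need its own chain check).
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status.name.lower()

def make_demo_pki(status="GOOD"):
    """Constructed test data: a CA, a client cert carrying an AIA OCSP URL, and a CA-signed response."""
    now = datetime.now(timezone.utc)
    ca_key, client_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA (constructed)")])
    def cert(subject, key, builder):  # every cert here is issued by the demo CA
        return (builder.subject_name(subject).issuer_name(ca_name).public_key(key.public_key())
                .serial_number(x509.random_serial_number()).not_valid_before(now)
                .not_valid_after(now + timedelta(days=1)).sign(ca_key, hashes.SHA256()))
    ca = cert(ca_name, ca_key, x509.CertificateBuilder().add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True))
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier("http://ocsp.example.test"))])
    client = cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "tpp-client")]), client_key,
                  x509.CertificateBuilder().add_extension(aia, critical=False))
    rev = (now, x509.ReasonFlags.key_compromise) if status == "REVOKED" else (None, None)
    resp = (ocsp.OCSPResponseBuilder().responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .add_response(client, ca, hashes.SHA1(), ocsp.OCSPCertStatus[status],
                          now, now + timedelta(hours=1), *rev).sign(ca_key, hashes.SHA256()))
    return client, ca, resp.public_bytes(serialization.Encoding.DER)
```

In a real proxy the client certificate comes from the propagated TLS variables and the issuer cert has to be supplied from your own store, which is exactly the gap the post above describes.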

I'm curious whether you found a nicer solution since we are facing similar issues. It is really surprising and disappointing that Apigee doesn't support this out of the box.

Since you got this working with a nodejs or java callout, do you mind sharing the code?

Did someone get this working and can share? 🙂