OCSPValidatorValve
Note
Valve for validating X.509 certificates using OCSP. Operates on the Current Item Set.
The OCSP result is written to a property on the current item (named by dest) and takes one of the following values:
- GOOD
- REVOKED
- UNKNOWN
- ERROR
Properties
| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| source | Expression expanding to the certificate to validate. | | Yes | Yes |
| dest | Name of the item property receiving the validation status. | oscp_status | No | No |
| ocsp_use_nonce | Flag indicating whether a nonce extension is added to the request. | true | No | No |
| ocsp_use_signature | Flag indicating whether the request is signed. | true | No | No |
| ocsp_signature_algorithm | Name of the algorithm used to sign the request. SHA-1 is deprecated for signatures; prefer SHA256withRSA as in the example below. | SHA1withRSA | No | No |
| issuer_keystore_path | Path to the keystore containing the issuer certificate. | | Yes | No |
| issuer_keystore_password | Issuer keystore password. | | No | No |
| issuer_keystore_type | Issuer keystore type. | | No | No |
| issuer_keystore_alias | Issuer keystore alias. | | No | No |
| signer_keystore_path | Path to the keystore containing the key/certificate used to sign the request. | | Yes, if ocsp_use_signature is true | No |
| signer_keystore_password | Signer keystore password. | | No | No |
| signer_keystore_type | Signer keystore type. | | No | No |
| signer_keystore_alias | Signer keystore alias. | | No | No |
Example Configuration
```json
{
  "name": "OCSPValidatorValve",
  "enabled": "true",
  "config": {
    "source": "{{item.cert}}",
    "dest": "ocsp_status",
    "issuer_keystore_path": "ssl/ocsp_issuer.p12",
    "issuer_keystore_password": "{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7cu7Y0=",
    "issuer_keystore_type": "PKCS12",
    "issuer_keystore_alias": "1",
    "ocsp_use_nonce": "false",
    "ocsp_use_signature": "true",
    "ocsp_signature_algorithm": "SHA256withRSA",
    "signer_keystore_path": "ssl/ocsp_auth.p12",
    "signer_keystore_password": "{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7JJ7Y0=",
    "signer_keystore_type": "PKCS12",
    "signer_keystore_alias": "1"
  }
}
```