From cd1d70e6352a9cf5de4e6755177b155199b91a96 Mon Sep 17 00:00:00 2001
From: An Tran
Date: Thu, 24 Oct 2024 20:39:30 +1000
Subject: [PATCH] [tls_validation] Make sure the client cert is present

---
 .../apicast/policy/tls_validation/tls_validation.lua | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
index ce14e975f..151bd97c3 100644
--- a/gateway/src/apicast/policy/tls_validation/tls_validation.lua
+++ b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
@@ -60,13 +60,21 @@ function _M:ssl_certificate()
 end
 function _M:access()
- local cert = X509.new(ngx.var.ssl_client_raw_cert)
- if not cert then
+ local client_cert = ngx.var.ssl_client_raw_cert
+ if not client_cert then
 ngx.status = self.error_status
 ngx.say("No required TLS certificate was sent")
 return ngx.exit(ngx.status)
 end
+ local cert, err = X509.new(client_cert)
+ if not cert then
+ ngx.status = self.error_status
+ ngx.log(ngx.WARN, "Invalid TLS certificate, err: ", err)
+ ngx.say("Invalid TLS certificate")
+ return ngx.exit(ngx.status)
+ end
+
 local store = self.x509_store
 store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN)
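Review bot: The new presence check `if not client_cert then` only catches nil, and if `$ssl_client_raw_cert` evaluates to an empty string rather than nil when the TLS handshake completed without a client certificate (as I believe nginx's ssl variables do), that branch is skipped and the request is instead rejected further down by `X509.new` with the misleading "Invalid TLS certificate" message plus a WARN log line on every cert-less request. Tightening the guard to `if not client_cert or client_cert == "" then` keeps the intended distinction between "no certificate sent" and "unparseable certificate" without relying on the parser to reject empty input. Both rejection branches correctly keep the OpenSSL error text in the log and out of the response body, so nothing about the verifier configuration leaks to the client. `_M:access` continues past the end of the hunk with the x509 store verification, which is not reviewed here.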