The CertificateAdapter allows TrustBuilder to validate X509-certificates based on their validity periods and a trusted store of signer certificates. In order to be valid: * the certificate's period must be valid * the signer must be found in the trust store and the certificate's signature must comply with the signer's public key.
Prerequisites
TrustStore
In order to validate the certificate a truststore is required (if one isn't provided fallback is done on the keystore) For more information about creating and/or using key- and truststores in trustbuilder refer to the KeyStore and TrustStore chapter.
Configuration
AdapterUniqueID
Unique name assigned to this adapter; the name is used to reference the adapter in the workflow. The ID has following requirements:
-
START with a letter or _ (underscore)
-
FOLLOWED by a combination of following characters: Letter, Number, '.' (dot), '-' (dash), '_' (underscore)
Workflow Settings
A request for the adapter is prepared by specifying the following properties/scripts in the adapter activity:
-
Input Property: the variable containing the instructions the adapter have to execute
-
Output Property: the variable the adapter will store the response in after execution
-
Before Adapter Script: script that will be executed before calling the adapter
-
After Adapter Script: script that will be executed after the adapter fulfilled its task
Request - API
certificateRequest The CertificateRequest allows clients check the X509 certificate's validity period and to validate its signature using a signer's public key.
certificateRequest(base64Certificate)
with parameters:
base64Certificate: Non-null, non-empty string; encoded in base64-format (may contain "-CERTIFICATE-" and "-END CERTIFICATE-" delimiters)
Response - API
Common Properties The response API can be applied to the variable specified in the "output property" (see "Workflow Settings"): to verify whether the action performed by the adapter was successful, to query for the data returned by the adapter.
All responses have four properties in common:
-
status Status flag indicating whether the response is ok (0) or not (1).
-
substatus Response specific number indicating what the problem was, eg. http status code
-
message Response specific message in case there was a problem (can be null)
-
rc Return Code, a human readable code based on the substatus
The status flag indicates whether a request was valid yes or no; consequently, the message or return code (rc) can be used to give the end-user a reasonable explanation or send the information to the underlying logging system.
Adapter Specific Properties
|
serialnumber |
Certificate serial number |
|
signature |
Signature |
|
subject |
Subject DN of the certificate |
|
getAki() |
Authority Key Identifier of the certificate |
|
getIssuer() |
Issuer DN of the certificate |
|
getKeyUsage() |
Object with boolean properties:
|
|
getPublicKeyInfo() |
Object containing following properties
|
|
getSki() |
Signer Key Identifier of the certificate |
|
getValidFrom() |
Date from which the certificate is valid from |
|
getValidTill() |
Date till which the certificate is valid to |
|
getVersion() |
Version of this certificate |
|
getCertificate() |
Gets the certificate in a base64 format |
|
getSigner() |
Object containing the same functions as the certificate, but all of them apply on the signer's certificate |
Response Codes
|
Status |
Sub status |
Description |
|---|---|---|
|
0 |
0 |
OK |
|
>0 |
1 |
Certificate not valid |
|
2 |
Certificate expired |
|
|
3 |
Certificate not yet valid |
|
|
4 |
No AKI or issuer |
|
|
5 |
Invalid AKI or issuer |
|
|
6 |
Signer certificate not found |
|
|
7 |
Keystore error |
|
|
8 |
Signature invalid |
|
|
9 |
Invalid Base64 |
Example
Request
function createCertificateRequest(workItem){
//workItem.certificate contains the base64 certificate request obtained through a header of direct as parameter
workItem.certrequest = tb.certificateRequest(workItem.certificate);
}
Response
function handleResponse(workItem){
if(certresponse.status == 0){
tb.log("Certificate is valid.");
return 'true';
}
return false;
}