CertificateValidatorValve

Valve for validating X.509 certificates

Supports request/response and item iteration mode. In request/response mode, valve fails the pipe if certificate status is not GOOD.
In item iteration mode, certificate status is added to the current item and the pipe must evaluate the result (using for example FlowFailPipe).

To validate a certificate, the issuer certificate and all intermediate certificates must be available in the trust store. The trust store can be located in configuration (as a resource) or in the file system. All certificates in the trust store are used.

Certificate validation consist of three steps:

  1. Local validation
  2. OCSP (if enabled)
  3. CRL (if enabled)

Local validation is always enabled and validates the following properties of the certificate:

  • If the certificate is self signed (never allowed)
  • Integrity (the certificate signature)
  • Validity
  • Path (trust)

If any of the above validations fails, the certificate validation fails.

Validation statuses:

  • GOOD
  • EXPIRED
  • NOT_YET_VALID
  • INVALID_SIGNATURE
  • SELF_SIGNED
  • INVALID_PATH
  • CRL_STATUS_REVOKED
  • CRL_MISSING
  • CRL_ERROR
  • OCSP_STATUS_REVOKED
  • OCSP_STATUS_UNKNOWN
  • OCSP_MISSING
  • OCSP_ERROR
  • INTERNAL_ERROR

Properties

Name Description Default value Mandatory Supports property expansion
cert The certificate in PEM format Yes Yes
trust_store_path Path to trust store containing trusted issuers. Yes (if not trust_store_ref is used) No
trust_store_ref Id of trust store resource containing trusted issuers. Yes (if not trust_store_path is used) No
trust_store_password The trust store password. No No
trust_store_type The type of trust store. JKS No No
status The name of property receiving the status (if operating in item mode). cert_status No No
enable_ocsp Flag to enable/disable OCSP validation. If enabled, a OCSP validation will occur IF a OCSP endpoint is present on the certificate being validated. false No No
enforce_ocsp Enforces OCSP check and fails if no OCSP location is available. false No No
ocsp_enable_nonce Flag to enable/disable the use of OCSP nonce (to prevent replay of response). Only used if OCSP is enabled. true No No
ocsp_responder_keystore_path Path to key store containing OCSP responder certificate. Responder certificate is the certificate used by OCSP server to verify the response. If not supplied, certificate in OCSP response will be used. Note: issuer of responder certificate must be trusted. No No
ocsp_responder_keystore_password Responder key store password. No No
ocsp_responder_keystore_type Responder key store type (JKS/PKCS12). pkcs12 No No
ocsp_responder_keystore_alias Responder key store alias. Yes No
enable_crl Flag to enable/disable CRL validation. If enabled, a CRL validation will occur IF a CRL endpoint is present on the certificate being validated. false No No
enforce_crl Enforces CRL check and fails if no CRL info is available. false No No
status_cache_max_size Max size for certificate status cache. Statuses are kept in cache for as long as OCSP/CRL service specified. Or if not specified, for the amount of milliseconds specified by status_cache_ttl. Only used if OCSP/CRL is enabled. 50 No No
status_cache_ttl Time to live for cached statuses, if not specified by OCSP/CRL service. Only used if OCSP/CRL is enabled. 3600000 No No

Example Configuration 

{
  "name": "CertificateValidatorValve",
  "enabled": "true",
  "config": {
    "cert": "{{request.certificate}}",
    "trust_store_path": "ssl/trust.p12",
    "trust_store_password":"{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7cu7Y0=",
    "trust_store_type": "PKCS12"
  }
}