# CertificateValidatorValve
Valve for validating X.509 certificates
Supports request/response mode and item iteration mode. In request/response mode, the valve fails the pipe if the certificate status is not GOOD.
In item iteration mode, the certificate status is added to the current item and the pipe must evaluate the result (for example with FlowFailPipe).
To validate a certificate, the issuer certificate and all intermediate certificates must be available in the trust store. The trust store can be located in the configuration (as a resource) or in the file system. All certificates in the trust store are used.
Certificate validation consists of three steps:
- Local validation
- OCSP (if enabled)
- CRL (if enabled)
Local validation is always enabled and validates the following properties of the certificate:
- Whether the certificate is self-signed (never allowed)
- Integrity (the certificate signature)
- Validity
- Path (trust)
If any of the above validations fails, the certificate validation fails.
Validation statuses:
- GOOD
- EXPIRED
- NOT_YET_VALID
- INVALID_SIGNATURE
- SELF_SIGNED
- INVALID_PATH
- CRL_STATUS_REVOKED
- CRL_MISSING
- CRL_ERROR
- OCSP_STATUS_REVOKED
- OCSP_STATUS_UNKNOWN
- OCSP_MISSING
- OCSP_ERROR
- INTERNAL_ERROR
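The four local checks, as an added Go sketch that is not the valve's own code: LocalStatus applies them in the order listed above and returns the page's status names, with the trust store modelled as a list in which every certificate is used. It assumes that the integrity check is applied once a trust-store certificate carrying the issuer's name is found, and that path building uses trust-store certificates only; NewCert is a hypothetical helper that constructs test certificates.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// LocalStatus runs the page's four local checks in order and returns the first failing status, or GOOD.
func LocalStatus(cert *x509.Certificate, now time.Time, trust ...*x509.Certificate) string {
	sig := func(c *x509.Certificate) error { return c.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) }
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) && sig(cert) == nil {
		return "SELF_SIGNED" // 1. self-signed certificates are never allowed
	}
	pool := x509.NewCertPool() // every certificate in the trust store is used
	for _, t := range trust {
		pool.AddCert(t)
		if bytes.Equal(t.RawSubject, cert.RawIssuer) && sig(t) != nil {
			return "INVALID_SIGNATURE" // 2. issuer found by name, but the signature does not verify
		}
	}
	if now.Before(cert.NotBefore) { // 3. validity window
		return "NOT_YET_VALID"
	}
	if now.After(cert.NotAfter) {
		return "EXPIRED"
	}
	opts := x509.VerifyOptions{Roots: pool, Intermediates: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "INVALID_PATH" // 4. no chain to a trusted certificate through trust-store intermediates
	}
	return "GOOD"
}
// NewCert issues a constructed test certificate (hypothetical helper); a nil parent makes it self-signed.
func NewCert(cn string, ca bool, nb, na time.Time, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: nb,
		NotAfter: na, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Calling LocalStatus with the intermediate left out of the trust list returns INVALID_PATH, which is the situation the requirement above (issuer and all intermediates present) is meant to rule out.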
## Properties
| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| cert | The certificate in PEM format. | | Yes | Yes |
| trust_store_path | Path to the trust store containing trusted issuers. | | Yes (unless trust_store_ref is used) | No |
| trust_store_ref | Id of the trust store resource containing trusted issuers. | | Yes (unless trust_store_path is used) | No |
| trust_store_password | The trust store password. | | No | No |
| trust_store_type | The type of trust store. | JKS | No | No |
| status | The name of the property receiving the status (item iteration mode only). | cert_status | No | No |
| enable_ocsp | Flag to enable/disable OCSP validation. If enabled, an OCSP check is performed only if an OCSP endpoint is present in the certificate being validated. | false | No | No |
| enforce_ocsp | Enforces the OCSP check: validation fails if no OCSP location is available. | false | No | No |
| ocsp_enable_nonce | Flag to enable/disable the OCSP nonce (prevents replay of a response). Only used if OCSP is enabled. | true | No | No |
| ocsp_responder_keystore_path | Path to a key store containing the OCSP responder certificate, i.e. the certificate used to verify the OCSP server's response. If not supplied, the certificate carried in the OCSP response is used. Note: the issuer of the responder certificate must be trusted. | | No | No |
| ocsp_responder_keystore_password | Responder key store password. | | No | No |
| ocsp_responder_keystore_type | Responder key store type (JKS/PKCS12). | pkcs12 | No | No |
| ocsp_responder_keystore_alias | Responder key store alias. | | Yes | No |
| enable_crl | Flag to enable/disable CRL validation. If enabled, a CRL check is performed only if a CRL endpoint is present in the certificate being validated. | false | No | No |
| enforce_crl | Enforces the CRL check: validation fails if no CRL information is available. | false | No | No |
| status_cache_max_size | Maximum size of the certificate status cache. A status stays cached for as long as the OCSP/CRL service specifies or, if the service specifies no lifetime, for status_cache_ttl milliseconds. Only used if OCSP/CRL is enabled. | 50 | No | No |
| status_cache_ttl | Time to live (in milliseconds) for cached statuses when the OCSP/CRL service specifies none. Only used if OCSP/CRL is enabled. | 3600000 | No | No |
## Example Configuration

```json
{
  "name": "CertificateValidatorValve",
  "enabled": "true",
  "config": {
    "cert": "{{request.certificate}}",
    "trust_store_path": "ssl/trust.p12",
    "trust_store_password": "{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7cu7Y0=",
    "trust_store_type": "PKCS12"
  }
}
```