CertificateValidatorValve

Valve for validating X.509 certificates

Performs the following validations:

  • Certificate integrity and validity (signature, not_before, not_after)
  • Trust (that the certificate is issued by a trusted party)
  • OCSP
  • CRL

The valve operates in dual mode: on the request, when no item(s) exist, and on the item(s) when they do.

The validation status is either returned as an error detail (request mode) or set on the item (item mode), depending on the mode of operation.

Validation statuses:

  • GOOD
  • EXPIRED
  • NOT_YET_VALID
  • INVALID_SIGNATURE
  • SELF_SIGNED
  • INVALID_PATH
  • CRL_STATUS_REVOKED
  • CRL_MISSING
  • CRL_ERROR
  • OCSP_STATUS_REVOKED
  • OCSP_STATUS_UNKNOWN
  • OCSP_MISSING
  • OCSP_ERROR
  • INTERNAL_ERROR

Note: OCSP/CRL validation is experimental. Use with caution.

Note: The current CRL validation is trivial and does not cache CRLs.
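As an added illustration, not code from the product itself, the Go program below maps the first three validations (validity period, self-signature, trust path) onto the status names listed above using only the standard library. Validate, Issue and the certificates the test builds with them are constructed for this example; OCSP, CRL and INVALID_SIGNATURE are not modelled, and no extended key usage check is applied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validate maps the valve's documented checks (validity period, self-signed, trust path) onto its status strings.
func Validate(leaf *x509.Certificate, trust *x509.CertPool, now time.Time) string {
	if now.Before(leaf.NotBefore) {
		return "NOT_YET_VALID"
	}
	if now.After(leaf.NotAfter) {
		return "EXPIRED"
	}
	// The signature verifies under the certificate's own public key: it is self-signed.
	if leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return "SELF_SIGNED"
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil { // a chain from the leaf to a trusted issuer was built
		return "GOOD"
	}
	if _, untrusted := err.(x509.UnknownAuthorityError); untrusted { // no chain ends at a trusted issuer
		return "INVALID_PATH"
	}
	return "INTERNAL_ERROR" // OCSP, CRL and other failure modes are not modelled here
}

// Issue builds a constructed test certificate (validity as YYYY-MM-DD); parent == nil makes it self-signed.
func Issue(cn, from, to string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	day := func(s string) time.Time { d, _ := time.Parse("2006-01-02", s); return d }
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: day(from), NotAfter: day(to), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign} // CertSign only matters when ca is true
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, priv
}
```

Which status wins when several apply (for instance an expired self-signed certificate) is decided by the order of the checks; the valve's own ordering is not stated on this page.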

Properties

Each property is listed with its description, default value, whether it is mandatory and whether it supports property expansion.

  • cert
    Description: The certificate in PEM format
    Default value: (none)
    Mandatory: Yes
    Supports property expansion: Yes

  • trust_store_path
    Description: Path to trust store containing trusted issuers
    Default value: (none)
    Mandatory: Yes
    Supports property expansion: No

  • trust_store_password
    Description: The trust store password
    Default value: (none)
    Mandatory: No
    Supports property expansion: No

  • trust_store_type
    Description: The type of trust store
    Default value: "JKS"
    Mandatory: No
    Supports property expansion: No

  • status
    Description: The name of the property receiving the status (if operating in item mode)
    Default value: "cert_status"
    Mandatory: No
    Supports property expansion: No

  • enable_ocsp
    Description: Flag to enable/disable OCSP validation
    Default value: "false"
    Mandatory: No
    Supports property expansion: No

  • ocsp_enable_nonce
    Description: Flag to enable/disable the use of an OCSP nonce (to prevent replay of the response). Only used if OCSP is enabled.
    Default value: "true"
    Mandatory: No
    Supports property expansion: No

  • enable_crl
    Description: Flag to enable/disable CRL validation
    Default value: "false"
    Mandatory: No
    Supports property expansion: No

Example Configuration

{
  "name": "CertificateValidatorValve",
  "enabled": "true",
  "config": {
    "cert": "{{request.certificate}}",
    "trust_store_path": "ssl/trust.p12",
    "trust_store_type": "PKCS12"
  }
}