CertificateValidatorValve
Valve for validating X.509 certificates
Supports request/response and item iteration mode. In request/response mode, valve fails the pipe if certificate status is not GOOD. In item iteration mode, certificate status is added to the current item and the pipe must evaluate the result.
To validate a certificate, the issuer certificate and all intermediate certificates must be available in the trust store. The trust store can be located in configuration (as a resource) or in the file system. All certificates in the trust store are used.
Certificate validation consist of three steps:
- Local validation
- OCSP (if enabled)
- CRL (if enabled)
Local validation is always enabled and validates the following properties of the certificate:
- If the certificate is self signed (never allowed)
- Integrity (the certificate signature)
- Validity
- Path (trust)
If any of the above validations fails, the certificate validation fails.
Validation statuses:
- GOOD
- EXPIRED
- NOT_YET_VALID
- INVALID_SIGNATURE
- SELF_SIGNED
- INVALID_PATH
- CRL_STATUS_REVOKED
- CRL_MISSING
- CRL_ERROR
- OCSP_STATUS_REVOKED
- OCSP_STATUS_UNKNOWN
- OCSP_MISSING
- OCSP_ERROR
- INTERNAL_ERROR
Properties
Example Configuration
{ "name": "CertificateValidatorValve", "enabled": "true", "config": { "cert": "{{request.certificate}}", "trust_store_path": "ssl/trust.p12",
"trust_store_password":"{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7cu7Y0=", "trust_store_type": "PKCS12" } }