You can use the Extract Certificate Attributes filter to extract the X.509 attributes from a certificate stored in a specified API Gateway message attribute. Typically, this filter is used in conjunction with the Find Certificate filter, which is found in the Certificates category of message filters. In this case, the Find Certificate filter can locate a certificate from one of many possible sources (for example, the message itself, an HTTP header, or the API Gateway certificate store), and store it in a message attribute, which is usually the certificate attribute.
The Extract Certificate Attributes filter can then retrieve this certificate and extract the X.509 attributes from it. For example, you can then use a Validate Message Attribute filter to check the values of the attributes.
The Extract Certificate Attributes filter extracts the X.509 certificate attributes and populates a number of API Gateway message attributes with their respective values. The following table lists the message attributes that are generated by this filter, and shows what each of these attributes contains after the filter has executed:
Generated Message Attribute | Contains |
---|---|
attribute.lookup.list | This user attribute list contains an attribute for each Distinguished Name (DName) attribute of the subject (cn, o, l, and so on). The user attributes are named cn, o, and so on. |
attribute.subject.id | The DName of the subject of the certificate. |
attribute.subject.format | Set to X509DName. |
cert.basic.constraints | If the subject is a Certificate Authority (CA) and the BasicConstraints extension exists, this field gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path. This contains the value of pathLenConstraint if the BasicConstraints extension is present in the certificate and the subject of the certificate is a CA; otherwise, its value is -1. If the subject of the certificate is a CA and pathLenConstraint does not appear, there is no limit to the allowed length of the certification path. |
cert.extended.key.usage | A String representing the OBJECT IDENTIFIERs of the ExtKeyUsageSyntax field of the extended key usage extension (OID = 2.5.29.37). It indicates a purpose for which the certified public key may be used, in addition to, or instead of, the basic purposes indicated in the key usage extension field. |
cert.hash.md5 | An MD5 hash of the certificate. |
cert.hash.sha1 | A SHA1 hash of the certificate. |
cert.issuer.alternative.name | An alternative name for the certificate issuer from the IssuerAltName extension (OID = 2.5.29.18). |
cert.issuer.id | The DName of the issuer of the certificate. |
cert.issuer.id.c | The c attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.cn | The cn attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.emailaddress | The email or emailaddress attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.l | The l attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.o | The o attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.ou | The ou attribute of the issuer of the certificate, if it exists. |
cert.issuer.id.st | The st attribute of the issuer of the certificate, if it exists. |
cert.key.usage.cRLSign | Set to true or false depending on whether the key can be used for cRLSign. |
cert.key.usage.dataEncipherment | Set to true or false depending on whether the key can be used for dataEncipherment. |
cert.key.usage.decipherOnly | Set to true or false depending on whether the key can be used for decipherOnly. |
cert.key.usage.digitalSignature | Set to true or false depending on whether the key can be used for digital signature. |
cert.key.usage.encipherOnly | Set to true or false depending on whether the key can be used for encipherOnly. |
cert.key.usage.keyAgreement | Set to true or false depending on whether the key can be used for keyAgreement. |
cert.key.usage.keyCertSign | Set to true or false depending on whether the key can be used for keyCertSign. |
cert.key.usage.keyEncipherment | Set to true or false depending on whether the key can be used for keyEncipherment. |
cert.key.usage.nonRepudiation | Set to true or false depending on whether the key can be used for non-repudiation. |
cert.not.after | The end (not after) date of the validity period. |
cert.not.before | The start (not before) date of the validity period. |
cert.serial.number | The certificate serial number. |
cert.signature.algorithm | The signature algorithm used for the certificate signature. |
cert.subject.alternative.name | An alternative name for the subject from the SubjectAltName extension (OID = 2.5.29.17). |
cert.subject.id | The DName of the subject of the certificate. |
cert.subject.id.c | The c attribute of the subject of the certificate, if it exists. |
cert.subject.id.cn | The cn attribute of the subject of the certificate, if it exists. |
cert.subject.id.emailaddress | The email or emailaddress attribute of the subject of the certificate, if it exists. |
cert.subject.id.l | The l attribute of the subject of the certificate, if it exists. |
cert.subject.id.o | The o attribute of the subject of the certificate, if it exists. |
cert.subject.id.ou | The ou attribute of the subject of the certificate, if it exists. |
cert.subject.id.st | The st attribute of the subject of the certificate, if it exists. |
cert.version | The certificate version. |
Name:
Enter a name for the filter.
Certificate Attribute:
The Extract Certificate Attributes filter extracts the attributes from the certificate contained in the message attribute selected or entered here. The selected attribute must contain a single certificate only.
Include Distribution Points:
If the certificate contains CRL Distribution Point X.509 extension attributes (which point to the location of the certificate issuer's CRL), you can also extract these and store them in message attributes by selecting this check box. The extracted distribution points are stored in message attributes that are prefixed by:
distributionpoint.
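To make the attribute table and the Include Distribution Points option concrete, the following is an added example written for this page; it is not API Gateway code. It parses a certificate with the Python `cryptography` library and builds a dictionary keyed by the message attribute names listed above, including the -1 convention for cert.basic.constraints and the keyAgreement dependency of encipherOnly/decipherOnly. The `cryptography` dependency, the constructed self-signed sample certificate, the value used when a CA certificate has no pathLenConstraint (Java's Integer.MAX_VALUE), all key usage bits being false when the extension is absent, the comma-separated formatting of multi-valued fields, and the .0, .1, ... suffix on distributionpoint attributes are assumptions of this example, not documented gateway behaviour.

```python
"""Added example (not API Gateway code): produce the message attributes from
the table above from an X.509 certificate parsed with `cryptography`."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# DN attribute OIDs -> the short names the filter uses in cert.*.id.<name>.
DN_SHORT_NAMES = {
    NameOID.COUNTRY_NAME: "c", NameOID.COMMON_NAME: "cn",
    NameOID.EMAIL_ADDRESS: "emailaddress", NameOID.LOCALITY_NAME: "l",
    NameOID.ORGANIZATION_NAME: "o", NameOID.ORGANIZATIONAL_UNIT_NAME: "ou",
    NameOID.STATE_OR_PROVINCE_NAME: "st",
}

# cert.key.usage.<bit> -> how to read that bit. encipherOnly/decipherOnly are
# only defined when keyAgreement is set (`cryptography` raises otherwise).
KEY_USAGE_BITS = {
    "digitalSignature": lambda ku: ku.digital_signature,
    "nonRepudiation": lambda ku: ku.content_commitment,
    "keyEncipherment": lambda ku: ku.key_encipherment,
    "dataEncipherment": lambda ku: ku.data_encipherment,
    "keyAgreement": lambda ku: ku.key_agreement,
    "keyCertSign": lambda ku: ku.key_cert_sign,
    "cRLSign": lambda ku: ku.crl_sign,
    "encipherOnly": lambda ku: ku.key_agreement and ku.encipher_only,
    "decipherOnly": lambda ku: ku.key_agreement and ku.decipher_only,
}

NO_PATH_LEN_LIMIT = 2**31 - 1  # assumption: mirrors Java's getBasicConstraints()


def _extension(cert, cls):
    """Return the extension value of type cls, or None if the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def _dn_parts(name):
    return {DN_SHORT_NAMES[a.oid]: a.value for a in name if a.oid in DN_SHORT_NAMES}


def extract_certificate_attributes(cert, include_distribution_points=False):
    """Build a dict keyed by the message attribute names from the table."""
    der = cert.public_bytes(serialization.Encoding.DER)
    subject, issuer = _dn_parts(cert.subject), _dn_parts(cert.issuer)
    attrs = {
        "attribute.lookup.list": dict(subject),
        "attribute.subject.id": cert.subject.rfc4514_string(),
        "attribute.subject.format": "X509DName",
        "cert.subject.id": cert.subject.rfc4514_string(),
        "cert.issuer.id": cert.issuer.rfc4514_string(),
        "cert.hash.md5": hashlib.md5(der).hexdigest(),
        "cert.hash.sha1": hashlib.sha1(der).hexdigest(),
        "cert.serial.number": cert.serial_number,
        "cert.signature.algorithm": cert.signature_algorithm_oid.dotted_string,
        "cert.version": cert.version.value + 1,  # x509.Version.v3.value is 2
        # The *_utc accessors exist in cryptography >= 42; fall back otherwise.
        "cert.not.before": getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before,
        "cert.not.after": getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after,
    }
    for prefix, parts in (("cert.subject.id.", subject), ("cert.issuer.id.", issuer)):
        for short, value in parts.items():
            attrs[prefix + short] = value
    bc = _extension(cert, x509.BasicConstraints)
    if bc is None or not bc.ca:
        attrs["cert.basic.constraints"] = -1  # not a CA, or no extension
    else:
        attrs["cert.basic.constraints"] = NO_PATH_LEN_LIMIT if bc.path_length is None else bc.path_length
    ku = _extension(cert, x509.KeyUsage)
    for bit, read in KEY_USAGE_BITS.items():
        attrs["cert.key.usage." + bit] = bool(read(ku)) if ku is not None else False
    eku = _extension(cert, x509.ExtendedKeyUsage)
    if eku is not None:
        attrs["cert.extended.key.usage"] = ",".join(oid.dotted_string for oid in eku)
    for cls, key in ((x509.SubjectAlternativeName, "cert.subject.alternative.name"),
                     (x509.IssuerAlternativeName, "cert.issuer.alternative.name")):
        alt = _extension(cert, cls)
        if alt is not None:
            attrs[key] = ",".join(alt.get_values_for_type(x509.DNSName))
    if include_distribution_points:  # the "Include Distribution Points" option
        for i, dp in enumerate(_extension(cert, x509.CRLDistributionPoints) or []):
            attrs["distributionpoint.%d" % i] = ",".join(  # .<index> suffix is assumed
                n.value for n in (dp.full_name or []) if isinstance(n, x509.UniformResourceIdentifier))
    return attrs


def make_sample_cert(ca, path_length):
    """Constructed self-signed sample certificate (not a real-world cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "IE"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "Leinster"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "Dublin"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Gateway"),
        x509.NameAttribute(NameOID.COMMON_NAME, "gateway.example.test"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "ops@example.test"),
    ])
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(4660)
        .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=ca,
            encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("gateway.example.test")]), critical=False)
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    sample = make_sample_cert(ca=True, path_length=0)
    for key, value in sorted(extract_certificate_attributes(sample, True).items()):
        print(key, "=", value)
```

Running the module prints one line per generated attribute for a CA certificate with pathLenConstraint 0; changing make_sample_cert to ca=False shows cert.basic.constraints become -1 and the CA-only key usage bits become false, which is the combination a Validate Message Attribute filter would typically check for a client certificate.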