Layer7 API Management

  • 1.  Read QC-Statements of a certificate

    Posted Jan 11, 2019 02:57 AM

    Hello,

     

    The eIDAS certificates used in client authentication for PSD2 have a field called 'Qualified Certificate Statements'.

     

     

    This field contains information about the client which needs to be verified by the gateway. I am fetching fields like subject, thumbprint etc. using the context variable ${request.ssl.clientCertificate.***}

     

    And I am also able to fetch a new attribute "Organisation Identifier" using its OID.

     

    ${request.ssl.clientCertificate.subject.dn.2.5.4.97}

     

    But I am not able to fetch QC-Statements using the same logic. The OID should be 1.3.6.1.5.5.7.1.3.



  • 2.  Re: Read QC-Statements of a certificate

    Broadcom Employee
    Posted Jan 11, 2019 09:40 AM

    Hi,

    I don't think this one is supported at the moment.

    The subject DN is listed in the documentation:

    Certificate Attributes Context Variables - CA API Gateway - 9.3 - CA Technologies Documentation

    But I cannot find the QC-Statements as a valid certificate attribute.

     

    Regards 

    Dirk 



  • 3.  Re: Read QC-Statements of a certificate

    Posted Jan 14, 2019 12:44 PM

    Hi Dirk,

    Thank you for your reply. I guess we would have to create a custom assertion for this.



  • 4.  Re: Read QC-Statements of a certificate

    Posted Apr 03, 2019 10:19 AM

    Hi sapsh01,

     

    Were you able to create a custom assertion for this? We do have the same requirement for retrieving QC-Statements. Are you able to share the code for it?



  • 5.  Re: Read QC-Statements of a certificate

    Posted Apr 03, 2019 10:37 AM

    Hi RemcoDekker

     

    We do have a custom assertion made for reading QC-Statements. Unfortunately, I don't have the code available. From what I have heard, Gateway version 9.4 CR 1 is going to support this feature out of the box.



  • 6.  Re: Read QC-Statements of a certificate

    Posted Apr 03, 2019 03:18 PM

    Thanks sapsh01,

     

    The new 9.4 CR01 works splendidly for the extensions. This is a great feature.

    Unfortunately, the customer is on 9.2 and upgrading will take some time, and it will not be ready before the requirement to verify the Qualified Certificate Statements, which comes with PSD2.



  • 7.  Re: Read QC-Statements of a certificate

    Posted Mar 27, 2019 08:49 AM

    Hi Dirk,

     

    Can you please clarify the notes at the bottom of the docops page you are referring to?

     

    It says:

    (1) If the CA API Gateway cannot recognize an attribute entity ID, it will use the name "oid.1.2.3", where "1.2.3" is the dotted-decimal entity ID of the attribute. If there is no string representation for an attribute value, the variable value will be set to the "#" encoding as defined in RFC 2253.

    My understanding was that unknown attributes can be addressed with <prefix>.oid.1.2.3.

    So is it possible to find the unknown QC-Statements attribute this way?



  • 8.  Re: Read QC-Statements of a certificate

    Posted Apr 03, 2019 10:17 AM

    Reply to self: This is not possible.
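
The QC-Statements extension discussed in this thread (OID 1.3.6.1.5.5.7.1.3) is a DER SEQUENCE of statements, each a statement OID with optional statement info. As an added example that is not code from the thread or from Layer7, the Python below decodes such a value with the standard library and extracts the PSD2 roles and NCA fields; the statement OIDs are taken from the ETSI specifications, and the function names, sample bytes and NCA values are constructed for illustration.

```python
# Added example, not Layer7 code. Input: DER inside the extnValue OCTET STRING.
PSD2_STATEMENT = "0.4.0.19495.2"  # etsi-psd2-qcStatement (ETSI TS 119 495)

def children(der):
    """Split DER octets into a list of (tag, content) elements."""
    out, pos = [], 0
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated DER header")
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = number of length octets
            n = length & 0x7F
            if not 1 <= n <= 4:
                raise ValueError("unsupported DER length")
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        if pos + length > len(der):
            raise ValueError("truncated DER content")
        out.append((tag, der[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:  # base-128 digits; a set high bit means more follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def parse_qc_statements(ext_value):
    """Return {statementId: statementInfo content octets, or None if absent}."""
    result = {}
    [(_, statements)] = children(ext_value)  # outer SEQUENCE OF QCStatement
    for tag, stmt in children(statements):
        (oid_tag, oid), *info = children(stmt)
        if (tag, oid_tag) != (0x30, 0x06):
            raise ValueError("malformed QCStatement")
        result[decode_oid(oid)] = info[0][1] if info else None
    return result

def psd2_info(statements):
    """Return (role names, nCAName, nCAId); KeyError if no PSD2 statement."""
    (_, roles), (_, nca_name), (_, nca_id) = children(statements[PSD2_STATEMENT])
    names = [children(role)[1][1].decode() for _, role in children(roles)]
    return names, nca_name.decode(), nca_id.decode()

SAMPLE = bytes.fromhex(  # constructed value, not taken from a real certificate
    "303f 3008060604008e460101 3033 0606040081982702 3029 3013 3011"
    "060704008198270103 0c065053505f4149 0c0b4578616d706c65204e4341 0c0558582d4558")
```

The parser raises on truncated or malformed input, so a policy built on it rejects the certificate in that case.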