Extracting x509v3 extensions from certificates

Article Id: 108734
Status: Published
Updated On: 31-07-2018 03:40
Products:
STARTER PACK-7 CA Rapid App Security CA API Gateway CA API Gateway
Issue/Introduction:



Using the CA API Gateway, we need to extract a number of attributes/fields from a x509 certificate. 
However, it seems it's not possible to extract x509v3 extensions, such as the qcStatements (OID 1.3.6.1.5.5.7.1.3) or its children. 

Can you provide us any guidelines on how, and whether it is possible, to access such x509v3 extensions from the policy logic? 

Additional information: 

Test certificates (attached): 
- psd2testcert.pem (test certificate with x509v3 extensions) 
- privkey.pem (private key of test certificate) 
- test_keystore.p12 (keystore containing both the test certificate and its private key) 
- ca.crt (issuer of test certificate) 

Using the "Extract Certificates from Certificates" the debugger is not showing any x509v3 extensions. 
When adding e.g. request.ssl.clientCertificate to the inspector of the debugger, you can see that the extensions are part of the object, but it's unclear how to actually access them from any policy logic. 

Data visible when inspecting request.ssl.clientCertificate: 

[1]: ObjectId: 1.3.6.1.5.5.7.1.3 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 52 30 50 30 4E 06 06   04 00 81 98 27 02 30 44  .R0P0N......'.0D 
0010: 30 26 30 11 06 07 04 00   81 98 27 01 02 0C 06 50  0&0.......'....P 
0020: 53 50 5F 50 49 30 11 06   07 04 00 81 98 27 01 03  SP_PI0.......'.. 
0030: 0C 06 50 53 50 5F 41 49   0C 12 45 75 72 6F 70 65  ..PSP_AI..Europe 
0040: 61 6E 20 61 75 74 68 6F   72 69 74 79 0C 06 45 55  an authority..EU 
0050: 2D 4E 43 41                                        -NCA 

The ASN.1 structure of the x509v3 extension we are trying to read is the following: 

SEQUENCE(2 elem) 
OBJECT IDENTIFIER 1.3.6.1.5.5.7.1.3 qcStatements (PKIX private extension) 
OCTET STRING (1 elem) 
SEQUENCE (1 elem) 
SEQUENCE(2 elem) 
OBJECT IDENTIFIER 0.4.0.19495.2 
SEQUENCE (3 elem) 
SEQUENCE (2 elem) 
SEQUENCE (2 elem) 
OBJECT IDENTIFIER 0.4.0.19495.1.2 
UTF8String PSP_PI 
SEQUENCE (2 elem) 
OBJECT IDENTIFIER 0.4.0.19495.1.3 
UTF8String PSP_AI 
UTF8String European authority 
UTF8String EU-NCA

Environment:

API Gateway : 9.3

Resolution:

It looks like the current "Extract Attributes from Certificates" assertion does not support extracting arbitrary extensions out of x509 certificate. 

Looking at the assertion source code, what is exposed as per our docops page, had to be explicitly be extracted and exposed as context variable. 
It sounds like a custom assertion could be a good path for the customer. 

CA support doesn't implement the customer assertions; however, CA Services would do. If you want to engage CA services, you need to contact your account manager about their engagement. 

In order to obtain this file the layer7-api-*.jar, you need to download this component 
" CA API GATEWAY DEVELOPMENTTOOLS-9.3- CUSTOM ASSERTION DEV KIT, GATEWAY MANAGEMENT DEV KIT AND CLIENT, GATEWAY MIGRATION UTILITY - GMU 
GEN500000000000734.zip" from 
https://support.ca.com/us/download-center/product-files.html 

Furthermore, I have included a section how to create a custom assertion from API documentation, please see the link below : 
https://docops.ca.com/ca-api-gateway/9-3/en/policy-assertions/custom-assertions/create-custom-assertions