Extract Subject from a PEM file of a JWKS

Article ID: 182913

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

We need to know if there are some policies that can help us to extract the "Subject" of a PEM file extracted from a given JWKS URL.

We can access the jwks uri and parse the JSON Keys, but we don't know how to get through the "x5u" (or x5c) to obtain the certificate (*.pem file) and manipulate it to obtain the "Subject" information.

We need to validate the Subject of the key used to validate some JWS.

 

Below is an example of one of the KEYs obtained:

{
    "kid" : "c1CkkIkG4_c-iAccO87Um9CnMIk",
    "kty" : "RSA",
    "n" : "t_j4R-WXJx6zT30Utd7ocsOGtf3izEpxSGeW_NvCQDma8gMB9a-SLBMmIdwNgulYohPFDGs4Hyp8OaCF6jZSZm9mH40VDeowlIdj55CRnW02F1_KmY5cJ-6R8mzWO9ApXlEqUmTn-I5mmdjMbovkjqOB7YDTtc13PCiiOLL6mZn4V805sLDBMzgQJjH0oGt_A_cl2m_R6oQWGZZERMdFeaadC5AEZa0Enf891LSKvlJqWsVGKzUyOBESRpHCr8JFnjpwD71oeekxAkK2k57VrVyHWaX33puH3K4ku5YO7wou2smjPS-g10jC4TV4scQkfS70ownI6IiLYBnb6ffTiw",
    "e" : "AQAB",
    "use" : "sig",
    "x5c" : [ "MIIFLTCCBBWgAwIBAgIEWcWFyzANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJHQjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxLjAsBgNVBAMTJU9wZW5CYW5raW5nIFByZS1Qcm9kdWN0aW9uIElzc3VpbmcgQ0EwHhcNMTkwNTEzMTM1NzQ2WhcNMjAwNjEzMTQyNzQ2WjBhMQswCQYDVQQGEwJHQjEUMBIGA1UEChMLT3BlbkJhbmtpbmcxGzAZBgNVBAsTEjAwMTU4MDAwMDFaRVozaEFBSDEfMB0GA1UEAxMWNWZBVkZBc3J1ejJQc0VsRFNhS3RxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf4+Efllyces099FLXe6HLDhrX94sxKcUhnlvzbwkA5mvIDAfWvkiwTJiHcDYLpWKITxQxrOB8qfDmgheo2UmZvZh+NFQ3qMJSHY+eQkZ1tNhdfypmOXCfukfJs1jvQKV5RKlJk5/iOZpnYzG6L5I6jge2A07XNdzwoojiy+pmZ+FfNObCwwTM4ECYx9KBrfwP3Jdpv0eqEFhmWRETHRXmmnQuQBGWtBJ3/PdS0ir5SalrFRis1MjgREkaRwq/CRZ46cA+9aHnpMQJCtpOe1a1ch1ml996bh9yuJLuWDu8KLtrJoz0voNdIwuE1eLHEJH0u9KMJyOiIi2AZ2+n304sCAwEAAaOCAfkwggH1MA4GA1UdDwEB/wQEAwIGwDAVBgNVHSUEDjAMBgorBgEEAYI3CgMMMIHgBgNVHSAEgdgwgdUwgdIGCysGAQQBqHWBBgFkMIHCMCoGCCsGAQUFBwIBFh5odHRwOi8vb2IudHJ1c3Rpcy5jb20vcG9saWNpZXMwgZMGCCsGAQUFBwICMIGGDIGDVXNlIG9mIHRoaXMgQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgT3BlbkJhbmtpbmcgUm9vdCBDQSBDZXJ0aWZpY2F0aW9uIFBvbGljaWVzIGFuZCBDZXJ0aWZpY2F0ZSBQcmFjdGljZSBTdGF0ZW1lbnQwbQYIKwYBBQUHAQEEYTBfMCYGCCsGAQUFBzABhhpodHRwOi8vb2IudHJ1c3Rpcy5jb20vb2NzcDA1BggrBgEFBQcwAoYpaHR0cDovL29iLnRydXN0aXMuY29tL29iX3BwX2lzc3VpbmdjYS5jcnQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL29iLnRydXN0aXMuY29tL29iX3BwX2lzc3VpbmdjYS5jcmwwHwYDVR0jBBgwFoAUUHORxiFy03f0/gASBoFceXluP1AwHQYDVR0OBBYEFGeSE9TJeyxvA7nyNQ83o+LT2QHUMA0GCSqGSIb3DQEBCwUAA4IBAQBYExD2YDpTORVERzkxvPF81LTPVzrUW2CeMA9iBAZWPVaEOnzVebi0may9GAcldKRIUAw0m6zlgL6nvAow2b64tMgTDq9a3YDb4lLUA5qC0NmEe1hky0dYLtq9AePOh5nXYsKM3Rmrm364roI/TPC1VelFO6+dI2/NU9eOWZtJpOBg50Hpov9PwU4AOTLSvcReF6G67SyUuSMMcyd/On7I9EvpvGnIFUnpxTAtGELhVtXwL7R+/LQ6JOUeJ/XiuP4UamdEahtLLb+w7MxDop7WAIBUeo+JUER15Gl3OTSe96uYqqEwau+kA/7z/ukMDtNn5ilEPeQOuCG9GuGuP10U" ],
    "x5t" : "6KFsemvqjNv6Ooy_TRMWvd0ojMQ=",
    "x5u" : "https://keystore.openbankingtest.org.uk/0015800001ZEZ3hAAH/c1CkkIkG4_c-iAccO87Um9CnMIk.pem",
    "x5t#S256" : "D9znOGXHJhcVsFcPU-YTlSrVEsSgASPULsw8qd2g5jM="
  }
Thanks, 
(API Gateway 9.4 CR4)

Environment

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution

The "Extract Attributes from Certificates" assertion helped us to get the subject.dn.
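
To cross-check the value outside the gateway, the subject can be read straight from the "x5c" entry of a key like the one above. The Python below is an added example, not part of the original article and not the gateway's own implementation. It walks the DER of x5c[0] to read the Subject and compares "x5t#S256" with the SHA-256 of that certificate. The function names are hypothetical, and it assumes UTF-8-compatible string types in the name.

```python
import base64, hashlib

# Short names for the attribute OIDs that appear in the page's sample certificate.
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def items(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER TLV inside buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated or malformed DER")
        yield tag, pos, pos + length
        pos += length

def oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def x5c_subject(jwk):
    """Return (subject DN, thumbprint_ok) for the leaf certificate in x5c[0].

    A matching thumbprint only ties the certificate to this JWK entry; the
    chain must still be validated before the subject is relied on.
    """
    der = base64.b64decode(jwk["x5c"][0])     # x5c is standard base64, not base64url
    (_, start, end), = items(der, 0, len(der))  # Certificate ::= SEQUENCE
    tbs = next(items(der, start, end))          # TBSCertificate is its first member
    fields = list(items(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                    # optional [0] version
        fields.pop(0)
    subject = fields[4]                         # serial, sigAlg, issuer, validity, subject
    parts = []
    for _, r1, r2 in items(der, subject[1], subject[2]):   # each RDN (SET)
        for _, a1, a2 in items(der, r1, r2):               # AttributeTypeAndValue
            (_, o1, o2), (_, v1, v2) = items(der, a1, a2)
            name = oid(der[o1:o2])
            parts.append(OIDS.get(name, name) + "=" + der[v1:v2].decode("utf-8"))
    want = jwk.get("x5t#S256", "").rstrip("=")  # the page's sample carries '=' padding
    got = base64.urlsafe_b64encode(hashlib.sha256(der).digest()).decode().rstrip("=")
    return ",".join(reversed(parts)), want == got  # most specific RDN first, no escaping
```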