Certificate Attributes Context Variables

This section lists the variables that can be used to extract attributes from certificate variables.
In the tables below, "${prefix}" represents any prefix that references a credential certificate context variable. For example:
myCertificate.signatureAlgorithmName
request.wss.signingcertificates.value.X.signatureAlgorithmName
mySignature.token.attributes.signatureAlgorithmName
where "X" is the number for each count of certificates. (To retrieve the total number of signing certificates found in the target message, use "${<target>.wss.signingcertificates.count}".)
In the example above, the prefix "myCertificate" is previously defined in the Set Context Variable assertion as:
Set myCertificate = ${request.wss.signingcertificates.value.1}
If a certificate contains EMAILADDRESS in the Subject DN and EMAILADDRESS is used to sign the message with the Issuer Name/Serial Number signature key reference, the Layer7 API Gateway cannot recognize this credential. In this case, use one of the other signature key reference options (BST or SKI). For more information on the signature key reference, see the Sign Element assertion.
For each certificate variable (for example, request.wss.signingcertificates.value.1) the suffixes in the following table are available:
| Variable | Description |
|---|---|
| ${<prefix>.base64} | The BASE64 encoded certificate (without whitespace) |
| ${<prefix>.certificatePolicies} | The certificate policies information. Each value is an entity ID. |
| ${<prefix>.countryOfCitizenship} | An array of the countries of citizenship reported in the certificate |
| ${<prefix>.der} | The DER encoded certificate |
| ${<prefix>.extendedKeyUsageCriticality} | Criticality of the extended key usage field (none, noncrit, critical) |
| ${<prefix>.extendedKeyUsageValues} | The extended key usage information. Each value is an entity ID. |
| ${<prefix>.issuer} | The Issuer DN (e.g., "CN=OASIS Interop Test CA, O=OASIS") |
| ${<prefix>.issuer.canonical} | The Issuer DN in canonical format, for comparisons: limited subset of entity ID names; strict sorting, whitespace, and case rules |
| ${<prefix>.issuer.rfc2253} | The Issuer DN in RFC 2253 format, for correct but still reasonably pretty output (only includes RFC 2253 entity ID names) |
| ${<prefix>.issuer.dn.${key}} | An array of values for the Issuer DN parts that have the key ${key} |
| ${<prefix>.issuerAltNameEmail} | Email address (if any) from the Issuer Alternative Name (RFC 822 name) (e.g., "[email protected]") |
| ${<prefix>.issuerAltNameDNS} | DNS name (if any) from the Issuer Alternative Name (e.g., "ca.oasis-open.org") |
| ${<prefix>.issuerAltNameOther} | The OTHER type for the Issuer Alternative Name, as a Base-64 encoded string |
| ${<prefix>.issuerAltNameURI} | Uniform Resource Identifier (if any) from the Issuer Alternative Name (e.g., "http://ca.oasis-open.org/") |
| ${<prefix>.keyUsage.crlSign} | CRL Sign (true/false) |
| ${<prefix>.keyUsage.dataEncipherment} | Data Encipherment (true/false) |
| ${<prefix>.keyUsage.decipherOnly} | Decipher Only (true/false) |
| ${<prefix>.keyUsage.digitalSignature} | Digital Signature (true/false) |
| ${<prefix>.keyUsage.encipherOnly} | Encipher Only (true/false) |
| ${<prefix>.keyUsage.keyAgreement} | Key Agreement (true/false) |
| ${<prefix>.keyUsage.keyCertSign} | Key Certificate Sign (true/false) |
| ${<prefix>.keyUsage.keyEncipherment} | Key Encipherment (true/false) |
| ${<prefix>.keyUsage.nonRepudiation} | Non Repudiation (true/false) |
| ${<prefix>.keyUsageCriticality} | Whether the key usage extension is present and, if so, whether it is critical. Values: none = extension not present; noncrit = extension is present but not critical; critical = extension is present and critical |
| ${<prefix>.notAfter} | The certificate Not After date (e.g., "2018-03-19T23:59:59.000Z") |
| ${<prefix>.notBefore} | The certificate Not Before date (e.g., "2005-03-19T00:00:00.000Z") |
| ${<prefix>.pem} | The PEM encoded certificate |
| ${<prefix>.serial} | The certificate serial number (e.g., "68652640310044618358965661752471103641") |
| ${<prefix>.signatureAlgorithmName} | The name of the signature algorithm for the certificate (e.g., "SHA1withRSA") |
| ${<prefix>.signatureAlgorithmOID} | The entity ID of the signature algorithm for the certificate (e.g., "1.2.840.113549.1.1.5") |
| ${<prefix>.subject} | The Subject DN (e.g., "CN=Alice, OU=OASIS Interop Test Cert, O=OASIS") |
| ${<prefix>.subject.canonical} | The Subject DN in canonical format, for comparisons: limited subset of entity ID names; strict sorting, whitespace, and case rules |
| ${<prefix>.subject.dn.${key}} | An array of values for the Subject DN parts that have the key ${key} |
| ${<prefix>.subject.rfc2253} | The Subject DN in RFC 2253 format, for correct but still reasonably pretty output (only includes RFC 2253 entity ID names) |
| ${<prefix>.subjectAltNameEmail} | Email address (if any) from the Subject Alternative Name (RFC 822 name) (e.g., "[email protected]") |
| ${<prefix>.subjectAltNameDNS} | DNS name (if any) from the Subject Alternative Name (e.g., "example2.oasis-open.org") |
| ${<prefix>.subjectAltNameOther} | The OTHER type for the Subject Alternative Name, as a Base-64 encoded string |
| ${<prefix>.subjectAltNameURI} | Uniform Resource Identifier (if any) from the Subject Alternative Name (e.g., "http://example2.oasis-open.org/") |
| ${<prefix>.subjectKeyIdentifier} | The BASE64 encoded value of the Subject Key Identifier (SKI) extension, or the derived SKI if the extension is not present |
| ${<prefix>.subjectPublicKey} | The Base64-encoded SubjectPublicKeyInfo structure from the certificate |
| ${<prefix>.subjectPublicKeyAlgorithm} | The name of the algorithm used for the subject's public key (e.g., "RSA") |
| ${<prefix>.thumbprintSHA1} | The BASE64 encoded value of the SHA-1 hash of the DER encoded certificate |
| ${<prefix>.thumbprintSHA256} | The BASE64 encoded value of the SHA-256 hash of the DER encoded certificate |
Attributes for Subject/Issuer DN
To extract the attributes for the Subject DN or Issuer DN, the Layer7 API Gateway parses and groups them based on the type and/or position. Consider the following sample Subject DN:
CN=fred, [email protected], OU=IT, OU=Services, DC=acme, DC=org, C=US
Positions are numbered from the end of the DN, so C=US is position 1 and CN=fred is position 7:

| Position | RDN |
|---|---|
| 7 | CN=fred |
| 6 | OU=support, [email protected] (this position holds two attributes) |
| 5 | OU=IT |
| 4 | OU=Services |
| 3 | DC=acme |
| 2 | DC=org |
| 1 | C=US |

The sample above will produce the following context variables, any of which can have multiple values:
| Name | Value(s) |
|---|---|
| ${<prefix>.subject.dn.c} | US |
| ${<prefix>.subject.dn.cn} | fred |
| ${<prefix>.subject.dn.email} | [email protected] |
| ${<prefix>.subject.dn.dc} | acme, org |
| ${<prefix>.subject.dn.ou} | support, IT, Services |
| ${<prefix>.subject.dn.1} | C=US |
| ${<prefix>.subject.dn.2} | DC=org |
| ${<prefix>.subject.dn.3} | DC=acme |
| ${<prefix>.subject.dn.4} | OU=Services |
| ${<prefix>.subject.dn.5} | OU=IT |
| ${<prefix>.subject.dn.6} | OU=support, [email protected] |
| ${<prefix>.subject.dn.7} | CN=fred |
| ${<prefix>.subject.dn.1.c} | US |
| ${<prefix>.subject.dn.2.dc} | org |
| ${<prefix>.subject.dn.3.dc} | acme |
| ${<prefix>.subject.dn.4.ou} | Services |
| ${<prefix>.subject.dn.5.ou} | IT |
| ${<prefix>.subject.dn.6.email} | [email protected] |
| ${<prefix>.subject.dn.6.ou} | support |
| ${<prefix>.subject.dn.7.cn} | fred |
(1) If the Layer7 API Gateway cannot recognize an attribute entity ID, it uses the name "oid.1.2.3", where "1.2.3" is the dotted-decimal entity ID of the attribute.
(2) If there is no string representation for an attribute value (for example, "DC"), the value is encoded as an octothorpe character ('#', ASCII 35) followed by the hexadecimal representation of each byte of the BER encoding, as defined in RFC 2253.