PKI Policy defines the Certificate Authority certificates (trust anchors) and the CRL/OCSP endpoints used when validating certificates or certificate chains, and the attributes generated from the subject and issuer certificates.

The user's certificate is defined to be included in a SAML Assertion or OpenID Connect id_token by defining the Subject element's KeyInfoConfirmationData attribute as true. The user's certificate is used by SSO to write the audit log entry “certificate received”.


PKI Policy XML configuration file

An example PKI policy XML configuration file is shown below.

Code Block
<?xml version="1.0" encoding="iso-8859-1"?>
<Policy 
    xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust crl="ldap://ldap.fineid.fi:389/cn%3dVRK%20Gov.%20CA%20for%20Citizen%20Qualified%20Certificates,ou%3dValtion%20kansalaisvarmenteet,o%3dVaestorekisterikeskus%20CA,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">
      MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJG
      STEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0ZXJpa2Vz
      a3VzIENBMSkwJwYDVQQLEyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBTZXJ2aWNl
      czEZMBcGA1UECxMQVmFybWVubmVwYWx2ZWx1dDEZMBcGA1UEAxMQVlJLIEdvdi4g
      Um9vdCBDQTAeFw0wMzAxMTAxMjU5MDVaFw0xOTAxMDkxMjU4MzBaMIGhMQswCQYD
      VQQGEwJGSTEQMA4GA1UECBMHRmlubGFuZDEhMB8GA1UEChMYVmFlc3RvcmVraXN0
      ZXJpa2Vza3VzIENBMSQwIgYDVQQLExtWYWx0aW9uIGthbnNhbGFpc3Zhcm1lbnRl
      ZXQxNzA1BgNVBAMTLlZSSyBHb3YuIENBIGZvciBDaXRpemVuIFF1YWxpZmllZCBD
      ZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Aj52
      7olxDHOtkQQU+BG1FUs0xOy8Qw2z3NmgV7yOkYRwi/C7aAbvaye712q8APGiDa+P
      f0N/XzQNynWWyzC2krv+fQq5YjGypRbnvciAtGbJQSXBoX58eV6sd5CWLKGMo1gH
      xsXNU6L9v9XlSWLUH4xbYvQt+oxfptgJbK5E+71OYC8DL0KU6xmlEfuPNQZ1Rf3p
      qqlEfmQjP24ubcgy3ZAHVTFBh7rT66pw+L5zAVPYBCyUG7rdXHS9hulRa4Y8w3BF
      RBxbChHsc7tuKk9kQmNGhQAJ7CdJx3V5kPsrxnuztOunimeBKoB5X3wgvk9f64n6
      0Jp0qumnY4l9V6oZAgMBAAGjggHHMIIBwzASBgNVHRMBAf8ECDAGAQH/AgEAMBEG
      CWCGSAGG+EIBAQQEAwIBBjCBywYDVR0gBIHDMIHAMIG9BgkqgXaEBQEKAQEwga8w
      gYQGCCsGAQUFBwICMHgadlZhcm1lbm5lcG9saXRpaWtrYSBvbiBzYWF0YXZpbGxh
      IC0gQ2VydGlmaWthdCBwb2xpY3kgZmlubnMgLSBDZXJ0aWZpY2F0ZSBwb2xpY3kg
      aXMgYXZhaWxhYmxlIGh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEwJgYIKwYBBQUH
      AgEWGmh0dHA6Ly93d3cuZmluZWlkLmZpL2NwczEvMEIGCCsGAQUFBwEBBDYwNDAy
      BggrBgEFBQcwAoYmaHR0cDovL3Byb3h5LmZpbmVpZC5maS9jYS92cmtyb290Yy5j
      cnQwDgYDVR0PAQH/BAQDAgHGMB8GA1UdIwQYMBaAFNvp4ZvS0SQL/KvjoGfqrpxL
      d/SwMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9wcm94eS5maW5laWQuZmkvYXJs
      L3Zya3Jvb3RhLmNybDAdBgNVHQ4EFgQUiFpvHUJHgob91+kNslfPTVAoBBcwDQYJ
      KoZIhvcNAQEFBQADggEBAEXit6ypQO+0RbVTK57SKT1jsqE8dUiwL8oevvdBiFpR
      4HxEZZy8e/OGAvF3Hc/Hjc8cOjlsYToqztg16cOFI4vHZ+yC8rWh4TpuWgvkS80h
      //jcweAayp6E/Z0z928vTNILBD34YJQvpU4u7jyhSaY3tzybKjlSAo5lahiI32a9
      MNZXGoNv+j+MKq1NJkpgpy6/VEa5Z4RdRx43/EZhs45WvxTfER+nUC1loQngFKOS
      jdWG3GhOAh13nM9jYASBtC7ONddvoByfzwUOQ+BOf08R2bvZA+2CDFI8PuYqxCFv
      BMCpQSCdVL6tEYxeWIQb+uIQsfAEfjC3AQuTNh/UiW8=
    </Trust>
  </PKI> 

  <Subject KeyInfoConfirmationData="true"/> 

  <Attributes>
    <!-- Subject's SHA-1 fingerprint -->
    <Add name="subject.fingerprint">
      <Digest source="subject" algorithm="sha1" />
    </Add>
    <!-- Subject's distinguished name -->
    <Add name="subject.dn">
      <Field source="subject"/>
    </Add>
    <!-- Issuer's distinguished name -->
    <Add name="issuer.dn">
      <Field source="issuer"/>
    </Add>
    <!-- Subject's attributes 2.5.4.4 (surname) and 2.5.4.42 (givenName) separated by space -->
    <Add name="subject.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content="&#32;" />
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>

Trust anchors are defined in Trust elements enclosed in the PKI element. The corresponding CRL distribution point is defined in the crl attribute. Other trust anchors may be added by defining a new Trust element for each trusted issuer.

The subject certificate is defined to be included in the SubjectConfirmation of the SAML Assertion by defining the Subject element's KeyInfoConfirmationData attribute as true. The subject certificate is used by SSO to write the audit log entry “certificate received”.

In addition to certificate path validation, this configuration defines the attributes sent to SSO as SAML Assertion attributes and OpenID Connect id_token claims; these are defined in the Attributes element. For example, the user certificate may be included, specific attributes may be extracted from the certificate and relayed back to the service provider, a fingerprint of the certificate may be computed with a specified message digest algorithm, and several normalization schemes may be applied to extracted attributes. The name of the attribute is defined in the name attribute of the Add element. The content of the attribute is defined in the enclosed elements. In this example:

  • The attribute subject.fingerprint is defined as the SHA-1 digest (fingerprint) of the subject certificate.

  • The attribute subject.dn is defined as the distinguished name of the subject certificate.

  • The attribute issuer.dn is defined as the distinguished name of the issuer certificate.

  • The attribute subject.name is defined to be concatenated from attribute OID 2.5.4.4 (surname), &#32; (a space character) and attribute OID 2.5.4.42 (givenName).
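To make the Attributes semantics concrete, the following added example (not Ubisecure's code) evaluates an Attributes section like the one above against a certificate. The two certificates are constructed in-memory stand-ins (placeholder DER bytes plus DN components as (OID, value) pairs), the names SUBJECT_CERT, ISSUER_CERT, field_value, evaluate and build_attributes are this example's own, and the DN serialization is a simplified RFC 2253 style rather than X500Principal.toString().

```python
"""Evaluate the <Attributes> section of a PKI Policy document.

Added example, not Ubisecure's own code. The two certificates are constructed
in-memory stand-ins (placeholder DER bytes plus DN components as (OID, value)
pairs) so the script runs offline; a real deployment takes both from the
validated certificate chain. field_value() is a simplified RFC 2253 style
serialization and does not reproduce X500Principal.toString().
"""
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://ubisecure.com/schema/certagent.xsd}"

# Constructed policy mirroring the <Attributes> section of the page's example.
POLICY_XML = """<?xml version="1.0"?>
<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI><Trust>MAMCAQE=</Trust></PKI>
  <Subject KeyInfoConfirmationData="true"/>
  <Attributes>
    <Add name="subject.fingerprint"><Digest source="subject" algorithm="sha1"/></Add>
    <Add name="subject.dn"><Field source="subject"/></Add>
    <Add name="issuer.dn"><Field source="issuer"/></Add>
    <Add name="subject.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content="&#32;"/>
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>
"""

# Constructed certificates. DN components are listed in certificate order
# (country first); the DER bytes are placeholders, not real certificates.
SUBJECT_CERT = {
    "der": b"constructed-subject-certificate-der",
    "dn": [("2.5.4.6", "FI"), ("2.5.4.4", "Meikalainen"),
           ("2.5.4.42", "Matti"), ("2.5.4.5", "123456789")],
}
ISSUER_CERT = {
    "der": b"constructed-issuer-certificate-der",
    "dn": [("2.5.4.6", "FI"), ("2.5.4.10", "Example CA"),
           ("2.5.4.3", "Example Test CA")],
}
CERTS = {"subject": SUBJECT_CERT, "issuer": ISSUER_CERT}

# LDAP short names for the OIDs used above; unknown OIDs are written out in full.
SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.4": "SN", "2.5.4.5": "SERIALNUMBER",
               "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.42": "GIVENNAME"}


def field_value(cert):
    """Simplified RFC 2253 serialization: most specific RDN first, comma separated."""
    return ",".join(f"{SHORT_NAMES.get(oid, oid)}={value}"
                    for oid, value in reversed(cert["dn"]))


def evaluate(element, certs):
    """Turn one ValueGroup element (Attribute, Concat, Digest, Field, Text) into a string."""
    tag = element.tag.replace(NS, "")
    if tag == "Text":
        return element.get("content", "")
    if tag == "Concat":
        return "".join(evaluate(child, certs) for child in element)
    # The remaining elements read from the subject or issuer certificate.
    cert = certs[element.get("source")]
    if tag == "Digest":
        algorithm = element.get("algorithm")
        if algorithm not in ("md5", "sha1"):          # the schema's enumeration
            raise ValueError(f"unsupported digest algorithm {algorithm!r}")
        return hashlib.new(algorithm, cert["der"]).hexdigest()
    if tag == "Field":
        if element.get("normalize") is not None:
            raise ValueError("normalize schemes are not modelled in this example")
        return field_value(cert)
    if tag == "Attribute":
        oid = element.get("oid")
        values = [value for o, value in cert["dn"] if o == oid]
        if not values:
            raise ValueError(f"certificate has no attribute {oid}")
        return values[0]
    raise ValueError(f"unexpected element {tag}")


def build_attributes(policy_xml, certs):
    """Return {attribute name: value} for every <Add> in the policy's <Attributes>."""
    root = ET.fromstring(policy_xml)
    result = {}
    for add in root.find(NS + "Attributes"):
        children = list(add)
        if len(children) != 1:                         # AddType allows exactly one child
            raise ValueError(f"<Add name={add.get('name')!r}> must contain one element")
        result[add.get("name")] = evaluate(children[0], certs)
    return result


if __name__ == "__main__":
    for name, value in build_attributes(POLICY_XML, CERTS).items():
        print(f"{name} = {value}")
```

The Digest branch rejects anything outside the md5/sha1 enumeration of the schema, and build_attributes rejects an Add with more or fewer than one child, which is the same constraint AddType expresses with its ValueGroup choice.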

The structure and data types of the configuration document are described in the following schema.

Schema Explanation

The <Policy/> element

Code Block
<xs:element name="Policy" type="PolicyType" />
<xs:complexType name="PolicyType">
	<xs:sequence>
		<xs:element ref="PKI" />
		<xs:element ref="Subject" />
		<xs:element ref="Attributes" />
	</xs:sequence>
</xs:complexType>

The policy element defines three required child elements: PKI, Subject and Attributes.

The <PKI/> element

Code Block
<xs:element name="PKI" type="PKIType" />
<xs:complexType name="PKIType">
	<xs:sequence minOccurs="1" maxOccurs="unbounded">
		<xs:element ref="Trust" />
	</xs:sequence>
</xs:complexType>

The PKI element encapsulates <Trust/> definitions. At least one certificate authority (CA) must be configured.

The <Trust /> element

Code Block
<xs:element name="Trust" type="TrustType" /> 
<xs:complexType name="TrustType">
  <xs:simpleContent>
    <xs:extension base="xs:base64Binary">
      <xs:attribute name="crl" type="xs:anyURI" use="optional" />
      <xs:attribute name="crlref" type="xs:IDREF" use="optional" />
      <xs:attribute name="ocsp" type="xs:anyURI" use="optional" />
      <xs:attribute name="ocspref" type="xs:IDREF" use="optional" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>

The <Trust /> element represents a trusted certificate authority. The element contains a Base64-encoded certificate. The element may also carry a crl attribute defining a CRL URL or an ocsp attribute defining an OCSP URL.

Optionally, CRL and OCSP URLs can be defined in separate <CRL /> and <OCSP /> elements associated with the <Trust /> element, and referenced by their id in the crlref and ocspref attributes of the <Trust /> element.

The <CRL /> and <OCSP /> elements

Code Block
<xs:element name="CRL" type="CRLType" />
<xs:element name="OCSP" type="OCSPType" />
<xs:complexType name="CRLType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="OCSPType">
  <xs:complexContent>
    <xs:extension base="PropertiesType">
      <xs:attribute name="uri" type="xs:anyURI" use="required" />
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
<xs:complexType name="PropertiesType" abstract="true">
  <xs:sequence minOccurs="0" maxOccurs="unbounded">
    <xs:element name="Property" type="PropertyType" />
  </xs:sequence>
  <xs:attribute name="id" type="xs:ID" use="optional" />
</xs:complexType>
<xs:complexType name="PropertyType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="name" type="xs:string" use="required" />
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>

The <CRL /> and <OCSP /> elements represent a CRL endpoint and an OCSP endpoint respectively. The endpoint URL is defined in the uri attribute and an optional identifier in the id attribute. The identifier can be used in a <Trust /> element as the value of the crlref or ocspref attribute to refer to the <CRL /> or <OCSP /> element, in which case the CRL or OCSP endpoint is used only with that trust anchor. A <CRL /> or <OCSP /> element without an id attribute is used with any trust anchor.

PKI Policy supports only one OCSP endpoint per trust anchor.

For example:

Code Block
<Trust ocspref="gspersonalsign2g2">MIIEVz...7H34U=</Trust>
<OCSP uri="http://ocsp2.globalsign.com/gspersonalsign2g2" id="gspersonalsign2g2"/>
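The rules stated above (at least one Trust per PKI, a Base64 certificate in each Trust, crlref/ocspref resolving to an id, one OCSP endpoint per trust anchor) are easy to break by hand-editing the policy. The following added example (not Ubisecure's own code) checks them over a policy document before deployment. It assumes that <CRL/> and <OCSP/> elements may sit anywhere in the document and that an id-less <OCSP/> counts towards every trust anchor's endpoint total; FAKE_CERT_B64, GOOD_POLICY, BAD_POLICY and check_pki are this example's own names.

```python
"""Structural checks for the <PKI> section of a PKI Policy document.

Added example, not Ubisecure's own code. It checks the rules stated on this
page: at least one <Trust> inside <PKI>, a Base64 DER certificate in each
<Trust>, crl/ocsp attributes that are absolute URIs, crlref/ocspref values that
match the id of a <CRL>/<OCSP> element, and at most one OCSP endpoint per trust
anchor. Two points are assumptions of this example: <CRL>/<OCSP> elements are
looked up anywhere in the document (the page's example places them next to
<Trust>), and an id-less <OCSP> counts towards every trust anchor's total.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://ubisecure.com/schema/certagent.xsd}"

# Constructed stand-in for a DER certificate: a minimal ASN.1 SEQUENCE, not a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed policy that satisfies every rule.
GOOD_POLICY = f"""<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust crl="http://crl.example.test/ca.crl" ocspref="anchor1">
      {FAKE_CERT_B64}
    </Trust>
    <OCSP uri="http://ocsp.example.test/" id="anchor1"/>
  </PKI>
  <Subject KeyInfoConfirmationData="true"/>
  <Attributes/>
</Policy>
"""

# Constructed policy with three defects: bad certificate text, dangling ocspref,
# and a trust anchor given two OCSP endpoints (ocsp attribute plus ocspref).
BAD_POLICY = f"""<Policy xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust ocspref="missing">not base64!!</Trust>
    <Trust ocsp="http://ocsp.example.test/" ocspref="anchor1">{FAKE_CERT_B64}</Trust>
    <OCSP uri="http://ocsp.example.test/" id="anchor1"/>
  </PKI>
  <Subject KeyInfoConfirmationData="true"/>
  <Attributes/>
</Policy>
"""


def _decode_certificate(text):
    """Return DER bytes if text is valid Base64 for an ASN.1 SEQUENCE, else None."""
    try:
        der = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Every X.509 certificate is a DER SEQUENCE, which starts with tag 0x30.
    return der if der[:1] == b"\x30" else None


def check_pki(policy_xml):
    """Return a list of problems; an empty list means the PKI section passes."""
    root = ET.fromstring(policy_xml)
    pki = root.find(NS + "PKI")
    if pki is None:
        return ["Policy has no PKI element"]
    problems = []
    trusts = pki.findall(NS + "Trust")
    if not trusts:
        problems.append("PKI must contain at least one Trust element")
    crl_ids = {e.get("id") for e in root.iter(NS + "CRL") if e.get("id")}
    ocsp_ids = {e.get("id") for e in root.iter(NS + "OCSP") if e.get("id")}
    global_ocsp = sum(1 for e in root.iter(NS + "OCSP") if not e.get("id"))
    for n, trust in enumerate(trusts, start=1):
        where = f"Trust #{n}"
        if _decode_certificate(trust.text or "") is None:
            problems.append(f"{where}: content is not a Base64-encoded DER certificate")
        for attr in ("crl", "ocsp"):
            uri = trust.get(attr)
            if uri is not None and not urlparse(uri).scheme:
                problems.append(f"{where}: {attr}={uri!r} is not an absolute URI")
        for attr, ids in (("crlref", crl_ids), ("ocspref", ocsp_ids)):
            ref = trust.get(attr)
            if ref is not None and ref not in ids:
                problems.append(f"{where}: {attr}={ref!r} matches no {attr[:-3].upper()} element id")
        # Sources of an OCSP endpoint for this anchor: ocsp attribute, ocspref, global OCSP.
        endpoints = (trust.get("ocsp") is not None) + (trust.get("ocspref") is not None) + global_ocsp
        if endpoints > 1:
            problems.append(f"{where}: {endpoints} OCSP endpoints apply, only one per trust anchor is supported")
    return problems


if __name__ == "__main__":
    print("good policy:", check_pki(GOOD_POLICY) or "no problems")
    print("bad policy:", check_pki(BAD_POLICY))
```

The certificate check only confirms that the element holds Base64 of a DER SEQUENCE; it does not parse or validate the certificate itself, which is the job of the path validation the policy configures.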

The <Subject /> element

Code Block
<xs:element name="Subject" type="SubjectType" />
<xs:complexType name="SubjectType">
	<xs:attribute name="KeyInfoConfirmationData" type="xs:boolean" />
</xs:complexType>


The <Attributes /> element

Code Block
<xs:element name="Attributes" type="AttributesType" />
<xs:complexType name="AttributesType">
	<xs:sequence minOccurs="0" maxOccurs="unbounded">
		<xs:element ref="Add" />
	</xs:sequence>
</xs:complexType>


The <Add /> element

Code Block
<xs:element name="Add" type="AddType" />
<xs:complexType name="AddType">
	<xs:group ref="ValueGroup" />
	<xs:attribute name="name" type="xs:string" use="required" />
</xs:complexType>

This element is used to add response attributes to the assertion. Each <Add/> element can contain one of the child elements defined in ValueGroup.

Code Block
<xs:group name="ValueGroup">
	<xs:choice>
		<xs:element ref="Attribute" />
		<xs:element ref="Concat" />
		<xs:element ref="Digest" />
		<xs:element ref="Field" />
		<xs:element ref="Text" />
	</xs:choice>
</xs:group>

The <Attribute /> element

Code Block
<xs:element name="Attribute" type="AttributeType" />
<xs:complexType name="AttributeType">
	<xs:complexContent>
		<xs:attribute name="source" type="SourceAttributeType" use="required" />
		<xs:attribute name="oid" type="xs:string" use="required" />
	</xs:complexContent>
</xs:complexType> 


The <Concat /> element

Code Block
<xs:element name="Concat" type="ConcatType" />
<xs:complexType name="ConcatType">
	<xs:complexContent>
		<xs:group ref="ValueGroup" maxOccurs="unbounded" />
	</xs:complexContent>
</xs:complexType>

The <Concat/> element concatenates information defined by elements of the ValueGroup definition. Each defined element is individually parsed to a textual representation and concatenated with each other to form a single string.


The <Digest /> element

Code Block
<xs:element name="Digest" type="DigestType" />
<xs:complexType name="DigestType">
	<xs:complexContent>
		<xs:attribute name="source" type="SourceAttributeType" use="required" />
		<xs:attribute name="algorithm" use="required">
			<xs:simpleType>
				<xs:restriction base="xs:string">
					<xs:enumeration value="md5" />
					<xs:enumeration value="sha1" />
				</xs:restriction>
			</xs:simpleType> 
		</xs:attribute>
	</xs:complexContent>
</xs:complexType>


The <Field /> element

Code Block
<xs:element name="Field" type="FieldType" />
<xs:complexType name="FieldType">
	<xs:complexContent>
		<xs:attribute name="source" type="SourceAttributeType" use="required" />
		<xs:attribute name="normalize" type="xs:string" use="optional" />
	</xs:complexContent>
</xs:complexType>

The <Field /> element allows submitting either the subject's or the issuer's distinguished name. The names' string representations are, by default, serialized by the JDK X500Principal.toString() method. The normalization routine can be controlled by defining one of the following values in the normalize attribute:

Value: RFC1779
Description: The distinguished name in the RFC1779 format of X500Principal.getName(String), see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String). This value is case insensitive.

Value: RFC2253
Description: The distinguished name in the RFC2253 format of X500Principal.getName(String), see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String). This value is case insensitive.

Value: CANONICAL
Description: The distinguished name in the CANONICAL format of X500Principal.getName(String), see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String). This value is case insensitive.

Value: altSecurityIdentities
Description: See https://msdn.microsoft.com/en-us/library/ms675221(v=vs.85).aspx. This value is case sensitive. The normalization routine reverses the subject's and issuer's DNs, replaces the DN component names according to the scheme below and finally concatenates them to the form "<I>issuer dn<S>subject dn".

The component name normalization scheme (Active Directory with Windows 2003 Service Pack 1):

Code Block
OID.2.5.4.3=CN
OID.2.5.4.6=C
OID.2.5.4.7=L
OID.2.5.4.8=S
OID.2.5.4.10=O
OID.2.5.4.11=OU
OID.2.5.4.12=T
OID.2.5.4.4=SN
OID.2.5.4.42=G
OID.2.5.4.5=SERIALNUMBER
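The altSecurityIdentities normalization described above, as an added example that is not Ubisecure's code: it maps OIDs with the component-name scheme from the table, reverses each DN and joins the pair as "<I>issuer dn<S>subject dn". The comma separator, the RFC 2253 style escaping of special characters in values, writing unknown OIDs as OID.x.y.z, and the names COMPONENT_NAMES, normalize_dn and alt_security_identity are this example's assumptions; the sample DNs are constructed.

```python
"""altSecurityIdentities normalization of an issuer and subject DN pair.

Added example, not Ubisecure's code. It applies the component-name scheme from
the table above (OID -> Active Directory short name), reverses each DN and
concatenates the two as "<I>issuer dn<S>subject dn". The comma separator,
RFC 2253 style escaping of special characters in values, and writing unknown
OIDs as OID.x.y.z are assumptions of this example.
"""

# The component-name scheme from the page (Active Directory, Windows 2003 SP1).
COMPONENT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "S",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.12": "T", "2.5.4.4": "SN",
    "2.5.4.42": "G", "2.5.4.5": "SERIALNUMBER",
}

# Characters that carry DN syntax and must be escaped inside a value (assumed, RFC 2253 style).
_SPECIALS = ',+"\\<>;'


def _escape(value):
    """Backslash-escape DN syntax characters so a value cannot split or spoof an RDN."""
    out = "".join("\\" + ch if ch in _SPECIALS else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    return out


def normalize_dn(components):
    """components: (OID, value) pairs in certificate order (root-most first).

    Returns the reversed DN with short component names, most specific RDN first.
    """
    return ",".join(f"{COMPONENT_NAMES.get(oid, 'OID.' + oid)}={_escape(value)}"
                    for oid, value in reversed(components))


def alt_security_identity(issuer_dn, subject_dn):
    """Build the "<I>issuer dn<S>subject dn" form used for altSecurityIdentities."""
    return f"<I>{normalize_dn(issuer_dn)}<S>{normalize_dn(subject_dn)}"


# Constructed sample DNs in certificate order (country first).
ISSUER_DN = [("2.5.4.6", "FI"), ("2.5.4.10", "Example Org"), ("2.5.4.3", "Example CA")]
SUBJECT_DN = [("2.5.4.6", "FI"), ("2.5.4.5", "123456789"),
              ("2.5.4.4", "Meikalainen"), ("2.5.4.42", "Matti")]

if __name__ == "__main__":
    print(alt_security_identity(ISSUER_DN, SUBJECT_DN))
```

Because the mapping value is matched against an AD attribute verbatim, any difference in escaping, ordering or component naming between the product's routine and the directory entry will fail the lookup; comparing the output of this function with the altSecurityIdentities value stored in the directory is a quick way to check a mapping before enabling certificate logon.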


The <Text /> element

Code Block
<xs:element name="Text" type="TextType" />
<xs:complexType name="TextType">
	<xs:complexContent>
		<xs:attribute name="content" type="xs:string" />
	</xs:complexContent>
</xs:complexType>

This element can be used to include arbitrary text in the response attributes or use the text in concatenation with other elements.

The source attribute

Code Block
<xs:simpleType name="SourceAttributeType">
    <xs:restriction base="xs:string">
        <xs:enumeration value="subject" />
        <xs:enumeration value="issuer" />
    </xs:restriction>
</xs:simpleType>

The value of the source attribute of the Attribute, Field and Digest elements can be either subject or issuer. It denotes the source certificate for the element: either the subject certificate or the issuer of the subject certificate.