CertificateAuthenticationLoginModule class

The certificate authentication provider authenticates the user by verifying that the password field contains the certificate as well as the certificate digest encrypted with the corresponding private key.

Syntax

public class CertificateAuthenticationLoginModule

Remarks

This provider authenticates the user by verifying that the password field contains the certificate as well as the certificate digest encrypted with the corresponding private key. Further, it compares the specified username with the subjectDN extracted from the certificate using the configured regular expression. After successfully validating the certificate, the provider stores the certificate in the shared context state indexed with the key ProviderConst.CERTIFICATE_SHARED_KEY so other providers in the security configuration can access it.

Upon successful authentication, a CertificateIDPrincipal with the specified username and a public credential CertificateCredential (containing the certificate used for authentication, stored under the configured credential name) are added to the authenticated JAAS subject.

The provider expects the common name (from the certificate) as the username and the base64 encoded ASN.1 structure

CertBlob ::= SEQUENCE {
    x509Cert OCTET STRING,
    signature OCTET STRING,
    algorithm INTEGER
}

in the password field.

The digest of the certificate is expected to be encrypted using the private key. The only supported value for the algorithm identifier in the ASN.1 sequence is "1". It corresponds to "SHA1" for computing the digest and "RSA/ECB/PKCS1Padding" for decrypting the encrypted digest.
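The following is an added example, not the product's own code, showing both sides of the CertBlob exchange described above using only the JDK (Java 11 or later): a client-side builder that encodes the certificate, the private-key-encrypted SHA-1 digest and the algorithm value 1 into the DER SEQUENCE, and a server-side check of the kind the login module has to perform before trusting the username. The DER layout, the algorithm value and the "SHA1" / "RSA/ECB/PKCS1Padding" names come from the page; the class and method names, the choice to digest the certificate's DER encoding, and the regular expression that extracts the CN from the subject DN are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

/* Added example (not the product's code). Names, the digest input (certificate DER encoding)
 * and the CN regex are assumptions; the CertBlob layout and algorithm 1 are from the page. */
public final class CertBlobExample {

    static final byte ALG_SHA1_RSA_PKCS1 = 1;     // the only algorithm value the page documents

    /* Encodes one DER TLV (short or long-form length). */
    private static byte[] der(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (content.length < 0x80) { out.write(content.length); }
        else {                                        // long form: 0x80 | byte count, then big-endian length
            byte[] n = BigInteger.valueOf(content.length).toByteArray();
            if (n[0] == 0) n = Arrays.copyOfRange(n, 1, n.length);
            out.write(0x80 | n.length); out.writeBytes(n);
        }
        out.writeBytes(content);
        return out.toByteArray();
    }

    /* Reads one TLV at off and returns {tag, contentStart, contentEnd}; rejects non-DER lengths. */
    private static int[] tlv(byte[] d, int off) {
        if (off + 2 > d.length) throw new IllegalArgumentException("truncated DER");
        int tag = d[off] & 0xff, len = d[off + 1] & 0xff, pos = off + 2;
        if (len == 0x80) throw new IllegalArgumentException("indefinite length is not DER");
        if (len > 0x80) {
            int n = len & 0x7f;
            if (n > 4 || pos + n > d.length) throw new IllegalArgumentException("bad length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (d[pos++] & 0xff);
        }
        if (len < 0 || pos + len > d.length) throw new IllegalArgumentException("truncated DER");
        return new int[] { tag, pos, pos + len };
    }

    /* Client side: the base64 CertBlob that goes into the password field. */
    public static String buildBlob(X509Certificate cert, PrivateKey key) throws Exception {
        byte[] certDer = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA1").digest(certDer); // assumption: digest over the DER
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, key);                                // "encrypted with the private key"
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        seq.writeBytes(der(0x04, certDer));                                // x509Cert  OCTET STRING
        seq.writeBytes(der(0x04, rsa.doFinal(digest)));                    // signature OCTET STRING
        seq.writeBytes(der(0x02, new byte[] { ALG_SHA1_RSA_PKCS1 }));      // algorithm INTEGER
        return Base64.getEncoder().encodeToString(der(0x30, seq.toByteArray()));
    }

    /* Server side: returns the certificate only if the blob proves possession of its private key
     * and the username matches what the regex extracts from the subject DN. */
    public static X509Certificate verify(String username, String password, Pattern cnFromDn) throws Exception {
        byte[] blob = Base64.getDecoder().decode(password);
        int[] seq = tlv(blob, 0), certF = tlv(blob, seq[1]), sigF = tlv(blob, certF[2]), algF = tlv(blob, sigF[2]);
        if (seq[0] != 0x30 || certF[0] != 0x04 || sigF[0] != 0x04 || algF[0] != 0x02
                || algF[2] != seq[2] || seq[2] != blob.length)           // no trailing or missing fields
            throw new SecurityException("CertBlob does not match the documented structure");
        int algorithm = new BigInteger(Arrays.copyOfRange(blob, algF[1], algF[2])).intValue();
        if (algorithm != ALG_SHA1_RSA_PKCS1) throw new SecurityException("unsupported algorithm " + algorithm);
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(Arrays.copyOfRange(blob, certF[1], certF[2])));
        // Possession check: decrypting with the certificate's own public key must yield the SHA-1 digest.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
        byte[] recovered;
        try { recovered = rsa.doFinal(Arrays.copyOfRange(blob, sigF[1], sigF[2])); }
        catch (BadPaddingException e) { throw new SecurityException("signature does not decrypt", e); }
        byte[] expected = MessageDigest.getInstance("SHA1").digest(cert.getEncoded());
        if (!MessageDigest.isEqual(expected, recovered)) throw new SecurityException("digest mismatch");
        // Identity check: username must equal the value the configured regex extracts from the subject DN.
        Matcher m = cnFromDn.matcher(cert.getSubjectX500Principal().getName());
        if (!m.find() || !m.group(1).equals(username)) throw new SecurityException("username/subjectDN mismatch");
        return cert;  // a login module would now store this under ProviderConst.CERTIFICATE_SHARED_KEY
    }

    /* Usage: java CertBlobExample <keystore.p12> <storepass> <alias>  (the keystore is a placeholder input) */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        PrivateKey key = (PrivateKey) ks.getKey(args[2], args[1].toCharArray());
        Pattern cn = Pattern.compile("CN=([^,]+)");      // assumption: configured regex captures the CN
        Matcher m = cn.matcher(cert.getSubjectX500Principal().getName());
        if (!m.find()) throw new IllegalStateException("certificate has no CN");
        System.out.println("verified as " + verify(m.group(1), buildBlob(cert, key), cn).getSubjectX500Principal());
    }
}
```

Two points worth noting about the check as the page describes it. First, the decrypt-and-compare step proves only that whoever built the blob holds the private key for the certificate inside the blob; it says nothing about whether that certificate is trusted, still valid, or unrevoked, so a deployment relies on chain validation being done elsewhere (the page does not describe that step, and the example above does not perform it). Second, `MessageDigest.isEqual` is used for the digest comparison so that the check runs in constant time; the structure checks also reject trailing data so that a blob cannot carry extra fields the module would silently ignore.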