X.509

Sample OGNL expressions

The X.509 Certificate Integration Kit allows you to use Object Graph Navigation Library (OGNL) expressions to map attributes from X.509 certificates.

Client certificates are available as java.security.cert.X509Certificate objects. This allows you to map certificate attributes by using methods that are defined in the Java Platform, Standard Edition API Specification. You can find a full list of available methods in the J2SE online javadoc.

To get the first client certificate in the chain as an X509Certificate object, you must use the ClientCertificateChain keyword within the OGNL expression. For example:

#this.get("ClientCertificateChain").getObjectValue()

To get the entire client certificate chain as an iterable collection of X509Certificate objects, use the getAllObjectValues() method in the OGNL expression. For example:

#this.get("ClientCertificateChain").getAllObjectValues()

The following table lists example OGNL expressions you can use to map certificate attributes during the setup or deployment of the X.509 Certificate Adapter. Learn more about using OGNL for attribute mapping in Attribute Mapping Expressions in the PingFederate documentation.

OGNL expression:

#x509Cert = #this.get("ClientCertificateChain").getObjectValue(),
#hexEncoded = new String(@org.apache.commons.codec.binary.Hex@encodeHex(#x509Cert.getSignature()))

Description: Returns the hex-encoded signature of the X.509 client certificate.

OGNL expression:

#x509Cert = #this.get("ClientCertificateChain").getObjectValue(),
#hexEncoded = new String(@org.apache.commons.codec.binary.Hex@encodeHex(#x509Cert.getExtensionValue("2.16.840.1.113730.1.13")))

Description: Extracts the comment certificate extension (Object Identifier (OID) 2.16.840.1.113730.1.13) from the X.509 client certificate and hex-encodes the result.

Other certificate extensions can be extracted by using the correct OID for the extension.
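As an added worked example (not part of the integration kit or of this page), the Python below models the bytes that X509Certificate.getExtensionValue() hands to the expression above: Java returns the DER-encoded OCTET STRING that wraps the extension value, so the hex string the mapping produces starts with the tag and length bytes (04 ..) rather than with the extension's content, and for the comment extension an IA5String header follows inside that wrapper. The sample bytes are constructed and the function names are my own.

```python
import binascii

OCTET_STRING = 0x04   # tag of the extnValue wrapper getExtensionValue() returns
IA5_STRING = 0x16     # tag of the string inside the Netscape comment extension


def read_tlv(data: bytes, expected_tag: int) -> bytes:
    """Strip one DER tag/length header and return the content bytes.

    Handles short-form (< 128) and long-form (0x81, 0x82, ...) lengths and
    rejects a tag mismatch or a declared length that does not match the
    bytes present, so truncated input fails loudly instead of being mapped.
    """
    if len(data) < 2:
        raise ValueError("DER element too short")
    if data[0] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got 0x{data[0]:02x}")
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        num_len_bytes = first & 0x7F
        if num_len_bytes == 0 or num_len_bytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[2:2 + num_len_bytes], "big")
        offset = 2 + num_len_bytes
    if offset + length != len(data):
        raise ValueError("DER length does not match element size")
    return data[offset:]


def netscape_comment(extension_value_hex: str) -> str:
    """Recover the comment text from the hex string the OGNL expression yields."""
    wrapped = binascii.unhexlify(extension_value_hex)
    inner = read_tlv(wrapped, OCTET_STRING)  # peel the extnValue OCTET STRING
    text = read_tlv(inner, IA5_STRING)       # peel the IA5String header
    return text.decode("ascii")


# Constructed sample (not from a real certificate): the bytes getExtensionValue()
# would return for a comment extension reading "issued by example lab".
COMMENT = b"issued by example lab"
SAMPLE_EXTENSION_VALUE = (
    bytes([OCTET_STRING, len(COMMENT) + 2, IA5_STRING, len(COMMENT)]) + COMMENT
)
SAMPLE_HEX = binascii.hexlify(SAMPLE_EXTENSION_VALUE).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_HEX)                   # begins "04171615", not with the text
    print(netscape_comment(SAMPLE_HEX))
```

If a downstream system compares the mapped attribute against a bare value, strip both headers as shown rather than matching on the wrapped hex.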