%Net.X509Certificate
class %Net.X509Certificate extends %Library.RegisteredObject
This class can be used to query the SSL PeerCertificate retrieved by %Net.HttpRequest when SSLCheckServerIdentity is enabled. It also contains convenience wrappers for the %SYSTEM.Encryption X509 methods.
Passing all the validity checks in this class does not mean the SSL Peer Certificate is valid.
Property Inventory
Method Inventory
- Extension()
- Field()
- RetrievePeerCertUsingJSON()
- RetrievePeerCertificate()
- RunVerificationChecks()
- VerifyCertChain()
- VerifyLifeSpan()
- VerifyNotAfter()
- VerifyNotBefore()
Properties
property CAFile as %String;
CAFile - Name of a file containing trusted Certificate Authority certificates
Used by VerifyCertChain()
Property methods: CAFileDisplayToLogical(), CAFileGet(), CAFileIsValid(), CAFileLogicalToDisplay(), CAFileLogicalToOdbc(), CAFileNormalize(), CAFileSet()
property CRLFile as %String;
CRLFile - Name of a file containing Certificate Revocation lists (optional)
Used by VerifyCertChain()
Property methods: CRLFileDisplayToLogical(), CRLFileGet(), CRLFileIsValid(), CRLFileLogicalToDisplay(), CRLFileLogicalToOdbc(), CRLFileNormalize(), CRLFileSet()
property CertChainCheck as %String;
Output from running $SYSTEM.Encryption.X509VerifyCertChain as
executed by VerifyCertChain() on Certificate with
CAFile and optional CRLFile
Property methods: CertChainCheckDisplayToLogical(), CertChainCheckGet(), CertChainCheckIsValid(), CertChainCheckLogicalToDisplay(), CertChainCheckLogicalToOdbc(), CertChainCheckNormalize(), CertChainCheckSet()
property Certificate as %Binary;
X.509 digital certificate
Property methods: CertificateGet(), CertificateIsValid()
property LifeSpanCheck as %Boolean;
Boolean test result of checking if the number of days between the ValidityNotBefore and
the ValidityNotAfter fields in Certificate is less than the maximum
number of days used by VerifyLifeSpan().
The default maximum days is set to 730.
Property methods: LifeSpanCheckDisplayToLogical(), LifeSpanCheckGet(), LifeSpanCheckIsValid(), LifeSpanCheckLogicalToDisplay(), LifeSpanCheckNormalize(), LifeSpanCheckSet()
property NotAfterCheck as %Boolean;
Boolean test result of checking if ValidityNotAfter field in Certificate
is after or the same as the current time.
Property methods: NotAfterCheckDisplayToLogical(), NotAfterCheckGet(), NotAfterCheckIsValid(), NotAfterCheckLogicalToDisplay(), NotAfterCheckNormalize(), NotAfterCheckSet()
property NotBeforeCheck as %Boolean;
Boolean test result of checking if ValidityNotBefore field in Certificate
is before or the same as the current time.
Property methods: NotBeforeCheckDisplayToLogical(), NotBeforeCheckGet(), NotBeforeCheckIsValid(), NotBeforeCheckLogicalToDisplay(), NotBeforeCheckNormalize(), NotBeforeCheckSet()
property SSLCNCheck as %Status;
Status returned by %Net.HttpRequest CheckSSLCN
method when SSLCheckServerIdentity is true.
RetrievePeerCertificate() examines the status returned by %Net.HttpRequest Send and sets this to $$$OK if that status is $$$OK, or to the SSLCertificateNoMatch or SSLNoCertificate error returned by Send.
If a different error is returned, SSLCNCheck is left empty.
Property methods: SSLCNCheckGet(), SSLCNCheckIsValid(), SSLCNCheckLogicalToOdbc(), SSLCNCheckSet()
Methods
Call X509GetField on the Certificate for the field named by pX509Field.
Returns the status of the call in pStatus.
See %SYSTEM.Encryption for documentation on the X509GetField method.
classmethod RetrievePeerCertUsingJSON(pHttpInfo As %DynamicObject, Output pHttpRequest As %Net.HttpRequest, Output pSSLPeerCert As %Net.X509Certificate) as %Status
Convenience method to call RetrievePeerCertificate() using a %Library.DynamicObject
to create the initial %Net.HttpRequest object and provide the other optional parameters.
The structure of the pHttpInfo dynamic object is:
{"url":"...",
 "verb":"...",
 "request":{"properties of %Net.HttpRequest...","Server":"docs.intersystems.com","SSLConfiguration":"ClientSSLConfig"}}
classmethod RetrievePeerCertificate(ByRef pHttpRequest As %Net.HttpRequest, pURL As %String = "/", pVerb As %String = "OPTIONS", Output pSSLPeerCert As %Net.X509Certificate) as %Status
Convenience method to make an HTTPS request that populates the SSLPeerCertificate
property of %Net.HttpRequest
using a pre-existing %Net.HttpRequest object, and instantiates pSSLPeerCert
of type %Net.X509Certificate if the certificate was retrieved or the server identity check failed.
For convenience the property SSLCheckServerIdentity is set to true.
pURL defaults to /
pVerb defaults to OPTIONS
The status returned is the status returned by the %Net.HttpRequest Send method, unless the error is $$$SSLNoCertificate or $$$SSLCertificateNoMatch, in which case $$$OK is returned and SSLCNCheck contains the SSL Server Identity Check error.
method RunVerificationChecks(pVerifyCertChain As %Boolean = 1, pLifeSpanMaxDays As %Integer = 730) as %Boolean
Run the methods:
VerifyCertChain() if pVerifyCertChain is true (the default is true)
VerifyLifeSpan() using pLifeSpanMaxDays (the default is 730 days)
VerifyNotBefore()
VerifyNotAfter()
This method returns true if the checks that were run passed and the initial SSL Server Identity check (SSLCNCheck) passed.
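The retrieve-then-verify flow described above, as an added ObjectScript example (not code from the InterSystems class reference). It assumes an SSL configuration named "ClientSSLConfig" exists on the instance, that pCAFile points at a PEM bundle of trusted CA certificates, and that Field() takes (pX509Field, Output pStatus) as the Methods section describes.

```objectscript
/// Added example: fetch the peer certificate from an HTTPS server and run
/// the convenience checks. "ClientSSLConfig" and the CA file path are assumptions.
ClassMethod CheckPeerCert(pHost As %String, pCAFile As %String) As %Boolean
{
    Set req = ##class(%Net.HttpRequest).%New()
    Set req.Server = pHost
    Set req.Port = 443
    Set req.Https = 1
    Set req.SSLConfiguration = "ClientSSLConfig"

    // OPTIONS / is enough to complete the TLS handshake and populate SSLPeerCertificate.
    // RetrievePeerCertificate() switches on SSLCheckServerIdentity itself.
    Set sc = ##class(%Net.X509Certificate).RetrievePeerCertificate(.req, "/", "OPTIONS", .cert)
    If $$$ISERR(sc) {
        // Transport or HTTP failure other than an identity mismatch: nothing to examine.
        Write "Request failed: ", $System.Status.GetErrorText(sc), !
        Quit 0
    }
    If '$IsObject($Get(cert)) {
        Write "No peer certificate was captured", !
        Quit 0
    }

    // SSLCNCheck is $$$OK, or the SSLCertificateNoMatch / SSLNoCertificate error from Send.
    If $$$ISERR(cert.SSLCNCheck) {
        Write "Server identity check failed: ", $System.Status.GetErrorText(cert.SSLCNCheck), !
    }

    // VerifyCertChain() needs a trusted CA file; CRLFile is optional and left unset here.
    Set cert.CAFile = pCAFile
    Set ok = cert.RunVerificationChecks(1, 730)

    Write "Subject:   ", cert.Field("Subject", .fsc), !
    Write "Chain:     ", cert.CertChainCheck, !
    Write "Lifespan:  ", cert.LifeSpanCheck, !
    Write "NotBefore: ", cert.NotBeforeCheck, !
    Write "NotAfter:  ", cert.NotAfterCheck, !

    // True means the identity check and the four checks above passed; as the class
    // note says, that alone does not make the peer certificate valid.
    Quit ok
}
```

CertChainCheck holds the raw text returned by $SYSTEM.Encryption.X509VerifyCertChain, so inspect it when ok is false to see which link in the chain was rejected.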
method VerifyCertChain() as %String
Output from running $SYSTEM.Encryption.X509VerifyCertChain
on Certificate with CAFile
and optional CRLFile.
The return value is also stored in CertChainCheck.
Boolean test result of checking if the number of days between the ValidityNotBefore and
the ValidityNotAfter fields in Certificate is less than the maximum
number of days given by pMaxDays.
The default maximum days is set to 730.
The result is also stored in LifeSpanCheck.
If an error is encountered retrieving the value of ValidityNotBefore or ValidityNotAfter from the certificate, the returned value is False.
method VerifyNotAfter() as %Boolean
Boolean test result of checking if the ValidityNotAfter field in Certificate
is after or the same as the current time.
The result is also stored in NotAfterCheck.
If an error is encountered retrieving the value of ValidityNotAfter from the certificate, the returned value is False.
method VerifyNotBefore() as %Boolean
Boolean test result of checking if the ValidityNotBefore field in Certificate
is before or the same as the current time.
The result is also stored in NotBeforeCheck.
If an error is encountered retrieving the value of ValidityNotBefore from the certificate, the returned value is False.
Inherited Members
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %ValidateObject()