Question by Oliver Wilms (Integration Engineer at Cognosante) · Jan 23

X509 Certificate - how to save it?

Given a string beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----", how do I save the string as an X509 certificate in ObjectScript?

Product version: IRIS 2024.1

Comments

Enrico Parisi · Jan 24

Usually in IRIS, X509 certificates are configured in the Management Portal:
System Administration -> Security -> X.509 Credentials

To configure it there, the certificate must be stored in a file.

How/where do you need to use the X509 certificate?

0
Oliver Wilms · Jan 24, to Enrico Parisi

Enrico, I got a Python script for SAML Assertion Validation. I want to convert it to ObjectScript. I am working on Certificate Chain and Signature validation. I have a certificate bundle in a .crt file. I will save the certificates to individual files and then use the Management Portal or a class method to configure or import them into IRIS.

0
Oliver Wilms · Jan 24, to Enrico Parisi

I was able to use the LoadCertificate() method. I am working on converting the Python code to ObjectScript.

0
Oliver Wilms · Jan 24, to Enrico Parisi

from OpenSSL import crypto
from cryptography.hazmat.primitives import serialization


def verify_chain(signer_cert, ca_bundle_path):
    """Verify that the signer certificate chains up to a trusted CA in the bundle."""
    # Load trusted CAs
    ca_store = crypto.X509Store()

    with open(ca_bundle_path, "rb") as f:
        pem_data = f.read()

    # Split bundle into individual certs
    for chunk in pem_data.split(b"-----END CERTIFICATE-----"):
        block = chunk.strip()
        if not block:
            continue
        # Re-append the END marker that split() consumed so each block is a full PEM
        block += b"\n-----END CERTIFICATE-----\n"
        try:
            ca = crypto.load_certificate(crypto.FILETYPE_PEM, block)
            ca_store.add_cert(ca)
        except Exception:
            # Skip things that aren't PEMs
            continue

    # Convert cryptography.x509.Certificate -> OpenSSL.crypto.X509
    signer_pem = signer_cert.public_bytes(encoding=serialization.Encoding.PEM)
    signer_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, signer_pem)

    # Now verify
    store_ctx = crypto.X509StoreContext(ca_store, signer_x509)
    try:
        store_ctx.verify_certificate()
        print("✔ Certificate chain validation passed.")
    except Exception as e:
        raise ValueError(f"Certificate chain validation failed: {e}")
0
Enrico Parisi · Jan 24

To verify a certificate against a CA Certificate Chain you can use:

Set Result=$SYSTEM.Encryption.X509VerifyCertChain(Certificate, CAChainFileName)

See X509VerifyCertChain() documentation for details.

To verify the validity of a signature you can use:

Set SignIsValid=$system.Encryption.RSASHAVerify(Bitlength,Payload,Signature,SignCertificate)

See RSASHAVerify() documentation for details.

0
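The two calls Enrico quotes, put together into one ObjectScript class as an added example (this is not code from the thread or from InterSystems). SavePem answers the original question by writing the "-----BEGIN CERTIFICATE-----" string to a file, which is the form both the Management Portal and X509VerifyCertChain() want; VerifySigner then mirrors the Python verify_chain() above and adds the signature check. Assumptions: the class name Demo.SamlCertCheck and the file path are made up; X509VerifyCertChain() is assumed to take the PEM text and return 1/0 as the snippet above implies; the bit length 256 assumes an rsa-sha256 SignatureMethod (use 1 for SHA-1, or 384/512, to match the assertion); and, as in any XML-DSig check, the payload passed in must already be the canonicalized ds:SignedInfo bytes, which this example takes as given.

```objectscript
/// Added example (not from the thread): save a PEM string to a file, verify the
/// certificate chain, then verify an RSA-SHA signature with $SYSTEM.Encryption.
Class Demo.SamlCertCheck
{

/// Write a PEM certificate string to fileName so it can be used wherever IRIS
/// expects a certificate file (Management Portal, X509VerifyCertChain).
ClassMethod SavePem(pem As %String, fileName As %String) As %Status
{
    Set stream = ##class(%Stream.FileCharacter).%New()
    Set sc = stream.LinkToFile(fileName)
    If $$$ISERR(sc) Quit sc
    Set sc = stream.Write(pem)
    If $$$ISERR(sc) Quit sc
    Quit stream.%Save()
}

/// Returns 1 when signerPem chains to a CA in caChainFile AND the Base64
/// signature over payload verifies; otherwise 0, with reason set.
/// Order matters: an untrusted certificate must be rejected before its key is
/// used to check anything.
ClassMethod VerifySigner(signerPem As %String, caChainFile As %String, payload As %String, signatureB64 As %String, Output reason As %String) As %Boolean
{
    Set reason = ""
    // Step 1: chain validation against the trusted CA bundle (a file, as in the
    // Python verify_chain above). Assumed to accept the PEM text directly.
    If '$SYSTEM.Encryption.X509VerifyCertChain(signerPem, caChainFile) {
        Set reason = "Certificate chain validation failed"
        Quit 0
    }
    // Step 2: signature validation. The SignatureValue in the XML is Base64;
    // RSASHAVerify wants the raw bytes. 256 assumes rsa-sha256 (assumption).
    Set signature = $SYSTEM.Encryption.Base64Decode(signatureB64)
    If '$SYSTEM.Encryption.RSASHAVerify(256, payload, signature, signerPem) {
        Set reason = "Signature validation failed"
        Quit 0
    }
    Quit 1
}

}
```

Usage (path is an example): `Do ##class(Demo.SamlCertCheck).SavePem(pem, "/tmp/idp-signer.pem")`, then `Set ok = ##class(Demo.SamlCertCheck).VerifySigner(pem, "/path/to/ca-bundle.crt", signedInfoBytes, signatureValue, .why)`. Note that a passing chain check only says the certificate is issued by a CA in the bundle; whether that certificate is the IdP you expect (subject, key pinning, validity window) is a separate check the assertion validator still has to make.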