12.6.2.3.1. Plugin features

Two certificates of the TPP are involved in NextGenPSD2:

  • The signing certificate used to sign HTTP requests
  • The client certificate used in the SSL/TLS handshake (also called "mutual TLS").

The plugin "HTTP Signature Verification Credential Extractor" provides the following features:

  • Extract original HTTP request (using Airlock environment cookies).
  • Check HTTP request signature
    • Verify the signature itself: the set of headers that must be signed can be defined by the IAM configuration
    • Verify the signature was created with a signing certificate issued by a trusted issuer
    • Check CRLs and OCSPs to verify validity of the TPPs signing certificate
  • Extract the client certificate for later authentication of the TPP
  • Verify that the signing certificate and the client certificate have been issued for the same TPP.
  • Every step may fail and result in the bank API request being blocked.