Two certificates of the TPP are involved in NextGenPSD2:
- The signing certificate used to sign HTTP requests (the sealing certificate).
- The client certificate used in the SSL/TLS handshake (also called "mutual TLS").
The "HTTP Signature Verification Credential Extractor" plugin provides the following features:
- Extract the original HTTP request (using Airlock environment cookies).
- Check the HTTP request signature:
  - Verify the signature itself; the set of headers that must be signed is defined by the IAM configuration.
  - Verify that the signature was created with a signing certificate issued by a trusted issuer.
  - Check CRLs and OCSP responders to verify the validity of the TPP's signing certificate.
- Extract the client certificate for later authentication of the TPP.
- Verify that the signing certificate and the client certificate have been issued to the same TPP.
Every step may fail and result in the bank API request being blocked.
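The check sequence above, written out as an added example (this is not the Airlock plugin's code). It follows the draft-cavage HTTP Signature format that NextGenPSD2 uses: a Signature header carrying keyId, algorithm, headers and signature parameters, rsa-sha256 over the listed headers, and a Digest header over the body. The required-header policy, the key, the request values and the PSD2 authorisation numbers are all constructed for the example; in production the organisation identifiers would be read from the subject of the sealing certificate and of the TLS client certificate, and the issuer and revocation checks from the list above would run on the certificates before the key is trusted.

```python
"""Verification of a NextGenPSD2-style HTTP request signature (added example)."""
import base64
import hashlib
import re

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Policy: headers that must be covered by the signature (constructed stand-in
# for the set defined by the IAM configuration).
REQUIRED_SIGNED_HEADERS = frozenset({"digest", "x-request-id", "psu-id", "date"})


def parse_signature_header(value):
    """Split 'keyId="..",algorithm="..",headers="a b",signature=".."' into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', value)}


def build_signing_string(headers, signed_names):
    """Recreate the bytes the TPP signed: 'name: value' lines, lowercase names,
    in exactly the order listed in the signature's headers parameter."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed_names:
        if name not in lowered:
            raise ValueError(f"signed header {name!r} is not present in the request")
        lines.append(f"{name}: {lowered[name]}")
    return "\n".join(lines).encode()


def digest_header_for(body):
    """Digest header value for a request body (SHA-256, base64)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def verify_request(headers, body, signing_public_key, signing_cert_org_id, client_cert_org_id):
    """Run the checks in order and return (ok, reason); any failure blocks the request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "signature" not in lowered:
        return False, "no Signature header"
    params = parse_signature_header(lowered["signature"])
    if params.get("algorithm") != "rsa-sha256":
        return False, f"unsupported algorithm {params.get('algorithm')!r}"

    # 1. The TPP chooses which headers it signed; the verifier must enforce that
    #    the mandatory ones are among them, otherwise a signature over a harmless
    #    subset would still pass while the unsigned headers could be altered.
    signed_names = params.get("headers", "").split()
    missing = REQUIRED_SIGNED_HEADERS - set(signed_names)
    if missing:
        return False, f"signature does not cover {sorted(missing)}"

    # 2. The Digest header binds the body to the signed header set.
    if lowered.get("digest") != digest_header_for(body):
        return False, "Digest header does not match body"

    # 3. Cryptographic check with the public key of the TPP's signing certificate.
    try:
        signing_public_key.verify(
            base64.b64decode(params.get("signature", "")),
            build_signing_string(headers, signed_names),
            padding.PKCS1v15(),
            hashes.SHA256(),
        )
    except (InvalidSignature, ValueError) as exc:
        return False, f"signature invalid: {exc}"

    # 4. Signing certificate and TLS client certificate must belong to the same
    #    TPP (compare the PSD2 authorisation numbers from both subjects).
    if signing_cert_org_id != client_cert_org_id:
        return False, "signing certificate and client certificate belong to different TPPs"
    return True, "ok"


def sign_request(headers, body, private_key, key_id, signed_names):
    """Sign a request the way a TPP client would (constructed helper for the demo)."""
    headers = dict(headers)
    headers["Digest"] = digest_header_for(body)
    sig = private_key.sign(build_signing_string(headers, signed_names), padding.PKCS1v15(), hashes.SHA256())
    headers["Signature"] = (
        f'keyId="{key_id}",algorithm="rsa-sha256",headers="{" ".join(signed_names)}",'
        f'signature="{base64.b64encode(sig).decode()}"'
    )
    return headers


def demo():
    """Constructed request: one valid case and three cases that must be blocked."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    body = b'{"instructedAmount": {"currency": "EUR", "amount": "10.00"}}'
    base = {"Date": "Tue, 01 Jan 2030 10:00:00 GMT", "X-Request-ID": "demo-request-0001", "PSU-ID": "psu-42"}
    signed = ["digest", "x-request-id", "psu-id", "date"]
    org = "PSDDE-BAFIN-000000"  # constructed PSD2 authorisation number
    good = sign_request(base, body, key, "SN=01,CA=CN%3DDemoCA", signed)
    return {
        "valid": verify_request(good, body, key.public_key(), org, org),
        "tampered_body": verify_request(good, body + b" ", key.public_key(), org, org),
        "partial_signature": verify_request(
            sign_request(base, body, key, "SN=01,CA=CN%3DDemoCA", ["date"]), body, key.public_key(), org, org),
        "different_tpp": verify_request(good, body, key.public_key(), org, "PSDDE-BAFIN-999999"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'blocked'} ({reason})")
```

The order of the checks matters for the reason reported but not for the outcome: every branch returns a failure that should block the API request, and none of the cheaper checks (header policy, Digest) may be skipped on the strength of a valid signature, because the signature only proves what the TPP chose to sign.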