Certificate filtering for Smart ID authentication

This article describes how to set up certificate filtering for the Personal Mobile and Personal Desktop authentication methods in Digital Access. To do this, you add an extended property in the authentication method.

Prerequisites

The Personal Mobile and Personal Desktop authentication methods are set and enabled in Digital Access. Read more here: Set up Smart ID authentication.
A json is defined including the necessary information for the filtering. See examples in this article.

Step-by-step instruction to set up the filter

Log in to Digital Access Admin

Log in to Digital Access Admin with an administrator account.

Edit the Personal Mobile or the Personal Desktop authentication method

In Digital Access Admin, go to Manage System.
Click Authentication Methods.
Select the Personal Mobile or the Personal Desktop method in the list of Registered Authentication Methods.
Go to the Extended Properties tab.
Click Add Extended Property...
Select Certificate Filter. The value of this filter shall be a valid json constructed based on the type of filtering you want to achieve. More details about how to create the filter json can be found in the examples in this page.
Click Save.
Click Publish.

About the filter json with examples

Filter objects

Each filter object shall have an op parameter (operation), whose value signifies what type of filter operation it represents. If no operation is specified, the default operation and will be used.

Logical filter

The logical filter contains a list of operations. The value (value) in a logic filter is a list of more filters.

The logical filter operations are:

and
or
not

Value filter

The value filter contains one parameter (param) (which depends on the operation) and a value (value).

The value filter operations are:

eq (Equals)

nq (Not Equals)

co (Contains)

sw (Starts with)

ew (Ends with)

lt (Less than)

gt (Greater than)

lte (Less than or equal to)
'le' is implemented in the mobile apps
gte (Greater than or equal to)
'ge' is implemented in the mobile apps

Examples of a filter json

A simple filter json:

Example: A simple filter that requests a key with ID 'signer'

JS

{
  "op": "eq",
  "param": "cert.issuer.o",
  "value": "Example company"
}

A complex filter json:

Example: A more complex filter

JS

{
  "op":"and",
  "value":[
    {
      "param": "key.id",
      "op":"eq", 
      "value": "signing" 
    },
    {
      "param": "cert.subject.cn", 
      "op":"eq", 
      "value": "Samuel" 
    },
    {
     "op":"or",
     "value":[
       {
        "op":"and",
        "value":[
          {
            "param": "key.type",
            "op":"eq", 
            "value": "RSA" 
                                 },
          {
            "param": "key.size",
            "op":"gte",
            "value":2048
          }
        ]
      },
      {
       "op":"and",
       "value":[
         {
           "param": "key.type",
           "op":"eq",
           "value": "ECC"
         },
         {
           "param": "key.size",
           "op":"gte",
           "value":192
         }
       ]
      }
     ]
    }
  ]
}

Supported request filter parameters

These are the supported request filters in Smart ID Mobile App, Smart ID Desktop App and Personal Desktop Client.

Name:	acronym:	Note
Constructed Filters:		"value" is a list of other filters, "param" is null
AND	and
OR	or
NOT (implemented as NOR)	not	No filter is allowed to be true if the evaluation of this filter is true

Value Filters:		"value" is string or number, "param" is one of the strings in the list below
CONTAINS	co	only string param value
STARTS WITH	sw	only string param value
ENDS WITH	ew	only string param value
EQUALS	eq	string or number supported
NOT EQUALS	nq	string or number supported
LESS THAN	lt	string or number supported
GREATER THAN	gt	string or number supported
LESS OR EQUAL	le	string or number supported
GREATER OR EQUAL	ge	string or number supported

Filter Param 'keys':
ISSUER COUNTRY	cert.issuer.c
ISSUER COMMON NAME	cert.issuer.cn
ISSUER LOCALITY	cert.issuer.l
ISSUER ORGANISATION	cert.issuer.o
ISSUER ORGANISATIONAL UNIT	cert.issuer.ou	fixed in android now
ISSUER STATE	cert.issuer.st
ISSUER STATE variant	cert.issuer.s
ISSUER STREET	cert.issuer.street
ISSUER EMAIL	cert.issuer.email
ISSUER UID	cert.issuer.uid
KEY USAGE	cert.keyusage	Use primarily with contains. We are concatenating all of them into one string
SERIAL	cert.serial
SUBJECT COUNTRY	cert.subject.c
SUBJECT COMMON NAME	cert.subject.cn
SUBJECT LOCALITY	cert.subject.l
SUBJECT ORGANISATION	cert.subject.o
SUBJECT ORG UNIT	cert.subject.ou
SUBJECT STATE	cert.subject.st
SUBJECT STATE variant	cert.issuer.s
SUBJECT STREET	cert.subject.street
SUBJECT EMAIL	cert.subject.email
SUBEJCT UID	cert.subject.uid
KEY ID	key.id
KEY PUBLIC KEY	key.publickey	BASE64 encoded DER (no PEM headers or newlines)
KEY SIZE	key.size
KEY TYPE	key.type	always 'RSA' so far
TOKEN ID	token.id	Profile ID for Hermod profiles
TOKEN TYPE	token.type	'DIGITAL' and 'NFC' used in mobile. PDA version values: 'Microsoft Platform Crypto Provider', 'MICROSOFT BASE SMART CARD CRYPTO PROVIDER', 'MICROSOFT ENHANCED CRYPTOGRAPHIC PROVIDER V1.0', 'MICROSOFT SOFTWARE KEY STORAGE PROVIDER', 'MICROSOFT PASSPORT KEY STORAGE PROVIDER'
TOKEN USER ID	token.userid	username tied to the token
TOKEN PROFILE TYPE	token.profiletype	VSC, SW, PLATFORMTPM, YUBI, HYBRID, FILEP12SW, FILEP12TPM, FILETPMYUBI, LOCALID06, FILEP12VSC