path: root/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
authorBjørn Christian Seime <bjorncs@verizonmedia.com>2022-01-27 16:20:19 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2022-01-27 16:20:19 +0100
commit2f1e67ec08a409f074b7f59975cb33ab6b9cf612 (patch)
treef5c0823ad857fa4b824159e1bdcbd18fb8ef9f73 /container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
parentba53a6b811628860306a9cbea0dce275c46875b1 (diff)
Add issuer and fingerprint of peer certificate to connection log
Diffstat (limited to 'container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java')
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java26
1 files changed, 21 insertions, 5 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index 451a7dbf10d..4e3fd3f29b3 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -30,6 +30,9 @@ import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import java.net.InetSocketAddress;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
@@ -227,7 +230,6 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
throw new IllegalArgumentException("Unknown connection endpoint type: " + endpoint.getClass().getName());
}
}
-
@FunctionalInterface private interface ListenerHandler { void run() throws Exception; }
private static class ConnectionInfo {
@@ -249,6 +251,8 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
private Date sslPeerNotBefore;
private Date sslPeerNotAfter;
private List<SNIServerName> sslSniServerNames;
+ private String sslPeerIssuerSubject;
+ private byte[] sslPeerEncodedCertificate;
private SSLHandshakeException sslHandshakeException;
private List<String> sslSubjectAlternativeNames;
private String proxyProtocolVersion;
@@ -307,8 +311,9 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
this.sslSubjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
.map(SubjectAlternativeName::getValue)
.collect(Collectors.toList());
-
- } catch (SSLPeerUnverifiedException e) {
+ this.sslPeerIssuerSubject = peerCertificate.getIssuerDN().getName();
+ this.sslPeerEncodedCertificate = peerCertificate.getEncoded();
+ } catch (SSLPeerUnverifiedException | CertificateEncodingException e) {
// Throw if peer is not authenticated (e.g when client auth is disabled)
// JSSE provides no means of checking for client authentication without catching this exception
}
@@ -365,10 +370,13 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
.findAny()
.ifPresent(builder::withSslSniServerName);
}
- if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null) {
+ if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null
+ && sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null) {
builder.withSslPeerSubject(sslPeerSubject)
+ .withSslPeerIssuerSubject(sslPeerIssuerSubject)
.withSslPeerNotAfter(sslPeerNotAfter.toInstant())
- .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
+ .withSslPeerNotBefore(sslPeerNotBefore.toInstant())
+ .withSslPeerFingerprint(certificateFingerprint(sslPeerEncodedCertificate));
}
if (sslSubjectAlternativeNames != null && !sslSubjectAlternativeNames.isEmpty()) {
builder.withSslSubjectAlternativeNames(sslSubjectAlternativeNames);
@@ -394,6 +402,14 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
return builder.build();
}
+ private static String certificateFingerprint(byte[] derEncoded) {
+ try {
+ return HexDump.toHexString(MessageDigest.getInstance("SHA-1").digest(derEncoded));
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
}
}
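Review bot: The widened guard `if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null && sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null)` now drops the peer subject and validity dates from the log entry whenever `getEncoded()` threw `CertificateEncodingException`, because that exception is swallowed in the catch above and leaves `sslPeerEncodedCertificate` null (unlikely for a certificate JSSE has already parsed, but it is a silent regression of previously logged data); keeping the original three-field condition and nesting the issuer/fingerprint calls under their own null check preserves the old coverage, as sketched below. The catch comment still describes only the unauthenticated-peer case, so the second swallowed type should be documented there, e.g. `// CertificateEncodingException: peer cert present but not DER-encodable; logged without issuer/fingerprint`. `peerCertificate.getIssuerDN().getName()` is the denigrated API and returns an implementation-specific string, whereas `peerCertificate.getIssuerX500Principal().getName()` yields the RFC 2253 form (worth checking against how `sslPeerSubject` is derived above the hunk so both fields use one format). `certificateFingerprint` hashes with SHA-1; if consumers use the field to correlate certificates across logs rather than for display, `MessageDigest.getInstance("SHA-256")` avoids SHA-1's collision weakness, though that depends on what the connection-log schema expects. The enclosing `ConnectionInfo` builder method starts outside these hunks.
```java
if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null) {
    builder.withSslPeerSubject(sslPeerSubject)
            .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
            .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
    // Issuer and fingerprint are extras: absent only if getEncoded() failed in the constructor.
    if (sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null) {
        builder.withSslPeerIssuerSubject(sslPeerIssuerSubject)
                .withSslPeerFingerprint(certificateFingerprint(sslPeerEncodedCertificate));
    }
}
// … unchanged: subject alternative names and remaining builder calls …
```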