author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-01-27 16:20:19 +0100 |
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-01-27 16:20:19 +0100 |
commit | 2f1e67ec08a409f074b7f59975cb33ab6b9cf612 (patch) | |
tree | f5c0823ad857fa4b824159e1bdcbd18fb8ef9f73 /container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java | |
parent | ba53a6b811628860306a9cbea0dce275c46875b1 (diff) |
Add issuer and fingerprint of peer certificate to connection log
Diffstat (limited to 'container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java')
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index 451a7dbf10d..4e3fd3f29b3 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -30,6 +30,9 @@ import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.StandardConstants;
 import java.net.InetSocketAddress;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -227,7 +230,6 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
             throw new IllegalArgumentException("Unknown connection endpoint type: " + endpoint.getClass().getName());
         }
     }
-
     @FunctionalInterface private interface ListenerHandler { void run() throws Exception; }
 
     private static class ConnectionInfo {
@@ -249,6 +251,8 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
         private Date sslPeerNotBefore;
         private Date sslPeerNotAfter;
         private List<SNIServerName> sslSniServerNames;
+        private String sslPeerIssuerSubject;
+        private byte[] sslPeerEncodedCertificate;
         private SSLHandshakeException sslHandshakeException;
         private List<String> sslSubjectAlternativeNames;
         private String proxyProtocolVersion;
@@ -307,8 +311,9 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
                 this.sslSubjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
                         .map(SubjectAlternativeName::getValue)
                         .collect(Collectors.toList());
-
-            } catch (SSLPeerUnverifiedException e) {
+                this.sslPeerIssuerSubject = peerCertificate.getIssuerDN().getName();
+                this.sslPeerEncodedCertificate = peerCertificate.getEncoded();
+            } catch (SSLPeerUnverifiedException | CertificateEncodingException e) {
                 // Throw if peer is not authenticated (e.g when client auth is disabled)
                 // JSSE provides no means of checking for client authentication without catching this exception
             }
@@ -365,10 +370,13 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
                         .findAny()
                         .ifPresent(builder::withSslSniServerName);
             }
-            if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null) {
+            if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null
+                    && sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null) {
                 builder.withSslPeerSubject(sslPeerSubject)
+                        .withSslPeerIssuerSubject(sslPeerIssuerSubject)
                         .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
-                        .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
+                        .withSslPeerNotBefore(sslPeerNotBefore.toInstant())
+                        .withSslPeerFingerprint(certificateFingerprint(sslPeerEncodedCertificate));
             }
             if (sslSubjectAlternativeNames != null && !sslSubjectAlternativeNames.isEmpty()) {
                 builder.withSslSubjectAlternativeNames(sslSubjectAlternativeNames);
@@ -394,6 +402,14 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
             return builder.build();
         }
 
+        private static String certificateFingerprint(byte[] derEncoded) {
+            try {
+                return HexDump.toHexString(MessageDigest.getInstance("SHA-1").digest(derEncoded));
+            } catch (NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
     }
 
 }
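Review bot: The widened catch in the `@@ -307` hunk now silences `CertificateEncodingException` too, but the comment inside it only justifies swallowing `SSLPeerUnverifiedException`; a DER encoding failure on a certificate JSSE has already parsed is unexpected and deserves at least a debug log line, e.g. `// CertificateEncodingException is not expected here; the peer cert was already parsed by JSSE` plus a log call, rather than silent loss. Because `getEncoded()` runs after the subject and validity fields have been assigned, and the guard in the `@@ -365` hunk now also requires `sslPeerIssuerSubject` and `sslPeerEncodedCertificate` to be non-null, such a failure would drop the entire peer-certificate block from the log entry instead of just the fingerprint, which is a small regression for consumers that key on `sslPeerSubject`; logging the fingerprint and issuer conditionally inside the existing `if` would keep the old behaviour. `getIssuerDN()` is deprecated in recent JDKs and its `getName()` output is implementation-specific, so `peerCertificate.getIssuerX500Principal().getName()` (RFC 2253 form) is preferable, provided it matches however `sslPeerSubject` is derived a few lines above this hunk. The enclosing method starts and ends outside the hunk.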
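Review bot: `certificateFingerprint` in the `@@ -394` hunk digests the DER certificate with SHA-1, whose collision resistance is broken, so two distinct certificates can be made to share the logged fingerprint; if the field is intended to identify the peer certificate when correlating log entries with other systems, `MessageDigest.getInstance("SHA-256")` is the safer choice, and whichever digest is kept should be named in the log field's documentation so consumers know which fingerprint they are matching. Consumers may already expect a SHA-1 fingerprint from other tooling, so this is a call for the log format owners rather than a blocker. Both SHA-1 and SHA-256 are mandatory for every Java `MessageDigest` provider, so the `NoSuchAlgorithmException` branch is unreachable and `throw new IllegalStateException(e);` would say so more clearly than `RuntimeException`. A short Javadoc on the helper stating the digest algorithm and that the input is the DER encoding returned by `X509Certificate.getEncoded()` would help the next reader.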