authorMorten Tokle <mortent@verizonmedia.com>2021-06-14 12:58:13 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-06-14 14:08:31 +0200
commitdf5162430e6cc6ec126b2de027f17ccbe3c9d7f6 (patch)
tree877a03e28d0676318ab287200d534939963cfd42 /container-core
parente637ee84201362eca4f1221106b0991b3c3f6d3d (diff)
Add san dns rfc822 cert field in connection log
Diffstat (limited to 'container-core')
-rw-r--r--container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java8
-rw-r--r--container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java10
-rw-r--r--container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java11
-rw-r--r--container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java3
4 files changed, 30 insertions, 2 deletions
diff --git a/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java b/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
index 5b30ce5963d..6f9d7840573 100644
--- a/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
+++ b/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
@@ -33,6 +33,7 @@ public class ConnectionLogEntry {
private final Instant sslPeerNotAfter;
private final String sslSniServerName;
private final SslHandshakeFailure sslHandshakeFailure;
+ private final List<String> sslSubjectAlternativeNames;
private final String httpProtocol;
private final String proxyProtocolVersion;
@@ -59,6 +60,7 @@ public class ConnectionLogEntry {
this.sslPeerNotAfter = builder.sslPeerNotAfter;
this.sslSniServerName = builder.sslSniServerName;
this.sslHandshakeFailure = builder.sslHandshakeFailure;
+ this.sslSubjectAlternativeNames = builder.sslSubjectAlternativeNames;
this.httpProtocol = builder.httpProtocol;
this.proxyProtocolVersion = builder.proxyProtocolVersion;
}
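Review bot: The constructor stores `builder.sslSubjectAlternativeNames` by reference, so a caller that still holds the list (JettyConnectionLogger collects it with `Collectors.toList()`, which yields a mutable list) can change a log entry after it was built, and the accessor added in the later hunk (`sslSubjectAlternativeNames()`) hands that same list out. Snapshotting once here, `this.sslSubjectAlternativeNames = builder.sslSubjectAlternativeNames == null ? List.of() : List.copyOf(builder.sslSubjectAlternativeNames);`, makes the field immutable like the other `final` fields and lets the accessor simply `return sslSubjectAlternativeNames;`. `List.copyOf` rejects null elements, so this presumes SAN values are never null, which the page does not show; worth confirming against the producer. The constructor's signature lies before this hunk.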
@@ -88,6 +90,7 @@ public class ConnectionLogEntry {
public Optional<Instant> sslPeerNotAfter() { return Optional.ofNullable(sslPeerNotAfter); }
public Optional<String> sslSniServerName() { return Optional.ofNullable(sslSniServerName); }
public Optional<SslHandshakeFailure> sslHandshakeFailure() { return Optional.ofNullable(sslHandshakeFailure); }
+ public List<String> sslSubjectAlternativeNames() { return sslSubjectAlternativeNames == null ? List.of() : sslSubjectAlternativeNames; }
public Optional<String> httpProtocol() { return Optional.ofNullable(httpProtocol); }
public Optional<String> proxyProtocolVersion() { return Optional.ofNullable(proxyProtocolVersion); }
@@ -139,6 +142,7 @@ public class ConnectionLogEntry {
private Instant sslPeerNotAfter;
private String sslSniServerName;
private SslHandshakeFailure sslHandshakeFailure;
+ private List<String> sslSubjectAlternativeNames;
private String httpProtocol;
private String proxyProtocolVersion;
@@ -225,6 +229,10 @@ public class ConnectionLogEntry {
this.sslHandshakeFailure = sslHandshakeFailure;
return this;
}
+ public Builder withSslSubjectAlternativeNames(List<String> sslSubjectAlternativeNames) {
+ this.sslSubjectAlternativeNames = sslSubjectAlternativeNames;
+ return this;
+ }
public Builder withHttpProtocol(String protocol) {
this.httpProtocol = protocol;
return this;
diff --git a/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java b/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
index dfdc5f1b55a..53aa79b9f8c 100644
--- a/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
+++ b/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
@@ -11,6 +11,7 @@ import java.io.IOException;
import java.io.OutputStream;
import java.time.Instant;
import java.util.Arrays;
+import java.util.List;
import java.util.Objects;
import java.util.Optional;
@@ -68,6 +69,7 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
Instant sslPeerNotAfter = unwrap(record.sslPeerNotAfter());
String sslSniServerName = unwrap(record.sslSniServerName());
ConnectionLogEntry.SslHandshakeFailure sslHandshakeFailure = unwrap(record.sslHandshakeFailure());
+ List<String> sslSubjectAlternativeNames = record.sslSubjectAlternativeNames();
if (isAnyValuePresent(
sslProtocol, sslSessionId, sslCipherSuite, sslPeerSubject, sslPeerNotBefore, sslPeerNotAfter,
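Review bot: The new `sslSubjectAlternativeNames` local is not visibly part of the `isAnyValuePresent(...)` check that decides whether the `ssl` object is written at all; the argument list is cut off by the hunk, so it may be handled further down, but if not, an entry whose only SSL data is the SAN list would silently lose it. Since the accessor never returns null, passing the list to `isAnyValuePresent` would always count as present; the condition should instead OR in `|| !sslSubjectAlternativeNames.isEmpty()`. SANs appear to be set only alongside the peer subject in JettyConnectionLogger, so this reads as a consistency gap rather than a visible failure. The enclosing method starts before this hunk.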
@@ -95,7 +97,13 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
generator.writeStringField("type", sslHandshakeFailure.type());
generator.writeEndObject();
}
-
+ if (!sslSubjectAlternativeNames.isEmpty()) {
+ generator.writeArrayFieldStart("san");
+ for (String sanEntry : sslSubjectAlternativeNames) {
+ generator.writeString(sanEntry);
+ }
+ generator.writeEndArray();
+ }
generator.writeEndObject();
}
}
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index d337131b313..88e68e7f2e6 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -6,6 +6,8 @@ import com.yahoo.container.logging.ConnectionLogEntry;
import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry;
import com.yahoo.io.HexDump;
import com.yahoo.jdisc.http.ServerConfig;
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateUtils;
import org.eclipse.jetty.alpn.server.ALPNServerConnection;
import org.eclipse.jetty.http2.server.HTTP2ServerConnection;
import org.eclipse.jetty.io.Connection;
@@ -36,6 +38,7 @@ import java.util.List;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
+import java.util.stream.Collectors;
/**
* Jetty integration for jdisc connection log ({@link ConnectionLog}).
@@ -247,6 +250,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
private Date sslPeerNotAfter;
private List<SNIServerName> sslSniServerNames;
private SSLHandshakeException sslHandshakeException;
+ private List<String> sslSubjectAlternativeNames;
private String proxyProtocolVersion;
private String httpProtocol;
@@ -300,6 +304,10 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
X509Certificate peerCertificate = (X509Certificate) session.getPeerCertificates()[0];
this.sslPeerNotBefore = peerCertificate.getNotBefore();
this.sslPeerNotAfter = peerCertificate.getNotAfter();
+ this.sslSubjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
+ .map(SubjectAlternativeName::getValue)
+ .collect(Collectors.toList());
+
} catch (SSLPeerUnverifiedException e) {
// Throw if peer is not authenticated (e.g when client auth is disabled)
// JSSE provides no means of checking for client authentication without catching this exception
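Review bot: The SAN type is discarded by `.map(SubjectAlternativeName::getValue)`, so the log cannot tell a DNS name from an rfc822 address, IP or URI entry, which matters when the connection log is later used to attribute a client identity during an incident review. The commit title names dns and rfc822, but no filtering by type is visible here, so presumably every type returned by `X509CertificateUtils.getSubjectAlternativeNames` ends up in the `san` array. If dropping the type is intentional, say so above the stream: `// SAN type (DNS/rfc822/IP/URI) is intentionally dropped; only the raw value is logged`; otherwise filter to the intended types before mapping, or log type and value together. The stray blank line added before the `catch` should also go. The enclosing method and its `try` begin before this hunk.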
@@ -362,6 +370,9 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
.withSslPeerNotAfter(sslPeerNotAfter.toInstant())
.withSslPeerNotBefore(sslPeerNotBefore.toInstant());
}
+ if (sslSubjectAlternativeNames != null && !sslSubjectAlternativeNames.isEmpty()) {
+ builder.withSslSubjectAlternativeNames(sslSubjectAlternativeNames);
+ }
if (sslHandshakeException != null) {
List<ExceptionEntry> exceptionChain = new ArrayList<>();
Throwable cause = sslHandshakeException;
diff --git a/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java b/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
index 75bc0c915d3..66b3da06ff2 100644
--- a/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
+++ b/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
@@ -26,6 +26,7 @@ class JsonConnectionLogWriterTest {
List.of(
new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("javax.net.ssl.SSLHandshakeException", "message"),
new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("java.io.IOException", "cause message"))))
+ .withSslSubjectAlternativeNames(List.of("sandns", "sanemail"))
.build();
String expectedJson = "{" +
"\"id\":\""+id.toString()+"\"," +
@@ -34,7 +35,7 @@ class JsonConnectionLogWriterTest {
"\"ssl\":{\"handshake-failure\":{\"exception\":[" +
"{\"cause\":\"javax.net.ssl.SSLHandshakeException\",\"message\":\"message\"}," +
"{\"cause\":\"java.io.IOException\",\"message\":\"cause message\"}" +
- "],\"type\":\"UNKNOWN\"}}}";
+ "],\"type\":\"UNKNOWN\"},\"san\":[\"sandns\",\"sanemail\"]}}";
JsonConnectionLogWriter writer = new JsonConnectionLogWriter();
ByteArrayOutputStream out = new ByteArrayOutputStream();