author | Morten Tokle <mortent@verizonmedia.com> | 2021-06-14 12:58:13 +0200 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-06-14 14:08:31 +0200 |
commit | df5162430e6cc6ec126b2de027f17ccbe3c9d7f6 (patch) | |
tree | 877a03e28d0676318ab287200d534939963cfd42 /container-core | |
parent | e637ee84201362eca4f1221106b0991b3c3f6d3d (diff) |
Add san dns rfc822 cert field in connection log
Diffstat (limited to 'container-core')
4 files changed, 30 insertions, 2 deletions
diff --git a/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java b/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
index 5b30ce5963d..6f9d7840573 100644
--- a/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
+++ b/container-core/src/main/java/com/yahoo/container/logging/ConnectionLogEntry.java
@@ -33,6 +33,7 @@ public class ConnectionLogEntry {
 private final Instant sslPeerNotAfter;
 private final String sslSniServerName;
 private final SslHandshakeFailure sslHandshakeFailure;
+ private final List<String> sslSubjectAlternativeNames;
 private final String httpProtocol;
 private final String proxyProtocolVersion;
 
@@ -59,6 +60,7 @@ public class ConnectionLogEntry {
 this.sslPeerNotAfter = builder.sslPeerNotAfter;
 this.sslSniServerName = builder.sslSniServerName;
 this.sslHandshakeFailure = builder.sslHandshakeFailure;
+ this.sslSubjectAlternativeNames = builder.sslSubjectAlternativeNames;
 this.httpProtocol = builder.httpProtocol;
 this.proxyProtocolVersion = builder.proxyProtocolVersion;
 }
@@ -88,6 +90,7 @@ public class ConnectionLogEntry {
 public Optional<Instant> sslPeerNotAfter() { return Optional.ofNullable(sslPeerNotAfter); }
 public Optional<String> sslSniServerName() { return Optional.ofNullable(sslSniServerName); }
 public Optional<SslHandshakeFailure> sslHandshakeFailure() { return Optional.ofNullable(sslHandshakeFailure); }
+ public List<String> sslSubjectAlternativeNames() { return sslSubjectAlternativeNames == null ? List.of() : sslSubjectAlternativeNames; }
 public Optional<String> httpProtocol() { return Optional.ofNullable(httpProtocol); }
 public Optional<String> proxyProtocolVersion() { return Optional.ofNullable(proxyProtocolVersion); }
 
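Review bot: The constructor in the `@@ -59` hunk stores `builder.sslSubjectAlternativeNames` by reference and the new accessor in the `@@ -88` hunk hands that same list back, so whoever built the entry (or any log consumer holding the returned list) can mutate a field that is otherwise final and, like its scalar siblings, was meant to be immutable. A defensive copy at construction closes that: `this.sslSubjectAlternativeNames = builder.sslSubjectAlternativeNames == null ? null : List.copyOf(builder.sslSubjectAlternativeNames);` — `List.copyOf` needs Java 10+, and the file's `List.of()` only proves 9+, so use `Collections.unmodifiableList(new ArrayList<>(...))` if the target is older. The copy also rejects null elements up front instead of letting them reach the writer. As a style point, the accessor returns `List<String>` with an empty-list default where every sibling returns `Optional`; that is a sensible choice for a collection but deserves a one-line Javadoc, `/** SAN values of the peer certificate; empty when none were recorded. */`.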
@@ -139,6 +142,7 @@ public class ConnectionLogEntry {
 private Instant sslPeerNotAfter;
 private String sslSniServerName;
 private SslHandshakeFailure sslHandshakeFailure;
+ private List<String> sslSubjectAlternativeNames;
 private String httpProtocol;
 private String proxyProtocolVersion;
 
@@ -225,6 +229,10 @@ public class ConnectionLogEntry {
 this.sslHandshakeFailure = sslHandshakeFailure;
 return this;
 }
+ public Builder withSslSubjectAlternativeNames(List<String> sslSubjectAlternativeNames) {
+ this.sslSubjectAlternativeNames = sslSubjectAlternativeNames;
+ return this;
+ }
 public Builder withHttpProtocol(String protocol) {
 this.httpProtocol = protocol;
 return this;
diff --git a/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java b/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
index dfdc5f1b55a..53aa79b9f8c 100644
--- a/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
+++ b/container-core/src/main/java/com/yahoo/container/logging/JsonConnectionLogWriter.java
@@ -11,6 +11,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.time.Instant;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
 
@@ -68,6 +69,7 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
 Instant sslPeerNotAfter = unwrap(record.sslPeerNotAfter());
 String sslSniServerName = unwrap(record.sslSniServerName());
 ConnectionLogEntry.SslHandshakeFailure sslHandshakeFailure = unwrap(record.sslHandshakeFailure());
+ List<String> sslSubjectAlternativeNames = record.sslSubjectAlternativeNames();
 if (isAnyValuePresent(
 sslProtocol, sslSessionId, sslCipherSuite, sslPeerSubject, sslPeerNotBefore, sslPeerNotAfter,
@@ -95,7 +97,13 @@ class JsonConnectionLogWriter implements LogWriter<ConnectionLogEntry> {
 generator.writeStringField("type", sslHandshakeFailure.type());
 generator.writeEndObject();
 }
-
+ if (!sslSubjectAlternativeNames.isEmpty()) {
+ generator.writeArrayFieldStart("san");
+ for (String sanEntry : sslSubjectAlternativeNames) {
+ generator.writeString(sanEntry);
+ }
+ generator.writeEndArray();
+ }
 generator.writeEndObject();
 }
 }
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index d337131b313..88e68e7f2e6 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -6,6 +6,8 @@ import com.yahoo.container.logging.ConnectionLogEntry;
 import com.yahoo.container.logging.ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry;
 import com.yahoo.io.HexDump;
 import com.yahoo.jdisc.http.ServerConfig;
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateUtils;
 import org.eclipse.jetty.alpn.server.ALPNServerConnection;
 import org.eclipse.jetty.http2.server.HTTP2ServerConnection;
 import org.eclipse.jetty.io.Connection;
@@ -36,6 +38,7 @@ import java.util.List;
 import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 
 /**
 * Jetty integration for jdisc connection log ({@link ConnectionLog}).
@@ -247,6 +250,7 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 private Date sslPeerNotAfter;
 private List<SNIServerName> sslSniServerNames;
 private SSLHandshakeException sslHandshakeException;
+ private List<String> sslSubjectAlternativeNames;
 private String proxyProtocolVersion;
 private String httpProtocol;
 
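Review bot: The `san` array written in the `@@ -95` hunk holds bare strings, so a log reader cannot tell a dNSName from an rfc822Name (the test later in this commit pins `["sandns","sanemail"]` as the shape), and this writer is where that log schema is fixed. If the type matters downstream it is far cheaper to emit `{"type":...,"value":...}` objects now than to change the format once consumers depend on it; if it does not, the choice should be stated next to `writeArrayFieldStart("san")`, e.g. `// peer-certificate SAN values flattened to strings; the GeneralName type is not preserved`. The values originate from the peer's certificate (see the JettyConnectionLogger hunk), and while the JSON generator escapes them, nothing bounds how many entries or how long each is, so a large client certificate inflates every connection record — worth a cap or at least a deliberate decision. The enclosing method begins before this hunk.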
@@ -300,6 +304,10 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 X509Certificate peerCertificate = (X509Certificate) session.getPeerCertificates()[0];
 this.sslPeerNotBefore = peerCertificate.getNotBefore();
 this.sslPeerNotAfter = peerCertificate.getNotAfter();
+ this.sslSubjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
+ .map(SubjectAlternativeName::getValue)
+ .collect(Collectors.toList());
+
 } catch (SSLPeerUnverifiedException e) {
 // Throw if peer is not authenticated (e.g when client auth is disabled)
 // JSSE provides no means of checking for client authentication without catching this exception
@@ -362,6 +370,9 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
 .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
 }
+ if (sslSubjectAlternativeNames != null && !sslSubjectAlternativeNames.isEmpty()) {
+ builder.withSslSubjectAlternativeNames(sslSubjectAlternativeNames);
+ }
 if (sslHandshakeException != null) {
 List<ExceptionEntry> exceptionChain = new ArrayList<>();
 Throwable cause = sslHandshakeException;
diff --git a/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java b/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
index 75bc0c915d3..66b3da06ff2 100644
--- a/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
+++ b/container-core/src/test/java/com/yahoo/container/logging/JsonConnectionLogWriterTest.java
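Review bot: In the `@@ -300` hunk `.map(SubjectAlternativeName::getValue)` throws away the SAN type and nothing filters the stream, so — assuming `X509CertificateUtils.getSubjectAlternativeNames` returns every GeneralName in the extension, as its name suggests — IP addresses, URIs and otherName entries are logged alongside the DNS and RFC 822 names the commit message promises, and an e-mail address becomes indistinguishable from a hostname in the output. Either restrict the stream to the two intended types or map each entry to a string that carries its type as well as its value, provided `SubjectAlternativeName` exposes the type (its API is not visible here). Whether the helper can throw on a malformed extension is also not visible; if it can, a parse failure would abort this whole block and should be handled like the other certificate fields rather than propagate. The stray empty `+` line after `.collect(Collectors.toList());` should be dropped. The try/catch and the method containing it start and end outside the hunk.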
@@ -26,6 +26,7 @@ class JsonConnectionLogWriterTest {
 List.of(
 new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("javax.net.ssl.SSLHandshakeException", "message"),
 new ConnectionLogEntry.SslHandshakeFailure.ExceptionEntry("java.io.IOException", "cause message"))))
+ .withSslSubjectAlternativeNames(List.of("sandns", "sanemail"))
 .build();
 String expectedJson = "{" +
 "\"id\":\""+id.toString()+"\"," +
@@ -34,7 +35,7 @@ class JsonConnectionLogWriterTest {
 "\"ssl\":{\"handshake-failure\":{\"exception\":[" +
 "{\"cause\":\"javax.net.ssl.SSLHandshakeException\",\"message\":\"message\"}," +
 "{\"cause\":\"java.io.IOException\",\"message\":\"cause message\"}" +
- "],\"type\":\"UNKNOWN\"}}}";
+ "],\"type\":\"UNKNOWN\"},\"san\":[\"sandns\",\"sanemail\"]}}";
 JsonConnectionLogWriter writer = new JsonConnectionLogWriter();
 ByteArrayOutputStream out = new ByteArrayOutputStream(); |