From 2f1e67ec08a409f074b7f59975cb33ab6b9cf612 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 27 Jan 2022 16:20:19 +0100
Subject: Add issuer and fingerprint of peer certificate to connection log
---
 .../http/server/jetty/JettyConnectionLogger.java | 26 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
(limited to 'container-core/src/main/java/com/yahoo/jdisc/http/server/jetty')
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
index 451a7dbf10d..4e3fd3f29b3 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/JettyConnectionLogger.java
@@ -30,6 +30,9 @@ import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.StandardConstants;
 import java.net.InetSocketAddress;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -227,7 +230,6 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 throw new IllegalArgumentException("Unknown connection endpoint type: " + endpoint.getClass().getName());
 }
 }
- @FunctionalInterface private interface ListenerHandler { void run() throws Exception; }
 private static class ConnectionInfo {
@@ -249,6 +251,8 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 private Date sslPeerNotBefore;
 private Date sslPeerNotAfter;
 private List sslSniServerNames;
+ private String sslPeerIssuerSubject;
+ private byte[] sslPeerEncodedCertificate;
 private SSLHandshakeException sslHandshakeException;
 private List sslSubjectAlternativeNames;
 private String proxyProtocolVersion;
@@ -307,8 +311,9 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 this.sslSubjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream()
 .map(SubjectAlternativeName::getValue)
 .collect(Collectors.toList());
-
- } catch (SSLPeerUnverifiedException e) {
+ this.sslPeerIssuerSubject = peerCertificate.getIssuerDN().getName();
+ this.sslPeerEncodedCertificate = peerCertificate.getEncoded();
+ } catch (SSLPeerUnverifiedException | CertificateEncodingException e) {
 // Throw if peer is not authenticated (e.g when client auth is disabled)
 // JSSE provides no means of checking for client authentication without catching this exception
 }
@@ -365,10 +370,13 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 .findAny()
 .ifPresent(builder::withSslSniServerName);
 }
- if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null) {
+ if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null
+ && sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null) {
 builder.withSslPeerSubject(sslPeerSubject)
+ .withSslPeerIssuerSubject(sslPeerIssuerSubject)
 .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
- .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
+ .withSslPeerNotBefore(sslPeerNotBefore.toInstant())
+ .withSslPeerFingerprint(certificateFingerprint(sslPeerEncodedCertificate));
 }
 if (sslSubjectAlternativeNames != null && !sslSubjectAlternativeNames.isEmpty()) {
 builder.withSslSubjectAlternativeNames(sslSubjectAlternativeNames);
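Review bot: `peerCertificate.getIssuerDN().getName()` in the new assignment goes through an API whose javadoc marks it denigrated and whose string form is implementation-specific, which matters for a log field operators will grep and compare across JVM versions; prefer `this.sslPeerIssuerSubject = peerCertificate.getIssuerX500Principal().getName();`, the RFC 2253 form, and check it matches however sslPeerSubject is derived (that assignment is outside this hunk). The widened `catch (SSLPeerUnverifiedException | CertificateEncodingException e)` now also discards a failure of `getEncoded()` without a trace, yet unlike an unverified peer that is not an expected condition, and the existing comment ("Throw if peer is not authenticated") no longer describes the second exception type. Either give CertificateEncodingException its own catch that logs at warning, or at least extend the comment with `// CertificateEncodingException: JSSE parsed the peer certificate but could not re-encode it; the fingerprint is then omitted`. The enclosing try block and its method begin before this hunk.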
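Review bot: The widened guard `&& sslPeerIssuerSubject != null && sslPeerEncodedCertificate != null` makes the previously logged peer subject and validity fields disappear from the entry whenever either new field is null, which is exactly what happens if `getEncoded()` threw in the constructor and was swallowed there — a regression for the existing fields, even if a rare one. Keep the original three-field guard and add the two new fields under their own null checks, so a failed fingerprint never hides the subject; the chained calls in this hunk suggest the builder methods return the builder, so the extra calls can stand alone. If `withSslPeerIssuerSubject` or `withSslPeerFingerprint` reject null arguments (not visible here), the separate guards also preserve that contract. The enclosing method continues outside this hunk.
```java
if (sslPeerSubject != null && sslPeerNotAfter != null && sslPeerNotBefore != null) {
    builder.withSslPeerSubject(sslPeerSubject)
            .withSslPeerNotAfter(sslPeerNotAfter.toInstant())
            .withSslPeerNotBefore(sslPeerNotBefore.toInstant());
    // Issuer and fingerprint are best-effort extras; never let their absence drop the fields above
    if (sslPeerIssuerSubject != null) builder.withSslPeerIssuerSubject(sslPeerIssuerSubject);
    if (sslPeerEncodedCertificate != null) builder.withSslPeerFingerprint(certificateFingerprint(sslPeerEncodedCertificate));
}
// … unchanged: subject alternative names …
```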
@@ -394,6 +402,14 @@ class JettyConnectionLogger extends AbstractLifeCycle implements Connection.List
 return builder.build();
 }
+ private static String certificateFingerprint(byte[] derEncoded) {
+ try {
+ return HexDump.toHexString(MessageDigest.getInstance("SHA-1").digest(derEncoded));
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
 }
 }
-- cgit v1.2.3
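Review bot: `MessageDigest.getInstance("SHA-1")` in certificateFingerprint selects a digest for which chosen-prefix collisions have been practical since 2020, so a client that can self-sign or otherwise obtain certificates could present two distinct certificates that log the same fingerprint and defeat correlation or blocklisting keyed on this field; SHA-256 is the current convention for certificate fingerprints and costs nothing here, so while the field is new use `return HexDump.toHexString(MessageDigest.getInstance("SHA-256").digest(derEncoded));`. Since the log field name carries no algorithm, record it on the method: `/** Hex-encoded SHA-256 digest of the DER-encoded certificate; the algorithm is part of the log format, change it only together with consumers. */`. Every Java platform is required to provide SHA-1 and SHA-256, so the `NoSuchAlgorithmException` branch is unreachable and `throw new IllegalStateException("SHA-256 must be available on every Java platform", e);` says so more precisely than a bare RuntimeException. Keeping the DER bytes in the `sslPeerEncodedCertificate` field added earlier in this patch for the whole life of each connection only to hash them here is also avoidable — computing the fingerprint string once where the certificate is captured would let that byte[] field go.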