From 6c9dcea0e9c3b9dd3a1b8979c84d2d2fe5b17e4c Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 20 Jul 2022 13:36:27 +0200
Subject: Add to-string helper to ConnectionAuthContext
---
 .../yahoo/security/tls/ConnectionAuthContext.java | 39 +++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
(limited to 'security-utils/src')
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index 821d41cfabe..e244d5ad23f 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -1,9 +1,16 @@
 package com.yahoo.security.tls;
+import com.yahoo.security.SubjectAlternativeName;
+import com.yahoo.security.X509CertificateUtils;
+
 import java.security.cert.X509Certificate;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.URI;
+
 /**
  * @author bjorncs
  */
@@ -19,6 +26,36 @@ public record ConnectionAuthContext(List peerCertificateChain,
 public boolean authorized() { return !capabilities.hasNone(); }
- public X509Certificate peerCertificate() { return peerCertificateChain.get(0); }
+ public Optional peerCertificate() {
+ return peerCertificateChain.isEmpty() ? Optional.empty() : Optional.of(peerCertificateChain.get(0));
+ }
+
+ public Optional peerCertificateString() {
+ X509Certificate cert = peerCertificate().orElse(null);
+ if (cert == null) return Optional.empty();
+ StringBuilder b = new StringBuilder("X.509Cert{");
+ String cn = X509CertificateUtils.getSubjectCommonName(cert).orElse(null);
+ if (cn != null) {
+ b.append("CN='").append(cn).append("'");
+ }
+ var sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
+ List dnsNames = sans.stream()
+ .filter(s -> s.getType() == DNS)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!dnsNames.isEmpty()) {
+ if (cn != null) b.append(", ");
+ b.append("SAN_DNS=").append(dnsNames);
+ }
+ List uris = sans.stream()
+ .filter(s -> s.getType() == URI)
+ .map(SubjectAlternativeName::getValue)
+ .toList();
+ if (!uris.isEmpty()) {
+ if (cn != null || !dnsNames.isEmpty()) b.append(", ");
+ b.append("SAN_URI=").append(uris);
+ }
+ return Optional.of(b.append("}").toString());
+ }
 }
-- 
cgit v1.2.3
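Review bot: The string assembled in `peerCertificateString()` splices the subject CN and the SAN values in verbatim between `'` and `[`/`]` delimiters with no escaping, so a certificate whose CN is literally `x', SAN_DNS=[y]` renders the same as one that really carries that DNS SAN; that is acceptable for a diagnostic line, but nothing says so, and the method should get a Javadoc along the lines of `/** Human-readable summary of the leaf peer certificate (CN plus DNS and URI SANs), for logging only: values are unescaped and the form is not stable, so never compare or authorize on it. */`. The two `filter(s -> s.getType() == …)` pipelines keep only `DNS` and `URI` SANs, so a peer identified solely by an IP-address or e-mail SAN prints as `X.509Cert{CN='…'}` with no SAN at all, which will mislead whoever reads the log while debugging a rejected connection — either render the remaining types or state the omission in that Javadoc. `peerCertificate()` also deserves a one-line Javadoc noting that it is empty when no peer chain was presented (presumably the unauthenticated-connection case; I cannot confirm from this hunk how the record is constructed then). As a point of style, the `if (cn != null || !dnsNames.isEmpty()) b.append(", ")` separator bookkeeping has to be extended by hand for every attribute added later; collecting the pieces into a list and joining them yields byte-identical output and removes that coupling (needs `java.util.ArrayList` imported).
```java
    public Optional<String> peerCertificateString() {
        // … unchanged: leaf-certificate lookup and empty-chain guard …
        List<String> parts = new ArrayList<>();
        X509CertificateUtils.getSubjectCommonName(cert).ifPresent(cn -> parts.add("CN='" + cn + "'"));
        var sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
        List<String> dnsNames = sans.stream().filter(s -> s.getType() == DNS).map(SubjectAlternativeName::getValue).toList();
        if (!dnsNames.isEmpty()) parts.add("SAN_DNS=" + dnsNames);
        List<String> uris = sans.stream().filter(s -> s.getType() == URI).map(SubjectAlternativeName::getValue).toList();
        if (!uris.isEmpty()) parts.add("SAN_URI=" + uris);
        return Optional.of("X.509Cert{" + String.join(", ", parts) + "}");
    }
```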