From 5f3966fed628b25ffb73cb8750ba636fa487037d Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 29 Nov 2012 18:59:56 -0500
Subject: [PATCH] Improve logging of certificate authentication

---
 src/com/gitblit/GitBlit.java         |   14 ++++--
 src/com/gitblit/utils/HttpUtils.java |   42 +++++++-------------
 src/com/gitblit/utils/X509Utils.java |   39 +++++++++++++++++++
 3 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/src/com/gitblit/GitBlit.java b/src/com/gitblit/GitBlit.java
index 6a3f98b..319f443 100644
--- a/src/com/gitblit/GitBlit.java
+++ b/src/com/gitblit/GitBlit.java
@@ -108,6 +108,7 @@
 import com.gitblit.utils.ObjectCache;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.utils.TimeUtils;
+import com.gitblit.utils.X509Utils.X509Metadata;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
 
@@ -571,12 +572,15 @@
 		UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids);
 		if (model != null) {
 			// grab real user model and preserve certificate serial number
-			GitBlitWebSession session = GitBlitWebSession.get();
-			session.authenticationType = AuthenticationType.CERTIFICATE;
 			UserModel user = getUserModel(model.username);
-			logger.info(MessageFormat.format("{0} authenticated by client certificate from {1}",
-					user.username, httpRequest.getRemoteAddr()));
-			return user;
+			if (user != null) {
+				GitBlitWebSession session = GitBlitWebSession.get();
+				session.authenticationType = AuthenticationType.CERTIFICATE;
+				X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest);
+				logger.info(MessageFormat.format("{0} authenticated by client certificate {1} from {2}",
+						user.username, metadata.serialNumber, httpRequest.getRemoteAddr()));
+				return user;
+			}
 		}
 		
 		// try to authenticate by cookie
diff --git a/src/com/gitblit/utils/HttpUtils.java b/src/com/gitblit/utils/HttpUtils.java
index 68a3506..b40088c 100644
--- a/src/com/gitblit/utils/HttpUtils.java
+++ b/src/com/gitblit/utils/HttpUtils.java
@@ -20,14 +20,13 @@
 import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
 import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.slf4j.LoggerFactory;
 
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.X509Utils.X509Metadata;
 
 /**
  * Collection of utility methods for http requests.
@@ -145,21 +144,11 @@
 	 * @return
 	 */
 	public static UserModel getUserModelFromCertificate(X509Certificate cert, String... usernameOIDs) {
-		UserModel user = new UserModel(null);
-		user.isAuthenticated = false;
+		X509Metadata metadata = X509Utils.getMetadata(cert);
 		
-		// manually split DN into OID components
-		// this is instead of parsing with LdapName which:
-		// (1) I don't trust the order of values
-		// (2) it filters out values like EMAILADDRESS
-		String dn = cert.getSubjectDN().getName();
-		Map<String, String> oids = new HashMap<String, String>();
-		for (String kvp : dn.split(",")) {
-			String [] val = kvp.trim().split("=");
-			String oid = val[0].toUpperCase().trim();
-			String data = val[1].trim();
-			oids.put(oid, data);
-		}
+		UserModel user = new UserModel(metadata.commonName);
+		user.emailAddress = metadata.emailAddress;
+		user.isAuthenticated = false;
 		
 		if (usernameOIDs == null || usernameOIDs.length == 0) {
 			// use default usename<->CN mapping
@@ -169,24 +158,23 @@
 		// determine username from OID fingerprint
 		StringBuilder an = new StringBuilder();
 		for (String oid : usernameOIDs) {
-			String val = getOIDValue(oid.toUpperCase(), oids);
+			String val = metadata.getOID(oid.toUpperCase(), null);
 			if (val != null) {
 				an.append(val).append(' ');
 			}
 		}
-		user.username = an.toString().trim();
-		
-		// extract email address, if available
-		user.emailAddress = getOIDValue("E", oids);
-		if (user.emailAddress == null) {
-			user.emailAddress = getOIDValue("EMAILADDRESS", oids);
-		}		
+		user.username = an.toString().trim();		
 		return user;
 	}
 	
-	private static String getOIDValue(String oid, Map<String, String> oids) {
-		if (oids.containsKey(oid)) {
-			return oids.get(oid);
+	public static X509Metadata getCertificateMetadata(HttpServletRequest httpRequest) {
+		if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) {
+			X509Certificate[] certChain = (X509Certificate[]) httpRequest
+					.getAttribute("javax.servlet.request.X509Certificate");
+			if (certChain != null) {
+				X509Certificate cert = certChain[0];
+				return X509Utils.getMetadata(cert);
+			}
 		}
 		return null;
 	}
diff --git a/src/com/gitblit/utils/X509Utils.java b/src/com/gitblit/utils/X509Utils.java
index 24afb8d..1d14489 100644
--- a/src/com/gitblit/utils/X509Utils.java
+++ b/src/com/gitblit/utils/X509Utils.java
@@ -183,6 +183,9 @@
 		// displayname of user for README in bundle
 		public String userDisplayname;
 
+		// serialnumber of generated or read certificate
+		public String serialNumber;
+
 		public X509Metadata(String cn, String pwd) {
 			if (StringUtils.isEmpty(cn)) {
 				throw new RuntimeException("Common name required!");
@@ -562,6 +565,10 @@
 			saveKeyStore(targetStoreFile, serverStore, sslMetadata.password);
 			
 	        x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName()));
+	        
+	        // update serial number in metadata object
+	        sslMetadata.serialNumber = cert.getSerialNumber().toString();
+
 			return cert;
 		} catch (Throwable t) {
 			throw new RuntimeException("Failed to generate SSL certificate!", t);
@@ -622,6 +629,9 @@
 			saveKeyStore(storeFile, store, caMetadata.password);
 			
 			x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName()));
+
+	        // update serial number in metadata object
+	        caMetadata.serialNumber = cert.getSerialNumber().toString();
 
 			return cert;
 		} catch (Throwable t) {
@@ -852,6 +862,9 @@
 	        // save certificate after successfully creating the key stores
 	        saveCertificate(userCert, certFile);
 	        
+	        // update serial number in metadata object
+	        clientMetadata.serialNumber = userCert.getSerialNumber().toString();
+	        
 	        return userCert;
 		} catch (Throwable t) {
 			throw new RuntimeException("Failed to generate client certificate!", t);
@@ -1065,4 +1078,30 @@
 		}
 		return false;
 	}
+	
+	public static X509Metadata getMetadata(X509Certificate cert) {
+		// manually split DN into OID components
+		// this is instead of parsing with LdapName which:
+		// (1) I don't trust the order of values
+		// (2) it filters out values like EMAILADDRESS
+		String dn = cert.getSubjectDN().getName();
+		Map<String, String> oids = new HashMap<String, String>();
+		for (String kvp : dn.split(",")) {
+			String [] val = kvp.trim().split("=");
+			String oid = val[0].toUpperCase().trim();
+			String data = val[1].trim();
+			oids.put(oid, data);
+		}
+		
+		X509Metadata metadata = new X509Metadata(oids.get("CN"), "whocares");
+		metadata.oids.putAll(oids);
+		metadata.serialNumber = cert.getSerialNumber().toString();
+		metadata.notAfter = cert.getNotAfter();
+		metadata.notBefore = cert.getNotBefore();
+		metadata.emailAddress = metadata.getOID("E", null);
+		if (metadata.emailAddress == null) {
+			metadata.emailAddress = metadata.getOID("EMAILADDRESS", null);
+		}
+		return metadata;
+	}
 }

--
Gitblit v1.9.1