Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I get the Client Certificate in Netty Handler to identify user?

I am successfully running Netty with 2-way SSL (see Set up Netty with 2-way SSL Handsake (client and server certificate)).

However, in some of my handlers, I need to know about the user who is using the application. I find that I can't figure out how to get information like the user certificate DN in my handlers.

I would think it would be available in the ChannelHandlerContext somewhere but it is not. Any suggestions?

I know the SSLEngine has access to it somewhere, but I don't see anything about obtaining access in the SSLEngine public API. I know it has access in the handshake operation.... but how do I get it?

like image 835
MeowCode Avatar asked Mar 19 '12 21:03

MeowCode


2 Answers

The SSLEngine can be fetched through the Pipline/ChannelHandlerContext

ChannelHandlerContext ctx = ...
SslHandler sslhandler = (SslHandler) ctx.channel().pipeline().get("ssl");
sslhandler.engine().getSession().getPeerCertificateChain()[0].getSubjectDN());

This allows you to get the certificates in the Handler Objects. Pay attention, that the SSL-Handshake needs to be finished when you do this. Otherwise you will get a

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

exception. To avoid this, you can listen for a userEvent (in our case HandshakeCompletionEvent) in the handler, which could look the following:

@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
    logger.info("userEventTriggered: {0}, Class: {1}", evt.toString(), evt.getClass());

    if (evt instanceof HandshakeCompletionEvent) {
        fetchCertificate(ctx);
    }
} 
like image 174
geri-m Avatar answered Nov 08 '22 05:11

geri-m


SSLEngine.getSession().getPeerCertificateChain(). The zeroth entry is the peer's own certificate.

like image 42
user207421 Avatar answered Nov 08 '22 03:11

user207421