How can I get the Client Certificate in Netty Handler to identify user?

Question

I am successfully running Netty with 2-way SSL (see Set up Netty with 2-way SSL Handsake (client and server certificate)).

However, in some of my handlers, I need to know about the user who is using the application. I find that I can't figure out how to get information like the user certificate DN in my handlers.

I would think it would be available in the ChannelHandlerContext somewhere but it is not. Any suggestions?

I know the SSLEngine has access to it somewhere, but I don't see anything about obtaining access in the SSLEngine public API. I know it has access in the handshake operation.... but how do I get it?

Answer 1

The SSLEngine can be fetched through the Pipline/ChannelHandlerContext

ChannelHandlerContext ctx = ...
SslHandler sslhandler = (SslHandler) ctx.channel().pipeline().get("ssl");
sslhandler.engine().getSession().getPeerCertificateChain()[0].getSubjectDN());

This allows you to get the certificates in the Handler Objects. Pay attention, that the SSL-Handshake needs to be finished when you do this. Otherwise you will get a

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

exception. To avoid this, you can listen for a userEvent (in our case HandshakeCompletionEvent) in the handler, which could look the following:

@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
    logger.info("userEventTriggered: {0}, Class: {1}", evt.toString(), evt.getClass());

    if (evt instanceof HandshakeCompletionEvent) {
        fetchCertificate(ctx);
    }
} 

Answer 2

SSLEngine.getSession().getPeerCertificateChain(). The zeroth entry is the peer's own certificate.