Get client's cert status PV name into TLSHandshakeInfo

kasemir · kasemir · commit 889d79db4195 · 2025-09-03T16:07:33.000-04:00
diff --git a/core/pva/src/main/java/org/epics/pva/common/SecureSockets.java b/core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
@@ -276,6 +276,14 @@ public static class TLSHandshakeInfo
         /** Host of the peer */
         public String hostname;
 
+        /** PV for client certificate status */
+        public String status_pv_name;
+
+        @Override
+        public String toString()
+        {
+            return "Name " + name + ", host " + hostname + ", cert status PV " + status_pv_name;
+        }
 
         /** Get TLS/SSH info from socket
          *  @param socket {@link SSLSocket}
@@ -296,9 +304,40 @@ public static TLSHandshakeInfo fromSocket(final SSLSocket socket) throws Excepti
 
             try
             {
+                // Log certificate chain, grep cert status PV name
+                String status_pv_name = "";
+                final SSLSession session = socket.getSession();
+                logger.log(Level.FINER, "Client name: '" + SecureSockets.getPrincipalCN(session.getPeerPrincipal()) + "'");
+                for (Certificate cert : session.getPeerCertificates())
+                    if (cert instanceof X509Certificate x509)
+                    {
+                        // Is this the cert for the client principal, or one of the authorities?
+                        boolean is_principal_cert = false;
+
+                        logger.log(Level.FINER, "* " + x509.getSubjectX500Principal());
+                        if (session.getPeerPrincipal().equals(x509.getSubjectX500Principal()))
+                        {
+                            logger.log(Level.FINER, "  - Client CN");
+                            is_principal_cert = true;
+                        }
+                        if (x509.getBasicConstraints() >= 0)
+                            logger.log(Level.FINER, "  - Certificate Authority");
+                        logger.log(Level.FINER, "  - Expires " + x509.getNotAfter());
+                        if (x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal()))
+                            logger.log(Level.FINER, "  - Self-signed");
+
+                        byte[] value = x509.getExtensionValue("1.3.6.1.4.1.37427.1");
+                        String pv_name = SecureSockets.decodeDERString(value);
+                        logger.log(Level.FINER, "  - Status PV: " + pv_name);
+
+                        if (is_principal_cert  &&  pv_name != null  &&  !pv_name.isBlank())
+                            status_pv_name = pv_name;
+                    }
+
+
                 // No way to check if there is peer info (certificates, principal, ...)
                 // other then success vs. exception..
-                final Principal principal = socket.getSession().getPeerPrincipal();
+                final Principal principal = session.getPeerPrincipal();
                 String name = getPrincipalCN(principal);
                 if (name == null)
                 {
@@ -309,6 +348,7 @@ public static TLSHandshakeInfo fromSocket(final SSLSocket socket) throws Excepti
                 final TLSHandshakeInfo info = new TLSHandshakeInfo();
                 info.name = name;
                 info.hostname = socket.getInetAddress().getHostName();
+                info.status_pv_name = status_pv_name;
 
                 return info;
             }
diff --git a/core/pva/src/main/java/org/epics/pva/server/ServerTCPHandler.java b/core/pva/src/main/java/org/epics/pva/server/ServerTCPHandler.java
@@ -12,20 +12,14 @@
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.nio.ByteBuffer;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
 import java.util.Objects;
 import java.util.logging.Level;
 
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocket;
-
 import org.epics.pva.common.CommandHandlers;
 import org.epics.pva.common.PVAAuth;
 import org.epics.pva.common.PVAHeader;
 import org.epics.pva.common.RequestEncoder;
 import org.epics.pva.common.SearchResponse;
-import org.epics.pva.common.SecureSockets;
 import org.epics.pva.common.SecureSockets.TLSHandshakeInfo;
 import org.epics.pva.common.TCPHandler;
 import org.epics.pva.data.PVASize;
@@ -74,30 +68,6 @@ public ServerTCPHandler(final PVAServer server, final Socket client, final TLSHa
         this.server = Objects.requireNonNull(server);
         this.tls_info = tls_info;
 
-        // Log client's security info
-        if (tls_info != null  &&
-            client instanceof SSLSocket socket  &&
-            logger.isLoggable(Level.FINE))
-        {
-            final SSLSession session = socket.getSession();
-            logger.log(Level.FINE, "Client name: '" + SecureSockets.getPrincipalCN(session.getPeerPrincipal()) + "'");
-            for (Certificate cert : session.getPeerCertificates())
-                if (cert instanceof X509Certificate x509)
-                {
-                    logger.log(Level.FINE, "* " + x509.getSubjectX500Principal());
-                    if (session.getPeerPrincipal().equals(x509.getSubjectX500Principal()))
-                        logger.log(Level.FINE, "  - Client CN");
-                    if (x509.getBasicConstraints() >= 0)
-                        logger.log(Level.FINE, "  - Certificate Authority");
-                    logger.log(Level.FINE, "  - Expires " + x509.getNotAfter());
-                    if (x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal()))
-                        logger.log(Level.FINE, "  - Self-signed");
-
-                    byte[] value = x509.getExtensionValue("1.3.6.1.4.1.37427.1");
-                    logger.log(Level.FINE, "  - Status PV: " + SecureSockets.decodeDERString(value));
-                }
-        }
-
         server.register(this);
         startReceiver();
         startSender();
diff --git a/core/pva/src/main/java/org/epics/pva/server/ServerTCPListener.java b/core/pva/src/main/java/org/epics/pva/server/ServerTCPListener.java
@@ -228,6 +228,10 @@ private void listen()
                             try
                             {
                                 tls_info = TLSHandshakeInfo.fromSocket((SSLSocket) client);
+                                logger.log(Level.FINE, "Client TLS info: " + tls_info);
+                                // TODO Monitor status PV, close connection when PV shows expired/revoked cert
+                                // if (! tls_info.status_pv_name.isEmpty()  /* &&  PVASettings.CHECK_CERT_STATUS */)
+                                //    logger.log(Level.INFO, "Should check " + tls_info.status_pv_name);
                             }
                             catch (SSLHandshakeException ssl)
                             {

Original file line number	Diff line number	Diff line change
`@@ -228,6 +228,10 @@ private void listen()`
`228`	`228`	`try`
`229`	`229`	`{`
`230`	`230`	`tls_info = TLSHandshakeInfo.fromSocket((SSLSocket) client);`
	`231`	`+ logger.log(Level.FINE, "Client TLS info: " + tls_info);`
	`232`	`+ // TODO Monitor status PV, close connection when PV shows expired/revoked cert`
	`233`	`+ // if (! tls_info.status_pv_name.isEmpty() /* && PVASettings.CHECK_CERT_STATUS */)`
	`234`	`+ // logger.log(Level.INFO, "Should check " + tls_info.status_pv_name);`
`231`	`235`	`}`
`232`	`236`	`catch (SSLHandshakeException ssl)`
`233`	`237`	`{`