Log client's security info

kasemir · kasemir · commit bf91b3748fdc · 2025-09-02T16:19:15.000-04:00
diff --git a/core/pva/src/main/java/org/epics/pva/common/SecureSockets.java b/core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
@@ -191,7 +191,7 @@ public static Socket createClientSocket(final InetSocketAddress address, final b
                 //
                 // #1: ObjectId: 1.3.6.1.4.1.37427.1 Criticality=false
                 // 0000: 43 45 52 54 3A 53 54 41   54 55 53 3A 64 30 62 62  CERT:STATUS:d0bb...
-               //
+                //
                 // Certificate[2]:
                 // Owner: OU=EPICS Certificate Authority, O=ca.epics.org, C=US, CN=EPICS Root CA
                 // Issuer: OU=EPICS Certificate Authority, O=ca.epics.org, C=US, CN=EPICS Root CA
diff --git a/core/pva/src/main/java/org/epics/pva/server/ServerTCPHandler.java b/core/pva/src/main/java/org/epics/pva/server/ServerTCPHandler.java
@@ -12,14 +12,20 @@
 import java.net.InetSocketAddress;
 import java.net.Socket;
 import java.nio.ByteBuffer;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.Objects;
 import java.util.logging.Level;
 
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+
 import org.epics.pva.common.CommandHandlers;
 import org.epics.pva.common.PVAAuth;
 import org.epics.pva.common.PVAHeader;
 import org.epics.pva.common.RequestEncoder;
 import org.epics.pva.common.SearchResponse;
+import org.epics.pva.common.SecureSockets;
 import org.epics.pva.common.SecureSockets.TLSHandshakeInfo;
 import org.epics.pva.common.TCPHandler;
 import org.epics.pva.data.PVASize;
@@ -68,6 +74,30 @@ public ServerTCPHandler(final PVAServer server, final Socket client, final TLSHa
         this.server = Objects.requireNonNull(server);
         this.tls_info = tls_info;
 
+        // Log client's security info
+        if (tls_info != null  &&
+            client instanceof SSLSocket socket  &&
+            logger.isLoggable(Level.FINE))
+        {
+            final SSLSession session = socket.getSession();
+            logger.log(Level.FINE, "Client name: '" + SecureSockets.getPrincipalCN(session.getPeerPrincipal()) + "'");
+            for (Certificate cert : session.getPeerCertificates())
+                if (cert instanceof X509Certificate x509)
+                {
+                    logger.log(Level.FINE, "* " + x509.getSubjectX500Principal());
+                    if (session.getPeerPrincipal().equals(x509.getSubjectX500Principal()))
+                        logger.log(Level.FINE, "  - Client CN");
+                    if (x509.getBasicConstraints() >= 0)
+                        logger.log(Level.FINE, "  - Certificate Authority");
+                    logger.log(Level.FINE, "  - Expires " + x509.getNotAfter());
+                    if (x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal()))
+                        logger.log(Level.FINE, "  - Self-signed");
+
+                    byte[] value = x509.getExtensionValue("1.3.6.1.4.1.37427.1");
+                    logger.log(Level.FINE, "  - Status PV: " + SecureSockets.decodeDERString(value));
+                }
+        }
+
         server.register(this);
         startReceiver();
         startSender();
