This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 309a3f59d1586c7b7818cc9ad2bb4e3957766bc7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Feb 16 13:57:55 2023 +0000
Add dedicated logger for TLS certifcates
Allows debug logging to be enabled just for certificates
---
.../apache/tomcat/util/net/AbstractEndpoint.java | 55 +++++++++++++++++++++-
.../tomcat/util/net/AbstractJsseEndpoint.java | 2 +-
.../apache/tomcat/util/net/LocalStrings.properties | 2 +
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 7 +++
java/org/apache/tomcat/util/net/NioEndpoint.java | 7 +++
webapps/docs/changelog.xml | 6 +++
6 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index ac49fd7a20..c0f6ee9c44 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -22,6 +22,10 @@ import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
@@ -44,6 +48,7 @@ import javax.management.ObjectName;
import org.apache.juli.logging.Log;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.buf.HexUtils;
import org.apache.tomcat.util.collections.SynchronizedStack;
import org.apache.tomcat.util.modeler.Registry;
import org.apache.tomcat.util.net.Acceptor.AcceptorState;
@@ -378,8 +383,50 @@ public abstract class AbstractEndpoint<S,U> {
trustStoreSource = sslHostConfig.getCaCertificatePath();
}
- getLog().info(sm.getString("endpoint.tls.info", getName(),
sslHostConfig.getHostName(), certificate.getType(),
- certificateSource, keyAlias, trustStoreSource));
+ getLogCertificate().info(sm.getString("endpoint.tls.info", getName(),
sslHostConfig.getHostName(),
+ certificate.getType(), certificateSource, keyAlias,
trustStoreSource));
+
+ if (getLogCertificate().isDebugEnabled()) {
+ String alias = certificate.getCertificateKeyAlias();
+ if (alias == null) {
+ alias = SSLUtilBase.DEFAULT_KEY_ALIAS;
+ }
+ X509Certificate[] x509Certificates =
certificate.getSslContext().getCertificateChain(alias);
+ if (x509Certificates != null && x509Certificates.length > 0) {
+
getLogCertificate().debug(generateCertificateDebug(x509Certificates[0]));
+ } else {
+
getLogCertificate().debug(sm.getString("endpoint.tls.cert.noCerts"));
+ }
+ }
+ }
+
+
+ protected String generateCertificateDebug(X509Certificate certificate) {
+ StringBuilder sb = new StringBuilder();
+ sb.append("\n[");
+ try {
+ byte[] certBytes = certificate.getEncoded();
+ // SHA-256 fingerprint
+ sb.append("\nSHA-256 fingerprint: ");
+ MessageDigest sha512Digest = MessageDigest.getInstance("SHA-256");
+ sha512Digest.update(certBytes);
+ sb.append(HexUtils.toHexString(sha512Digest.digest()));
+ // SHA-256 fingerprint
+ sb.append("\nSHA-1 fingerprint: ");
+ MessageDigest sha1Digest = MessageDigest.getInstance("SHA-1");
+ sha1Digest.update(certBytes);
+ sb.append(HexUtils.toHexString(sha1Digest.digest()));
+ } catch (CertificateEncodingException e) {
+
getLogCertificate().warn(sm.getString("endpoint.tls.cert.encodingError"), e);
+ } catch (NoSuchAlgorithmException e) {
+ // Unreachable code
+ // All JREs are required to support SHA-1 and SHA-256
+ throw new RuntimeException(e);
+ }
+ sb.append("\n");
+ sb.append(certificate);
+ sb.append("\n]");
+ return sb.toString();
}
@@ -1357,6 +1404,10 @@ public abstract class AbstractEndpoint<S,U> {
protected abstract Log getLog();
+ protected Log getLogCertificate() {
+ return getLog();
+ }
+
protected LimitLatch initializeConnectionLatch() {
if (maxConnections==-1) {
return null;
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index 261ed118c2..0aabf8403a 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -106,8 +106,8 @@ public abstract class AbstractJsseEndpoint<S,U> extends
AbstractEndpoint<S,U> {
throw new IllegalArgumentException(e.getMessage(), e);
}
- logCertificate(certificate);
certificate.setSslContext(sslContext);
+ logCertificate(certificate);
}
}
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index dc7b9b9361..8e845821bd 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -114,6 +114,8 @@ endpoint.setAttribute=Set [{0}] to [{1}]
endpoint.setAttributeError=Unable to set attribute [{0}] to [{1}]
endpoint.socketOptionsError=Error setting socket options
endpoint.timeout.err=Error processing socket timeout
+endpoint.tls.cert.encodingError=Certificate fingerprints not available
+endpoint.tls.cert.noCerts=Certificate details not available as the certificate
chain returned from the SSLContext was empty
endpoint.tls.info=Connector [{0}], TLS virtual host [{1}], certificate type
[{2}] configured from [{3}] using alias [{4}] and with trust store [{5}]
endpoint.unknownSslHostName=The SSL host name [{0}] is not recognised for this
endpoint
endpoint.warn.executorShutdown=The executor associated with thread pool [{0}]
has not fully shutdown. Some application threads may still be running.
diff --git a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
index 9875e3d406..f22c64abcc 100644
--- a/java/org/apache/tomcat/util/net/Nio2Endpoint.java
+++ b/java/org/apache/tomcat/util/net/Nio2Endpoint.java
@@ -59,6 +59,7 @@ public class Nio2Endpoint extends
AbstractJsseEndpoint<Nio2Channel,AsynchronousS
private static final Log log = LogFactory.getLog(Nio2Endpoint.class);
+ private static final Log logCertificate =
LogFactory.getLog(Nio2Endpoint.class.getName() + ".certificate");
private static final Log logHandshake =
LogFactory.getLog(Nio2Endpoint.class.getName() + ".handshake");
@@ -387,6 +388,12 @@ public class Nio2Endpoint extends
AbstractJsseEndpoint<Nio2Channel,AsynchronousS
}
+ @Override
+ protected Log getLogCertificate() {
+ return logCertificate;
+ }
+
+
@Override
protected SocketProcessorBase<Nio2Channel> createSocketProcessor(
SocketWrapperBase<Nio2Channel> socketWrapper, SocketEvent event) {
diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java
b/java/org/apache/tomcat/util/net/NioEndpoint.java
index d1864aec5a..5f9beb80c8 100644
--- a/java/org/apache/tomcat/util/net/NioEndpoint.java
+++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
@@ -83,6 +83,7 @@ public class NioEndpoint extends
AbstractJsseEndpoint<NioChannel,SocketChannel>
private static final Log log = LogFactory.getLog(NioEndpoint.class);
+ private static final Log logCertificate =
LogFactory.getLog(NioEndpoint.class.getName() + ".certificate");
private static final Log logHandshake =
LogFactory.getLog(NioEndpoint.class.getName() + ".handshake");
@@ -541,6 +542,12 @@ public class NioEndpoint extends
AbstractJsseEndpoint<NioChannel,SocketChannel>
}
+ @Override
+ protected Log getLogCertificate() {
+ return logCertificate;
+ }
+
+
@Override
protected SocketProcessorBase<NioChannel> createSocketProcessor(
SocketWrapperBase<NioChannel> socketWrapper, SocketEvent event) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ddf4189f80..5f10ca55b4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -169,6 +169,12 @@
connections from timing out when using a Connector configured with
<code>useAsyncIO=true</code> (the default). (markt)
</fix>
+ <add>
+ Provided dedicated loggers
+ (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
+ <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
+ logging of configured TLS certificates. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
