How can I get a client certificate in a Netty handler to authenticate a user?

I am successfully running Netty with two-way SSL (see Configuring Netty with a Two-Way SSL Connection (Client and Server Certificate)).

However, in some of my handlers I need to know which user is using the application, and I can't figure out how to get information such as the user's certificate DN in my handlers.

I think it will be available in ChannelHandlerContext somewhere, but it is not. Any suggestions?

I know that SSLEngine has access to it somewhere, but I don't see anything about gaining access in the public SSLEngine API. I know that it has access to a handshake operation ... but how do I get it?

+4
2 answers

SSLEngine.getSession().getPeerCertificateChain(). Entry zero is the peer's own certificate.

+7

The SSLEngine can be retrieved through the Pipeline / ChannelHandlerContext:

    ChannelHandlerContext ctx = ...;
    // Assumes the SslHandler was added to the pipeline under the name "ssl".
    SslHandler sslhandler = (SslHandler) ctx.channel().pipeline().get("ssl");
    // Entry 0 of the chain is the client's own certificate. Note that
    // getPeerCertificateChain() has been deprecated since Java 9; the
    // replacement is getPeerCertificates(). Both throw
    // SSLPeerUnverifiedException if the handshake has not completed yet.
    Principal subject = sslhandler.engine().getSession()
            .getPeerCertificateChain()[0].getSubjectDN();

This allows you to obtain the certificate in your handler objects. Note that the SSL handshake must have completed when you do this; otherwise you will get the exception

 javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated 

To avoid this, you can listen for the user event (in our case Netty's SslHandshakeCompletionEvent) in a handler, which might look like this:

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        // Netty's logger uses "{}" placeholders, not MessageFormat-style "{0}".
        logger.info("userEventTriggered: {}, Class: {}", evt, evt.getClass());
        // The Netty event class is io.netty.handler.ssl.SslHandshakeCompletionEvent.
        if (evt instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent handshake = (SslHandshakeCompletionEvent) evt;
            // Only read the certificate if the handshake actually succeeded;
            // on failure the session has no verified peer.
            if (handshake.isSuccess()) {
                fetchCertificate(ctx);
            }
        }
        ctx.fireUserEventTriggered(evt); // let later handlers see the event too
    }
+8
source
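A fuller version of the approach in this answer, added here as an example and not code from the original thread or from Netty itself: a handler that captures the client certificate when Netty's SslHandshakeCompletionEvent fires, stores it as a channel attribute, and lets any later handler read the subject DN without touching the SSLEngine. The class names, the attribute key name, and the assumption that the SslHandler sits earlier in the same pipeline are illustrative. It uses SSLSession.getPeerCertificates() (java.security.cert types) instead of the deprecated getPeerCertificateChain().

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;

/**
 * Added example (not from the original thread). Captures the client's
 * end-entity certificate once the TLS handshake has succeeded and hands it
 * to downstream handlers via a channel attribute.
 *
 * Assumption: an SslHandler is earlier in the same pipeline; it is looked up
 * by type rather than by the name "ssl" so the code does not depend on how
 * the pipeline was assembled.
 */
public class ClientCertCaptureHandler extends ChannelInboundHandlerAdapter {

    /** Hypothetical attribute key; any unique name works. */
    public static final AttributeKey<X509Certificate> CLIENT_CERT =
            AttributeKey.valueOf("clientCert");

    @Override
    public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
        if (evt instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent handshake = (SslHandshakeCompletionEvent) evt;
            if (!handshake.isSuccess()) {
                // Handshake failed (handshake.cause() has the reason): no peer.
                ctx.close();
                return;
            }
            X509Certificate cert = peerCertificate(ctx);
            if (cert == null) {
                // Two-way TLS is expected here. A null certificate means the
                // SslContext was built with ClientAuth.OPTIONAL/NONE and the
                // client sent nothing, so refuse the connection.
                ctx.close();
                return;
            }
            ctx.channel().attr(CLIENT_CERT).set(cert);
        }
        // Always forward the event so other handlers can react to it as well.
        ctx.fireUserEventTriggered(evt);
    }

    /**
     * Returns the peer's own certificate (entry 0 of the chain), or null if
     * the handshake is not complete or the peer presented no certificate.
     */
    static X509Certificate peerCertificate(ChannelHandlerContext ctx) {
        SslHandler ssl = ctx.pipeline().get(SslHandler.class);
        if (ssl == null) {
            return null; // no TLS on this channel at all
        }
        SSLSession session = ssl.engine().getSession();
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return null;
            }
            return (X509Certificate) chain[0];
        } catch (SSLPeerUnverifiedException e) {
            // "peer not authenticated": handshake pending or no client cert.
            return null;
        }
    }

    /** Example of a later handler reading the identity captured above. */
    static class WhoAmIHandler extends ChannelInboundHandlerAdapter {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
            X509Certificate cert = ctx.channel().attr(CLIENT_CERT).get();
            // getSubjectX500Principal() is the non-deprecated form of getSubjectDN().
            String dn = cert == null ? "anonymous" : cert.getSubjectX500Principal().getName();
            // ... use dn for authorization decisions, then continue the pipeline
            ctx.fireChannelRead(msg);
        }
    }
}
```

The subject DN is only trustworthy because the SSLEngine's trust manager validated the chain against your CA during the handshake; with ClientAuth.REQUIRE the handshake fails outright if the client sends no acceptable certificate, and with ClientAuth.OPTIONAL you must handle the null case yourself, as the handler above does. Any other handler may read ctx.channel().attr(ClientCertCaptureHandler.CLIENT_CERT) after the handshake event has passed through.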

Source: https://habr.com/ru/post/1402317/
