From f37e9ee6e1cf0b622ab7a7c0668c2bcf27b7003b Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Thu, 22 Jun 2023 13:17:17 +0200
Subject: [PATCH] Read IPs from SSLEngine session

When SSLEngine is used IPs cannot be retrieved from the socket or stream proxies so they are stored into the SSLEngine session. This is an extension to the standard because the SSLEngine should be unaware of the underlying communication but it is needed for the audit.
---
 .../server/PKIServerSocketListener.java | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
index 23ac157db78..2cf94e3759c 100644
--- a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
@@ -81,7 +81,7 @@ public void alertReceived(SSLAlertEvent event) {
         try {
             SSLSocket socket = event.getSocket();
-            JSSEngine engine = event.getEngine();
+            JSSEngine sslEngine = event.getEngine();
             InetAddress clientAddress = null;
             InetAddress serverAddress = null;
@@ -107,8 +107,8 @@ public void alertReceived(SSLAlertEvent event) {
                 Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
                 subjectID = subjectDN == null ? "" : subjectDN.toString();
             } else {
-                if(engine != null) {
-                    JSSSession session = engine.getSession();
+                if(sslEngine != null) {
+                    JSSSession session = sslEngine.getSession();
                     if(session != null) {
                         Certificate[] certs = session.getPeerCertificates();
                         if(certs != null) {
@@ -117,6 +117,12 @@ public void alertReceived(SSLAlertEvent event) {
                                 subjectID = cert.getSubjectDN().toString();
                             }
                         }
+                        if(session.getRemoteAddr() != null) {
+                            clientIP = session.getRemoteAddr();
+                        }
+                        if(session.getLocalAddr() != null) {
+                            serverIP = session.getLocalAddr();
+                        }
                     }
                 }
             }
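Review bot: The six-line remote/local address block added here is repeated verbatim in the two alertSent hunks (new lines 179 and 227) and in the handshakeCompleted hunk (new line 307), each with the same `if(x != null) { y = x; }` shape and each reading the session address twice. Folding it into one private helper would keep the four call sites identical and give a single place to handle a session that carries no address, which matters because these values feed the audit record. A helper that returns the session value or the caller's current fallback preserves the existing behaviour of leaving clientIP/serverIP untouched when the session has none; each site then reduces to `clientIP = remoteAddrOrDefault(session, clientIP); serverIP = localAddrOrDefault(session, serverIP);`. alertReceived's body continues outside the hunk.
```java
                    if(session != null) {
                        // … unchanged: peer-certificate extraction …
                        clientIP = remoteAddrOrDefault(session, clientIP);
                        serverIP = localAddrOrDefault(session, serverIP);
                    }

    /** Peer address recorded in the SSLEngine session, or {@code fallback} when the session carries none. */
    private static String remoteAddrOrDefault(JSSSession session, String fallback) {
        String addr = session == null ? null : session.getRemoteAddr();
        return addr == null ? fallback : addr;
    }

    /** Local address recorded in the SSLEngine session, or {@code fallback} when the session carries none. */
    private static String localAddrOrDefault(JSSSession session, String fallback) {
        String addr = session == null ? null : session.getLocalAddr();
        return addr == null ? fallback : addr;
    }
```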
@@ -151,7 +157,7 @@ public void alertSent(SSLAlertEvent event) {
         try {
             SSLSocket socket = event.getSocket();
-            JSSEngine engine = event.getEngine();
+            JSSEngine sslEngine = event.getEngine();
             int description = event.getDescription();
             String reason = "serverAlertSent: " + SSLAlertDescription.valueOf(description).toString();
@@ -173,14 +179,20 @@ public void alertSent(SSLAlertEvent event) {
                 serverIP = (String)info.get("serverIP");
                 subjectID = (String)info.get("subjectID");
             } else {
-                if(engine != null) {
-                    JSSSession session = engine.getSession();
+                if(sslEngine != null) {
+                    JSSSession session = sslEngine.getSession();
                     if(session != null) {
                         Certificate[] certs = session.getPeerCertificates();
                         if(certs != null) {
                             X509Certificate cert = (X509Certificate) certs[0];
                             subjectID = cert.getSubjectDN().toString();
                         }
+                        if(session.getRemoteAddr() != null) {
+                            clientIP = session.getRemoteAddr();
+                        }
+                        if(session.getLocalAddr() != null) {
+                            serverIP = session.getLocalAddr();
+                        }
                     }
                 }
             }
@@ -205,8 +217,8 @@ public void alertSent(SSLAlertEvent event) {
                 subjectID = subjectDN == null ? "" : subjectDN.toString();
             } else {
-                if(engine != null) {
-                    JSSSession session = engine.getSession();
+                if(sslEngine != null) {
+                    JSSSession session = sslEngine.getSession();
                     if(session != null) {
                         Certificate[] certs = session.getPeerCertificates();
                         if(certs != null) {
@@ -215,6 +227,12 @@ public void alertSent(SSLAlertEvent event) {
                                 subjectID = cert.getSubjectDN().toString();
                             }
                         }
+                        if(session.getRemoteAddr() != null) {
+                            clientIP = session.getRemoteAddr();
+                        }
+                        if(session.getLocalAddr() != null) {
+                            serverIP = session.getLocalAddr();
+                        }
                     }
                 }
             }
@@ -250,7 +268,7 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
         try {
             SSLSocket socket = event.getSocket();
-            JSSEngine engine = event.getEngine();
+            JSSEngine sslEngine = event.getEngine();
             InetAddress clientAddress = null;
             InetAddress serverAddress = null;
@@ -278,8 +296,8 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
                 info.put("subjectID", subjectID);
                 socketInfos.put(socket, info);
             } else {
-                if(engine != null) {
-                    JSSSession session = engine.getSession();
+                if(sslEngine != null) {
+                    JSSSession session = sslEngine.getSession();
                     if(session != null) {
                         Certificate[] certs = session.getPeerCertificates();
                         if(certs != null) {
@@ -289,6 +307,12 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
                             }
                         }
                     }
+                    if(session.getRemoteAddr() != null) {
+                        clientIP = session.getRemoteAddr();
+                    }
+                    if(session.getLocalAddr() != null) {
+                        serverIP = session.getLocalAddr();
+                    }
                 }
             }
             logger.debug("PKIServerSocketListener: Handshake completed:");
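Review bot: In the second hunk the new `session.getRemoteAddr()`/`session.getLocalAddr()` calls appear to sit after the brace that closes `if(session != null)`: three closing braces precede the insertion here, whereas the matching blocks in alertReceived (new line 117) and alertSent (new line 227) follow only two and stay inside the null check. If lines 286-288, which this hunk does not show, close the certificate checks the way the other methods do, `session` can be null at this point and handshakeCompleted would throw NullPointerException before reaching the audit logging below instead of recording the event. Moving the two `if` blocks up one brace so they sit inside `if(session != null)`, or wrapping them in `if(session != null) { ... }`, would make the handshake path consistent with the alert paths. handshakeCompleted's body continues outside the hunk.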