| src/com/gitblit/GitBlit.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/utils/HttpUtils.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/utils/X509Utils.java | ●●●●● patch | view | raw | blame | history |
src/com/gitblit/GitBlit.java
@@ -108,6 +108,7 @@ import com.gitblit.utils.ObjectCache; import com.gitblit.utils.StringUtils; import com.gitblit.utils.TimeUtils; import com.gitblit.utils.X509Utils.X509Metadata; import com.gitblit.wicket.GitBlitWebSession; import com.gitblit.wicket.WicketUtils; @@ -571,13 +572,16 @@ UserModel model = HttpUtils.getUserModelFromCertificate(httpRequest, checkValidity, oids); if (model != null) { // grab real user model and preserve certificate serial number UserModel user = getUserModel(model.username); if (user != null) { GitBlitWebSession session = GitBlitWebSession.get(); session.authenticationType = AuthenticationType.CERTIFICATE; UserModel user = getUserModel(model.username); logger.info(MessageFormat.format("{0} authenticated by client certificate from {1}", user.username, httpRequest.getRemoteAddr())); X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); logger.info(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); return user; } } // try to authenticate by cookie Cookie[] cookies = httpRequest.getCookies(); src/com/gitblit/utils/HttpUtils.java
@@ -20,14 +20,13 @@ import java.security.cert.X509Certificate; import java.text.MessageFormat; import java.util.Date; import java.util.HashMap; import java.util.Map; import javax.servlet.http.HttpServletRequest; import org.slf4j.LoggerFactory; import com.gitblit.models.UserModel; import com.gitblit.utils.X509Utils.X509Metadata; /** * Collection of utility methods for http requests. @@ -145,21 +144,11 @@ * @return */ public static UserModel getUserModelFromCertificate(X509Certificate cert, String... usernameOIDs) { UserModel user = new UserModel(null); user.isAuthenticated = false; X509Metadata metadata = X509Utils.getMetadata(cert); // manually split DN into OID components // this is instead of parsing with LdapName which: // (1) I don't trust the order of values // (2) it filters out values like EMAILADDRESS String dn = cert.getSubjectDN().getName(); Map<String, String> oids = new HashMap<String, String>(); for (String kvp : dn.split(",")) { String [] val = kvp.trim().split("="); String oid = val[0].toUpperCase().trim(); String data = val[1].trim(); oids.put(oid, data); } UserModel user = new UserModel(metadata.commonName); user.emailAddress = metadata.emailAddress; user.isAuthenticated = false; if (usernameOIDs == null || usernameOIDs.length == 0) { // use default usename<->CN mapping @@ -169,24 +158,23 @@ // determine username from OID fingerprint StringBuilder an = new StringBuilder(); for (String oid : usernameOIDs) { String val = getOIDValue(oid.toUpperCase(), oids); String val = metadata.getOID(oid.toUpperCase(), null); if (val != null) { an.append(val).append(' '); } } user.username = an.toString().trim(); // extract email address, if available user.emailAddress = getOIDValue("E", oids); if (user.emailAddress == null) { user.emailAddress = getOIDValue("EMAILADDRESS", oids); } return user; } private static String getOIDValue(String oid, Map<String, String> oids) { if (oids.containsKey(oid)) { return oids.get(oid); public static X509Metadata getCertificateMetadata(HttpServletRequest httpRequest) { if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) { X509Certificate[] certChain = (X509Certificate[]) httpRequest .getAttribute("javax.servlet.request.X509Certificate"); if (certChain != null) { X509Certificate cert = certChain[0]; return X509Utils.getMetadata(cert); } } return null; } src/com/gitblit/utils/X509Utils.java
@@ -183,6 +183,9 @@ // displayname of user for README in bundle public String userDisplayname; // serialnumber of generated or read certificate public String serialNumber; public X509Metadata(String cn, String pwd) { if (StringUtils.isEmpty(cn)) { throw new RuntimeException("Common name required!"); @@ -562,6 +565,10 @@ saveKeyStore(targetStoreFile, serverStore, sslMetadata.password); x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName())); // update serial number in metadata object sslMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate SSL certificate!", t); @@ -622,6 +629,9 @@ saveKeyStore(storeFile, store, caMetadata.password); x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName())); // update serial number in metadata object caMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { @@ -852,6 +862,9 @@ // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); @@ -1065,4 +1078,30 @@ } return false; } public static X509Metadata getMetadata(X509Certificate cert) { // manually split DN into OID components // this is instead of parsing with LdapName which: // (1) I don't trust the order of values // (2) it filters out values like EMAILADDRESS String dn = cert.getSubjectDN().getName(); Map<String, String> oids = new HashMap<String, String>(); for (String kvp : dn.split(",")) { String [] val = kvp.trim().split("="); String oid = val[0].toUpperCase().trim(); String data = val[1].trim(); oids.put(oid, data); } X509Metadata metadata = new X509Metadata(oids.get("CN"), "whocares"); metadata.oids.putAll(oids); metadata.serialNumber = cert.getSerialNumber().toString(); metadata.notAfter = cert.getNotAfter(); metadata.notBefore = cert.getNotBefore(); metadata.emailAddress = metadata.getOID("E", null); if (metadata.emailAddress == null) { metadata.emailAddress = metadata.getOID("EMAILADDRESS", null); } return metadata; } }
