I use a Tomcat HTTP connector with client authentication. If a client starts a new connection to my server and sends its certificate, can I get the certificate and read the common name from the incoming certificate in my Java code? If yes, how?
Thanks, adi
You can get the client certificate chain by getting the `javax.servlet.request.X509Certificate` attribute on your `HttpServletRequest`. This is an array of `X509Certificate`s where the first one (position 0) is the actual client certificate (the rest of the chain may be present if intermediate CA certificates are required). You can then get the various RDNs (relative distinguished names) in this principal (e.g. CN) as described in this answer:
(You could also use BouncyCastle's `X509Name` to get each RDN.) In an X.509 certificate, the Subject DN is an ordered sequence of RDNs, each of which is a set of AVAs (Attribute Value Assertions), for example `CN=...` or `O=...`. In principle, there can be multiple AVAs per RDN, which would cause problems here, but this is very rare. You can almost always assume that there is only one AVA per RDN. (Perhaps this answer might be of interest.)