improved client certificate checks

hhund · hhund · commit c6d3698289a5 · 2026-03-23T21:04:20.000+01:00
diff --git a/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/ClientCertificateAuthenticator.java b/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/ClientCertificateAuthenticator.java
@@ -20,6 +20,8 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
 import java.util.Objects;
 import java.util.stream.Collectors;
 
@@ -67,13 +69,21 @@ public AuthenticationState validateRequest(Request request, Response response, C
 
 		if (certificates == null || certificates.length <= 0)
 		{
-			logger.warn("X509Certificate could not be retrieved, sending unauthorized");
+			logger.warn(
+					"Client certificate could not be retrieved from jakarta request attribute, sending unauthorized");
+			return null;
+		}
+
+		if (ZonedDateTime.now()
+				.isAfter(ZonedDateTime.ofInstant(certificates[0].getNotAfter().toInstant(), ZoneOffset.UTC)))
+		{
+			logger.warn("Client certificates expired, sending unauthorized");
 			return null;
 		}
 
 		try
 		{
-			x509TrustManager.checkClientTrusted(certificates, "RSA");
+			x509TrustManager.checkClientTrusted(certificates, "UNKNOWN");
 		}
 		catch (CertificateException e)
 		{

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@`
`20`	`20`	`import java.security.NoSuchAlgorithmException;`
`21`	`21`	`import java.security.cert.CertificateException;`
`22`	`22`	`import java.security.cert.X509Certificate;`
	`23`	`+import java.time.ZoneOffset;`
	`24`	`+import java.time.ZonedDateTime;`
`23`	`25`	`import java.util.Objects;`
`24`	`26`	`import java.util.stream.Collectors;`
`25`	`27`
`@@ -67,13 +69,21 @@ public AuthenticationState validateRequest(Request request, Response response, C`
`67`	`69`
`68`	`70`	`if (certificates == null \|\| certificates.length <= 0)`
`69`	`71`	`{`
`70`		`- logger.warn("X509Certificate could not be retrieved, sending unauthorized");`
	`72`	`+ logger.warn(`
	`73`	`+ "Client certificate could not be retrieved from jakarta request attribute, sending unauthorized");`
	`74`	`+ return null;`
	`75`	`+ }`
	`76`	`+`
	`77`	`+ if (ZonedDateTime.now()`
	`78`	`+ .isAfter(ZonedDateTime.ofInstant(certificates[0].getNotAfter().toInstant(), ZoneOffset.UTC)))`
	`79`	`+ {`
	`80`	`+ logger.warn("Client certificates expired, sending unauthorized");`
`71`	`81`	`return null;`
`72`	`82`	`}`
`73`	`83`
`74`	`84`	`try`
`75`	`85`	`{`
`76`		`- x509TrustManager.checkClientTrusted(certificates, "RSA");`
	`86`	`+ x509TrustManager.checkClientTrusted(certificates, "UNKNOWN");`
`77`	`87`	`}`
`78`	`88`	`catch (CertificateException e)`
`79`	`89`	`{`