
Fix: Possible Race Condition when Hashing Client Certificates (#254)
Co-authored-by: Felix Dittrich <[email protected]>
mschulte-tsi and f11h authored Dec 15, 2021
1 parent 32735e3 commit 1f5cd07
Showing 1 changed file with 5 additions and 11 deletions.
Expand Up @@ -21,26 +21,23 @@

package app.coronawarn.verification.config;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.stream.Stream;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
Expand Down Expand Up @@ -98,16 +95,13 @@ public UserDetailsService userDetailsService() {

private static class ThumbprintX509PrincipalExtractor implements X509PrincipalExtractor {

MessageDigest messageDigest;

private ThumbprintX509PrincipalExtractor() throws NoSuchAlgorithmException {
messageDigest = MessageDigest.getInstance("SHA-256");
}

@Override
public Object extractPrincipal(X509Certificate x509Certificate) {

try {
return String.valueOf(Hex.encode(messageDigest.digest(x509Certificate.getEncoded())));
String hash = DigestUtils.sha256Hex(x509Certificate.getEncoded());
log.debug("Accessed by Subject {} Hash {}", x509Certificate.getSubjectDN().getName(), hash);
return hash;
} catch (CertificateEncodingException e) {
log.error("Failed to extract bytes from certificate");
return null;
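Review bot: The new debug line `log.debug("Accessed by Subject {} Hash {}", x509Certificate.getSubjectDN().getName(), hash)` uses `getSubjectDN()`, which the JDK documents as denigrated in favour of `getSubjectX500Principal()`; prefer `x509Certificate.getSubjectX500Principal().getName()` so the logged name has the stable RFC 2253 form instead of an implementation-specific string. The move to `DigestUtils.sha256Hex(...)` removes the shared, non-thread-safe `MessageDigest` field that the commit title names as the race, but nothing in the code records why a per-call hash is used; a comment such as `// MessageDigest is stateful and not thread-safe: hash per call rather than sharing one instance` would keep a later change from reintroducing the field. The `catch` block logs without the exception and returns null, which the X509 filter presumably treats as "no principal"; passing `e` as the last argument of `log.error` would preserve the cause. Those lines are context here, and `extractPrincipal` ends outside the hunk.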
