public void setX509UserIdentifierRetrieveField(String userIdentifierRetrieveField);

    public void setX509UserIdentifierRetrieveFieldPart(String userIdentifierRetrieveFieldPart);

    public void setX509UserIdentifierRetrieverClassName(String className);

/**

 * @author Michael Furman

 */

package org.apache.catalina.realm;

import java.security.cert.X509Certificate;

public interface UserIdentifierRetriever {

	String getUserIdentifier(X509Certificate clientCert);

}

/**

 * @author Michael Furman

 */

package org.apache.catalina.realm;

import java.security.cert.X509Certificate;

import java.util.List;

import javax.naming.InvalidNameException;

import javax.naming.ldap.LdapName;

import javax.naming.ldap.Rdn;

import org.apache.juli.logging.Log;

import org.apache.juli.logging.LogFactory;

public class SubjectDnRetriever implements UserIdentifierRetriever {

	/**

	 * Logger for this class

	 */

	protected final Log logger = LogFactory.getLog(getClass());	

	private String subjectDnAttribute = null;

	private String subjectDnAttributeConfiguration = null;

    protected SubjectDnRetriever() {

        setSubjectDnAttribute(null);

    }

    protected SubjectDnRetriever(String retrieveAttr) {

        setSubjectDnAttribute(retrieveAttr);

    }

    public String getUserIdentifier(X509Certificate clientCert) {

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - start");

		}

		String subject = getSubjectDN(clientCert);

		String userIdentifier = null;

		if (subject != null) {

			if (logger.isDebugEnabled()) {

				logger.debug("Subject is [" + subject + "].");

			}

			if (subjectDnAttribute == null) {

				if (logger.isDebugEnabled()) {

					logger.debug("subjectDnAttribute is null, so return the whole subject.");

				}

				userIdentifier = subject;

			} else {

				try {

					boolean foundUserIdentifier = false;

					LdapName ldapName = new LdapName(subject);

					List<Rdn> list = ldapName.getRdns();

					if (list != null) {

						for (Rdn rdn : list) {

							String type = rdn.getType();

							if (subjectDnAttribute.equalsIgnoreCase(type.toString()))  {

								Object value = rdn.getValue();

								if (value instanceof String) {

									userIdentifier = (String) value;

									foundUserIdentifier = true;									

									if (logger.isDebugEnabled()) {

										logger.debug("Success to retreive userIdentifier [" + userIdentifier + "].");

									}

									break;

								}		

							}

						}

					}					

					if (!foundUserIdentifier) {

						if (logger.isDebugEnabled()) {

							logger.debug("subject [" + subject + "] does not contain the required attribute [" + subjectDnAttributeConfiguration + "].");

						}	

					}

				} catch (InvalidNameException e) {					

					logger.info("subject [" + subject + "] is not valid name : [" + e.getMessage() + "].");

				}				

			}

		}

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - end; Ret is [" + userIdentifier + "].");

		}

        return userIdentifier;

    }

    private void setSubjectDnAttribute(String subjectDnAttributeConfiguration) {

		if (logger.isDebugEnabled()) {

			logger.debug("setSubjectDnAttribute(String) - start; subjectDnAttribute [" +  subjectDnAttributeConfiguration + "].");

		}

		this.subjectDnAttributeConfiguration = subjectDnAttributeConfiguration;

		subjectDnAttribute = mapSubjectDnAttribute(subjectDnAttributeConfiguration);

		if (logger.isDebugEnabled()) {

			logger.debug("setSubjectDnAttribute(String) - end; subjectDnAttribute [" +  subjectDnAttribute + "]; subjectDnAttributeConfiguration [" +  subjectDnAttributeConfiguration + "]");

		}

    }

	private String  mapSubjectDnAttribute(String subjectDnAttributeConfiguration) {

		String ret = null;

		if (subjectDnAttributeConfiguration != null) {

			if (ClientCertificateConstants.EmailOptions.contains(subjectDnAttributeConfiguration.toLowerCase()))  {

				ret = ClientCertificateConstants.EMAIL_SUBJECT_ATTR;				

			} else {

				ret = subjectDnAttributeConfiguration;

			}

		}

		return ret;

	}

	protected String getSubjectDN(X509Certificate clientCert) {

		if (logger.isDebugEnabled()) {

			logger.debug("getSubjectDN(X509Certificate) - start");

		}

		String subject = null;

		if (clientCert != null) {

			if ((clientCert.getSubjectDN()!= null) 

					&& (clientCert.getSubjectDN().getName() != null)) {

					subject = clientCert.getSubjectDN().getName();

			}  else {

				if (logger.isDebugEnabled()) {

					logger.debug("Can not getSubjectDN, SubjectDN is null");

				}

			}

		} else {

			if (logger.isDebugEnabled()) {

				logger.debug("Can not getSubjectDN, clientCert is null");

			}

		}			

		if (logger.isDebugEnabled()) {

			logger.debug("getSubjectDN(X509Certificate) - end; Ret is [" + subject + "].");

		}

        return subject;

	}

}

/**

 * @author Michael Furman

 */

package org.apache.catalina.realm;

import java.util.Arrays;

import java.util.List;

public class ClientCertificateConstants {

	public enum UserIdentifierRetrieveField {

		SubjectDN, SubjectAlternativeName;		

		public boolean equals(final String str) {

			return name().equals(str);

		}

	}	

	public static final String EMAIL_SUBJECT_ATTR = "emailAddress";

	public enum SubjectAlternativeNameGeneralNames {

		otherName, // byte arrays containing the ASN.1 DER encoded form 

		rfc822Name, // String

		dNSName, // String

		x400Address, // byte arrays containing the ASN.1 DER encoded form 

		directoryName, // String: RFC 2253 string format

		ediPartyName, // byte arrays containing the ASN.1 DER encoded form 

		uniformResourceIdentifier, // String

		iPAddress, // String: IPv4 address - dotted quad notation, IPv6 address - form "a1:a2:...:a8"

		registeredID;

		public boolean equals(final String str) {

			return name().equals(str);

		}

		public boolean equalsIgnoreCase(final String str) {

			return name().equalsIgnoreCase(str);

		}

	}

	// !!! important - set value only in lower case !!!

	// SubjectDN

	public static final List<String> EmailOptions = Arrays.asList(EMAIL_SUBJECT_ATTR.toLowerCase(), "e") ;

	// Subject Alternative Name

	public static final List<String> OtherNameOptions = Arrays.asList("other name", "principalname", "principal name", "microsoft principal name") ;

	public static final List<String> RFC822NameOptions = Arrays.asList("rfc822 name", "rfc822name", "emailaddress", "email address", "e-mail address", "e-mailaddress") ;

	public static final List<String> DNSNameOptions = Arrays.asList("dns name", "dnsname") ;

	// x400Address - empty

	public static final List<String> DirectoryNameOptions = Arrays.asList("directory address", "directory address", "x500 name", "x500name", "x.500 name", "x.500name") ;

	// ediPartyName - empty

	public static final List<String> UriOptions = Arrays.asList("url", "uri") ;

	public static final List<String> IPAddressOptions = Arrays.asList("ip address", "ipaddress");

	public static final List<String> RegisteredIDOptions = Arrays.asList("registered id", "registeredid","registered oid", "registeredoid");

}

/**

 * @author Michael Furman

 */

package org.apache.catalina.realm;

import java.security.cert.X509Certificate;

import org.apache.juli.logging.Log;

import org.apache.juli.logging.LogFactory;

public class DefaultSubjectDnRetriever implements UserIdentifierRetriever {

	/**

	 * Logger for this class

	 */

	protected final Log logger = LogFactory.getLog(getClass());	

    public String getUserIdentifier(X509Certificate clientCert) {

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - start");

		}

		String userIdentifier = clientCert.getSubjectDN().getName();

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - end; Ret is [" + userIdentifier + "].");

		}

        return userIdentifier;

    }

}

/**

 * @author Michael Furman

 */

package org.apache.catalina.realm;

import java.io.ByteArrayInputStream;

import java.security.cert.CertificateParsingException;

import java.security.cert.X509Certificate;

import java.util.Collection;

import java.util.Iterator;

import java.util.List;

import org.apache.juli.logging.Log;

import org.apache.juli.logging.LogFactory;

import org.bouncycastle.asn1.ASN1InputStream;

import org.bouncycastle.asn1.ASN1Sequence;

import org.bouncycastle.asn1.ASN1TaggedObject;

import org.bouncycastle.asn1.DERObject;

import org.bouncycastle.asn1.DERUTF8String;

public class SubjectAlternativeNameRetriever extends SubjectDnRetriever {

	private static final int NOT_EXISTING_TYPE = -1;

	/**

	 * Logger for this class

	 */

	protected final Log logger = LogFactory.getLog(getClass());

	private String alternativeIdentifierConfiguration = null; 

	private int alternativeIdentifierTypeValue = NOT_EXISTING_TYPE; 

    protected SubjectAlternativeNameRetriever(String alternativeIdentifierConfiguration) {

        setSubjectAlternativeNameGeneralName(alternativeIdentifierConfiguration);

    }

    @SuppressWarnings("unchecked")

	public String getUserIdentifier(X509Certificate clientCert) {

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - start");

		}

		String userIdentifier = null;

		if (clientCert != null) {

			if (alternativeIdentifierTypeValue != NOT_EXISTING_TYPE) {

				boolean foundUserIdentifier = false;

				try {

					if (clientCert.getSubjectAlternativeNames() != null) {

						Collection subjectAlternativeNames = clientCert.getSubjectAlternativeNames();

						Iterator iter = subjectAlternativeNames.iterator();

						while (iter.hasNext()) {

							List subjectAlternativeName = (List) iter.next();

							Integer type = (Integer) subjectAlternativeName.get(0);

							if (type.intValue() == alternativeIdentifierTypeValue) {

								Object subjectAlternativeNameValue = subjectAlternativeName.get(1);

								if (subjectAlternativeNameValue instanceof String) {

									userIdentifier = (String) subjectAlternativeNameValue;

									foundUserIdentifier = true;					

									break;

								} else if (subjectAlternativeNameValue instanceof byte[]) {

									byte[] subjectAlternativeNameValueBytes = (byte[]) subjectAlternativeNameValue;

									userIdentifier = getStringFromASNDerEncodedByteArray(subjectAlternativeNameValueBytes);

									if (userIdentifier != null) {

										foundUserIdentifier = true;

										break;

									}

								} else {

									if (logger.isInfoEnabled()) {

										logger.info("Can not get UserIdentifier, the subjectAlternativeName not supported [" + subjectAlternativeNameValue + "].");

									}

								}

							}

						}

					}

				} catch (CertificateParsingException e) {

					logger.info("Can not get UserIdentifier, can not get subjectAlternativeNames from certificate [" + e.getMessage() + "].");

				}				

				if (foundUserIdentifier) {

					if (logger.isDebugEnabled()) {

						logger.debug("Found userIdentifier [" + userIdentifier + "] from part of subjectAlternativeName [" + alternativeIdentifierConfiguration + "].");

					}

				} else {

					if (logger.isDebugEnabled()) {

						logger.debug("Can not found userIdentifier as part of subjectAlternativeName [" + alternativeIdentifierConfiguration + "].");

					}

				}

			} else {

				if (logger.isDebugEnabled()) {

					logger.debug("Can not get UserIdentifier, generalName is null");

				}

			}

		} else {

			if (logger.isDebugEnabled()) {

				logger.debug("Can not get UserIdentifier, clientCert is null");

			}

		}

		if (logger.isDebugEnabled()) {

			logger.debug("getUserIdentifier(X509Certificate) - end; Ret is [" + userIdentifier + "].");

		}

		return userIdentifier;

	}

    private void setSubjectAlternativeNameGeneralName(String alternativeIdentifierConfiguration) {

		if (logger.isDebugEnabled()) {

			logger.debug("setSubjectAlternativeNameGeneralName(String) - start; alternativeIdentifier [" +  alternativeIdentifierConfiguration + "].");

		}

		this.alternativeIdentifierConfiguration = null;

		alternativeIdentifierTypeValue = NOT_EXISTING_TYPE;

		if (alternativeIdentifierConfiguration != null) {

			this.alternativeIdentifierConfiguration = alternativeIdentifierConfiguration;

			String alternativeIdentifierConfigurationLowerCase = alternativeIdentifierConfiguration.toLowerCase();

			if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.otherName.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.OtherNameOptions.contains(alternativeIdentifierConfigurationLowerCase))) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.otherName.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.rfc822Name.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.RFC822NameOptions.contains(alternativeIdentifierConfigurationLowerCase))) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.rfc822Name.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.dNSName.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.DNSNameOptions.contains(alternativeIdentifierConfigurationLowerCase))) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.dNSName.ordinal();				

			} else if (ClientCertificateConstants.SubjectAlternativeNameGeneralNames.x400Address.equalsIgnoreCase (alternativeIdentifierConfiguration)) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.x400Address.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.directoryName.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.DirectoryNameOptions.contains(alternativeIdentifierConfigurationLowerCase))) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.directoryName.ordinal();				

			} else if (ClientCertificateConstants.SubjectAlternativeNameGeneralNames.ediPartyName.equalsIgnoreCase (alternativeIdentifierConfiguration)) {

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.ediPartyName.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.uniformResourceIdentifier.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.UriOptions.contains(alternativeIdentifierConfigurationLowerCase))) {				

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.uniformResourceIdentifier.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.iPAddress.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

					|| (ClientCertificateConstants.IPAddressOptions.contains(alternativeIdentifierConfigurationLowerCase))) {					

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.iPAddress.ordinal();				

			} else if ((ClientCertificateConstants.SubjectAlternativeNameGeneralNames.registeredID.equalsIgnoreCase (alternativeIdentifierConfiguration)) 

				|| (ClientCertificateConstants.RegisteredIDOptions.contains(alternativeIdentifierConfigurationLowerCase))) {									

				alternativeIdentifierTypeValue = ClientCertificateConstants.SubjectAlternativeNameGeneralNames.registeredID.ordinal();				

			} else {

				try {

					alternativeIdentifierTypeValue = (new Integer(alternativeIdentifierConfiguration)).intValue();

				}catch (NumberFormatException e) {

					alternativeIdentifierTypeValue = NOT_EXISTING_TYPE;

				}

			}

		}

		if (logger.isDebugEnabled()) {

			logger.debug("setSubjectAlternativeNameGeneralName(String) - end; alternativeIdentifier [" +  alternativeIdentifierConfiguration + "], alternativeIdentifierType [" +  alternativeIdentifierTypeValue + "].");

		}

    }

	private String getStringFromASNDerEncodedByteArray(byte[] byteArray) {

		if (logger.isDebugEnabled()) {

			logger.debug("getStringFromASNDerEncodedByteArray(byte[]) - start");

		}

		String ret = null;

		try {	

			ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(byteArray));

			DERObject derObject = asn1InputStream.readObject();

			ASN1Sequence asn1Sequence = ASN1Sequence.getInstance(derObject);

			Object objectValue = asn1Sequence.getObjectAt(1);

			if (objectValue instanceof ASN1TaggedObject) {

				ASN1TaggedObject asn1TaggedObject = (ASN1TaggedObject) objectValue;

				try {

					if (logger.isDebugEnabled()) {

						logger.debug("Try to get string from DERUTF8String.");

					}

					DERObject derTaggedObject = asn1TaggedObject.getObject();

					DERUTF8String derUtf8String = DERUTF8String.getInstance(derTaggedObject);

					ret = derUtf8String.getString();

				} catch (IllegalArgumentException e) {

					if (logger.isDebugEnabled()) {

						logger.debug("Can not get String From DERUTF8String, [" + e.getMessage() + "].");

					}

				}				

			}

		} catch (Exception e) {

			if (logger.isInfoEnabled()) {

				logger.info("Can not get String From ASNDerEncoded ByteArray, [" + e.getMessage() + "].");

			}

		}

		if (logger.isDebugEnabled()) {

			logger.debug("getStringFromASNDerEncodedByteArray(byte[]) - end. Ret is [" + ret + "].");

		}

		return ret;

	}

}

import org.apache.catalina.realm.ClientCertificateConstants.UserIdentifierRetrieveField;

    private UserIdentifierRetriever userIdentifierRetriever = null;

	private String x509UserIdentifierRetrieveField = null;

	private String x509UserIdentifierRetrieveFieldPart = null;

	private String x509UserIdentifierRetrieverClassName;

	public void setX509UserIdentifierRetrieveFieldPart(String userIdentifierRetrieveFieldPart) {

		this.x509UserIdentifierRetrieveFieldPart = userIdentifierRetrieveFieldPart;

	}

	public void setX509UserIdentifierRetrieveField(String userIdentifierRetrieveField) {

		this.x509UserIdentifierRetrieveField = userIdentifierRetrieveField;	

	}

	public void setX509UserIdentifierRetrieverClassName(String className) {

		 this.x509UserIdentifierRetrieverClassName = className;

	}

	private void createUserIdentifierRetriever() {

		if (userIdentifierRetriever == null) {

			boolean created = createUserIdentifierRetrieverFromClassName();				

			if (!created) {

				if (UserIdentifierRetrieveField.SubjectDN.equals(x509UserIdentifierRetrieveField)) {

					if (x509UserIdentifierRetrieveFieldPart == null) {

					     userIdentifierRetriever = new SubjectDnRetriever();		    			

					} else {

						userIdentifierRetriever = new SubjectDnRetriever(x509UserIdentifierRetrieveFieldPart);

					}			

				} else if (UserIdentifierRetrieveField.SubjectAlternativeName.equals(x509UserIdentifierRetrieveField)) {						

					if (x509UserIdentifierRetrieveFieldPart == null) {

						userIdentifierRetriever = new SubjectDnRetriever();				

						String warnString = "Can not create userIdentifierRetriever : userIdentifierRetrieveFieldPart is null when userIdentifierRetrieveField is [" + x509UserIdentifierRetrieveField + "]. userIdentifierRetriever is created for SubjectDn field.";

						log.warn(warnString);				

					} else {

						userIdentifierRetriever = new SubjectAlternativeNameRetriever(x509UserIdentifierRetrieveFieldPart);

					}

				} else {

					userIdentifierRetriever = new DefaultSubjectDnRetriever();

				}

			}

		}

	}

	@SuppressWarnings("unchecked")

	private boolean createUserIdentifierRetrieverFromClassName() {

		boolean created = false;

		if ((x509UserIdentifierRetrieverClassName != null) && (x509UserIdentifierRetrieverClassName != "")) {

			Class<? extends UserIdentifierRetriever> x509UserIdentifierRetrieverClass = null;

			try {

				x509UserIdentifierRetrieverClass = (Class<? extends UserIdentifierRetriever>) Class.forName(x509UserIdentifierRetrieverClassName);

				userIdentifierRetriever = x509UserIdentifierRetrieverClass.newInstance(); 

				created = true;

			} catch (ClassCastException e) {

				String warnString = "Class [" + x509UserIdentifierRetrieverClassName + "] is not instance of  [" + UserIdentifierRetriever.class.getSimpleName() + "].";  

				log.warn(warnString);

			} catch (ClassNotFoundException e) {

				String warnString = "Class [" + x509UserIdentifierRetrieverClassName + "] was not found.";  

				log.warn(warnString, e);

			} catch (InstantiationException e) {

				String warnString = "Cannot instantiate class [" + x509UserIdentifierRetrieverClassName + "].";  

				log.warn(warnString);

			} catch (IllegalAccessException e) {

				String warnString = "Cannot instantiate class [" + x509UserIdentifierRetrieverClassName + "].";  

				log.warn(warnString);

			}

		}

		return created;

	}