Client Certificate Usage Question

During testing of a newer version of Payara 5, we noticed a log message as follows. (NB: I have edited to hide some specific details but can provide the full logs if required). After some investigation, this appears to be generated by nucleus/security/core/src/main/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java:194 and the log is output to warn that a certificate cannot be found to check.

[2023-06-28T14:40:00.106+0100] [Payara 5.2022.3] [WARNING] [] [javax.enterprise.system.core.security] [tid: _ThreadID=153 _ThreadName=http-thread-pool::jk-listener(12)] [timeMillis: 1687959600106]
 [levelValue: 900] [[
  No X509Certificate found(subject=Subject:
        Principal: intranet
        Public Credential: CN=client 68d7c7d2-fe79-44ba-84ed-aa387ab409d3
        Public Credential: [[
[
  Version: V3
  Subject: CN=client 68d7c7d2-fe79-44ba-84ed-aa387ab409d3
  Validity: [From: Tue May 30 08:44:46 BST 2023,
               To: Sat Jul 29 08:44:46 BST 2023]
  Issuer: CN=Client CA
]]
, principal=CN=client 68d7c7d2-fe79-44ba-84ed-aa387ab409d3)]]

This appears to be because the X500 principal CN=client 68d7c7d2-fe79-44ba-84ed-aa387ab409d3 (the subject of the certificate) is not also the issuer of the certificate (otherwise the x509 certificate would be returned by CertificateRealm.getCertificateFromSubject(Subject, X500Principal)).
Is this correct behaviour? This would seem to exclude any client certificate that is not self-signed.

For more context, we hold a root CA and an intermediate client CA (signed by root CA) and the client holds a client certificate (signed by client CA). Our application is configured so that any certificate signed by the client CA will be given the “intranet” role and this role is required to call web services.

The problem seems to be that getCertificateFromSubject is ultimately checking for if (principal.equals(certificate.getIssuerX500Principal())) {result = certificate;}. This seems incorrect and that the check should be against the certificate Subject X500Principal.

1 Like
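To make the behaviour described above concrete, the following is an added example (not Payara's code and not from the original post) that models the two candidate comparisons in CertificateRealm.getCertificateFromSubject over a JAAS-style Subject: the issuer-based comparison quoted from the source beside a subject-based one. It assumes the Python `cryptography` package is installed; the root CA, intermediate "Client CA" and the client certificate are generated in memory with constructed names that mirror the CNs in the log, and the signature-verification helper is an assumption used only to show that the CA-signed certificate is chain-valid even though the issuer-based lookup rejects it.

```python
"""Model of the lookup in CertificateRealm.getCertificateFromSubject.

Constructed example: root CA -> intermediate client CA -> client certificate
(plus a self-signed client certificate) generated in memory with the
`cryptography` package. Names mirror the CNs in the log above.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cn, issuer_key, subject_key, is_ca):
    """Issue a certificate for subject_cn signed with issuer_key (constructed PKI)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=60))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key (assumed helper)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def cert_by_issuer(public_credentials, principal):
    """The comparison the post quotes: match the principal against the cert's ISSUER.
    Only a self-signed certificate (subject == issuer) can satisfy this."""
    for cred in public_credentials:
        if isinstance(cred, x509.Certificate) and cred.issuer == principal:
            return cred
    return None


def cert_by_subject(public_credentials, principal):
    """The comparison the post argues for: match against the cert's SUBJECT."""
    for cred in public_credentials:
        if isinstance(cred, x509.Certificate) and cred.subject == principal:
            return cred
    return None


def run_checks():
    """Apply both comparisons to a CA-signed and a self-signed client cert.

    Returns {label: {"issuer_check": bool, "subject_check": bool, "chain_valid": bool}}
    where the booleans say whether a certificate was found / the chain verifies.
    """
    root_key = ec.generate_private_key(ec.SECP256R1())
    client_ca_key = ec.generate_private_key(ec.SECP256R1())
    client_key = ec.generate_private_key(ec.SECP256R1())
    client_cn = "client 68d7c7d2-fe79-44ba-84ed-aa387ab409d3"  # from the log above

    root_cert = issue("Root CA", "Root CA", root_key, root_key, True)
    client_ca_cert = issue("Client CA", "Root CA", root_key, client_ca_key, True)
    ca_signed = issue(client_cn, "Client CA", client_ca_key, client_key, False)
    self_signed = issue(client_cn, client_cn, client_key, client_key, False)

    principal = _name(client_cn)
    scenarios = {
        # Mirrors the Subject in the log: X500 name and certificate are both
        # public credentials; chain_valid is checked against the real issuer.
        "ca_signed": ([principal, ca_signed],
                      signed_by(ca_signed, client_ca_cert) and signed_by(client_ca_cert, root_cert)),
        "self_signed": ([principal, self_signed], signed_by(self_signed, self_signed)),
    }
    results = {}
    for label, (creds, chain_valid) in scenarios.items():
        results[label] = {
            "issuer_check": cert_by_issuer(creds, principal) is not None,
            "subject_check": cert_by_subject(creds, principal) is not None,
            "chain_valid": chain_valid,
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(label, outcome)
```

The CA-signed client certificate verifies against the intermediate and root, yet the issuer-based lookup returns nothing for it, which is exactly the "No X509Certificate found" case in the log; the subject-based lookup finds it, and a self-signed certificate passes either comparison because its subject and issuer are the same DN.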

I agree this definitely looks like a bug; the blame shows that specific code was changed only 2 years ago. I suggest you open a bug issue for it on their GitHub (Issues · payara/Payara · GitHub).