From 4652fd4fcdea5792d0623d6e02bbfbb766c1b5e2 Mon Sep 17 00:00:00 2001
From: Sven-Torben Janus
Date: Fri, 4 Dec 2020 08:00:08 +0100
Subject: [PATCH] KEYCLOAK-16540 X.509 Authentication logs Exception when no client cert

When no client cert is present the variable clientCert is null. In this case the log statement leads to a NPE which then gets logged as an error.
---
 .../services/x509/NginxProxySslClientCertificateLookup.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java b/services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java
index a27796f754..7448f7c7fe 100644
--- a/services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java
+++ b/services/src/main/java/org/keycloak/services/x509/NginxProxySslClientCertificateLookup.java
@@ -123,10 +123,10 @@ public class NginxProxySslClientCertificateLookup extends AbstractClientCertific
 // Get the client certificate
 X509Certificate clientCert = getCertificateFromHttpHeader(httpRequest, sslClientCertHttpHeader);
- log.debugf("End user certificate found : Subject DN=[%s] SerialNumber=[%s]", clientCert.getSubjectDN().toString(), clientCert.getSerialNumber().toString() );
-
+
 if (clientCert != null) {
-
+ log.debugf("End user certificate found : Subject DN=[%s] SerialNumber=[%s]", clientCert.getSubjectDN(), clientCert.getSerialNumber());
+
 // Rebuilding the end user certificate chain using Keycloak Truststore
 X509Certificate[] certChain = buildChain(clientCert);
 if ( certChain == null || certChain.length == 0 ) {
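Review bot: The debug line that now sits inside `if (clientCert != null)` is still emitted before `buildChain(clientCert)` runs, so the Subject DN and serial number it records come from a certificate that was only parsed from the `sslClientCertHttpHeader` request header and has not yet been checked against the truststore. Anyone reading "End user certificate found" in a log could take it for an established identity; wording such as `log.debugf("Client certificate received from proxy header, chain not yet verified: Subject DN=[%s] SerialNumber=[%s]", ...)` makes the trust state explicit. On the same line, `getSubjectDN()` is the denigrated accessor, and `clientCert.getSubjectX500Principal()` is the portable replacement. The enclosing method starts and ends outside the hunk, so whether the no-certificate path logs anything cannot be seen here.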