NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit75ec5e7

committed

Add notBefore and notAfter to SSL cert info display

This adds the X509 attributes notBefore and notAfter to sslinfoas well as pg_stat_ssl to allow verifying and identifying thevalidity period of the current client certificate.Author: Cary Huang <cary.huang@highgo.ca>Discussion:https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca

1 parent40fad96 commit75ec5e7Copy full SHA for 75ec5e7

File tree

18 files changed

+246

-33

lines changed

contrib/sslinfo
doc/src/sgml
- monitoring.sgml
- sslinfo.sgml
src
- backend
  - catalog
    - system_views.sql
  - libpq
    - be-secure-openssl.c
  - utils
    - activity
      - backend_status.c
    - adt
      - pgstatfuncs.c
- include
  - catalog
    - catversion.h
    - pg_proc.dat
  - libpq
    - libpq-be.h
  - utils
    - backend_status.h
- test
  - regress/expected
    - rules.out
  - ssl/t
    - 001_ssltests.pl
    - 003_sslinfo.pl

18 files changed

+246

-33

lines changed

`‎contrib/sslinfo/Makefile‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ OBJS = \`
`6`	`6`	`sslinfo.o`
`7`	`7`
`8`	`8`	`EXTENSION = sslinfo`
`9`		`-DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql`
	`9`	`+DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql`
`10`	`10`	`PGFILEDESC = "sslinfo - information about client SSL certificate"`
`11`	`11`
`12`	`12`	`ifdefUSE_PGXS`

`‎contrib/sslinfo/meson.build‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ install_data(`
`26`	`26`	`'sslinfo--1.0--1.1.sql',`
`27`	`27`	`'sslinfo--1.1--1.2.sql',`
`28`	`28`	`'sslinfo--1.2.sql',`
	`29`	`+'sslinfo--1.2--1.3.sql',`
`29`	`30`	`'sslinfo.control',`
`30`	`31`	`kwargs: contrib_data_args,`
`31`	`32`	`)`

`‎contrib/sslinfo/sslinfo--1.2--1.3.sql‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+/* contrib/sslinfo/sslinfo--1.2--1.3.sql*/`
	`2`	`+`
	`3`	`+-- complain if script is sourced in psql, rather than via CREATE EXTENSION`
	`4`	`+\echo Use"CREATE EXTENSION sslinfo" to load this file. \quit`
	`5`	`+`
	`6`	`+CREATEFUNCTIONssl_client_get_notbefore() RETURNStimestamp`
	`7`	`+AS'MODULE_PATHNAME','ssl_client_get_notbefore'`
	`8`	`+LANGUAGE C STRICT PARALLEL RESTRICTED;`
	`9`	`+`
	`10`	`+CREATEFUNCTIONssl_client_get_notafter() RETURNStimestamp`
	`11`	`+AS'MODULE_PATHNAME','ssl_client_get_notafter'`
	`12`	`+LANGUAGE C STRICT PARALLEL RESTRICTED;`

`‎contrib/sslinfo/sslinfo.c‎`

Lines changed: 67 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`#include"libpq/libpq-be.h"`
`19`	`19`	`#include"miscadmin.h"`
`20`	`20`	`#include"utils/builtins.h"`
	`21`	`+#include"utils/timestamp.h"`
`21`	`22`
`22`	`23`	`/*`
`23`	`24`	`* On Windows, <wincrypt.h> includes a #define for X509_NAME, which breaks our`
`@@ -34,6 +35,7 @@ PG_MODULE_MAGIC;`
`34`	`35`
`35`	`36`	`staticDatumX509_NAME_field_to_text(X509_NAMEname,textfieldName);`
`36`	`37`	`staticDatumASN1_STRING_to_text(ASN1_STRING*str);`
	`38`	`+staticDatumASN1_TIME_to_timestamp(ASN1_TIME*time);`
`37`	`39`
`38`	`40`	`/*`
`39`	`41`	`* Function context for data persisting over repeated calls.`
`@@ -225,6 +227,39 @@ X509_NAME_field_to_text(X509_NAME name, text fieldName)`
`225`	`227`	`}`
`226`	`228`
`227`	`229`
	`230`	`+/*`
	`231`	`+ * Converts OpenSSL ASN1_TIME structure into timestamp`
	`232`	`+ *`
	`233`	`+ * Parameter: time - OpenSSL ASN1_TIME structure.`
	`234`	`+ *`
	`235`	`+ * Returns Datum, which can be directly returned from a C language SQL`
	`236`	`+ * function.`
	`237`	`+ */`
	`238`	`+staticDatum`
	`239`	`+ASN1_TIME_to_timestamp(ASN1_TIME*time)`
	`240`	`+{`
	`241`	`+structtmtm_time;`
	`242`	`+structpg_tmpgtm_time;`
	`243`	`+Timestampts;`
	`244`	`+`
	`245`	`+ASN1_TIME_to_tm(time,&tm_time);`
	`246`	`+`
	`247`	`+pgtm_time.tm_sec=tm_time.tm_sec;`
	`248`	`+pgtm_time.tm_min=tm_time.tm_min;`
	`249`	`+pgtm_time.tm_hour=tm_time.tm_hour;`
	`250`	`+pgtm_time.tm_mday=tm_time.tm_mday;`
	`251`	`+pgtm_time.tm_mon=tm_time.tm_mon+1;`
	`252`	`+pgtm_time.tm_year=tm_time.tm_year+1900;`
	`253`	`+`
	`254`	`+if (tm2timestamp(&pgtm_time,0,NULL,&ts))`
	`255`	`+ereport(ERROR,`
	`256`	`+(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
	`257`	`+errmsg("failed to convert tm to timestamp")));`
	`258`	`+`
	`259`	`+PG_RETURN_TIMESTAMP(ts);`
	`260`	`+}`
	`261`	`+`
	`262`	`+`
`228`	`263`	`/*`
`229`	`264`	`* Returns specified field of client certificate distinguished name`
`230`	`265`	`*`
`@@ -482,3 +517,35 @@ ssl_extension_info(PG_FUNCTION_ARGS)`
`482`	`517`	`/* All done */`
`483`	`518`	`SRF_RETURN_DONE(funcctx);`
`484`	`519`	`}`
	`520`	`+`
	`521`	`+/*`
	`522`	`+ * Returns current client certificate notBefore timestamp in`
	`523`	`+ * timestamp data type`
	`524`	`+ */`
	`525`	`+PG_FUNCTION_INFO_V1(ssl_client_get_notbefore);`
	`526`	`+Datum`
	`527`	`+ssl_client_get_notbefore(PG_FUNCTION_ARGS)`
	`528`	`+{`
	`529`	`+X509*cert=MyProcPort->peer;`
	`530`	`+`
	`531`	`+if (!MyProcPort->ssl_in_use\|\| !MyProcPort->peer_cert_valid)`
	`532`	`+PG_RETURN_NULL();`
	`533`	`+`
	`534`	`+returnASN1_TIME_to_timestamp(X509_get_notBefore(cert));`
	`535`	`+}`
	`536`	`+`
	`537`	`+/*`
	`538`	`+ * Returns current client certificate notAfter timestamp in`
	`539`	`+ * timestamp data type`
	`540`	`+ */`
	`541`	`+PG_FUNCTION_INFO_V1(ssl_client_get_notafter);`
	`542`	`+Datum`
	`543`	`+ssl_client_get_notafter(PG_FUNCTION_ARGS)`
	`544`	`+{`
	`545`	`+X509*cert=MyProcPort->peer;`
	`546`	`+`
	`547`	`+if (!MyProcPort->ssl_in_use\|\| !MyProcPort->peer_cert_valid)`
	`548`	`+PG_RETURN_NULL();`
	`549`	`+`
	`550`	`+returnASN1_TIME_to_timestamp(X509_get_notAfter(cert));`
	`551`	`+}`

`‎contrib/sslinfo/sslinfo.control‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`# sslinfo extension`
`2`	`2`	`comment = 'information about SSL certificates'`
`3`		`-default_version = '1.2'`
	`3`	`+default_version = '1.3'`
`4`	`4`	`module_pathname = '$libdir/sslinfo'`
`5`	`5`	`relocatable = true`

`‎doc/src/sgml/monitoring.sgml‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2257,6 +2257,26 @@ SELECT pid, wait_event_type, wait_event FROM pg_stat_activity WHERE wait_event i`
`2257`	`2257`	`This field is truncated like <structfield>client_dn</structfield>.`
`2258`	`2258`	`</para></entry>`
`2259`	`2259`	`</row>`
	`2260`	`+`
	`2261`	`+ <row>`
	`2262`	`+ <entry role="catalog_table_entry"><para role="column_definition">`
	`2263`	`+ <structfield>not_before</structfield> <type>text</type>`
	`2264`	`+ </para>`
	`2265`	`+ <para>`
	`2266`	`+ Not before UTC timestamp of the client certificate, or NULL if no client`
	`2267`	`+ certificate was supplied.`
	`2268`	`+ </para></entry>`
	`2269`	`+ </row>`
	`2270`	`+`
	`2271`	`+ <row>`
	`2272`	`+ <entry role="catalog_table_entry"><para role="column_definition">`
	`2273`	`+ <structfield>not_after</structfield> <type>text</type>`
	`2274`	`+ </para>`
	`2275`	`+ <para>`
	`2276`	`+ Not after UTC timestamp of the client certificate, or NULL if no client`
	`2277`	`+ certificate was supplied.`
	`2278`	`+ </para></entry>`
	`2279`	`+ </row>`
`2260`	`2280`	`</tbody>`
`2261`	`2281`	`</tgroup>`
`2262`	`2282`	`</table>`

`‎doc/src/sgml/sslinfo.sgml‎`

Lines changed: 30 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -240,6 +240,36 @@ emailAddress`
`240`	`240`	`</para>`
`241`	`241`	`</listitem>`
`242`	`242`	`</varlistentry>`
	`243`	`+`
	`244`	`+ <varlistentry>`
	`245`	`+ <term>`
	`246`	`+ <function>ssl_client_get_notbefore() returns text</function>`
	`247`	`+ <indexterm>`
	`248`	`+ <primary>ssl_client_get_notbefore</primary>`
	`249`	`+ </indexterm>`
	`250`	`+ </term>`
	`251`	`+ <listitem>`
	`252`	`+ <para>`
	`253`	`+ Return the <structfield>not before</structfield> UTC timestamp of the client`
	`254`	`+ certificate.`
	`255`	`+ </para>`
	`256`	`+ </listitem>`
	`257`	`+ </varlistentry>`
	`258`	`+`
	`259`	`+ <varlistentry>`
	`260`	`+ <term>`
	`261`	`+ <function>ssl_client_get_notafter() returns text</function>`
	`262`	`+ <indexterm>`
	`263`	`+ <primary>ssl_client_get_notafter</primary>`
	`264`	`+ </indexterm>`
	`265`	`+ </term>`
	`266`	`+ <listitem>`
	`267`	`+ <para>`
	`268`	`+ Return the <structfield>not after</structfield> UTC timestamp of the client`
	`269`	`+ certificate.`
	`270`	`+ </para>`
	`271`	`+ </listitem>`
	`272`	`+ </varlistentry>`
`243`	`273`	`</variablelist>`
`244`	`274`	`</sect2>`
`245`	`275`

`‎src/backend/catalog/system_views.sql‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -970,7 +970,9 @@ CREATE VIEW pg_stat_ssl AS`
`970`	`970`	`S.sslbitsAS bits,`
`971`	`971`	`S.ssl_client_dnAS client_dn,`
`972`	`972`	`S.ssl_client_serialAS client_serial,`
`973`		`-S.ssl_issuer_dnAS issuer_dn`
	`973`	`+S.ssl_issuer_dnAS issuer_dn,`
	`974`	`+S.ssl_not_beforeAS not_before,`
	`975`	`+S.ssl_not_afterAS not_after`
`974`	`976`	`FROM pg_stat_get_activity(NULL)AS S`
`975`	`977`	`WHERES.client_portIS NOT NULL;`
`976`	`978`

`‎src/backend/libpq/be-secure-openssl.c‎`

Lines changed: 47 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@`
`36`	`36`	`#include"tcop/tcopprot.h"`
`37`	`37`	`#include"utils/builtins.h"`
`38`	`38`	`#include"utils/memutils.h"`
	`39`	`+#include"utils/timestamp.h"`
`39`	`40`
`40`	`41`	`/*`
`41`	`42`	`* These SSL-related #includes must come after all system-provided headers.`
`@@ -72,6 +73,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);`
`72`	`73`	`staticconstchar*SSLerrmessage(unsigned longecode);`
`73`	`74`
`74`	`75`	`staticcharX509_NAME_to_cstring(X509_NAMEname);`
	`76`	`+staticTimestampASN1_TIME_to_timestamp(ASN1_TIME*time);`
`75`	`77`
`76`	`78`	`staticSSL_CTX*SSL_context=NULL;`
`77`	`79`	`staticboolSSL_initialized= false;`
`@@ -1406,6 +1408,24 @@ be_tls_get_peer_issuer_name(Port port, char ptr, size_t len)`
`1406`	`1408`	`ptr[0]='\0';`
`1407`	`1409`	`}`
`1408`	`1410`
	`1411`	`+void`
	`1412`	`+be_tls_get_peer_not_before(Portport,Timestampptr)`
	`1413`	`+{`
	`1414`	`+if (port->peer)`
	`1415`	`+*ptr=ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer));`
	`1416`	`+else`
	`1417`	`+*ptr=0;`
	`1418`	`+}`
	`1419`	`+`
	`1420`	`+void`
	`1421`	`+be_tls_get_peer_not_after(Portport,Timestampptr)`
	`1422`	`+{`
	`1423`	`+if (port->peer)`
	`1424`	`+*ptr=ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer));`
	`1425`	`+else`
	`1426`	`+*ptr=0;`
	`1427`	`+}`
	`1428`	`+`
`1409`	`1429`	`void`
`1410`	`1430`	`be_tls_get_peer_serial(Portport,charptr,size_tlen)`
`1411`	`1431`	`{`
`@@ -1549,6 +1569,33 @@ X509_NAME_to_cstring(X509_NAME *name)`
`1549`	`1569`	`returnresult;`
`1550`	`1570`	`}`
`1551`	`1571`
	`1572`	`+/*`
	`1573`	`+ * Convert an ASN1_TIME to a Timestamp`
	`1574`	`+ */`
	`1575`	`+staticTimestamp`
	`1576`	`+ASN1_TIME_to_timestamp(ASN1_TIME*time)`
	`1577`	`+{`
	`1578`	`+structtmtm_time;`
	`1579`	`+structpg_tmpgtm_time;`
	`1580`	`+Timestampts;`
	`1581`	`+`
	`1582`	`+ASN1_TIME_to_tm(time,&tm_time);`
	`1583`	`+`
	`1584`	`+pgtm_time.tm_sec=tm_time.tm_sec;`
	`1585`	`+pgtm_time.tm_min=tm_time.tm_min;`
	`1586`	`+pgtm_time.tm_hour=tm_time.tm_hour;`
	`1587`	`+pgtm_time.tm_mday=tm_time.tm_mday;`
	`1588`	`+pgtm_time.tm_mon=tm_time.tm_mon+1;`
	`1589`	`+pgtm_time.tm_year=tm_time.tm_year+1900;`
	`1590`	`+`
	`1591`	`+if (tm2timestamp(&pgtm_time,0,NULL,&ts))`
	`1592`	`+ereport(ERROR,`
	`1593`	`+(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
	`1594`	`+errmsg("timestamp out of range")));`
	`1595`	`+`
	`1596`	`+returnts;`
	`1597`	`+}`
	`1598`	`+`
`1552`	`1599`	`/*`
`1553`	`1600`	`* Convert TLS protocol version GUC enum to OpenSSL values`
`1554`	`1601`	`*`

`‎src/backend/utils/activity/backend_status.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -367,6 +367,8 @@ pgstat_bestart(void)`
`367`	`367`	`be_tls_get_peer_subject_name(MyProcPort,lsslstatus.ssl_client_dn,NAMEDATALEN);`
`368`	`368`	`be_tls_get_peer_serial(MyProcPort,lsslstatus.ssl_client_serial,NAMEDATALEN);`
`369`	`369`	`be_tls_get_peer_issuer_name(MyProcPort,lsslstatus.ssl_issuer_dn,NAMEDATALEN);`
	`370`	`+be_tls_get_peer_not_before(MyProcPort,&lsslstatus.ssl_not_before);`
	`371`	`+be_tls_get_peer_not_after(MyProcPort,&lsslstatus.ssl_not_after);`
`370`	`372`	`}`
`371`	`373`	`else`
`372`	`374`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit75ec5e7

File tree

18 files changed

18 files changed

`‎contrib/sslinfo/Makefile‎`

`‎contrib/sslinfo/meson.build‎`

`‎contrib/sslinfo/sslinfo--1.2--1.3.sql‎`

`‎contrib/sslinfo/sslinfo.c‎`

`‎contrib/sslinfo/sslinfo.control‎`

`‎doc/src/sgml/monitoring.sgml‎`

`‎doc/src/sgml/sslinfo.sgml‎`

`‎src/backend/catalog/system_views.sql‎`

`‎src/backend/libpq/be-secure-openssl.c‎`

`‎src/backend/utils/activity/backend_status.c‎`

0 commit comments