
Add notBefore and notAfter to SSL cert info display

This adds the X509 attributes notBefore and notAfter to sslinfo
as well as pg_stat_ssl to allow verifying and identifying the
validity period of the current client certificate. OpenSSL has
APIs for extracting notAfter and notBefore, but they are only
supported in recent versions so we have to calculate the dates
by hand in order to make this work for the older versions of
OpenSSL that we still support.

Original patch by Cary Huang with additional hacking by Jacob
and myself.

Author: Cary Huang <cary.huang@highgo.ca>
Co-author: Jacob Champion <jacob.champion@enterprisedb.com>
Co-author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
This commit is contained in:
Daniel Gustafsson
2024-03-22 21:25:25 +01:00
parent b670b93a66
commit 6acb0a628e
19 changed files with 308 additions and 34 deletions
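The commit message above says the validity dates are computed by hand for OpenSSL versions that lack the conversion helpers. As an added illustration for this page (not PostgreSQL's or OpenSSL's code, and not the patch's implementation), the Python below performs the equivalent conversion on the string form of the ASN.1 time an X.509 certificate carries, covering the RFC 5280 rules a hand-rolled parser must get right: the UTCTime two-digit year pivot (50-99 is 19xx, 00-49 is 20xx), GeneralizedTime for 2050 and later, the mandatory trailing Z, rejection of impossible calendar dates, and the 99991231235959Z "no well-defined expiration" sentinel. It then evaluates the validity window the way an expiry check against pg_stat_ssl.not_after would. All sample values are constructed, and the function names are mine.

```python
import re
from datetime import datetime, timezone
from typing import Optional, Union

# RFC 5280 section 4.1.2.5 validity encodings. Both forms MUST carry seconds
# and the trailing 'Z' (UTC). Dates through 2049 are UTCTime (YYMMDDHHMMSSZ),
# 2050 and later are GeneralizedTime (YYYYMMDDHHMMSSZ).
_UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GENTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# RFC 5280 4.1.2.5: this notAfter value means "no well-defined expiration date".
NO_EXPIRY_SENTINEL = "99991231235959Z"


def parse_asn1_time(value: str) -> datetime:
    """Convert an ASN.1 UTCTime or GeneralizedTime string to an aware UTC datetime."""
    m = _UTCTIME_RE.match(value)
    if m:
        yy = int(m.group(1))
        # Two-digit year pivot mandated by RFC 5280: 50..99 -> 1950..1999,
        # 00..49 -> 2000..2049.
        year = 1900 + yy if yy >= 50 else 2000 + yy
    else:
        m = _GENTIME_RE.match(value)
        if m is None:
            raise ValueError(f"not an RFC 5280 UTCTime/GeneralizedTime: {value!r}")
        year = int(m.group(1))
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    # datetime() rejects impossible dates (month 13, Feb 30); a hand-rolled
    # parser must not silently accept them.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_rfc5280_time(value: str) -> bool:
    """True if value parses as a well-formed RFC 5280 validity time."""
    try:
        parse_asn1_time(value)
    except ValueError:
        return False
    return True


def check_validity(not_before: str, not_after: str,
                   now: Optional[Union[datetime, str]] = None) -> dict:
    """Evaluate a certificate's validity window at `now`.

    `now` defaults to the current UTC time; it may also be given as an ASN.1
    time string so the check is reproducible. days_remaining goes negative
    once the certificate has expired, which is what an expiry alert keys on.
    """
    nb = parse_asn1_time(not_before)
    na = parse_asn1_time(not_after)
    if na < nb:
        raise ValueError("notAfter precedes notBefore")
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_asn1_time(now)
    elif now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    return {
        "not_before": nb,
        "not_after": na,
        "valid_now": nb <= now <= na,
        "days_remaining": (na - now).days,
        "no_expiry": not_after == NO_EXPIRY_SENTINEL,
    }


if __name__ == "__main__":
    # Constructed values, not taken from a real certificate.
    print(check_validity("240322202525Z", "250322202525Z", now="240901000000Z"))
    print(check_validity("240322202525Z", NO_EXPIRY_SENTINEL, now="240901000000Z"))
```

The pivot matters in practice: a parser that treats every two-digit year as 20xx would place a 1999 notBefore in 2099 and declare a long-expired certificate not yet valid. The sentinel check is separated from days_remaining because a certificate with the no-expiry value should not trigger a "renew within N days" alert.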


@ -2292,6 +2292,26 @@ description | Waiting for a newly initialized WAL file to reach durable storage
This field is truncated like <structfield>client_dn</structfield>.
</para></entry>
</row>
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>not_before</structfield> <type>text</type>
</para>
<para>
Not before timestamp of the client certificate, or NULL if no client
certificate was supplied.
</para></entry>
</row>
<row>
<entry role="catalog_table_entry"><para role="column_definition">
<structfield>not_after</structfield> <type>text</type>
</para>
<para>
Not after timestamp of the client certificate, or NULL if no client
certificate was supplied.
</para></entry>
</row>
</tbody>
</tgroup>
</table>
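Review bot: the new not_before and not_after rows document the columns as text but never say how the timestamp is rendered, and the same commit adds ssl_client_get_notbefore()/ssl_client_get_notafter() returning timestamptz; a monitoring query will want to compare the view column with now(), so either state the text format (for example that it is the certificate's UTC time as a formatted timestamp) or expose the column as timestamptz so it is directly comparable. These rows also sit immediately after the client_dn entry that says "This field is truncated like client_dn", so say explicitly whether truncation can apply to them, since a reader will otherwise assume the note carries over.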


@ -240,6 +240,36 @@ emailAddress
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<function>ssl_client_get_notbefore() returns timestamptz</function>
<indexterm>
<primary>ssl_client_get_notbefore</primary>
</indexterm>
</term>
<listitem>
<para>
Return the <structfield>not before</structfield> timestamp of the client
certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<function>ssl_client_get_notafter() returns timestamptz</function>
<indexterm>
<primary>ssl_client_get_notafter</primary>
</indexterm>
</term>
<listitem>
<para>
Return the <structfield>not after</structfield> timestamp of the client
certificate.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
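Review bot: both new varlistentry blocks say what the functions return but not what happens when the session has no client certificate; the pg_stat_ssl entries added in this commit document NULL in that case, so add the same "or NULL if no client certificate was supplied" wording here so callers of ssl_client_get_notbefore() and ssl_client_get_notafter() know to handle NULL. Also, <structfield>not before</structfield> and <structfield>not after</structfield> use the markup for a column name while the X.509 attributes are notBefore and notAfter; <literal>notBefore</literal> and <literal>notAfter</literal> would match the names a reader sees from openssl x509 -noout -dates.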