mirror of
https://github.com/postgres/postgres.git
synced 2025-06-14 18:42:34 +03:00
Add notBefore and notAfter to SSL cert info display
This adds the X509 attributes notBefore and notAfter to sslinfo as well as pg_stat_ssl to allow verifying and identifying the validity period of the current client certificate. Author: Cary Huang <cary.huang@highgo.ca> Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
This commit is contained in:
Daniel Gustafsson
@ -970,7 +970,9 @@ CREATE VIEW pg_stat_ssl AS
|
||||
S.sslbits AS bits,
|
||||
S.ssl_client_dn AS client_dn,
|
||||
S.ssl_client_serial AS client_serial,
|
||||
S.ssl_issuer_dn AS issuer_dn
|
||||
S.ssl_issuer_dn AS issuer_dn,
|
||||
S.ssl_not_before AS not_before,
|
||||
S.ssl_not_after AS not_after
|
||||
FROM pg_stat_get_activity(NULL) AS S
|
||||
WHERE S.client_port IS NOT NULL;
|
||||
|
||||
|
||||
@ -36,6 +36,7 @@
|
||||
#include "tcop/tcopprot.h"
|
||||
#include "utils/builtins.h"
|
||||
#include "utils/memutils.h"
|
||||
#include "utils/timestamp.h"
|
||||
|
||||
/*
|
||||
* These SSL-related #includes must come after all system-provided headers.
|
||||
@ -72,6 +73,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
|
||||
static const char *SSLerrmessage(unsigned long ecode);
|
||||
|
||||
static char *X509_NAME_to_cstring(X509_NAME *name);
|
||||
static Timestamp ASN1_TIME_to_timestamp(ASN1_TIME *time);
|
||||
|
||||
static SSL_CTX *SSL_context = NULL;
|
||||
static bool SSL_initialized = false;
|
||||
@ -1406,6 +1408,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
|
||||
ptr[0] = '\0';
|
||||
}
|
||||
|
||||
void
|
||||
be_tls_get_peer_not_before(Port *port, Timestamp *ptr)
|
||||
{
|
||||
if (port->peer)
|
||||
*ptr = ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer));
|
||||
else
|
||||
*ptr = 0;
|
||||
}
|
||||
|
||||
void
|
||||
be_tls_get_peer_not_after(Port *port, Timestamp *ptr)
|
||||
{
|
||||
if (port->peer)
|
||||
*ptr = ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer));
|
||||
else
|
||||
*ptr = 0;
|
||||
}
|
||||
|
||||
void
|
||||
be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
|
||||
{
|
||||
@ -1549,6 +1569,33 @@ X509_NAME_to_cstring(X509_NAME *name)
|
||||
return result;
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert an ASN1_TIME to a Timestamp
|
||||
*/
|
||||
static Timestamp
|
||||
ASN1_TIME_to_timestamp(ASN1_TIME * time)
|
||||
{
|
||||
struct tm tm_time;
|
||||
struct pg_tm pgtm_time;
|
||||
Timestamp ts;
|
||||
|
||||
ASN1_TIME_to_tm(time, &tm_time);
|
||||
|
||||
pgtm_time.tm_sec = tm_time.tm_sec;
|
||||
pgtm_time.tm_min = tm_time.tm_min;
|
||||
pgtm_time.tm_hour = tm_time.tm_hour;
|
||||
pgtm_time.tm_mday = tm_time.tm_mday;
|
||||
pgtm_time.tm_mon = tm_time.tm_mon + 1;
|
||||
pgtm_time.tm_year = tm_time.tm_year + 1900;
|
||||
|
||||
if (tm2timestamp(&pgtm_time, 0, NULL, &ts))
|
||||
ereport(ERROR,
|
||||
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
||||
errmsg("timestamp out of range")));
|
||||
|
||||
return ts;
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert TLS protocol version GUC enum to OpenSSL values
|
||||
*
|
||||
|
||||
@ -367,6 +367,8 @@ pgstat_bestart(void)
|
||||
be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
|
||||
be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
|
||||
be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
|
||||
be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
|
||||
be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@ -303,7 +303,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS)
|
||||
Datum
|
||||
pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
{
|
||||
#define PG_STAT_GET_ACTIVITY_COLS 31
|
||||
#define PG_STAT_GET_ACTIVITY_COLS 33
|
||||
int num_backends = pgstat_fetch_stat_numbackends();
|
||||
int curr_backend;
|
||||
int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0);
|
||||
@ -395,7 +395,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
pfree(clipped_activity);
|
||||
|
||||
/* leader_pid */
|
||||
nulls[29] = true;
|
||||
nulls[31] = true;
|
||||
|
||||
proc = BackendPidGetProc(beentry->st_procpid);
|
||||
|
||||
@ -432,8 +432,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
*/
|
||||
if (leader && leader->pid != beentry->st_procpid)
|
||||
{
|
||||
values[29] = Int32GetDatum(leader->pid);
|
||||
nulls[29] = false;
|
||||
values[31] = Int32GetDatum(leader->pid);
|
||||
nulls[31] = false;
|
||||
}
|
||||
else if (beentry->st_backendType == B_BG_WORKER)
|
||||
{
|
||||
@ -441,8 +441,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
|
||||
if (leader_pid != InvalidPid)
|
||||
{
|
||||
values[29] = Int32GetDatum(leader_pid);
|
||||
nulls[29] = false;
|
||||
values[31] = Int32GetDatum(leader_pid);
|
||||
nulls[31] = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -587,35 +587,45 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
|
||||
else
|
||||
nulls[24] = true;
|
||||
|
||||
if (beentry->st_sslstatus->ssl_not_before != 0)
|
||||
values[25] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_before);
|
||||
else
|
||||
nulls[25] = true;
|
||||
|
||||
if (beentry->st_sslstatus->ssl_not_after != 0)
|
||||
values[26] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_after);
|
||||
else
|
||||
nulls[26] = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
values[18] = BoolGetDatum(false); /* ssl */
|
||||
nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true;
|
||||
nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true;
|
||||
}
|
||||
|
||||
/* GSSAPI information */
|
||||
if (beentry->st_gss)
|
||||
{
|
||||
values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
|
||||
values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
|
||||
values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
|
||||
values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
|
||||
values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
|
||||
values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
|
||||
values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
|
||||
values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
|
||||
* delegated */
|
||||
}
|
||||
else
|
||||
{
|
||||
values[25] = BoolGetDatum(false); /* gss_auth */
|
||||
nulls[26] = true; /* No GSS principal */
|
||||
values[27] = BoolGetDatum(false); /* GSS Encryption not in
|
||||
values[27] = BoolGetDatum(false); /* gss_auth */
|
||||
nulls[28] = true; /* No GSS principal */
|
||||
values[29] = BoolGetDatum(false); /* GSS Encryption not in
|
||||
* use */
|
||||
values[28] = BoolGetDatum(false); /* GSS credentials not
|
||||
values[30] = BoolGetDatum(false); /* GSS credentials not
|
||||
* delegated */
|
||||
}
|
||||
if (beentry->st_query_id == 0)
|
||||
nulls[30] = true;
|
||||
nulls[32] = true;
|
||||
else
|
||||
values[30] = UInt64GetDatum(beentry->st_query_id);
|
||||
values[32] = UInt64GetDatum(beentry->st_query_id);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -645,6 +655,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
|
||||
nulls[28] = true;
|
||||
nulls[29] = true;
|
||||
nulls[30] = true;
|
||||
nulls[31] = true;
|
||||
nulls[32] = true;
|
||||
}
|
||||
|
||||
tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls);
|
||||
|
||||
@ -57,6 +57,6 @@
|
||||
*/
|
||||
|
||||
/* yyyymmddN */
|
||||
#define CATALOG_VERSION_NO 202307111
|
||||
#define CATALOG_VERSION_NO 202307201
|
||||
|
||||
#endif
|
||||
|
||||
@ -5413,9 +5413,9 @@
|
||||
proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f',
|
||||
proretset => 't', provolatile => 's', proparallel => 'r',
|
||||
prorettype => 'record', proargtypes => 'int4',
|
||||
proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}',
|
||||
proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
|
||||
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
|
||||
proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamp,timestamp,bool,text,bool,bool,int4,int8}',
|
||||
proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
|
||||
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
|
||||
prosrc => 'pg_stat_get_activity' },
|
||||
{ oid => '3318',
|
||||
descr => 'statistics: information about progress of backends running maintenance command',
|
||||
|
||||
@ -298,6 +298,8 @@ extern const char *be_tls_get_cipher(Port *port);
|
||||
extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len);
|
||||
extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len);
|
||||
extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
|
||||
extern void be_tls_get_peer_not_before(Port *port, Timestamp *ptr);
|
||||
extern void be_tls_get_peer_not_after(Port *port, Timestamp *ptr);
|
||||
|
||||
/*
|
||||
* Get the server certificate hash for SCRAM channel binding type
|
||||
|
||||
@ -61,6 +61,8 @@ typedef struct PgBackendSSLStatus
|
||||
char ssl_client_serial[NAMEDATALEN];
|
||||
|
||||
char ssl_issuer_dn[NAMEDATALEN];
|
||||
Timestamp ssl_not_before;
|
||||
Timestamp ssl_not_after;
|
||||
} PgBackendSSLStatus;
|
||||
|
||||
/*
|
||||
|
||||
@ -1760,7 +1760,7 @@ pg_stat_activity| SELECT s.datid,
|
||||
s.query_id,
|
||||
s.query,
|
||||
s.backend_type
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
LEFT JOIN pg_database d ON ((s.datid = d.oid)))
|
||||
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
|
||||
pg_stat_all_indexes| SELECT c.oid AS relid,
|
||||
@ -1878,7 +1878,7 @@ pg_stat_gssapi| SELECT pid,
|
||||
gss_princ AS principal,
|
||||
gss_enc AS encrypted,
|
||||
gss_delegation AS credentials_delegated
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
WHERE (client_port IS NOT NULL);
|
||||
pg_stat_io| SELECT backend_type,
|
||||
object,
|
||||
@ -2080,7 +2080,7 @@ pg_stat_replication| SELECT s.pid,
|
||||
w.sync_priority,
|
||||
w.sync_state,
|
||||
w.reply_time
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))
|
||||
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
|
||||
pg_stat_replication_slots| SELECT s.slot_name,
|
||||
@ -2113,8 +2113,10 @@ pg_stat_ssl| SELECT pid,
|
||||
sslbits AS bits,
|
||||
ssl_client_dn AS client_dn,
|
||||
ssl_client_serial AS client_serial,
|
||||
ssl_issuer_dn AS issuer_dn
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
ssl_issuer_dn AS issuer_dn,
|
||||
ssl_not_before AS not_before,
|
||||
ssl_not_after AS not_after
|
||||
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
|
||||
WHERE (client_port IS NOT NULL);
|
||||
pg_stat_subscription| SELECT su.oid AS subid,
|
||||
su.subname,
|
||||
|
||||
@ -543,8 +543,8 @@ command_like(
|
||||
"$common_connstr sslrootcert=invalid", '-c',
|
||||
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
|
||||
],
|
||||
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
|
||||
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
|
||||
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
|
||||
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx,
|
||||
'pg_stat_ssl view without client certificate');
|
||||
|
||||
# Test min/max SSL protocol versions.
|
||||
@ -745,8 +745,8 @@ command_like(
|
||||
'-c',
|
||||
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
|
||||
],
|
||||
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
|
||||
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
|
||||
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
|
||||
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E,\Q2023-06-29 01:01:01\E,\Q2050-01-01 01:01:01\E\r?$}mx,
|
||||
'pg_stat_ssl with client certificate');
|
||||
|
||||
# client key with wrong permissions
|
||||
|
||||
@ -165,6 +165,20 @@ $result = $node->safe_psql(
|
||||
connstr => $common_connstr);
|
||||
is($result, 't', "ssl_issuer_field() for commonName");
|
||||
|
||||
$result = $node->safe_psql(
|
||||
"certdb",
|
||||
"SELECT ssl_client_get_notbefore() = not_before, "
|
||||
. "not_before = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
|
||||
connstr => $common_connstr);
|
||||
is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp");
|
||||
|
||||
$result = $node->safe_psql(
|
||||
"certdb",
|
||||
"SELECT ssl_client_get_notafter() = not_after, "
|
||||
. "not_after = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
|
||||
connstr => $common_connstr);
|
||||
is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp");
|
||||
|
||||
$result = $node->safe_psql(
|
||||
"certdb",
|
||||
"SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",
|
||||
|
||||
Reference in New Issue
Block a user