Add notBefore and notAfter to SSL cert info display

This adds the X509 attributes notBefore and notAfter to sslinfo as well as pg_stat_ssl to allow verifying and identifying the validity period of the current client certificate. Author: Cary Huang <cary.huang@highgo.ca> Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
2025-11-21 00:42:43 +03:00 · 2023-07-20 17:07:32 +02:00
parent 40fad96530
commit 75ec5e7bec
18 changed files with 246 additions and 33 deletions
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,6 +36,7 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
+#include "utils/timestamp.h"

 /*
 * These SSL-related #includes must come after all system-provided headers.
@@ -72,6 +73,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);

 static char *X509_NAME_to_cstring(X509_NAME *name);
+static Timestamp ASN1_TIME_to_timestamp(ASN1_TIME *time);

 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1406,6 +1408,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }

+void
+be_tls_get_peer_not_before(Port *port, Timestamp *ptr)
+{
+	if (port->peer)
+		*ptr = ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer));
+	else
+		*ptr = 0;
+}
+
+void
+be_tls_get_peer_not_after(Port *port, Timestamp *ptr)
+{
+	if (port->peer)
+		*ptr = ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer));
+	else
+		*ptr = 0;
+}
+
 void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
@@ -1549,6 +1569,33 @@ X509_NAME_to_cstring(X509_NAME *name)
 	return result;
 }

+/*
+ * Convert an ASN1_TIME to a Timestamp
+ */
+static Timestamp
+ASN1_TIME_to_timestamp(ASN1_TIME * time)
+{
+	struct tm	tm_time;
+	struct pg_tm pgtm_time;
+	Timestamp	ts;
+
+	ASN1_TIME_to_tm(time, &tm_time);
+
+	pgtm_time.tm_sec = tm_time.tm_sec;
+	pgtm_time.tm_min = tm_time.tm_min;
+	pgtm_time.tm_hour = tm_time.tm_hour;
+	pgtm_time.tm_mday = tm_time.tm_mday;
+	pgtm_time.tm_mon = tm_time.tm_mon + 1;
+	pgtm_time.tm_year = tm_time.tm_year + 1900;
+
+	if (tm2timestamp(&pgtm_time, 0, NULL, &ts))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("timestamp out of range")));
+
+	return ts;
+}
+
 /*
 * Convert TLS protocol version GUC enum to OpenSSL values
 *