author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2023-07-20 17:07:32 +0200 |
committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2023-07-20 17:07:32 +0200 |
commit | 75ec5e7bec700577d39d653c316e3ae6c505842c (patch) | |
tree | ef80345f4dd87eaa35745fafb11a7efe808b6c8a /src/backend/libpq/be-secure-openssl.c | |
parent | 40fad96530caf190a3babf322ca705e744c393bb (diff) | |
Add notBefore and notAfter to SSL cert info display
This adds the X509 attributes notBefore and notAfter to sslinfo
as well as pg_stat_ssl to allow verifying and identifying the
validity period of the current client certificate.
Author: Cary Huang <cary.huang@highgo.ca>
Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
Diffstat (limited to 'src/backend/libpq/be-secure-openssl.c')
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 658b09988d6..b3bbfb3c082 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,6 +36,7 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
+#include "utils/timestamp.h"
 /*
  * These SSL-related #includes must come after all system-provided headers.
@@ -72,6 +73,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 static char *X509_NAME_to_cstring(X509_NAME *name);
+static Timestamp ASN1_TIME_to_timestamp(ASN1_TIME *time);
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1407,6 +1409,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 }
 void
+be_tls_get_peer_not_before(Port *port, Timestamp *ptr)
+{
+	if (port->peer)
+		*ptr = ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer));
+	else
+		*ptr = 0;
+}
+
+void
+be_tls_get_peer_not_after(Port *port, Timestamp *ptr)
+{
+	if (port->peer)
+		*ptr = ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer));
+	else
+		*ptr = 0;
+}
+
+void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
 	if (port->peer)
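Review bot: Timestamp 0 is a legitimate value (the PostgreSQL epoch, 2000-01-01 00:00:00), so the `*ptr = 0;` fallback in be_tls_get_peer_not_before and be_tls_get_peer_not_after cannot be distinguished by a caller from a certificate whose notBefore/notAfter really is that instant. The sibling be_tls_get_peer_serial these two imitate does not have this problem, since an empty string is never a valid serial. If the sslinfo and pg_stat_ssl callers (not visible in this hunk) already gate on port->peer or ssl_in_use before reading the value, a comment on the else branch is enough: `/* No peer certificate; callers must check port->peer, since 0 is also a valid Timestamp */`. Otherwise consider reporting absence out-of-band (a bool return, or letting the caller emit SQL NULL) rather than a sentinel that collides with real data.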
@@ -1550,6 +1570,33 @@ X509_NAME_to_cstring(X509_NAME *name)
 }
 /*
+ * Convert an ASN1_TIME to a Timestamp
+ */
+static Timestamp
+ASN1_TIME_to_timestamp(ASN1_TIME * time)
+{
+	struct tm tm_time;
+	struct pg_tm pgtm_time;
+	Timestamp ts;
+
+	ASN1_TIME_to_tm(time, &tm_time);
+
+	pgtm_time.tm_sec = tm_time.tm_sec;
+	pgtm_time.tm_min = tm_time.tm_min;
+	pgtm_time.tm_hour = tm_time.tm_hour;
+	pgtm_time.tm_mday = tm_time.tm_mday;
+	pgtm_time.tm_mon = tm_time.tm_mon + 1;
+	pgtm_time.tm_year = tm_time.tm_year + 1900;
+
+	if (tm2timestamp(&pgtm_time, 0, NULL, &ts))
+		ereport(ERROR,
+				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+				 errmsg("timestamp out of range")));
+
+	return ts;
+}
+
+/*
  * Convert TLS protocol version GUC enum to OpenSSL values
  *
  * This is a straightforward one-to-one mapping, but doing it this way makes
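Review bot: The return value of `ASN1_TIME_to_tm(time, &tm_time);` is ignored; OpenSSL documents it as returning 0 when the time cannot be parsed, and in that case tm_time is left uninitialized, so the six copies below feed indeterminate values into tm2timestamp and either trip the "timestamp out of range" error for the wrong reason or silently report a bogus validity date for a certificate-controlled field. Check it before using the struct: `if (!ASN1_TIME_to_tm(time, &tm_time))` / `ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("could not parse certificate validity time")));`. Passing 0 as the tz argument to tm2timestamp is correct only because X.509 validity times are UTC (RFC 5280 requires Zulu time), which deserves a one-line comment such as `/* X.509 validity times are always UTC, so no timezone offset */`. ASN1_TIME_to_tm was introduced in OpenSSL 1.1.1, so if this file still builds against older OpenSSL or LibreSSL a fallback is required — confirm against the configure-time minimum. The definition spells the parameter `ASN1_TIME * time` while the prototype added earlier in this commit uses `ASN1_TIME *time`; pgindent will normalize it, but it is simpler to write it consistently now.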