| author | Daniel Gustafsson | 2024-03-22 20:25:25 +0000 |
|---|---|---|
| committer | Daniel Gustafsson | 2024-03-22 20:25:25 +0000 |
| commit | 6acb0a628eccab8764e0306582c2b7e2a1441b9b (patch) | |
| tree | 35e13c67443d52319f7bc4c9d4c21e27aa01816d /src/test/ssl | |
| parent | b670b93a66fc554714e0fe8e51a944912bb9fd68 (diff) | |
Add notBefore and notAfter to SSL cert info display
This adds the X509 attributes notBefore and notAfter to sslinfo
as well as pg_stat_ssl to allow verifying and identifying the
validity period of the current client certificate. OpenSSL has
APIs for extracting notAfter and notBefore, but they are only
supported in recent versions so we have to calculate the dates
by hand in order to make this work for the older versions of
OpenSSL that we still support.
Original patch by Cary Huang with additional hacking by Jacob
and myself.
Author: Cary Huang <cary.huang@highgo.ca>
Co-author: Jacob Champion <jacob.champion@enterprisedb.com>
Co-author: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
Diffstat (limited to 'src/test/ssl')
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 10 | ||||
| -rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 14 |
2 files changed, 19 insertions, 5 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 94ff043c8ec..90a42304133 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -538,8 +538,8 @@ command_like(
 "$common_connstr sslrootcert=invalid", '-c',
 "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
 ],
- qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
+ qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
+ ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx,
 'pg_stat_ssl view without client certificate');
 
 # Test min/max SSL protocol versions.
@@ -740,10 +740,10 @@ command_like(
 "$common_connstr user=ssltestuser sslcert=ssl/client.crt "
 . sslkey('client.key'),
 '-c',
- "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
+ "SELECT ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before AT TIME ZONE 'UTC' AS not_before,not_after AT TIME ZONE 'UTC' AS not_after FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
 ],
- qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
- ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
+ qr{^ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
+ ^t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs,2023-06-29 01:01:01,2050-01-01 01:01:01\E\r?$}mx,
 'pg_stat_ssl with client certificate');
 
 # client key with wrong permissions
diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl
index 2ae5724846b..4df3a941b5c 100644
--- a/src/test/ssl/t/003_sslinfo.pl
+++ b/src/test/ssl/t/003_sslinfo.pl
@@ -167,6 +167,20 @@ is($result, 't', "ssl_issuer_field() for commonName");
 
 $result = $node->safe_psql(
 "certdb",
+ "SELECT ssl_client_get_notbefore() = not_before, "
+ . "not_before AT TIME ZONE 'UTC' = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
+ connstr => $common_connstr);
+is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp");
+
+$result = $node->safe_psql(
+ "certdb",
+ "SELECT ssl_client_get_notafter() = not_after, "
+ . "not_after AT TIME ZONE 'UTC' = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
+ connstr => $common_connstr);
+is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp");
+
+$result = $node->safe_psql(
+ "certdb",
 "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",
 connstr => $common_connstr);
 is($result, 'CA:FALSE|t', 'extract extension from cert');
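Review bot: The second regex of the `@@ -740` hunk pins `2023-06-29 01:01:01` and `2050-01-01 01:01:01` inside the `\Q…\E` group, and nothing in the test says that these are the validity bounds of ssl/client.crt or that they must be changed together when the test certificates are regenerated; the hunk in 003_sslinfo.pl hard-codes the same two literals. I would add above the `command_like(` call, whose start is outside the hunk, a comment along the lines of `# not_before/not_after must match the validity period of ssl/client.crt; keep them in sync when the test certificates are regenerated`. The `AT TIME ZONE 'UTC'` projection in the replaced `-c` query is presumably what keeps the match independent of the server's TimeZone setting, which is worth stating in the same comment since it also explains why the `SELECT *` form and the `pid` column were dropped. As the commit message says the timestamps are computed by hand on older OpenSSL, this exact match is also the check that the conversion yields the right instant, so a note that a wrong offset in that arithmetic is expected to surface here would help the next maintainer.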
