diff options
| author | Daniel Gustafsson | 2023-07-20 15:07:32 +0000 |
|---|---|---|
| committer | Daniel Gustafsson | 2023-07-20 15:07:32 +0000 |
| commit | 75ec5e7bec700577d39d653c316e3ae6c505842c (patch) | |
| tree | ef80345f4dd87eaa35745fafb11a7efe808b6c8a /src/test/ssl | |
| parent | 40fad96530caf190a3babf322ca705e744c393bb (diff) | |
Add notBefore and notAfter to SSL cert info display
This adds the X509 attributes notBefore and notAfter to sslinfo
as well as pg_stat_ssl to allow verifying and identifying the
validity period of the current client certificate.
Author: Cary Huang <cary.huang@highgo.ca>
Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca
Diffstat (limited to 'src/test/ssl')
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 8 | ||||
| -rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 14 |
2 files changed, 18 insertions, 4 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 76442de063f..bad41cacc8a 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -543,8 +543,8 @@ command_like( "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); # Test min/max SSL protocol versions. @@ -745,8 +745,8 @@ command_like( '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E,\Q2023-06-29 01:01:01\E,\Q2050-01-01 01:01:01\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index 5306aad8023..f050a6f4f96 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -167,6 +167,20 @@ is($result, 't', "ssl_issuer_field() for commonName"); $result = $node->safe_psql( "certdb", + "SELECT ssl_client_get_notbefore() = not_before, " + . "not_before = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_get_notafter() = not_after, " + . "not_after = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp"); + +$result = $node->safe_psql( + "certdb", "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", connstr => $common_connstr); is($result, 'CA:FALSE|t', 'extract extension from cert'); |