From 2733c9f825e1a113d91e676a026156dded1047f6 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 28 Oct 2024 09:39:17 +0100 Subject: [PATCH v13] Add notBefore and notAfter to SSL cert info display This adds the X509 attributes notBefore and notAfter to sslinfo as well as pg_stat_ssl to allow verifying and identifying the validity period of the current client certificate. This has been previously committed and reverted due to SSL library compatibility issues which have since been resolved due to raising the minimum required version. Original patch by Cary Huang with additional hacking by Jacob and myself. Author: Cary Huang Co-author: Jacob Champion Co-author: Daniel Gustafsson Discussion: https://postgr.es/m/182b8565486.10af1a86f158715.2387262617218380588@highgo.ca --- contrib/sslinfo/Makefile | 2 +- contrib/sslinfo/meson.build | 1 + contrib/sslinfo/sslinfo--1.2--1.3.sql | 12 ++++ contrib/sslinfo/sslinfo.c | 71 +++++++++++++++++++++ contrib/sslinfo/sslinfo.control | 2 +- doc/src/sgml/monitoring.sgml | 20 ++++++ doc/src/sgml/sslinfo.sgml | 30 +++++++++ src/backend/catalog/system_views.sql | 4 +- src/backend/libpq/be-secure-openssl.c | 52 +++++++++++++++ src/backend/utils/activity/backend_status.c | 2 + src/backend/utils/adt/pgstatfuncs.c | 46 ++++++++----- src/include/catalog/pg_proc.dat | 6 +- src/include/libpq/libpq-be.h | 2 + src/include/utils/backend_status.h | 3 + src/test/regress/expected/rules.out | 12 ++-- src/test/ssl/t/001_ssltests.pl | 10 +-- src/test/ssl/t/003_sslinfo.pl | 14 ++++ 17 files changed, 256 insertions(+), 33 deletions(-) create mode 100644 contrib/sslinfo/sslinfo--1.2--1.3.sql diff --git a/contrib/sslinfo/Makefile b/contrib/sslinfo/Makefile index dd1ff83b16..78a5a83d5c 100644 --- a/contrib/sslinfo/Makefile +++ b/contrib/sslinfo/Makefile @@ -6,7 +6,7 @@ OBJS = \ sslinfo.o EXTENSION = sslinfo -DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql +DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql PGFILEDESC = "sslinfo - information about client SSL certificate" ifdef USE_PGXS diff --git a/contrib/sslinfo/meson.build b/contrib/sslinfo/meson.build index 39d49a1736..a4bcd21ea6 100644 --- a/contrib/sslinfo/meson.build +++ b/contrib/sslinfo/meson.build @@ -26,6 +26,7 @@ install_data( 'sslinfo--1.0--1.1.sql', 'sslinfo--1.1--1.2.sql', 'sslinfo--1.2.sql', + 'sslinfo--1.2--1.3.sql', 'sslinfo.control', kwargs: contrib_data_args, ) diff --git a/contrib/sslinfo/sslinfo--1.2--1.3.sql b/contrib/sslinfo/sslinfo--1.2--1.3.sql new file mode 100644 index 0000000000..424a11afe4 --- /dev/null +++ b/contrib/sslinfo/sslinfo--1.2--1.3.sql @@ -0,0 +1,12 @@ +/* contrib/sslinfo/sslinfo--1.2--1.3.sql */ + +-- complain if script is sourced in psql, rather than via CREATE EXTENSION +\echo Use "CREATE EXTENSION sslinfo" to load this file. \quit + +CREATE FUNCTION ssl_client_get_notbefore() RETURNS timestamptz +AS 'MODULE_PATHNAME', 'ssl_client_get_notbefore' +LANGUAGE C STRICT PARALLEL RESTRICTED; + +CREATE FUNCTION ssl_client_get_notafter() RETURNS timestamptz +AS 'MODULE_PATHNAME', 'ssl_client_get_notafter' +LANGUAGE C STRICT PARALLEL RESTRICTED; diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c index 5fd46b9874..cad275b4d2 100644 --- a/contrib/sslinfo/sslinfo.c +++ b/contrib/sslinfo/sslinfo.c @@ -18,6 +18,7 @@ #include "libpq/libpq-be.h" #include "miscadmin.h" #include "utils/builtins.h" +#include "utils/timestamp.h" /* * On Windows, includes a #define for X509_NAME, which breaks our @@ -34,6 +35,7 @@ PG_MODULE_MAGIC; static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName); static Datum ASN1_STRING_to_text(ASN1_STRING *str); +static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time); /* * Function context for data persisting over repeated calls. @@ -225,6 +227,43 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName) } +/* + * Converts OpenSSL ASN1_TIME structure into timestamptz + * + * Parameter: ASN1_TIME timestamp from certificate + * + * Returns the ASN1_TIME timestamp as a timestamptz datum. + */ +static Datum +ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts) +{ + struct pg_tm pgtm; + struct tm tm; + int ret; + Timestamp ts; + + ret = ASN1_TIME_to_tm(ASN1_cert_ts, &tm); + if (!ret) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("failed to parse certificate validity"))); + + pgtm.tm_sec = tm.tm_sec; + pgtm.tm_min = tm.tm_min; + pgtm.tm_hour = tm.tm_hour; + pgtm.tm_mday = tm.tm_mday; + pgtm.tm_mon = tm.tm_mon + 1; + pgtm.tm_year = tm.tm_year + 1900; + + if (unlikely(tm2timestamp(&pgtm, 0, NULL, &ts) != 0)) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("timestamp out of range")); + + PG_RETURN_TIMESTAMP(ts); +} + + /* * Returns specified field of client certificate distinguished name * @@ -482,3 +521,35 @@ ssl_extension_info(PG_FUNCTION_ARGS) /* All done */ SRF_RETURN_DONE(funcctx); } + +/* + * Returns current client certificate notBefore timestamp in + * timestamptz data type + */ +PG_FUNCTION_INFO_V1(ssl_client_get_notbefore); +Datum +ssl_client_get_notbefore(PG_FUNCTION_ARGS) +{ + X509 *cert = MyProcPort->peer; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert)); +} + +/* + * Returns current client certificate notAfter timestamp in + * timestamptz data type + */ +PG_FUNCTION_INFO_V1(ssl_client_get_notafter); +Datum +ssl_client_get_notafter(PG_FUNCTION_ARGS) +{ + X509 *cert = MyProcPort->peer; + + if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid) + PG_RETURN_NULL(); + + return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert)); +} diff --git a/contrib/sslinfo/sslinfo.control b/contrib/sslinfo/sslinfo.control index c7754f924c..b53e95b7da 100644 --- a/contrib/sslinfo/sslinfo.control +++ b/contrib/sslinfo/sslinfo.control @@ -1,5 +1,5 @@ # sslinfo extension comment = 'information about SSL certificates' -default_version = '1.2' +default_version = '1.3' module_pathname = '$libdir/sslinfo' relocatable = true diff --git a/doc/src/sgml/monitoring.sgml b/doc/src/sgml/monitoring.sgml index 331315f8d3..e28d8ecbd7 100644 --- a/doc/src/sgml/monitoring.sgml +++ b/doc/src/sgml/monitoring.sgml @@ -2373,6 +2373,26 @@ description | Waiting for a newly initialized WAL file to reach durable storage This field is truncated like client_dn. + + + + not_before text + + + Not before timestamp of the client certificate, or NULL if no client + certificate was supplied. + + + + + + not_after text + + + Not after timestamp of the client certificate, or NULL if no client + certificate was supplied. + + diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml index 85d49f6653..2a6725cc1c 100644 --- a/doc/src/sgml/sslinfo.sgml +++ b/doc/src/sgml/sslinfo.sgml @@ -240,6 +240,36 @@ emailAddress + + + + ssl_client_get_notbefore() returns timestamptz + + ssl_client_get_notbefore + + + + + Return the not before timestamp of the client + certificate. + + + + + + + ssl_client_get_notafter() returns timestamptz + + ssl_client_get_notafter + + + + + Return the not after timestamp of the client + certificate. + + + diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index 3456b821bc..20c3c36c40 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -985,7 +985,9 @@ CREATE VIEW pg_stat_ssl AS S.sslbits AS bits, S.ssl_client_dn AS client_dn, S.ssl_client_serial AS client_serial, - S.ssl_issuer_dn AS issuer_dn + S.ssl_issuer_dn AS issuer_dn, + S.ssl_not_before AS not_before, + S.ssl_not_after AS not_after FROM pg_stat_get_activity(NULL) AS S WHERE S.client_port IS NOT NULL; diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 469be36e76..781a4f99a3 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -36,6 +36,7 @@ #include "tcop/tcopprot.h" #include "utils/builtins.h" #include "utils/memutils.h" +#include "utils/timestamp.h" /* * These SSL-related #includes must come after all system-provided headers. @@ -80,6 +81,7 @@ static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement static const char *SSLerrmessage(unsigned long ecode); static char *X509_NAME_to_cstring(X509_NAME *name); +static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time); static SSL_CTX *SSL_context = NULL; static bool dummy_ssl_passwd_cb_called = false; @@ -1558,6 +1560,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len) ptr[0] = '\0'; } +void +be_tls_get_peer_not_before(Port *port, TimestampTz *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer)); + else + *ptr = 0; +} + +void +be_tls_get_peer_not_after(Port *port, TimestampTz *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer)); + else + *ptr = 0; +} + void be_tls_get_peer_serial(Port *port, char *ptr, size_t len) { @@ -1701,6 +1721,38 @@ X509_NAME_to_cstring(X509_NAME *name) return result; } +/* + * Convert an ASN1_TIME to a PostgreSQL Timestamp datum. + */ +static TimestampTz +ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts) +{ + struct pg_tm pgtm; + struct tm tm; + int ret; + TimestampTz ts; + + ret = ASN1_TIME_to_tm(ASN1_cert_ts, &tm); + if (!ret) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("failed to parse certificate validity"))); + + pgtm.tm_sec = tm.tm_sec; + pgtm.tm_min = tm.tm_min; + pgtm.tm_hour = tm.tm_hour; + pgtm.tm_mday = tm.tm_mday; + pgtm.tm_mon = tm.tm_mon + 1; + pgtm.tm_year = tm.tm_year + 1900; + + if (unlikely(tm2timestamp(&pgtm, 0, NULL, &ts) != 0)) + ereport(ERROR, + errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("timestamp out of range")); + + return ts; +} + /* * Convert TLS protocol version GUC enum to OpenSSL values * diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c index 34a55e2177..a820049be8 100644 --- a/src/backend/utils/activity/backend_status.c +++ b/src/backend/utils/activity/backend_status.c @@ -348,6 +348,8 @@ pgstat_bestart(void) be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN); be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN); + be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before); + be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after); } else { diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index f7b50e0b5a..db09d1b1b7 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -302,7 +302,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS) Datum pg_stat_get_activity(PG_FUNCTION_ARGS) { -#define PG_STAT_GET_ACTIVITY_COLS 31 +#define PG_STAT_GET_ACTIVITY_COLS 33 int num_backends = pgstat_fetch_stat_numbackends(); int curr_backend; int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0); @@ -394,7 +394,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) pfree(clipped_activity); /* leader_pid */ - nulls[29] = true; + nulls[31] = true; proc = BackendPidGetProc(beentry->st_procpid); @@ -431,8 +431,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) */ if (leader && leader->pid != beentry->st_procpid) { - values[29] = Int32GetDatum(leader->pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader->pid); + nulls[31] = false; } else if (beentry->st_backendType == B_BG_WORKER) { @@ -440,8 +440,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) if (leader_pid != InvalidPid) { - values[29] = Int32GetDatum(leader_pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader_pid); + nulls[31] = false; } } } @@ -586,35 +586,45 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn); else nulls[24] = true; + + if (beentry->st_sslstatus->ssl_not_before != 0) + values[25] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_before); + else + nulls[25] = true; + + if (beentry->st_sslstatus->ssl_not_after != 0) + values[26] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_after); + else + nulls[26] = true; } else { values[18] = BoolGetDatum(false); /* ssl */ - nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true; + nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true; } /* GSSAPI information */ if (beentry->st_gss) { - values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ - values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); - values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ - values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials + values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ + values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); + values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ + values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials * delegated */ } else { - values[25] = BoolGetDatum(false); /* gss_auth */ - nulls[26] = true; /* No GSS principal */ - values[27] = BoolGetDatum(false); /* GSS Encryption not in + values[27] = BoolGetDatum(false); /* gss_auth */ + nulls[28] = true; /* No GSS principal */ + values[29] = BoolGetDatum(false); /* GSS Encryption not in * use */ - values[28] = BoolGetDatum(false); /* GSS credentials not + values[30] = BoolGetDatum(false); /* GSS credentials not * delegated */ } if (beentry->st_query_id == 0) - nulls[30] = true; + nulls[32] = true; else - values[30] = UInt64GetDatum(beentry->st_query_id); + values[32] = UInt64GetDatum(beentry->st_query_id); } else { @@ -644,6 +654,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) nulls[28] = true; nulls[29] = true; nulls[30] = true; + nulls[31] = true; + nulls[32] = true; } tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls); diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat index 1ec0d6f6b5..09b7623ac5 100644 --- a/src/include/catalog/pg_proc.dat +++ b/src/include/catalog/pg_proc.dat @@ -5546,9 +5546,9 @@ proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f', proretset => 't', provolatile => 's', proparallel => 'r', prorettype => 'record', proargtypes => 'int4', - proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}', - proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', - proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', + proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamptz,timestamptz,bool,text,bool,bool,int4,int8}', + proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', + proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', prosrc => 'pg_stat_get_activity' }, { oid => '6318', descr => 'describe wait events', proname => 'pg_get_wait_events', procost => '10', prorows => '250', diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index d97d1e5f6b..8b74b45583 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -309,6 +309,8 @@ extern const char *be_tls_get_cipher(Port *port); extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len); extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len); extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len); +extern void be_tls_get_peer_not_before(Port *port, TimestampTz *ptr); +extern void be_tls_get_peer_not_after(Port *port, TimestampTz *ptr); /* * Get the server certificate hash for SCRAM channel binding type diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h index 97874300c3..1b14a3464f 100644 --- a/src/include/utils/backend_status.h +++ b/src/include/utils/backend_status.h @@ -61,6 +61,9 @@ typedef struct PgBackendSSLStatus char ssl_client_serial[NAMEDATALEN]; char ssl_issuer_dn[NAMEDATALEN]; + /* Certificate validity in postgres epoch format */ + TimestampTz ssl_not_before; + TimestampTz ssl_not_after; } PgBackendSSLStatus; /* diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index 2b47013f11..c382619205 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out @@ -1762,7 +1762,7 @@ pg_stat_activity| SELECT s.datid, s.query_id, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, @@ -1884,7 +1884,7 @@ pg_stat_gssapi| SELECT pid, gss_princ AS principal, gss_enc AS encrypted, gss_delegation AS credentials_delegated - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_io| SELECT backend_type, object, @@ -2088,7 +2088,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, @@ -2121,8 +2121,10 @@ pg_stat_ssl| SELECT pid, sslbits AS bits, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, - ssl_issuer_dn AS issuer_dn - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + ssl_issuer_dn AS issuer_dn, + ssl_not_before AS not_before, + ssl_not_after AS not_after + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname, diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 131460a1fe..0f19db3e63 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -550,8 +550,8 @@ command_like( "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); # Test min/max SSL protocol versions. @@ -752,10 +752,10 @@ command_like( "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), '-c', - "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" + "SELECT ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before AT TIME ZONE 'UTC' AS not_before,not_after AT TIME ZONE 'UTC' AS not_after FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + qr{^ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs,2023-06-29 01:01:01,2050-01-01 01:01:01\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index b6cfa5d0b0..9f979ce3bf 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -165,6 +165,20 @@ $result = $node->safe_psql( connstr => $common_connstr); is($result, 't', "ssl_issuer_field() for commonName"); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_get_notbefore() = not_before, " + . "not_before AT TIME ZONE 'UTC' = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_get_notafter() = not_after, " + . "not_after AT TIME ZONE 'UTC' = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp"); + $result = $node->safe_psql( "certdb", "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", -- 2.39.3 (Apple Git-146)