Re: sslinfo extension - add notbefore and notafter timestamps

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Cary Huang <cary(dot)huang(at)highgo(dot)ca>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: sslinfo extension - add notbefore and notafter timestamps
Date: 2023-07-25 14:21:42
Message-ID: F14BF1AC-A765-402E-B49F-A303A8B38C75@yesql.se
Lists: pgsql-hackers

> On 20 Jul 2023, at 17:24, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
>> On 17 Jul 2023, at 20:26, Cary Huang <cary(dot)huang(at)highgo(dot)ca> wrote:
>
>>>> Perhaps calling "tm2timestamp(&pgtm_time, 0, NULL, &ts)" without checking the return code would be just fine. I see some other usages of tm2timstamp() in other code areas also skip checking the return code.
>>>
>>> I think we want to know about any failures, but we can probably make it into an
>>> elog() instead, as it should never fail.
>>
>> Yes, sure. I have corrected the error message to elog(ERROR, "timestamp out of range") on a rare tm2timestamp() failure.
>
> I went over this again and ended up pushing it along with a catversion bump.
> Due to a mistake in my testing I didn't however catch that it was using an API
> only present in OpenSSL 1.1.1 and higher, which caused build failures when using
> older OpenSSL versions, so I ended up reverting it again (leaving certificate
> changes in place) to keep the buildfarm green.
>
> Will look closer at an implementation which works across all supported versions
> of OpenSSL when I have more time.

Finally had some time, and have made an updated version of the patch.

OpenSSL 1.0.2 doesn't expose a function for getting the timestamp, so the patch
instead resorts to the older trick of getting the timestamp by inspecting the
diff against the UNIX epoch. When doing this, OpenSSL internally uses the same
function which later in 1.1.1 was exported for getting the timestamp.

The attached version passes ssl tests for me on 1.0.2 through OpenSSL Git HEAD.

--
Daniel Gustafsson

Attachment Content-Type Size
v7-0001-Add-notBefore-and-notAfter-to-SSL-cert-info-displ.patch application/octet-stream 27.0 KB
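The "older trick" in the message above, as an added example that is not part of the thread or the attached patch: a certificate's notBefore/notAfter is expressed as a (days, seconds) offset from the UNIX epoch and then folded into a single timestamp. With OpenSSL the offset comes from ASN1_TIME_diff() (available since 1.0.2) against an ASN1_TIME set to 0 with ASN1_TIME_set(), which is what the 1.0.2 path does in place of the ASN1_TIME_to_tm() that 1.1.1 exports. To build without OpenSSL, the example parses the ASN.1 UTCTime/GeneralizedTime string itself; the function names, the parser and the sample values are constructed for this illustration and are not the patch's own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Hypothetical helper (not OpenSSL's): parse "YYMMDDHHMMSSZ" (UTCTime) or
 * "YYYYMMDDHHMMSSZ" (GeneralizedTime), the two encodings X.509 allows.
 * Returns 0 on success, -1 on malformed input.
 */
static int
asn1_time_to_tm(const char *s, struct tm *out)
{
    size_t len = strlen(s);
    const char *p;
    int year;

    if (len != 13 && len != 15)
        return -1;
    for (size_t i = 0; i < len - 1; i++)   /* every byte but the trailer is a digit */
        if (s[i] < '0' || s[i] > '9')
            return -1;
    if (s[len - 1] != 'Z')                  /* X.509 requires UTC ("Zulu") times */
        return -1;

    if (len == 13)
    {
        /* UTCTime: two-digit year, RFC 5280 sliding window (50..99 -> 19xx) */
        year = (s[0] - '0') * 10 + (s[1] - '0');
        year += (year >= 50) ? 1900 : 2000;
        p = s + 2;
    }
    else
    {
        year = (s[0] - '0') * 1000 + (s[1] - '0') * 100 + (s[2] - '0') * 10 + (s[3] - '0');
        p = s + 4;
    }

    memset(out, 0, sizeof(*out));
    out->tm_year = year - 1900;
    out->tm_mon = (p[0] - '0') * 10 + (p[1] - '0') - 1;
    out->tm_mday = (p[2] - '0') * 10 + (p[3] - '0');
    out->tm_hour = (p[4] - '0') * 10 + (p[5] - '0');
    out->tm_min = (p[6] - '0') * 10 + (p[7] - '0');
    out->tm_sec = (p[8] - '0') * 10 + (p[9] - '0');

    if (out->tm_mon < 0 || out->tm_mon > 11 || out->tm_mday < 1 || out->tm_mday > 31 ||
        out->tm_hour > 23 || out->tm_min > 59 || out->tm_sec > 60)
        return -1;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm). */
static int64_t
days_from_civil(int y, int m, int d)
{
    int64_t era, yoe, doy, doe;

    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/*
 * Stand-in for ASN1_TIME_diff(&pday, &psec, epoch, t) with epoch set to 0:
 * the offset of t from 1970-01-01 00:00:00 UTC as whole days plus leftover seconds.
 */
static int
asn1_time_diff_from_epoch(const char *s, int *pday, int *psec)
{
    struct tm tm;

    if (asn1_time_to_tm(s, &tm) != 0)
        return -1;
    *pday = (int) days_from_civil(tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
    *psec = tm.tm_hour * 3600 + tm.tm_min * 60 + tm.tm_sec;
    return 0;
}

/* The trick itself: fold the (days, seconds) offset into one UNIX timestamp. */
static int
asn1_time_to_epoch(const char *s, time_t *out)
{
    int days, secs;

    if (asn1_time_diff_from_epoch(s, &days, &secs) != 0)
        return -1;
    *out = (time_t) days * 86400 + secs;
    return 0;
}

int
main(void)
{
    /* Constructed validity values, as a certificate would carry them. */
    const char *not_before = "230725142142Z";   /* UTCTime: 2023-07-25 14:21:42Z */
    const char *not_after = "20500101000000Z";  /* GeneralizedTime: 2050-01-01 00:00:00Z */
    time_t nb, na;

    /* Check the return code, as the thread settles on doing (elog(ERROR) on failure). */
    if (asn1_time_to_epoch(not_before, &nb) != 0 || asn1_time_to_epoch(not_after, &na) != 0)
    {
        fprintf(stderr, "timestamp out of range\n");
        return 1;
    }
    printf("notBefore=%lld notAfter=%lld\n", (long long) nb, (long long) na);
    return 0;
}
```

The conversion deliberately returns a status rather than a sentinel value, so a caller can raise an error on a malformed ASN.1 time instead of silently storing a bogus validity window; RFC 5280's rule that dates from 2050 onward must use GeneralizedTime is why both encodings have to be handled.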
