Revert "Add notBefore and notAfter to SSL cert info display"

This reverts commit 6acb0a6 since
LibreSSL didn't support ASN1_TIME_diff until OpenBSD 7.1, leaving
the older OpenBSD animals in the buildfarm complaining.

Per plover in the buildfarm.

Discussion: https://postgr.es/m/F0DF7102-192D-4C21-96AE-9A01AE153AD1@yesql.se

Author: danielgustafsson

contrib/sslinfo/Makefile

@@ -6,7 +6,7 @@ OBJS = \
 	sslinfo.o
 
 EXTENSION = sslinfo
-DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
+DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
 PGFILEDESC = "sslinfo - information about client SSL certificate"
 
 ifdef USE_PGXS

contrib/sslinfo/meson.build

@@ -26,7 +26,6 @@ install_data(
   'sslinfo--1.0--1.1.sql',
   'sslinfo--1.1--1.2.sql',
   'sslinfo--1.2.sql',
-  'sslinfo--1.2--1.3.sql',
   'sslinfo.control',
   kwargs: contrib_data_args,
 )

contrib/sslinfo/sslinfo--1.2--1.3.sql

@@ -14,12 +14,10 @@
 #include <openssl/asn1.h>
 
 #include "access/htup_details.h"
-#include "common/int.h"
 #include "funcapi.h"
 #include "libpq/libpq-be.h"
 #include "miscadmin.h"
 #include "utils/builtins.h"
-#include "utils/timestamp.h"
 
 /*
  * On Windows, <wincrypt.h> includes a #define for X509_NAME, which breaks our
@@ -36,7 +34,6 @@ PG_MODULE_MAGIC;
 
 static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
 static Datum ASN1_STRING_to_text(ASN1_STRING *str);
-static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 
 /*
  * Function context for data persisting over repeated calls.
@@ -228,66 +225,6 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 }
 
 
-/*
- * Converts OpenSSL ASN1_TIME structure into timestamptz
- *
- * OpenSSL 1.0.2 doesn't expose a function to convert an ASN1_TIME to a tm
- * struct, it's only available in 1.1.1 and onwards. Instead we can ask for the
- * difference between the ASN1_TIME and a known timestamp and get the actual
- * timestamp that way. Until support for OpenSSL 1.0.2 is retired we have to do
- * it this way.
- *
- * Parameter: time - OpenSSL ASN1_TIME structure.
- * Returns Datum, which can be directly returned from a C language SQL
- * function.
- */
-static Datum
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
-	int			days;
-	int			seconds;
-	const char	postgres_epoch[] = "20000101000000Z";
-	ASN1_TIME  *ASN1_epoch;
-	int64		result_days;
-	int64		result_secs;
-	int64		result;
-
-	/* Create an epoch to compare against */
-	ASN1_epoch = ASN1_TIME_new();
-	if (!ASN1_epoch)
-		ereport(ERROR,
-				(errcode(ERRCODE_OUT_OF_MEMORY),
-				 errmsg("could not allocate memory for ASN1 TIME structure")));
-
-	/* Calculate the diff from the epoch to the certificate timestamp */
-	if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
-		!ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
-		ereport(ERROR,
-				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				 errmsg("failed to read certificate validity")));
-
-	/*
-	 * Unlike when freeing other OpenSSL memory structures, there is no error
-	 * return on freeing ASN1 strings.
-	 */
-	ASN1_TIME_free(ASN1_epoch);
-
-	/*
-	 * Convert the reported date into usecs to be used as a TimestampTz. The
-	 * date should really not overflow an int64 but rather than trusting the
-	 * certificate we take overflow into consideration.
-	 */
-	if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
-		pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_secs) ||
-		pg_add_s64_overflow(result_days, result_secs, &result))
-	{
-		return TimestampTzGetDatum(0);
-	}
-
-	return TimestampTzGetDatum(result);
-}
-
-
 /*
  * Returns specified field of client certificate distinguished name
  *
@@ -545,35 +482,3 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 	/* All done */
 	SRF_RETURN_DONE(funcctx);
 }
-
-/*
- * Returns current client certificate notBefore timestamp in
- * timestamptz data type
- */
-PG_FUNCTION_INFO_V1(ssl_client_get_notbefore);
-Datum
-ssl_client_get_notbefore(PG_FUNCTION_ARGS)
-{
-	X509	   *cert = MyProcPort->peer;
-
-	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
-		PG_RETURN_NULL();
-
-	return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert));
-}
-
-/*
- * Returns current client certificate notAfter timestamp in
- * timestamptz data type
- */
-PG_FUNCTION_INFO_V1(ssl_client_get_notafter);
-Datum
-ssl_client_get_notafter(PG_FUNCTION_ARGS)
-{
-	X509	   *cert = MyProcPort->peer;
-
-	if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
-		PG_RETURN_NULL();
-
-	return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert));
-}

contrib/sslinfo/sslinfo.c

@@ -1,5 +1,5 @@
 # sslinfo extension
 comment = 'information about SSL certificates'
-default_version = '1.3'
+default_version = '1.2'
 module_pathname = '$libdir/sslinfo'
 relocatable = true

contrib/sslinfo/sslinfo.control

@@ -2292,26 +2292,6 @@ description | Waiting for a newly initialized WAL file to reach durable storage
        This field is truncated like <structfield>client_dn</structfield>.
       </para></entry>
      </row>
-
-     <row>
-      <entry role="catalog_table_entry"><para role="column_definition">
-       <structfield>not_before</structfield> <type>text</type>
-      </para>
-      <para>
-       Not before timestamp of the client certificate, or NULL if no client
-       certificate was supplied.
-      </para></entry>
-     </row>
-
-     <row>
-      <entry role="catalog_table_entry"><para role="column_definition">
-       <structfield>not_after</structfield> <type>text</type>
-      </para>
-      <para>
-       Not after timestamp of the client certificate, or NULL if no client
-       certificate was supplied.
-      </para></entry>
-     </row>
     </tbody>
    </tgroup>
   </table>

doc/src/sgml/monitoring.sgml

@@ -240,36 +240,6 @@ emailAddress
     </para>
     </listitem>
    </varlistentry>
-
-   <varlistentry>
-    <term>
-     <function>ssl_client_get_notbefore() returns timestamptz</function>
-     <indexterm>
-      <primary>ssl_client_get_notbefore</primary>
-     </indexterm>
-    </term>
-    <listitem>
-    <para>
-     Return the <structfield>not before</structfield> timestamp of the client
-     certificate.
-    </para>
-    </listitem>
-   </varlistentry>
-
-   <varlistentry>
-    <term>
-     <function>ssl_client_get_notafter() returns timestamptz</function>
-     <indexterm>
-      <primary>ssl_client_get_notafter</primary>
-     </indexterm>
-    </term>
-    <listitem>
-    <para>
-     Return the <structfield>not after</structfield> timestamp of the client
-     certificate.
-    </para>
-    </listitem>
-   </varlistentry>
   </variablelist>
  </sect2>
 

doc/src/sgml/sslinfo.sgml

@@ -992,9 +992,7 @@ CREATE VIEW pg_stat_ssl AS
             S.sslbits AS bits,
             S.ssl_client_dn AS client_dn,
             S.ssl_client_serial AS client_serial,
-            S.ssl_issuer_dn AS issuer_dn,
-            S.ssl_not_before AS not_before,
-            S.ssl_not_after AS not_after
+            S.ssl_issuer_dn AS issuer_dn
     FROM pg_stat_get_activity(NULL) AS S
     WHERE S.client_port IS NOT NULL;
 

src/backend/catalog/system_views.sql

@@ -27,7 +27,6 @@
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 
-#include "common/int.h"
 #include "common/string.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
@@ -37,7 +36,6 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
-#include "utils/timestamp.h"
 
 /*
  * These SSL-related #includes must come after all system-provided headers.
@@ -74,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
 static char *X509_NAME_to_cstring(X509_NAME *name);
-static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1433,24 +1430,6 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
-void
-be_tls_get_peer_not_before(Port *port, TimestampTz *ptr)
-{
-	if (port->peer)
-		*ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
-	else
-		*ptr = 0;
-}
-
-void
-be_tls_get_peer_not_after(Port *port, TimestampTz *ptr)
-{
-	if (port->peer)
-		*ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
-	else
-		*ptr = 0;
-}
-
 void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
@@ -1594,63 +1573,6 @@ X509_NAME_to_cstring(X509_NAME *name)
 	return result;
 }
 
-/*
- * Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function
- * to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and
- * onwards. Instead we can ask for the difference between the ASN1_TIME and a
- * known timestamp and get the actual timestamp that way. Until support for
- * OpenSSL 1.0.2 is retired we have to do it this way.
- */
-static TimestampTz
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
-	int			days;
-	int			seconds;
-	const char	postgres_epoch[] = "20000101000000Z";
-	ASN1_TIME  *ASN1_epoch;
-	int64		result_days;
-	int64		result_seconds;
-	int64		result;
-
-	/* Create an epoch to compare against */
-	ASN1_epoch = ASN1_TIME_new();
-	if (!ASN1_epoch)
-		ereport(ERROR,
-				(errcode(ERRCODE_OUT_OF_MEMORY),
-				 errmsg("could not allocate memory for ASN1 TIME structure")));
-
-	/*
-	 * Calculate the diff from the epoch to the certificate timestamp.
-	 * POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch
-	 * in the ASN.1 format.
-	 */
-	if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
-		!ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
-		ereport(ERROR,
-				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				 errmsg("failed to read certificate validity")));
-
-	/*
-	 * Unlike when freeing other OpenSSL memory structures, there is no error
-	 * return on freeing ASN1 strings.
-	 */
-	ASN1_TIME_free(ASN1_epoch);
-
-	/*
-	 * Convert the reported date into usecs to be used as a TimestampTz. The
-	 * date should really not overflow an int64 but rather than trusting the
-	 * certificate we take overflow into consideration.
-	 */
-	if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
-		pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_seconds) ||
-		pg_add_s64_overflow(result_seconds, result_days, &result))
-	{
-		return 0;
-	}
-
-	return result;
-}
-
 /*
  * Convert TLS protocol version GUC enum to OpenSSL values
  *

src/backend/libpq/be-secure-openssl.c

@@ -348,8 +348,6 @@ pgstat_bestart(void)
 		be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
 		be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
 		be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
-		be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
-		be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
 	}
 	else
 	{