authorGabriel Marks <gabriel.marks@mongodb.com>2020-07-13 23:09:23 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-07-16 23:19:31 +0000
commit550a9ee713078ec583621a0d6c368a6bc6ce43d2 (patch)
tree9ff59e867029521fe7e4af3e2c6a62b16bc476eb
parent67db847b2b833a6df876a951ec8c08872d567008 (diff)
downloadmongo-550a9ee713078ec583621a0d6c368a6bc6ce43d2.tar.gz
SERVER-49131 SSL Info logging for Windows
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp83
1 files changed, 77 insertions, 6 deletions
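--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -69,7 +69,6 @@
 namespace mongo {
-extern SSLManagerInterface* theSSLManager;
 extern SSLManagerCoordinator* theSSLManagerCoordinator;
 namespace {
@@ -1519,11 +1518,8 @@ unsigned long long FiletimeToEpocMillis(FILETIME ft) {
 return ns100 / 10000;
 }
-// MongoDB wants RFC 2253 (LDAP) formatted DN names for auth purposes
-StatusWith<SSLX509Name> getCertificateSubjectName(PCCERT_CONTEXT cert) {
-
- auto swBlob =
- decodeObject(X509_NAME, cert->pCertInfo->Subject.pbData, cert->pCertInfo->Subject.cbData);
+StatusWith<SSLX509Name> blobToName(CERT_NAME_BLOB blob) {
+ auto swBlob = decodeObject(X509_NAME, blob.pbData, blob.cbData);
 if (!swBlob.isOK()) {
 return swBlob.getStatus();
@@ -1585,6 +1581,11 @@ StatusWith<SSLX509Name> getCertificateSubjectName(PCCERT_CONTEXT cert) {
 return SSLX509Name(std::move(entries));
 }
+// MongoDB wants RFC 2253 (LDAP) formatted DN names for auth purposes
+StatusWith<SSLX509Name> getCertificateSubjectName(PCCERT_CONTEXT cert) {
+ return blobToName(cert->pCertInfo->Subject);
+}
+
 Status SSLManagerWindows::_validateCertificate(PCCERT_CONTEXT cert,
 SSLX509Name* subjectName,
 Date_t* serverCertificateExpirationDate) {
@@ -2049,8 +2050,78 @@ Future<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
 }
 }
+constexpr size_t kSHA1HashBytes = 20;
+
+Status getCertInfo(CertInformationToLog* info, PCCERT_CONTEXT cert) {
+ info->subject = uassertStatusOK(getCertificateSubjectName(cert));
+ info->issuer = uassertStatusOK(blobToName(cert->pCertInfo->Issuer));
+
+ DWORD bufSize = kSHA1HashBytes;
+ info->thumbprint.resize(kSHA1HashBytes);
+
+ if (!CertGetCertificateContextProperty(
+ cert, CERT_SHA1_HASH_PROP_ID, info->thumbprint.data(), &bufSize)) {
+ DWORD gle = GetLastError();
+ return Status(ErrorCodes::InvalidSSLConfiguration,
+ str::stream() << "getCertInfo failed to get certificate thumbprint: "
+ << errnoWithDescription(gle));
+ }
+
+ info->validityNotBefore =
+ Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(cert->pCertInfo->NotBefore));
+ info->validityNotAfter =
+ Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(cert->pCertInfo->NotAfter));
+
+ return Status::OK();
+}
+
+Status getCRLInfo(CRLInformationToLog* info, PCCRL_CONTEXT crl) {
+ DWORD bufSize = kSHA1HashBytes;
+ info->thumbprint.resize(kSHA1HashBytes);
+
+ if (!CertGetCRLContextProperty(
+ crl, CERT_SHA1_HASH_PROP_ID, info->thumbprint.data(), &bufSize)) {
+ DWORD gle = GetLastError();
+ return Status(ErrorCodes::InvalidSSLConfiguration,
+ str::stream() << "getCRLInfo failed to get CRL thumbprint: "
+ << errnoWithDescription(gle));
+ }
+
+ info->validityNotBefore =
+ Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(crl->pCrlInfo->ThisUpdate));
+ info->validityNotAfter =
+ Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(crl->pCrlInfo->NextUpdate));
+
+ return Status::OK();
+}
+
 SSLInformationToLog SSLManagerWindows::getSSLInformationToLog() const {
 SSLInformationToLog info;
+
+ auto serverCert = _serverCertificates[0];
+ if (serverCert != nullptr) {
+ uassertStatusOK(getCertInfo(&info.server, serverCert));
+ }
+
+ auto clientCert = _clientCertificates[0];
+ if (clientCert != nullptr) {
+ CertInformationToLog cluster;
+ uassertStatusOK(getCertInfo(&cluster, clientCert));
+ info.cluster = cluster;
+ }
+
+ if (_serverEngine.hasCRL) {
+ HCERTSTORE store = const_cast<UniqueCertStore&>(_serverEngine.CAstore);
+ DWORD flags = 0;
+ auto crl = CertGetCRLFromStore(store, nullptr, nullptr, &flags);
+ if (crl != nullptr) {
+ UniqueCRL crlHolder(crl);
+ CRLInformationToLog crlInfo;
+ uassertStatusOK(getCRLInfo(&crlInfo, crl));
+ info.crl = crlInfo;
+ }
+ }
+
 return info;
 }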
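Review bot: getCertInfo declares a Status return but fails its subject and issuer lookups through uassertStatusOK, so a DN that does not decode throws straight out of getSSLInformationToLog while a thumbprint failure is returned and then rethrown by the caller's uassertStatusOK — two failure channels for one function. Propagating the StatusWith keeps a single path: `auto swSubject = getCertificateSubjectName(cert);` `if (!swSubject.isOK()) return swSubject.getStatus();` `info->subject = std::move(swSubject.getValue());`, and the same for the issuer via blobToName. In getSSLInformationToLog, the `const_cast<UniqueCertStore&>` on the CA store is presumably there because the wrapper only converts to HCERTSTORE from a non-const object; a one-line comment saying so, or a const conversion on the wrapper, would stop it reading like a correctness workaround inside a const method. CertGetCRLFromStore with a null previous context returns only the first CRL in the store, so a store holding several CRLs logs just one — if that is intended, `// only the first CRL in the CA store is reported` documents it.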