ClickHouse/src/Storages/System/StorageSystemCertificates.cpp

#include <Common/config.h>
#include <DataTypes/DataTypeNullable.h>
#include <DataTypes/DataTypeString.h>
#include <DataTypes/DataTypesNumber.h>
#include <Storages/System/StorageSystemCertificates.h>
#include <re2/re2.h>
#include <boost/algorithm/string.hpp>
#include <filesystem>
#include "Poco/File.h"
#if USE_SSL
    #include <openssl/x509v3.h>
    #include "Poco/Net/SSLManager.h"
    #include "Poco/Crypto/X509Certificate.h"
#endif

namespace DB
{

NamesAndTypesList StorageSystemCertificates::getNamesAndTypes()
{
    return
    {
        {"version",         std::make_shared<DataTypeNumber<Int32>>()},
        {"serial_number",   std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"signature_algo",  std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"issuer",          std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"not_before",      std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"not_after",       std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"subject",         std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"pkey_algo",       std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},
        {"path",            std::make_shared<DataTypeString>()},
        {"default",         std::make_shared<DataTypeNumber<UInt8>>()}
    };
}

#if USE_SSL

static std::unordered_set<std::string> parse_dir(const std::string & dir)
{
    std::vector<std::string> dirs;
    boost::split(dirs, dir, boost::is_any_of(":"), boost::token_compress_on);

    std::unordered_set<std::string> ret;
    for (auto & d : dirs)
        ret.emplace(std::move(d));

    return ret;
}

static void populateTable(const X509 * cert, MutableColumns & res_columns, const std::string & path, bool def)
{
    BIO * b = BIO_new(BIO_s_mem());
    size_t col = 0;

    res_columns[col++]->insert(X509_get_version(cert) + 1);

    {
        char buf[1024] = {0};
        const ASN1_INTEGER * sn = cert->cert_info->serialNumber;
        BIGNUM * bnsn = ASN1_INTEGER_to_BN(sn, nullptr);
        if (BN_print(b, bnsn) > 0 && BIO_read(b, buf, sizeof(buf)) > 0)
            res_columns[col]->insert(buf);
        else
            res_columns[col]->insertDefault();
        BN_free(bnsn);
    }
    ++col;

    {
        const ASN1_BIT_STRING *sig = nullptr;
        const X509_ALGOR *al = nullptr;
        char buf[1024] = {0};
        X509_get0_signature(&sig, &al, cert);
        if (al)
        {
            OBJ_obj2txt(buf, sizeof(buf), al->algorithm, 0);
            res_columns[col]->insert(buf);
        }
        else
            res_columns[col]->insertDefault();
    }
    ++col;

    char * issuer = X509_NAME_oneline(cert->cert_info->issuer, nullptr, 0);
    if (issuer)
    {
        res_columns[col]->insert(issuer);
        OPENSSL_free(issuer);
    }
    else
        res_columns[col]->insertDefault();
    ++col;

    {
        char buf[1024] = {0};
        if (ASN1_TIME_print(b, X509_get_notBefore(cert)) && BIO_read(b, buf, sizeof(buf)) > 0)
            res_columns[col]->insert(buf);
        else
            res_columns[col]->insertDefault();
    }
    ++col;

    {
        char buf[1024] = {0};
        if (ASN1_TIME_print(b, X509_get_notAfter(cert)) && BIO_read(b, buf, sizeof(buf)) > 0)
            res_columns[col]->insert(buf);
        else
            res_columns[col]->insertDefault();
    }
    ++col;

    char * subject = X509_NAME_oneline(cert->cert_info->subject, nullptr, 0);
    if (subject)
    {
        res_columns[col]->insert(subject);
        OPENSSL_free(subject);
    }
    else
        res_columns[col]->insertDefault();
    ++col;

    if (X509_PUBKEY * pkey = X509_get_X509_PUBKEY(cert))
    {
        char buf[1024] = {0};
        ASN1_OBJECT *ppkalg = nullptr;
        const unsigned char *pk = nullptr;
        int ppklen = 0;
        X509_ALGOR *pa = nullptr;
        if (X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pkey) &&
            i2a_ASN1_OBJECT(b, ppkalg) > 0 && BIO_read(b, buf, sizeof(buf)) > 0)
                res_columns[col]->insert(buf);
        else
            res_columns[col]->insertDefault();
    }
    else
        res_columns[col]->insertDefault();
    ++col;

    res_columns[col++]->insert(path);
    res_columns[col++]->insert(def);

    BIO_free(b);
}

static void enumCertificates(const std::string & dir, bool def, MutableColumns & res_columns)
{
    static const RE2 cert_name("^[a-fA-F0-9]{8}\\.\\d$");
    assert(cert_name.ok());

    const std::filesystem::path p(dir);

    for (auto const& dir_entry : std::filesystem::directory_iterator(p))
    {
        if (!dir_entry.is_regular_file() || !RE2::FullMatch(dir_entry.path().filename().string(), cert_name))
            continue;

        Poco::Crypto::X509Certificate cert(dir_entry.path());
        populateTable(cert.certificate(), res_columns, dir_entry.path(), def);
    }
}

#endif

void StorageSystemCertificates::fillData([[maybe_unused]] MutableColumns & res_columns, ContextPtr/* context*/, const SelectQueryInfo &) const
{
#if USE_SSL
    auto & ca_paths = Poco::Net::SSLManager::instance().defaultServerContext()->getCAPaths();

    if (!ca_paths.caLocation.empty())
    {
        Poco::File afile(ca_paths.caLocation);
        if (afile.exists())
        {
            if (afile.isDirectory())
            {
                auto dir_set = parse_dir(ca_paths.caLocation);
                for (const auto & entry : dir_set)
                    enumCertificates(entry, false, res_columns);
            }
            else
            {
                auto certs = Poco::Crypto::X509Certificate::readPEM(afile.path());
                for (const auto & cert : certs)
                    populateTable(cert.certificate(), res_columns, afile.path(), false);
            }
        }
    }

    if (!ca_paths.caDefaultDir.empty())
    {
        auto dir_set = parse_dir(ca_paths.caDefaultDir);
        for (const auto & entry : dir_set)
            enumCertificates(entry, true, res_columns);
    }

    if (!ca_paths.caDefaultFile.empty())
    {
        Poco::File afile(ca_paths.caDefaultFile);
        if (afile.exists())
        {
            auto certs = Poco::Crypto::X509Certificate::readPEM(ca_paths.caDefaultFile);
            for (const auto & cert : certs)
                populateTable(cert.certificate(), res_columns, ca_paths.caDefaultFile, true);
        }
    }
#endif
}

}
#if instead of #ifdef 2022-05-13 15:03:13 +00:00			`#include <Common/config.h>`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`#include <DataTypes/DataTypeNullable.h>`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`#include <DataTypes/DataTypeString.h>`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`#include <DataTypes/DataTypesNumber.h>`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`#include <Storages/System/StorageSystemCertificates.h>`
refactoring, test added 2022-05-16 17:31:28 +00:00			`#include <re2/re2.h>`
			`#include <boost/algorithm/string.hpp>`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`#include <filesystem>`
ifdef USE_SSL 2022-05-12 12:34:26 +00:00			`#include "Poco/File.h"`
#if instead of #ifdef 2022-05-13 15:03:13 +00:00			`#if USE_SSL`
use x509v3 2022-05-12 15:51:00 +00:00			`#include <openssl/x509v3.h>`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`#include "Poco/Net/SSLManager.h"`
ifdef USE_SSL 2022-05-12 12:34:26 +00:00			`#include "Poco/Crypto/X509Certificate.h"`
fix ifdef 2022-05-12 22:37:52 +00:00			`#endif`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`namespace DB`
			`{`

			`NamesAndTypesList StorageSystemCertificates::getNamesAndTypes()`
			`{`
			`return`
			`{`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`{"version", std::make_shared<DataTypeNumber<Int32>>()},`
			`{"serial_number", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"signature_algo", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"issuer", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"not_before", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"not_after", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"subject", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"pkey_algo", std::make_shared<DataTypeNullable>(std::make_shared<DataTypeString>())},`
			`{"path", std::make_shared<DataTypeString>()},`
			`{"default", std::make_shared<DataTypeNumber<UInt8>>()}`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`};`
			`}`

#if instead of #ifdef 2022-05-13 15:03:13 +00:00			`#if USE_SSL`
ifdef USE_SSL 2022-05-12 12:34:26 +00:00
system.certificates table is added 2022-05-12 06:55:35 +00:00			`static std::unordered_set<std::string> parse_dir(const std::string & dir)`
			`{`
refactoring, test added 2022-05-16 17:31:28 +00:00			`std::vector<std::string> dirs;`
			`boost::split(dirs, dir, boost::is_any_of(":"), boost::token_compress_on);`
system.certificates table is added 2022-05-12 06:55:35 +00:00
refactoring, test added 2022-05-16 17:31:28 +00:00			`std::unordered_set<std::string> ret;`
			`for (auto & d : dirs)`
			`ret.emplace(std::move(d));`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`return ret;`
			`}`

take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`static void populateTable(const X509 * cert, MutableColumns & res_columns, const std::string & path, bool def)`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
			`BIO * b = BIO_new(BIO_s_mem());`
			`size_t col = 0;`

bugfix, refactoring 2022-05-14 19:45:07 +00:00			`res_columns[col++]->insert(X509_get_version(cert) + 1);`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`{`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`char buf[1024] = {0};`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`const ASN1_INTEGER * sn = cert->cert_info->serialNumber;`
			`BIGNUM * bnsn = ASN1_INTEGER_to_BN(sn, nullptr);`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`if (BN_print(b, bnsn) > 0 && BIO_read(b, buf, sizeof(buf)) > 0)`
			`res_columns[col]->insert(buf);`
			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`BN_free(bnsn);`
			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`{`
			`const ASN1_BIT_STRING *sig = nullptr;`
			`const X509_ALGOR *al = nullptr;`
			`char buf[1024] = {0};`
			`X509_get0_signature(&sig, &al, cert);`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`if (al)`
			`{`
			`OBJ_obj2txt(buf, sizeof(buf), al->algorithm, 0);`
			`res_columns[col]->insert(buf);`
			`}`
			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`char * issuer = X509_NAME_oneline(cert->cert_info->issuer, nullptr, 0);`
			`if (issuer)`
			`{`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`res_columns[col]->insert(issuer);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`OPENSSL_free(issuer);`
			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`{`
			`char buf[1024] = {0};`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`if (ASN1_TIME_print(b, X509_get_notBefore(cert)) && BIO_read(b, buf, sizeof(buf)) > 0)`
			`res_columns[col]->insert(buf);`
			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`{`
			`char buf[1024] = {0};`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`if (ASN1_TIME_print(b, X509_get_notAfter(cert)) && BIO_read(b, buf, sizeof(buf)) > 0)`
			`res_columns[col]->insert(buf);`
			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`char * subject = X509_NAME_oneline(cert->cert_info->subject, nullptr, 0);`
			`if (subject)`
			`{`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`res_columns[col]->insert(subject);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`OPENSSL_free(subject);`
			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`if (X509_PUBKEY * pkey = X509_get_X509_PUBKEY(cert))`
			`{`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`char buf[1024] = {0};`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`ASN1_OBJECT *ppkalg = nullptr;`
			`const unsigned char *pk = nullptr;`
			`int ppklen = 0;`
			`X509_ALGOR *pa = nullptr;`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`if (X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pkey) &&`
			`i2a_ASN1_OBJECT(b, ppkalg) > 0 && BIO_read(b, buf, sizeof(buf)) > 0)`
			`res_columns[col]->insert(buf);`
			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`else`
refactoring, test added 2022-05-16 17:31:28 +00:00			`res_columns[col]->insertDefault();`
bugfix, refactoring 2022-05-14 19:45:07 +00:00			`++col;`
system.certificates table is added 2022-05-12 06:55:35 +00:00
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`res_columns[col++]->insert(path);`
			`res_columns[col++]->insert(def);`

system.certificates table is added 2022-05-12 06:55:35 +00:00			`BIO_free(b);`
			`}`

take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`static void enumCertificates(const std::string & dir, bool def, MutableColumns & res_columns)`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
refactoring, test added 2022-05-16 17:31:28 +00:00			`static const RE2 cert_name("^[a-fA-F0-9]{8}\\.\\d$");`
			`assert(cert_name.ok());`
system.certificates table is added 2022-05-12 06:55:35 +00:00
			`const std::filesystem::path p(dir);`

			`for (auto const& dir_entry : std::filesystem::directory_iterator(p))`
			`{`
refactoring, test added 2022-05-16 17:31:28 +00:00			`if (!dir_entry.is_regular_file() \|\| !RE2::FullMatch(dir_entry.path().filename().string(), cert_name))`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`continue;`

			`Poco::Crypto::X509Certificate cert(dir_entry.path());`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`populateTable(cert.certificate(), res_columns, dir_entry.path(), def);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
			`}`

ifdef USE_SSL 2022-05-12 12:34:26 +00:00			`#endif`

maybe_unused 2022-05-13 15:31:42 +00:00			`void StorageSystemCertificates::fillData([[maybe_unused]] MutableColumns & res_columns, ContextPtr/* context*/, const SelectQueryInfo &) const`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
#if instead of #ifdef 2022-05-13 15:03:13 +00:00			`#if USE_SSL`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`auto & ca_paths = Poco::Net::SSLManager::instance().defaultServerContext()->getCAPaths();`
system.certificates table is added 2022-05-12 06:55:35 +00:00
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`if (!ca_paths.caLocation.empty())`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`Poco::File afile(ca_paths.caLocation);`
variables naming fixed 2022-05-12 22:10:19 +00:00			`if (afile.exists())`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
variables naming fixed 2022-05-12 22:10:19 +00:00			`if (afile.isDirectory())`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`auto dir_set = parse_dir(ca_paths.caLocation);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`for (const auto & entry : dir_set)`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`enumCertificates(entry, false, res_columns);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
			`else`
			`{`
variables naming fixed 2022-05-12 22:10:19 +00:00			`auto certs = Poco::Crypto::X509Certificate::readPEM(afile.path());`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`for (const auto & cert : certs)`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`populateTable(cert.certificate(), res_columns, afile.path(), false);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
			`}`
			`}`

take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`if (!ca_paths.caDefaultDir.empty())`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`auto dir_set = parse_dir(ca_paths.caDefaultDir);`
			`for (const auto & entry : dir_set)`
			`enumCertificates(entry, true, res_columns);`
			`}`
defaul file uncommented 2022-05-12 07:03:59 +00:00
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`if (!ca_paths.caDefaultFile.empty())`
			`{`
			`Poco::File afile(ca_paths.caDefaultFile);`
			`if (afile.exists())`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`{`
take certificate path from poco Context 2022-05-13 20:48:34 +00:00			`auto certs = Poco::Crypto::X509Certificate::readPEM(ca_paths.caDefaultFile);`
			`for (const auto & cert : certs)`
			`populateTable(cert.certificate(), res_columns, ca_paths.caDefaultFile, true);`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`
			`}`
ifdef USE_SSL 2022-05-12 12:34:26 +00:00			`#endif`
system.certificates table is added 2022-05-12 06:55:35 +00:00			`}`

			`}`