[Ticket parser] Print certificate fingerprint in debug message (#5650)

ydb-platform · Jun 20, 2024 · 58f6122 · 58f6122
1 parent f95d5a6
commit 58f6122
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 0 deletions.
diff --git a/ydb/core/security/certificate_check/cert_auth_processor.cpp b/ydb/core/security/certificate_check/cert_auth_processor.cpp
@@ -5,10 +5,12 @@
 #include <openssl/bio.h>
 #include <openssl/objects.h>
 #include <openssl/obj_mac.h>
+#include <openssl/sha.h>
 
 #include <util/generic/yexception.h>
 #include <util/generic/map.h>
 #include <util/generic/string.h>
+#include <util/string/hex.h>
 
 namespace NKikimr {
 
@@ -98,6 +100,15 @@ TVector<std::pair<TString, TString>> X509CertificateReader::ReadIssuerTerms(cons
     return ReadTerms(name);
 }
 
+TString X509CertificateReader::GetFingerprint(const X509Ptr& x509) {
+    static constexpr size_t FINGERPRINT_LENGTH = SHA_DIGEST_LENGTH;
+    unsigned char fingerprint[FINGERPRINT_LENGTH];
+    if (X509_digest(x509.get(), EVP_sha1(), fingerprint, nullptr) <= 0) {
+        return "";
+    }
+    return HexEncode(fingerprint, FINGERPRINT_LENGTH);
+}
+
 TCertificateAuthorizationParams::TCertificateAuthorizationParams(const TDN& dn, bool requireSameIssuer, const std::vector<TString>& groups)
     : SubjectDn(dn)
     , RequireSameIssuer(requireSameIssuer)

diff --git a/ydb/core/security/certificate_check/cert_auth_processor.h b/ydb/core/security/certificate_check/cert_auth_processor.h
@@ -63,6 +63,7 @@ struct X509CertificateReader {
     static TVector<std::pair<TString, TString>> ReadSubjectTerms(const X509Ptr& x509);
     static TVector<std::pair<TString, TString>> ReadAllSubjectTerms(const X509Ptr& x509);
     static TVector<std::pair<TString, TString>> ReadIssuerTerms(const X509Ptr& x509);
+    static TString GetFingerprint(const X509Ptr& x509);
 private:
     static std::pair<TString, TString> GetTermFromX509Name(X509_NAME* name, int nid);
     static TVector<std::pair<TString, TString>> ReadTerms(X509_NAME* name);

diff --git a/ydb/core/security/certificate_check/cert_auth_utils.cpp b/ydb/core/security/certificate_check/cert_auth_utils.cpp
@@ -529,4 +529,14 @@ TProps TProps::AsClientServer() {
 
 TProps& TProps::WithValid(TDuration duration) { SecondsValid = duration.Seconds(); return *this; }
 
+std::string GetCertificateFingerprint(const std::string& certificate) {
+    const static std::string defaultFingerprint = "certificate";
+    X509CertificateReader::X509Ptr x509Cert = X509CertificateReader::ReadCertAsPEM(certificate);
+    if (!x509Cert) {
+        return defaultFingerprint;
+    }
+    std::string fingerprint = X509CertificateReader::GetFingerprint(x509Cert);
+    return (fingerprint.empty() ? defaultFingerprint : fingerprint);
+}
+
 }  //namespace NKikimr
diff --git a/ydb/core/security/certificate_check/cert_auth_utils.h b/ydb/core/security/certificate_check/cert_auth_utils.h
@@ -50,4 +50,6 @@ TCertAndKey GenerateCA(const TProps& props);
 TCertAndKey GenerateSignedCert(const TCertAndKey& ca, const TProps& props);
 void VerifyCert(const std::string& cert, const std::string& caCert);
 
+std::string GetCertificateFingerprint(const std::string& certificate);
+
 } //namespace NKikimr
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -246,6 +246,9 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             if (Signature.AccessKeyId) {
                 return MaskTicket(Signature.AccessKeyId);
             }
+            if (TokenType == TDerived::ETokenType::Certificate) {
+                return GetCertificateFingerprint(Ticket);
+            }
             return MaskTicket(Ticket);
         }
     };