Merge pull request #16087 from cockroachdb/marc/debug_certificates

UI: add /debug/certificates

pkg/cli/cert.go

@@ -19,6 +19,7 @@ package cli
 import (
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/cockroachdb/cockroach/pkg/security"
@@ -170,10 +171,10 @@ func runListCerts(cmd *cobra.Command, args []string) error {
 
 	fmt.Fprintf(os.Stdout, "Certificate directory: %s\n", baseCfg.SSLCertsDir)
 
-	certTableHeaders := []string{"Usage", "Certificate File", "Key File", "Notes", "Expires", "Error"}
+	certTableHeaders := []string{"Usage", "Certificate File", "Key File", "Expires", "Notes", "Error"}
 	var rows [][]string
 
-	addRow := func(ci *security.CertInfo, name string) {
+	addRow := func(ci *security.CertInfo, notes string) {
 		var errString string
 		if ci.Error != nil {
 			errString = ci.Error.Error()
@@ -182,22 +183,39 @@ func runListCerts(cmd *cobra.Command, args []string) error {
 			ci.FileUsage.String(),
 			ci.Filename,
 			ci.KeyFilename,
-			name,
 			ci.ExpirationTime.Format("2006/01/02"),
+			notes,
 			errString,
 		})
 	}
 
-	if ca := cm.CACert(); ca != nil {
-		addRow(ca, "")
+	if cert := cm.CACert(); cert != nil {
+		addRow(cert, "")
 	}
 
-	if node := cm.NodeCert(); node != nil {
-		addRow(node, "")
+	if cert := cm.NodeCert(); cert != nil {
+		var addresses []string
+		if cert.Error == nil && len(cert.ParsedCertificates) > 0 {
+			addresses = cert.ParsedCertificates[0].DNSNames
+			for _, ip := range cert.ParsedCertificates[0].IPAddresses {
+				addresses = append(addresses, ip.String())
+			}
+		} else {
+			addresses = append(addresses, "<unknown>")
+		}
+
+		addRow(cert, fmt.Sprintf("addresses: %s", strings.Join(addresses, ",")))
 	}
 
-	for name, cert := range cm.ClientCerts() {
-		addRow(cert, fmt.Sprintf("user=%s", name))
+	for _, cert := range cm.ClientCerts() {
+		var user string
+		if cert.Error == nil && len(cert.ParsedCertificates) > 0 {
+			user = cert.ParsedCertificates[0].Subject.CommonName
+		} else {
+			user = "<unknown>"
+		}
+
+		addRow(cert, fmt.Sprintf("user: %s", user))
 	}
 
 	return printQueryOutput(os.Stdout, certTableHeaders, newRowSliceIter(rows), "", cliCtx.tableDisplayFormat)

pkg/security/certs.go

@@ -288,3 +288,24 @@ func CreateClientPair(
 
 	return nil
 }
+
+// PEMContentsToX509 takes raw pem-encoded contents and attempts to parse into
+// x509.Certificate objects.
+func PEMContentsToX509(contents []byte) ([]*x509.Certificate, error) {
+	derCerts, err := PEMToCertificates(contents)
+	if err != nil {
+		return nil, err
+	}
+
+	certs := make([]*x509.Certificate, len(derCerts))
+	for i, c := range derCerts {
+		x509Cert, err := x509.ParseCertificate(c.Bytes)
+		if err != nil {
+			return nil, err
+		}
+
+		certs[i] = x509Cert
+	}
+
+	return certs, nil
+}

pkg/security/utils.go

@@ -0,0 +1,88 @@
+// Copyright 2017 The Cockroach Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// permissions and limitations under the License.
+//
+// Author: Marc Berhault ([email protected])
+
+package security
+
+import "crypto/x509"
+
+// KeyUsageToString returns the list of key usages described by the bitmask.
+// This list may not up-to-date with https://golang.org/pkg/crypto/x509/#KeyUsage
+func KeyUsageToString(ku x509.KeyUsage) []string {
+	ret := make([]string, 0)
+	if ku&x509.KeyUsageDigitalSignature != 0 {
+		ret = append(ret, "DigitalSignature")
+	}
+	if ku&x509.KeyUsageContentCommitment != 0 {
+		ret = append(ret, "ContentCommitment")
+	}
+	if ku&x509.KeyUsageKeyEncipherment != 0 {
+		ret = append(ret, "KeyEncipherment")
+	}
+	if ku&x509.KeyUsageDataEncipherment != 0 {
+		ret = append(ret, "DataEncirpherment")
+	}
+	if ku&x509.KeyUsageKeyAgreement != 0 {
+		ret = append(ret, "KeyAgreement")
+	}
+	if ku&x509.KeyUsageCertSign != 0 {
+		ret = append(ret, "CertSign")
+	}
+	if ku&x509.KeyUsageCRLSign != 0 {
+		ret = append(ret, "CRLSign")
+	}
+	if ku&x509.KeyUsageEncipherOnly != 0 {
+		ret = append(ret, "EncipherOnly")
+	}
+	if ku&x509.KeyUsageDecipherOnly != 0 {
+		ret = append(ret, "DecipherOnly")
+	}
+
+	return ret
+}
+
+// ExtKeyUsageToString converts a x509.ExtKeyUsage to a string, returning "unknown" if
+// the list is not up-to-date.
+func ExtKeyUsageToString(eku x509.ExtKeyUsage) string {
+	switch eku {
+
+	case x509.ExtKeyUsageAny:
+		return "Any"
+	case x509.ExtKeyUsageServerAuth:
+		return "ServerAuth"
+	case x509.ExtKeyUsageClientAuth:
+		return "ClientAuth"
+	case x509.ExtKeyUsageCodeSigning:
+		return "CodeSigning"
+	case x509.ExtKeyUsageEmailProtection:
+		return "EmailProtection"
+	case x509.ExtKeyUsageIPSECEndSystem:
+		return "IPSECEndSystem"
+	case x509.ExtKeyUsageIPSECTunnel:
+		return "IPSECTunnel"
+	case x509.ExtKeyUsageIPSECUser:
+		return "IPSECUser"
+	case x509.ExtKeyUsageTimeStamping:
+		return "TimeStamping"
+	case x509.ExtKeyUsageOCSPSigning:
+		return "OCSPSigning"
+	case x509.ExtKeyUsageMicrosoftServerGatedCrypto:
+		return "MicrosoftServerGatedCrypto"
+	case x509.ExtKeyUsageNetscapeServerGatedCrypto:
+		return "NetscapeServerGatedCrypto"
+	default:
+		return "unknown"
+	}
+}

pkg/server/debug.go

@@ -155,6 +155,10 @@ func init() {
         <td>raft</td>
         <td><a href="/_status/raft">raft</a></td>
       </tr>
+      <tr>
+        <td>security</td>
+        <td><a href="/debug/certificates">certificates</a></td>
+      </tr>
       <tr>
         <td>pprof</td>
         <td>