SERVER-41121 Warn when a peer certificate is about to expire

Author: sgolemon-corp

jstests/ssl/x509_expiring.js

@@ -0,0 +1,45 @@
+// Verify a warning is emitted when a certificate is about to expire.
+
+(function() {
+'use strict';
+
+const SERVER_CERT = "jstests/libs/server.pem";
+const CA_CERT = "jstests/libs/ca.pem";
+const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
+
+function test(expiration, expect) {
+    const options = {
+        auth: '',
+        tlsMode: "requireTLS",
+        tlsCertificateKeyFile: SERVER_CERT,
+        tlsCAFile: CA_CERT,
+        setParameter: 'tlsX509ExpirationWarningThresholdDays=' + expiration,
+    };
+    const mongo = MongoRunner.runMongod(options);
+    const external = mongo.getDB("$external");
+
+    external.createUser({
+        user: CLIENT_USER,
+        roles: [
+            {'role': 'userAdminAnyDatabase', 'db': 'admin'},
+            {'role': 'readWriteAnyDatabase', 'db': 'admin'},
+            {'role': 'clusterMonitor', 'db': 'admin'},
+        ]
+    });
+
+    assert(external.auth({user: CLIENT_USER, mechanism: 'MONGODB-X509'}),
+           "authentication with valid user failed");
+
+    // Check that there's a "Successfully authenticated" message that includes the client IP
+    const log =
+        assert.commandWorked(external.getSiblingDB("admin").runCommand({getLog: "global"})).log;
+    const warning = `Peer certificate '${CLIENT_USER}' expires`;
+
+    assert.eq(log.some(line => line.includes(warning)), expect);
+
+    MongoRunner.stopMongod(mongo);
+}
+
+test(30, false);
+test(7300, true);  // Work so long as certs expire no more than 20 years from now
+})();

src/mongo/util/duration.cpp

@@ -67,6 +67,11 @@ Stream& streamPut(Stream& os, Hours hrs) {
     return os << hrs.count() << "hr";
 }
 
+template <typename Stream>
+Stream& streamPut(Stream& os, Days days) {
+    return os << days.count() << "d";
+}
+
 }  // namespace
 
 std::ostream& operator<<(std::ostream& os, Nanoseconds ns) {
@@ -92,6 +97,10 @@ std::ostream& operator<<(std::ostream& os, Hours h) {
     return streamPut(os, h);
 }
 
+std::ostream& operator<<(std::ostream& os, Days d) {
+    return streamPut(os, d);
+}
+
 template <typename Allocator>
 StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Nanoseconds ns) {
     return streamPut(os, ns);
@@ -122,6 +131,11 @@ StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Hours
     return streamPut(os, h);
 }
 
+template <typename Allocator>
+StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Days d) {
+    return streamPut(os, d);
+}
+
 template StringBuilderImpl<StackAllocator>& operator<<(StringBuilderImpl<StackAllocator>&,
                                                        Nanoseconds);
 template StringBuilderImpl<StackAllocator>& operator<<(StringBuilderImpl<StackAllocator>&,

src/mongo/util/duration.h

@@ -55,6 +55,7 @@ using Milliseconds = Duration<std::milli>;
 using Seconds = Duration<std::ratio<1>>;
 using Minutes = Duration<std::ratio<60>>;
 using Hours = Duration<std::ratio<3600>>;
+using Days = Duration<std::ratio<86400>>;
 
 //
 // Streaming output operators for common duration types. Writes the numerical value followed by
@@ -70,6 +71,7 @@ std::ostream& operator<<(std::ostream& os, Milliseconds ms);
 std::ostream& operator<<(std::ostream& os, Seconds s);
 std::ostream& operator<<(std::ostream& os, Minutes m);
 std::ostream& operator<<(std::ostream& os, Hours h);
+std::ostream& operator<<(std::ostream& os, Days h);
 
 template <typename Allocator>
 StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Nanoseconds ns);
@@ -89,6 +91,9 @@ StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Minut
 template <typename Allocator>
 StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Hours h);
 
+template <typename Allocator>
+StringBuilderImpl<Allocator>& operator<<(StringBuilderImpl<Allocator>& os, Days h);
+
 
 template <typename Duration1, typename Duration2>
 using HigherPrecisionDuration =

src/mongo/util/net/ssl_manager.cpp

@@ -1171,4 +1171,12 @@ bool hostNameMatchForX509Certificates(std::string nameToMatch, std::string certH
     }
 }
 
+void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer) {
+    warning() << "Peer certificate '" << peer << "' expires soon";
+}
+
+void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer, Days days) {
+    warning() << "Peer certificate '" << peer << "' expires in " << days;
+}
+
 }  // namespace mongo

src/mongo/util/net/ssl_manager.h

@@ -320,6 +320,11 @@ StatusWith<TLSVersion> mapTLSVersion(SSLConnectionType conn);
  */
 void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging);
 
+/**
+ * Emit a warning() explaining that a client certificate is about to expire.
+ */
+void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer);
+void tlsEmitWarningExpiringClientCertificate(const SSLX509Name& peer, Days days);
 
 }  // namespace mongo
 #endif  // #ifdef MONGO_CONFIG_SSL

src/mongo/util/net/ssl_manager_apple.cpp

@@ -53,6 +53,7 @@
 #include "mongo/util/net/ssl/apple.hpp"
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
 
 using asio::ssl::apple::CFUniquePtr;
 
@@ -1534,9 +1535,10 @@ StatusWith<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
     }
 
     CFUniquePtr<::CFMutableArrayRef> oids(
-        ::CFArrayCreateMutable(nullptr, remoteHost.empty() ? 3 : 2, &::kCFTypeArrayCallBacks));
+        ::CFArrayCreateMutable(nullptr, remoteHost.empty() ? 4 : 3, &::kCFTypeArrayCallBacks));
     ::CFArrayAppendValue(oids.get(), ::kSecOIDX509V1SubjectName);
     ::CFArrayAppendValue(oids.get(), ::kSecOIDSubjectAltName);
+    ::CFArrayAppendValue(oids.get(), ::kSecOIDX509V1ValidityNotAfter);
     if (remoteHost.empty()) {
         ::CFArrayAppendValue(oids.get(), kMongoDBRolesOID);
     }
@@ -1556,18 +1558,37 @@ StatusWith<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
     const auto peerSubjectName = std::move(swPeerSubjectName.getValue());
     LOG(2) << "Accepted TLS connection from peer: " << peerSubjectName;
 
-    // If this is a server and client and server certificate are the same, log a warning.
-    if (_sslConfiguration.serverSubjectName() == peerSubjectName) {
-        warning() << "Client connecting with server's own TLS certificate";
-    }
-
+    // Server side.
     if (remoteHost.empty()) {
+        const auto exprThreshold = tlsX509ExpirationWarningThresholdDays;
+        if (exprThreshold > 0) {
+            auto swExpiration =
+                extractValidityDate(cfdict.get(), ::kSecOIDX509V1ValidityNotAfter, "valid-until");
+            if (!swExpiration.isOK()) {
+                return badCert("Unable to parse expiration date from certificate",
+                               _allowInvalidCertificates);
+            }
+            const auto expiration = swExpiration.getValue();
+            const auto now = Date_t::now();
+
+            if ((now + Days(exprThreshold)) > expiration) {
+                tlsEmitWarningExpiringClientCertificate(peerSubjectName,
+                                                        duration_cast<Days>(expiration - now));
+            }
+        }
+
+        // If client and server certificate are the same, log a warning.
+        if (_sslConfiguration.serverSubjectName() == peerSubjectName) {
+            warning() << "Client connecting with server's own TLS certificate";
+        }
+
         // If this is an SSL server context (on a mongod/mongos)
         // parse any client roles out of the client certificate.
         auto swPeerCertificateRoles = parsePeerRoles(cfdict.get());
         if (!swPeerCertificateRoles.isOK()) {
             return swPeerCertificateRoles.getStatus();
         }
+
         return SSLPeerInfo(peerSubjectName, sniName, std::move(swPeerCertificateRoles.getValue()));
     }
 

src/mongo/util/net/ssl_manager_openssl.cpp

@@ -59,6 +59,7 @@
 #include "mongo/util/net/private/ssl_expiration.h"
 #include "mongo/util/net/socket_exception.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/scopeguard.h"
 #include "mongo/util/str.h"
@@ -240,10 +241,21 @@ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ASN1_SEQUENCE_ANY, ASN1_SET_ANY, ASN
 const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509* peerCert) {
     return peerCert->cert_info->extensions;
 }
+
+inline ASN1_TIME* X509_get0_notAfter(const X509* cert) {
+    return X509_get_notAfter(cert);
+}
+
 inline int X509_NAME_ENTRY_set(const X509_NAME_ENTRY* ne) {
     return ne->set;
 }
 
+#if OPENSSL_VESION_NUMBER < 0x10002000L
+inline bool ASN1_TIME_diff(int*, int*, const ASN1_TIME*, const ASN1_TIME*) {
+    return false;
+}
+#endif
+
 int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {
     dh->p = p;
     dh->g = g;
@@ -1531,22 +1543,39 @@ StatusWith<SSLPeerInfo> SSLManagerOpenSSL::parseAndValidatePeerCertificate(
     auto peerSubject = getCertificateSubjectX509Name(peerCert);
     LOG(2) << "Accepted TLS connection from peer: " << peerSubject;
 
-    // If this is a server and client and server certificate are the same, log a warning.
-    if (remoteHost.empty() && _sslConfiguration.serverSubjectName() == peerSubject) {
-        warning() << "Client connecting with server's own TLS certificate";
-    }
-
     StatusWith<stdx::unordered_set<RoleName>> swPeerCertificateRoles = _parsePeerRoles(peerCert);
     if (!swPeerCertificateRoles.isOK()) {
         return swPeerCertificateRoles.getStatus();
     }
 
-    // If this is an SSL client context (on a MongoDB server or client)
-    // perform hostname validation of the remote server
+    // Server side.
     if (remoteHost.empty()) {
+        const auto exprThreshold = tlsX509ExpirationWarningThresholdDays;
+        if (exprThreshold > 0) {
+            const auto expiration = X509_get0_notAfter(peerCert);
+            time_t threshold = (Date_t::now() + Days(exprThreshold)).toTimeT();
+
+            if (X509_cmp_time(expiration, &threshold) < 0) {
+                int days = 0, secs = 0;
+                if (!ASN1_TIME_diff(&days, &secs, nullptr /* now */, expiration)) {
+                    tlsEmitWarningExpiringClientCertificate(peerSubject);
+                } else {
+                    tlsEmitWarningExpiringClientCertificate(peerSubject, Days(days));
+                }
+            }
+        }
+
+        // If client and server certificate are the same, log a warning.
+        if (_sslConfiguration.serverSubjectName() == peerSubject) {
+            warning() << "Client connecting with server's own TLS certificate";
+        }
+
         return SSLPeerInfo(peerSubject, sniName, std::move(swPeerCertificateRoles.getValue()));
     }
 
+    // If this is an SSL client context (on a MongoDB server or client)
+    // perform hostname validation of the remote server.
+
     // This is to standardize the IPAddress format for comparison.
     auto swCIDRRemoteHost = CIDR::parse(remoteHost);
 

src/mongo/util/net/ssl_manager_windows.cpp

@@ -58,6 +58,7 @@
 #include "mongo/util/net/socket_exception.h"
 #include "mongo/util/net/ssl.hpp"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/ssl_parameters_gen.h"
 #include "mongo/util/net/ssl_types.h"
 #include "mongo/util/str.h"
 #include "mongo/util/text.h"
@@ -1429,7 +1430,7 @@ unsigned long long FiletimeToEpocMillis(FILETIME ft) {
 
     uint64_t ns100 = ((static_cast<int64_t>(ft.dwHighDateTime) << 32) + ft.dwLowDateTime) -
         kOneHundredNanosecondsSinceEpoch;
-    return ns100 / 1000;
+    return ns100 / 10000;
 }
 
 // MongoDB wants RFC 2253 (LDAP) formatted DN names for auth purposes
@@ -1679,6 +1680,20 @@ Status validatePeerCertificate(const std::string& remoteHost,
     invariant(peerSubjectName);
     *peerSubjectName = swSubjectName.getValue();
 
+    if (remoteHost.empty()) {
+        const auto exprThreshold = tlsX509ExpirationWarningThresholdDays;
+        if (exprThreshold > 0) {
+            const auto now = Date_t::now();
+            const auto expiration =
+                Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(cert->pCertInfo->NotAfter));
+
+            if ((now + Days(exprThreshold)) > expiration) {
+                tlsEmitWarningExpiringClientCertificate(*peerSubjectName,
+                                                        duration_cast<Days>(expiration - now));
+            }
+        }
+    }
+
     // This means the certificate chain is not valid.
     // Ignore CRYPT_E_NO_REVOCATION_CHECK since most CAs lack revocation information especially test
     // certificates

src/mongo/util/net/ssl_parameters.idl

@@ -78,3 +78,14 @@ server_parameters:
     set_at: [startup, runtime]
     cpp_class: ClusterMemberDNOverride
 
+  tlsX509ExpirationWarningThresholdDays:
+    description: >-
+        If a client connects to the server using an X509 certificate expiring in less
+        than the configured number of days, a warning will be emitted to the server logs.
+        Set this value to 0 to disable the warning.
+    set_at: startup
+    cpp_vartype: std::int32_t
+    cpp_varname: "tlsX509ExpirationWarningThresholdDays"
+    default: 30
+    validator:
+        gte: 0