author | tjpcc <tjp@ctrl-c.club> | 2023-05-03 19:37:26 -0600 |
committer | tjpcc <tjp@ctrl-c.club> | 2023-05-03 19:50:56 -0600 |
commit | 91218665d27e39ccf799fdd4c6f7c8bb8e4ca4cf (patch) | |
tree | 9e2fdbd7c7a48041411d8f229513e92bee9039b9 | |
parent | 5c9655a1bb2af0f23ca6d9daf96aed44cd01c3c8 (diff) |
use sha256 for client cert fingerprints, and log them when available
-rw-r--r-- | examples/inspectls/main.go | 4 | ||||
-rw-r--r-- | logging/middleware.go | 28 |
2 files changed, 26 insertions, 6 deletions
diff --git a/examples/inspectls/main.go b/examples/inspectls/main.go
index 5becb71..d400fe9 100644
--- a/examples/inspectls/main.go
+++ b/examples/inspectls/main.go
@@ -3,7 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
-	"crypto/md5"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
@@ -88,7 +88,7 @@ func displayTLSState(state *tls.ConnectionState) string {
 }
 
 func fingerprint(cert *x509.Certificate) []byte {
-	raw := md5.Sum(cert.Raw)
+	raw := sha256.Sum256(cert.Raw)
 	dst := make([]byte, hex.EncodedLen(len(raw)))
 	hex.Encode(dst, raw[:])
 	return dst
diff --git a/logging/middleware.go b/logging/middleware.go
index 750f987..693cb2f 100644
--- a/logging/middleware.go
+++ b/logging/middleware.go
@@ -2,6 +2,8 @@ package logging
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"io"
 	"time"
@@ -18,13 +20,17 @@ func LogRequests(logger Logger) sr.Middleware {
 			response.Body = loggingBody(logger, request, response, start)
 		} else {
 			end := time.Now()
-			_ = logger.Log(
+			params := []any{
 				"msg", "request",
 				"ts", end.UTC(),
 				"dur", end.Sub(start),
 				"url", request.URL,
 				"status", "(not found)",
-			)
+			}
+			if fingerprint, ok := clientFingerprint(request); ok {
+				params = append(params, "client_ident", fingerprint)
+			}
+			_ = logger.Log(params...)
 		}
 
 		return response
@@ -32,6 +38,15 @@ func LogRequests(logger Logger) sr.Middleware {
 	}
 }
 
+func clientFingerprint(request *sr.Request) (string, bool) {
+	if request.TLSState == nil || len(request.TLSState.PeerCertificates) == 0 {
+		return "", false
+	}
+
+	digest := sha256.Sum256(request.TLSState.PeerCertificates[0].Raw)
+	return hex.EncodeToString(digest[:]), true
+}
+
 type loggedResponseBody struct {
 	request  *sr.Request
 	response *sr.Response
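Review bot: `fingerprint` in examples/inspectls/main.go now performs the same SHA-256-over-`cert.Raw` computation as the new `clientFingerprint` in logging/middleware.go, and its hand-rolled `make`/`hex.Encode` pair can collapse to a single call, `return []byte(hex.EncodeToString(raw[:]))`. The function's closing brace lies outside the hunk. Since this is an example program, keeping it self-contained is reasonable, but the two copies will need to be kept in step if the digest or encoding ever changes.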
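Review bot: The parameter build in `LogRequests` (from `params := []any{` through `_ = logger.Log(params...)`) is repeated almost verbatim in `loggedResponseBody.log` in the hunk at `@@ -45,14 +60,19 @@`, with only the status/bodylen fields differing, and both hunks append `"client_ident"` the same way. A small helper such as `func appendClientIdent(params []any, request *sr.Request) []any` that performs the `clientFingerprint` check and the append would keep the key name and the digest consistent across both call sites. `[]any` also presumes the module's go directive is 1.18 or later, which this page does not show; if the file otherwise spells it `interface{}`, keep that spelling. The enclosing closure in `LogRequests` starts before the hunk.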
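Review bot: `clientFingerprint` is a new unexported function with no comment, and its `false` result covers two distinct situations (no TLS state at all, or a handshake in which the peer sent no certificate) that a reader has to work out from the condition. Suggested: `// clientFingerprint returns the lowercase hex SHA-256 digest of the DER-encoded leaf certificate the client presented, and false when the request carries no TLS state or the peer sent no certificate.` Only `PeerCertificates[0]` is digested, so any intermediates the client also sends do not affect the value; whether that leaf was validated against a trust store depends on the server's tls.Config, which is not visible here, so readers of the `client_ident` log field should treat it as "the certificate the client presented" rather than a verified identity unless the config enforces verification. The value is also a stable per-client identifier landing in logs, which is worth stating in the comment for anyone deciding on log retention.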
@@ -45,14 +60,19 @@ type loggedResponseBody struct {
 
 func (lr *loggedResponseBody) log() {
 	end := time.Now()
-	_ = lr.logger.Log(
+	params := []any{
 		"msg", "request",
 		"ts", end.UTC(),
 		"dur", end.Sub(lr.start),
 		"url", lr.request.URL,
 		"status", lr.response.Status,
 		"bodylen", lr.written,
-	)
+	}
+	if fingerprint, ok := clientFingerprint(lr.request); ok {
+		params = append(params, "client_ident", fingerprint)
+	}
+
+	_ = lr.logger.Log(params...)
 }
 
 func (lr *loggedResponseBody) Read(b []byte) (int, error) {