use sha256 for client cert fingerprints, and log them when available

2023-05-03 19:37:26 -06:00 · 2023-05-03 19:37:26 -06:00 · 91218665d2
parent 5c9655a1bb
commit 91218665d2
2 changed files with 26 additions and 6 deletions
--- a/examples/inspectls/main.go
+++ b/examples/inspectls/main.go
@ -3,7 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
-	"crypto/md5"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
@ -88,7 +88,7 @@ func displayTLSState(state *tls.ConnectionState) string {
 }

 func fingerprint(cert *x509.Certificate) []byte {
-	raw := md5.Sum(cert.Raw)
+	raw := sha256.Sum256(cert.Raw)
 	dst := make([]byte, hex.EncodedLen(len(raw)))
 	hex.Encode(dst, raw[:])
 	return dst
--- a/logging/middleware.go
+++ b/logging/middleware.go
@ -2,6 +2,8 @@ package logging

 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"io"
 	"time"
@ -18,13 +20,17 @@ func LogRequests(logger Logger) sr.Middleware {
 				response.Body = loggingBody(logger, request, response, start)
 			} else {
 				end := time.Now()
-				_ = logger.Log(
+				params := []any{
 					"msg", "request",
 					"ts", end.UTC(),
 					"dur", end.Sub(start),
 					"url", request.URL,
 					"status", "(not found)",
-				)
+				}
+				if fingerprint, ok := clientFingerprint(request); ok {
+					params = append(params, "client_ident", fingerprint)
+				}
+				_ = logger.Log(params...)
 			}

 			return response
@ -32,6 +38,15 @@ func LogRequests(logger Logger) sr.Middleware {
 	}
 }

+func clientFingerprint(request *sr.Request) (string, bool) {
+	if request.TLSState == nil || len(request.TLSState.PeerCertificates) == 0 {
+		return "", false
+	}
+
+	digest := sha256.Sum256(request.TLSState.PeerCertificates[0].Raw)
+	return hex.EncodeToString(digest[:]), true
+}
+
 type loggedResponseBody struct {
 	request  *sr.Request
 	response *sr.Response
@ -45,14 +60,19 @@ type loggedResponseBody struct {

 func (lr *loggedResponseBody) log() {
 	end := time.Now()
-	_ = lr.logger.Log(
+	params := []any{
 		"msg", "request",
 		"ts", end.UTC(),
 		"dur", end.Sub(lr.start),
 		"url", lr.request.URL,
 		"status", lr.response.Status,
 		"bodylen", lr.written,
-	)
+	}
+	if fingerprint, ok := clientFingerprint(lr.request); ok {
+		params = append(params, "client_ident", fingerprint)
+	}
+
+	_ = lr.logger.Log(params...)
 }

 func (lr *loggedResponseBody) Read(b []byte) (int, error) {