From 58f6122dba048b89afe6863728b8e983fc9ebf76 Mon Sep 17 00:00:00 2001
From: Andrey Molotkov
Date: Thu, 20 Jun 2024 14:20:30 +0300
Subject: [PATCH] [Ticket parser] Print certificate fingerprint in debug message (#5650)
---
 .../certificate_check/cert_auth_processor.cpp | 11 +++++++++++
 .../security/certificate_check/cert_auth_processor.h | 1 +
 .../security/certificate_check/cert_auth_utils.cpp | 10 ++++++++++
 ydb/core/security/certificate_check/cert_auth_utils.h | 2 ++
 ydb/core/security/ticket_parser_impl.h | 3 +++
 5 files changed, 27 insertions(+)
diff --git a/ydb/core/security/certificate_check/cert_auth_processor.cpp b/ydb/core/security/certificate_check/cert_auth_processor.cpp
index edf79c9e8849..f2effa29e9a7 100644
--- a/ydb/core/security/certificate_check/cert_auth_processor.cpp
+++ b/ydb/core/security/certificate_check/cert_auth_processor.cpp
@@ -5,10 +5,12 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
+#include
 namespace NKikimr {
@@ -98,6 +100,15 @@ TVector> X509CertificateReader::ReadIssuerTerms(cons
 return ReadTerms(name);
 }
+TString X509CertificateReader::GetFingerprint(const X509Ptr& x509) {
+ static constexpr size_t FINGERPRINT_LENGTH = SHA_DIGEST_LENGTH;
+ unsigned char fingerprint[FINGERPRINT_LENGTH];
+ if (X509_digest(x509.get(), EVP_sha1(), fingerprint, nullptr) <= 0) {
+ return "";
+ }
+ return HexEncode(fingerprint, FINGERPRINT_LENGTH);
+}
+
 TCertificateAuthorizationParams::TCertificateAuthorizationParams(const TDN& dn, bool requireSameIssuer, const std::vector& groups)
 : SubjectDn(dn)
 , RequireSameIssuer(requireSameIssuer)
diff --git a/ydb/core/security/certificate_check/cert_auth_processor.h b/ydb/core/security/certificate_check/cert_auth_processor.h
index ad279273fc33..42ec4bf3981c 100644
--- a/ydb/core/security/certificate_check/cert_auth_processor.h
+++ b/ydb/core/security/certificate_check/cert_auth_processor.h
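Review bot: In `X509CertificateReader::GetFingerprint` the stack buffer is sized by a hand-maintained constant (`SHA_DIGEST_LENGTH`) while the digest is chosen separately (`EVP_sha1()`), and the length out-parameter of `X509_digest` is passed as `nullptr`, so nothing ties the buffer to the algorithm; if the digest is later switched to a longer one without touching the constant, `X509_digest` writes past the array. Size the buffer with `EVP_MAX_MD_SIZE` and pass a real length so `HexEncode` receives exactly what was written, which also makes a later move to SHA-256 (what `openssl x509 -fingerprint -sha256` and most tooling display, and what operators would correlate this log line against) a one-token change. `x509.get()` is also dereferenced unchecked; the only caller in this patch tests for null first, but a guard returning `""` here matches the existing failure path and protects future callers.
```cpp
TString X509CertificateReader::GetFingerprint(const X509Ptr& x509) {
    if (!x509) {
        return "";
    }
    unsigned char fingerprint[EVP_MAX_MD_SIZE];
    unsigned int fingerprintLength = 0;
    if (X509_digest(x509.get(), EVP_sha1(), fingerprint, &fingerprintLength) <= 0) {
        return "";
    }
    return HexEncode(fingerprint, fingerprintLength);
}
```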
@@ -63,6 +63,7 @@ struct X509CertificateReader {
 static TVector> ReadSubjectTerms(const X509Ptr& x509);
 static TVector> ReadAllSubjectTerms(const X509Ptr& x509);
 static TVector> ReadIssuerTerms(const X509Ptr& x509);
+ static TString GetFingerprint(const X509Ptr& x509);
 private:
 static std::pair GetTermFromX509Name(X509_NAME* name, int nid);
 static TVector> ReadTerms(X509_NAME* name);
diff --git a/ydb/core/security/certificate_check/cert_auth_utils.cpp b/ydb/core/security/certificate_check/cert_auth_utils.cpp
index 1f27489900cf..a310c197d2f0 100644
--- a/ydb/core/security/certificate_check/cert_auth_utils.cpp
+++ b/ydb/core/security/certificate_check/cert_auth_utils.cpp
@@ -529,4 +529,14 @@ TProps TProps::AsClientServer() {
 TProps& TProps::WithValid(TDuration duration) { SecondsValid = duration.Seconds(); return *this; }
+std::string GetCertificateFingerprint(const std::string& certificate) {
+ const static std::string defaultFingerprint = "certificate";
+ X509CertificateReader::X509Ptr x509Cert = X509CertificateReader::ReadCertAsPEM(certificate);
+ if (!x509Cert) {
+ return defaultFingerprint;
+ }
+ std::string fingerprint = X509CertificateReader::GetFingerprint(x509Cert);
+ return (fingerprint.empty() ? defaultFingerprint : fingerprint);
+}
+
 } //namespace NKikimr
diff --git a/ydb/core/security/certificate_check/cert_auth_utils.h b/ydb/core/security/certificate_check/cert_auth_utils.h
index 1b491233e3d3..9bffa64093db 100644
--- a/ydb/core/security/certificate_check/cert_auth_utils.h
+++ b/ydb/core/security/certificate_check/cert_auth_utils.h
@@ -50,4 +50,6 @@ TCertAndKey GenerateCA(const TProps& props);
 TCertAndKey GenerateSignedCert(const TCertAndKey& ca, const TProps& props);
 void VerifyCert(const std::string& cert, const std::string& caCert);
+std::string GetCertificateFingerprint(const std::string& certificate);
+
 } //namespace NKikimr
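Review bot: The new `GetFingerprint` declaration in `X509CertificateReader` carries no comment saying which digest it produces or that an empty string signals failure, and the header is where callers will look rather than the .cpp. A one-line comment above it such as `// Hex-encoded SHA-1 digest of the certificate's DER encoding; empty string if digesting fails.` would document the contract that `GetCertificateFingerprint` in cert_auth_utils.cpp depends on when it tests `fingerprint.empty()`.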
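Review bot: `GetCertificateFingerprint` in cert_auth_utils.cpp parses a caller-supplied string as PEM and, per the commit title, feeds a debug message, yet nothing at the definition or the declaration in cert_auth_utils.h states that it is for log output only and never echoes its input. Add a comment above the declaration along the lines of `// For log messages only: hex digest of the PEM certificate, or the literal "certificate" when the input cannot be parsed or digested. Never returns the raw ticket.` The `"certificate"` fallback is a sound choice since it keeps an unparseable ticket out of the log; a distinct sentinel for the two failure paths (unparseable vs. digest failure) would make troubleshooting easier but is optional.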
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index 00839bb4b040..6571c0940b73 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -246,6 +246,9 @@ class TTicketParserImpl : public TActorBootstrapped {
 if (Signature.AccessKeyId) {
 return MaskTicket(Signature.AccessKeyId);
 }
+ if (TokenType == TDerived::ETokenType::Certificate) {
+ return GetCertificateFingerprint(Ticket);
+ }
 return MaskTicket(Ticket);
 }
 };
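Review bot: The new branch calls `GetCertificateFingerprint`, which this patch declares in cert_auth_utils.h, but no `#include` is added to ticket_parser_impl.h (the diffstat lists only the three added lines for this file), so the call compiles only through a transitive include; add `#include <ydb/core/security/certificate_check/cert_auth_utils.h>` (in the project's include style) to this header's own includes. The enclosing function starts outside the hunk, so any log-level gating around it is not visible; if the masked ticket is built unconditionally, the PEM parse and digest in `GetCertificateFingerprint` run on every call even when the debug message is discarded, which is worth confirming at the call site.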