Skip to content

Commit 5b9ffdb

Browse files
djcodedjcode
committed
Added metric to return TLS Key Size and Information
1 parent 6efcf0c commit 5b9ffdb

File tree

4 files changed

+56
-3
lines changed

4 files changed

+56
-3
lines changed

prober/grpc.go

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,6 +111,14 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
111111
},
112112
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
113113
)
114+
115+
probeSSLLastKeyBits = prometheus.NewGaugeVec(
116+
prometheus.GaugeOpts{
117+
Name: "probe_ssl_last_chain_key_bits",
118+
Help: "Contains SSL leaf key information and size in bits",
119+
},
120+
[]string{"type", "fingerprint_sha256"},
121+
)
114122
)
115123

116124
for _, lv := range []string{"resolve"} {
@@ -124,6 +132,7 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
124132
registry.MustRegister(probeSSLEarliestCertExpiryGauge)
125133
registry.MustRegister(probeTLSVersion)
126134
registry.MustRegister(probeSSLLastInformation)
135+
registry.MustRegister(probeSSLLastKeyBits)
127136

128137
if !strings.HasPrefix(target, "http://") && !strings.HasPrefix(target, "https://") {
129138
target = "http://" + target
@@ -207,6 +216,8 @@ func ProbeGRPC(ctx context.Context, target string, module config.Module, registr
207216
probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(&tlsInfo.State).Unix()))
208217
probeTLSVersion.WithLabelValues(getTLSVersion(&tlsInfo.State)).Set(1)
209218
probeSSLLastInformation.WithLabelValues(getFingerprint(&tlsInfo.State), getSubject(&tlsInfo.State), getIssuer(&tlsInfo.State), getDNSNames(&tlsInfo.State)).Set(1)
219+
keyType, keySize := getTLSKeyTypeAndSize(&tlsInfo.State)
220+
probeSSLLastKeyBits.WithLabelValues(keyType, getTLSKeyFingerprint(&tlsInfo.State)).Set(float64(keySize))
210221
} else {
211222
isSSLGauge.Set(float64(0))
212223
}

prober/http.go

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -277,6 +277,14 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
277277
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
278278
)
279279

280+
probeSSLLastKeyBits = prometheus.NewGaugeVec(
281+
prometheus.GaugeOpts{
282+
Name: "probe_ssl_last_chain_key_bits",
283+
Help: "Contains SSL leaf key information and size in bits",
284+
},
285+
[]string{"type", "fingerprint_sha256"},
286+
)
287+
280288
probeTLSVersion = prometheus.NewGaugeVec(
281289
probeTLSInfoGaugeOpts,
282290
[]string{"version"},
@@ -643,12 +651,14 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
643651

644652
if resp.TLS != nil {
645653
isSSLGauge.Set(float64(1))
646-
registry.MustRegister(probeSSLEarliestCertExpiryGauge, probeTLSVersion, probeTLSCipher, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
654+
registry.MustRegister(probeSSLEarliestCertExpiryGauge, probeTLSVersion, probeTLSCipher, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation, probeSSLLastKeyBits)
647655
probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(resp.TLS).Unix()))
648656
probeTLSVersion.WithLabelValues(getTLSVersion(resp.TLS)).Set(1)
649657
probeTLSCipher.WithLabelValues(getTLSCipher(resp.TLS)).Set(1)
650658
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(resp.TLS).Unix()))
651659
probeSSLLastInformation.WithLabelValues(getFingerprint(resp.TLS), getSubject(resp.TLS), getIssuer(resp.TLS), getDNSNames(resp.TLS)).Set(1)
660+
keyType, keySize := getTLSKeyTypeAndSize(resp.TLS)
661+
probeSSLLastKeyBits.WithLabelValues(keyType, getTLSKeyFingerprint(resp.TLS)).Set(float64(keySize))
652662
if httpConfig.FailIfSSL {
653663
level.Error(logger).Log("msg", "Final request was over SSL")
654664
success = false

prober/tcp.go

Lines changed: 15 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,15 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
9898
},
9999
[]string{"fingerprint_sha256", "subject", "issuer", "subjectalternative"},
100100
)
101+
102+
probeSSLLastKeyBits := prometheus.NewGaugeVec(
103+
prometheus.GaugeOpts{
104+
Name: "probe_ssl_last_chain_key_bits",
105+
Help: "Contains SSL leaf certificate information",
106+
},
107+
[]string{"type", "fingerprint_sha256"},
108+
)
109+
101110
probeTLSVersion := prometheus.NewGaugeVec(
102111
probeTLSInfoGaugeOpts,
103112
[]string{"version"},
@@ -126,11 +135,13 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
126135
}
127136
if module.TCP.TLS {
128137
state := conn.(*tls.Conn).ConnectionState()
129-
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
138+
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation, probeSSLLastKeyBits)
130139
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
131140
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
132141
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
133142
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
143+
keyType, keySize := getTLSKeyTypeAndSize(&state)
144+
probeSSLLastKeyBits.WithLabelValues(keyType, getTLSKeyFingerprint(&state)).Set(float64(keySize))
134145
}
135146
scanner := bufio.NewScanner(conn)
136147
for i, qr := range module.TCP.QueryResponse {
@@ -192,11 +203,13 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
192203

193204
// Get certificate expiry.
194205
state := tlsConn.ConnectionState()
195-
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation)
206+
registry.MustRegister(probeSSLEarliestCertExpiry, probeTLSVersion, probeSSLLastChainExpiryTimestampSeconds, probeSSLLastInformation, probeSSLLastKeyBits)
196207
probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
197208
probeTLSVersion.WithLabelValues(getTLSVersion(&state)).Set(1)
198209
probeSSLLastChainExpiryTimestampSeconds.Set(float64(getLastChainExpiry(&state).Unix()))
199210
probeSSLLastInformation.WithLabelValues(getFingerprint(&state), getSubject(&state), getIssuer(&state), getDNSNames(&state)).Set(1)
211+
keyType, keySize := getTLSKeyTypeAndSize(&state)
212+
probeSSLLastKeyBits.WithLabelValues(keyType, getTLSKeyFingerprint(&state)).Set(float64(keySize))
200213
}
201214
}
202215
return true

prober/tls.go

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ package prober
1616
import (
1717
"crypto/sha256"
1818
"crypto/tls"
19+
"crypto/rsa"
20+
"crypto/ecdsa"
1921
"encoding/hex"
2022
"strings"
2123
"time"
@@ -87,3 +89,20 @@ func getTLSVersion(state *tls.ConnectionState) string {
8789
func getTLSCipher(state *tls.ConnectionState) string {
8890
return tls.CipherSuiteName(state.CipherSuite)
8991
}
92+
93+
func getTLSKeyTypeAndSize(state *tls.ConnectionState) (string, int) {
94+
cert := state.PeerCertificates[0]
95+
if key, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
96+
return "ec", key.Curve.Params().BitSize
97+
}
98+
if key, ok := cert.PublicKey.(*rsa.PublicKey); ok {
99+
return "rsa", key.N.BitLen()
100+
}
101+
return "", 0
102+
}
103+
104+
func getTLSKeyFingerprint(state *tls.ConnectionState) string {
105+
cert := state.PeerCertificates[0]
106+
fingerprint := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
107+
return hex.EncodeToString(fingerprint[:])
108+
}

0 commit comments

Comments
 (0)