
Add Public Key length to x509_cert input. #16479

Open
str8edgedave opened this issue Feb 5, 2025 · 1 comment
Labels
feature request Requests for new plugin and for new features to existing plugins

Comments

@str8edgedave

Use Case

As part of my certificate management process, I have to periodically review how a certificate was originally requested before submitting a renewal.

I have recently migrated from the blackbox_exporter to using Telegraf's x509_cert input as it provides almost all of the information I need out-of-the-box.

The only thing that is missing is the key length for certificates. I have to revert to using a bash script to check for older certificate formats (e.g. RSA2048). If the x509_cert input could return the key length, it would reduce the number of places I would have to check to validate that a certificate's encryption type & key length meets requirements.

I currently have a bash script which pulls back the key length using openssl's s_client, and parses out the info. I do not work for influxdata or Bell Canada.

influxdata: Elliptic Curve Public key:

```
$ openssl s_client -connect www.influxdata.com:443
Connecting to 172.67.213.236
CONNECTED(00000003)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R4
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WE1
verify return:1
depth=0 CN=www.influxdata.com
verify return:1
---
Certificate chain
 0 s:CN=www.influxdata.com
   i:C=US, O=Google Trust Services, CN=WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Jan 10 00:59:20 2025 GMT; NotAfter: Apr 10 01:59:19 2025 GMT
 1 s:C=US, O=Google Trust Services, CN=WE1
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R4
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
```

Bell Canada, RSA 2048 bit Public key:

```
$ openssl s_client -connect www.bell.ca:443
Connecting to 23.204.221.223
CONNECTED(00000003)
depth=2 C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
verify return:1
depth=1 C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
verify return:1
depth=0 C=CA, ST=Ontario, L=Ottawa, O=Bell Canada, CN=www.bell.ca
verify return:1
---
Certificate chain
 0 s:C=CA, ST=Ontario, L=Ottawa, O=Bell Canada, CN=www.bell.ca
   i:C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  5 01:02:09 2024 GMT; NotAfter: Oct  5 01:02:08 2025 GMT
 1 s:C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
   i:C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  5 19:13:56 2015 GMT; NotAfter: Dec  5 19:43:56 2030 GMT
---
```

Expected behavior

As part of the information returned, 1 additional field, public key length, is returned. For example (quick mock-up):

x509_cert_verification_code{application="external websites",common_name="www.influxdata.com",country="",group="External Certs",host="<redacted>",issuer_common_name="Amazon RSA 2048 M03",issuer_serial_number="",locality="",ocsp_stapled="no",ocsp_status="",ocsp_verified="",organization="",organizational_unit="",province="",public_key_algorithm="RSA",**public_key_length="256 (bit)"**,san="influxdata.com",serial_number="4e25b2fbc104c76ccd839bce0513185",signature_algorithm="SHA256-RSA",source="https://influxdata.com:443",type="leaf",verification="valid",verification_error=""} 0
x509_cert_verification_code{application="external websites",common_name="www.bell.ca",country="CA",group="External Certs",host="<redacted>",issuer_common_name="Entrust Certification Authority - L1K",issuer_serial_number="",locality="Ottawa",ocsp_stapled="yes",ocsp_status="good",ocsp_verified="yes",organization="Bell Canada",organizational_unit="",province="Ontario",public_key_algorithm="RSA",**public_key_length="2048 (bit)"**,san="www.bell.ca,bell.ca,aliant-on.bell.ca,aliant-qc.bell.ca,aliant.bell.ca,www-on.bell.ca,www-qc.bell.ca",serial_number="1e470382a3c2616f09045a9d908ad32",signature_algorithm="SHA256-RSA",source="https://www.bell.ca:443",type="leaf",verification="valid",verification_error=""} 0

Actual behavior

public_key_length is not returned by the x509_cert input.

Additional info

No response

@str8edgedave
Author

Better formatting on the proposed response:

```
x509_cert_verification_code{
    application="external websites",
    common_name="www.bell.ca",
    country="CA",
    group="External Certs",
    host="<redacted>",
    issuer_common_name="Entrust Certification Authority - L1K",
    issuer_serial_number="",
    locality="Ottawa",
    ocsp_stapled="yes",
    ocsp_status="good",
    ocsp_verified="yes",
    organization="Bell Canada",
    organizational_unit="",
    province="Ontario",
    public_key_algorithm="RSA",
    public_key_length="2048 (bit)",   <-- This is the proposed field.
    san="www.bell.ca,bell.ca,aliant-on.bell.ca,aliant-qc.bell.ca,aliant.bell.ca,www-on.bell.ca,www-qc.bell.ca",
    serial_number="1e470382a3c2616f09045a9d908ad32",
    signature_algorithm="SHA256-RSA",
    source="https://www.bell.ca:443",
    type="leaf",
    verification="valid",
    verification_error=""
} 0
```
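The key length the issue asks for is already available once a certificate has been parsed: Go's `crypto/x509` exposes the public key as a typed value, and the "length" is the RSA modulus size, the ECDSA curve field size, or the fixed Ed25519 key size. The following is an added example written for this page, not Telegraf's own x509_cert code; it shows how a plugin could derive `public_key_algorithm` and `public_key_length` from a parsed `*x509.Certificate` and apply the kind of minimum-length check (RSA >= 2048, ECDSA >= 256) described in the use case. The certificates it inspects are throwaway self-signed ones built in-process so the example runs offline; `KeyInfo`, `PublicKeyInfo`, `MeetsPolicy` and `SelfSignedCert` are names invented here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyInfo is the pair of values a metric could carry as tags: the algorithm
// name and the key length in bits (hypothetical type, not from Telegraf).
type KeyInfo struct {
	Algorithm string
	Bits      int
}

// PublicKeyInfo returns the algorithm and key length of a parsed certificate.
// "Length" is algorithm-specific: RSA modulus bits, ECDSA curve field bits,
// or the fixed 256-bit Ed25519 key. Unknown key types report 0 bits.
func PublicKeyInfo(cert *x509.Certificate) KeyInfo {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return KeyInfo{"RSA", pub.N.BitLen()}
	case *ecdsa.PublicKey:
		return KeyInfo{"ECDSA", pub.Curve.Params().BitSize}
	case ed25519.PublicKey:
		return KeyInfo{"Ed25519", len(pub) * 8}
	default:
		return KeyInfo{cert.PublicKeyAlgorithm.String(), 0}
	}
}

// MeetsPolicy applies a per-algorithm minimum key length. Key types the
// policy does not know about fail closed rather than passing silently.
func MeetsPolicy(k KeyInfo, minRSA, minEC int) bool {
	switch k.Algorithm {
	case "RSA":
		return k.Bits >= minRSA
	case "ECDSA":
		return k.Bits >= minEC
	case "Ed25519":
		return true
	default:
		return false
	}
}

// SelfSignedCert builds a throwaway self-signed certificate for priv so the
// example can run offline. This is constructed test data, not a site cert.
func SelfSignedCert(priv crypto.Signer, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	for _, k := range []crypto.Signer{rsaKey, ecKey} {
		cert, err := SelfSignedCert(k, "example.test")
		if err != nil {
			panic(err)
		}
		info := PublicKeyInfo(cert)
		// Printed in the tag style the x509_cert input uses for its metrics.
		fmt.Printf("public_key_algorithm=%q public_key_length=%d policy_ok=%v\n",
			info.Algorithm, info.Bits, MeetsPolicy(info, 2048, 256))
	}
}
```

A real plugin would obtain the `*x509.Certificate` from the TLS connection or PEM file it already parses; only `PublicKeyInfo` is needed on top of that. Reporting the length as a bare integer rather than the string `"2048 (bit)"` from the mock-up keeps it usable in alert thresholds.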
