Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

quic: support cert selection by SNI, non-PEM formats #32260

Merged
merged 32 commits into from
Mar 6, 2024

Conversation

ggreenway
Copy link
Contributor

@ggreenway ggreenway commented Feb 7, 2024

Commit Message: Added support for QUIC listeners to choose certificates based on SNI and load certificates from formats other than PEM, such as pkcs12. This brings feature parity between quic and non-quic TLS use for certificate selection and loading formats.
Additional Description:
Risk Level: Medium
Testing: existing tests
Docs Changes: none
Release Notes: added
Platform Specific Features:
Runtime guard: envoy.restart_features.quic_handle_certs_with_shared_tls_code
[Optional Fixes #Issue]

This brings feature parity between quic and non-quic TLS use for
certificate selection.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Copy link

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #32260 was opened by ggreenway.

see: more, trace.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway ggreenway marked this pull request as ready for review February 13, 2024 00:03
@ggreenway ggreenway requested a review from lizan as a code owner February 13, 2024 00:03
@ggreenway ggreenway changed the title quic: support multiple certs, selected by SNI quic: support cert selection by SNI, non-PEM formats Feb 13, 2024
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Copy link
Contributor

@RyanTheOptimist RyanTheOptimist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks awesome! One small nit.

// we can reuse all the code that loads from different formats, allows using passwords on the key,
// etc.
std::string certs_str;
auto process_one_cert = [&](X509* cert) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Would it make sense to just make this function in the anonymous namespace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer having it in the function that uses it to make it clear the scope in which it's used, and it can capture a variable instead of needing a parameter. But it's just a small style preference. I'll change it if you insist.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
ASSERT(result == 1);
BUF_MEM* buf_mem = nullptr;
result = BIO_get_mem_ptr(bio.get(), &buf_mem);
certs_str.append(buf_mem->data, buf_mem->length);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you directly populate a std::vector<std::string> instead of concatenating the pem string here and then calling CertificateView::LoadPemFromStream() to split them apart?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took at stab at this in latest commit; PTAL and let me know if this is what you had in mind.

My understanding is that each string in this vector should be a pem-encoded (base64) string of a cert, without newlines or the begin/end block. Is there a boringssl API to get that directly? I didn't find a more direct way than what's in my latest commit.

source/extensions/transport_sockets/tls/context_impl.cc Outdated Show resolved Hide resolved
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Some paths can't be hit anymore because they're caught earlier when
constructing the ContextImpl, but they should still remain in the code
for sanity

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Copy link
Contributor Author

/retest

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@RyanTheOptimist
Copy link
Contributor

Needs main merge again?
/wait

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Copy link
Contributor

@danzh2010 danzh2010 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ggreenway
Copy link
Contributor Author

/retest

@ggreenway ggreenway merged commit d82b5a0 into envoyproxy:main Mar 6, 2024
54 checks passed
mattjo added a commit to mattjo/envoy that referenced this pull request Mar 6, 2024
* origin: (34 commits)
  update CODEOWNER (envoyproxy#32457)
  Delete unused runtime flag. (envoyproxy#32739)
  mobile: Use direct ByteBuffer to pass data between C++ and Java (envoyproxy#32715)
  quic: support cert selection by SNI, non-PEM formats (envoyproxy#32260)
  mobile: Replace std::thread with Envoy::Thread::PosixThread (envoyproxy#32610)
  grpc: Add support for max frame length in gPRC frame decoding (envoyproxy#32511)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (envoyproxy#32728)
  build(deps): bump the examples-golang-network group in /examples/golang-network/simple with 1 update (envoyproxy#32732)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /contrib/golang/filters/http/test/test_data/property (envoyproxy#32731)
  build(deps): bump otel/opentelemetry-collector from `246dfe9` to `71ac13c` in /examples/opentelemetry (envoyproxy#32730)
  build(deps): bump the examples-grpc-bridge group in /examples/grpc-bridge/server with 2 updates (envoyproxy#32720)
  build(deps): bump the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update (envoyproxy#32721)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/echo with 1 update (envoyproxy#32722)
  build(deps): bump the examples-ext-authz group in /examples/ext_authz/auth/grpc-service with 1 update (envoyproxy#32723)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/routeconfig with 1 update (envoyproxy#32724)
  build(deps): bump the examples-load-reporting group in /examples/load-reporting-service with 1 update (envoyproxy#32726)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/buffer with 1 update (envoyproxy#32727)
  build(deps): bump the examples-golang-http group in /examples/golang-http/simple with 1 update (envoyproxy#32729)
  opentelemetrytracer: Add User-Agent header to OTLP trace exporters (envoyproxy#32659)
  build: remove incorrect cc_library after tls code move (envoyproxy#32714)
  ...
RyanTheOptimist pushed a commit that referenced this pull request Mar 7, 2024
Commit Message: the test failed after #32260 because the test server uses a mocked MockTransportSocketFactoryContext which doesn't return a real ContextManager object in sslContextManager(). The mocked object returns nullptr in createSslServerContext(), thus fail to initialize the new member ssl_ctx_ in QuicServerTransportSocketFactory.

Additional Description: bazel test //test/java/io/envoyproxy/envoymobile/engine/testing:quic_test_server_test passes in this PR
Risk Level: low, test only
Testing: existing tests pass
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A

Signed-off-by: Dan Zhang <danzh@google.com>
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
sayboras added a commit to cilium/proxy that referenced this pull request Jul 23, 2024
github-merge-queue bot pushed a commit to cilium/proxy that referenced this pull request Jul 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants