Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

quic: support cert selection by SNI, non-PEM formats #32260

Merged
merged 32 commits into from
Mar 6, 2024
Merged

quic: support cert selection by SNI, non-PEM formats #32260

merged 32 commits into from
Mar 6, 2024

Conversation

ggreenway
Copy link
Contributor

@ggreenway ggreenway commented Feb 7, 2024
edited
Loading

Commit Message: Added support for QUIC listeners to choose certificates based on SNI and load certificates from formats other than PEM, such as pkcs12. This brings feature parity between quic and non-quic TLS use for certificate selection and loading formats.
Additional Description:
Risk Level: Medium
Testing: existing tests
Docs Changes: none
Release Notes: added
Platform Specific Features:
Runtime guard: envoy.restart_features.quic_handle_certs_with_shared_tls_code
[Optional Fixes #Issue]

@ggreenway
quic: support multiple certs, selected by SNI
fd93527 
This brings feature parity between quic and non-quic TLS use for
certificate selection.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@repokitteh-read-only RepoKitteh - Read Only
Copy link

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #32260 was opened by ggreenway.

see: more, trace.

@ggreenway
comments and whitespace
c6e5291 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
wip: try to fix integration tests
534667a 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
1a343fa
@ggreenway
fix quic handoff hotrestart test
05d5e62 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
integration test fixes
34b39f6 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix tls transport socket tests
aa980d1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix quic tests
ba6799f 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
re-use already loaded certs
0e105cd 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
changelog
e6bab00 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway ggreenway marked this pull request as ready for review February 13, 2024 00:03
@ggreenway ggreenway changed the title quic: support multiple certs, selected by SNI quic: support cert selection by SNI, non-PEM formats Feb 13, 2024
@ggreenway
fix format
6d77bc1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix spelling
176791c 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
remove some unneeded stuff
5db400b 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
f9b4a25
@ggreenway
fix another test
f4ac1ae 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix test
16c8bbd 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
RyanTheOptimist
RyanTheOptimist reviewed Feb 13, 2024
View reviewed changes
Copy link
Contributor

@RyanTheOptimist RyanTheOptimist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks awesome! One small nit.

source/common/quic/quic_server_transport_socket_factory.cc
// we can reuse all the code that loads from different formats, allows using passwords on the key,
// etc.
std::string certs_str;
auto process_one_cert = [&](X509* cert) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Would it make sense to just make this function in the anonymous namespace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer having it in the function that uses it to make it clear the scope in which it's used, and it can capture a variable instead of needing a parameter. But it's just a small style preference. I'll change it if you insist.

@ggreenway
fix compile-time-options
e7355bb 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
danzh2010
danzh2010 reviewed Feb 13, 2024
View reviewed changes
source/common/quic/quic_server_transport_socket_factory.cc Outdated
ASSERT(result == 1);
BUF_MEM* buf_mem = nullptr;
result = BIO_get_mem_ptr(bio.get(), &buf_mem);
certs_str.append(buf_mem->data, buf_mem->length);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you directly populate a std::vector<std::string> instead of concatenating the pem string here and then calling CertificateView::LoadPemFromStream() to split them apart?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took at stab at this in latest commit; PTAL and let me know if this is what you had in mind.

My understanding is that each string in this vector should be a pem-encoded (base64) string of a cert, without newlines or the begin/end block. Is there a boringssl API to get that directly? I didn't find a more direct way than what's in my latest commit.

source/extensions/transport_sockets/tls/context_impl.cc Outdated Show resolved Hide resolved
@ggreenway
fix asan error
fac9719 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
slightly lower coverage for quic
4c095a1 
Some paths can't be hit anymore because they're caught earlier when
constructing the ContextImpl, but they should still remain in the code
for sanity

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
create chain more directly
0849a2f 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Copy link
Contributor Author

/retest

@ggreenway
switch from assert to exception
5c1c95d 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
factor out common code; use latched runtime value
92f49f5 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
53cde4d
@ggreenway
remove conflict marker
ce2a2f8 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@RyanTheOptimist
Copy link
Contributor

Needs main merge again?
/wait

@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
48393d1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
danzh2010
danzh2010 approved these changes Mar 5, 2024
View reviewed changes
Copy link
Contributor

@danzh2010 danzh2010 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ggreenway
Copy link
Contributor Author

/retest

@ggreenway ggreenway merged commit d82b5a0 into envoyproxy:main Mar 6, 2024
54 checks passed
mattjo added a commit to mattjo/envoy that referenced this pull request Mar 6, 2024
@mattjo
Merge remote-tracking branch 'origin' into sub_check
a12c531 
* origin: (34 commits)
  update CODEOWNER (envoyproxy#32457)
  Delete unused runtime flag. (envoyproxy#32739)
  mobile: Use direct ByteBuffer to pass data between C++ and Java (envoyproxy#32715)
  quic: support cert selection by SNI, non-PEM formats (envoyproxy#32260)
  mobile: Replace std::thread with Envoy::Thread::PosixThread (envoyproxy#32610)
  grpc: Add support for max frame length in gPRC frame decoding (envoyproxy#32511)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (envoyproxy#32728)
  build(deps): bump the examples-golang-network group in /examples/golang-network/simple with 1 update (envoyproxy#32732)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /contrib/golang/filters/http/test/test_data/property (envoyproxy#32731)
  build(deps): bump otel/opentelemetry-collector from `246dfe9` to `71ac13c` in /examples/opentelemetry (envoyproxy#32730)
  build(deps): bump the examples-grpc-bridge group in /examples/grpc-bridge/server with 2 updates (envoyproxy#32720)
  build(deps): bump the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update (envoyproxy#32721)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/echo with 1 update (envoyproxy#32722)
  build(deps): bump the examples-ext-authz group in /examples/ext_authz/auth/grpc-service with 1 update (envoyproxy#32723)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/routeconfig with 1 update (envoyproxy#32724)
  build(deps): bump the examples-load-reporting group in /examples/load-reporting-service with 1 update (envoyproxy#32726)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/buffer with 1 update (envoyproxy#32727)
  build(deps): bump the examples-golang-http group in /examples/golang-http/simple with 1 update (envoyproxy#32729)
  opentelemetrytracer: Add User-Agent header to OTLP trace exporters (envoyproxy#32659)
  build: remove incorrect cc_library after tls code move (envoyproxy#32714)
  ...
@danzh2010 danzh2010 mentioned this pull request Mar 6, 2024
Merged
RyanTheOptimist pushed a commit that referenced this pull request Mar 7, 2024
@danzh2010
mobile: fix quic_test_server_test (#32755)
0bd73e3 
Commit Message: the test failed after #32260 because the test server uses a mocked MockTransportSocketFactoryContext which doesn't return a real ContextManager object in sslContextManager(). The mocked object returns nullptr in createSslServerContext(), thus fail to initialize the new member ssl_ctx_ in QuicServerTransportSocketFactory.

Additional Description: bazel test //test/java/io/envoyproxy/envoymobile/engine/testing:quic_test_server_test passes in this PR
Risk Level: low, test only
Testing: existing tests pass
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A

Signed-off-by: Dan Zhang <danzh@google.com>
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
dbc7e45 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
982850f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
5245adc 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
@sayboras
cilium: Adjust cilium related changes
10530d3 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
@sayboras
cilium: Adjust cilium related changes
68df01f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
a11d3a8 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
6631f1f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
773d3b7 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 23, 2024
@sayboras
cilium: Adjust cilium related changes
f26fc7b 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
github-merge-queue bot pushed a commit to cilium/proxy that referenced this pull request Jul 23, 2024
@sayboras
cilium: Adjust cilium related changes
54affde 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danzh2010 danzh2010 danzh2010 approved these changes

@RyanTheOptimist RyanTheOptimist RyanTheOptimist approved these changes

@lizan lizan Awaiting requested review from lizan

Assignees

@danzh2010 danzh2010

@RyanTheOptimist RyanTheOptimist

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ggreenway @RyanTheOptimist @danzh2010