Add support for custom certificate verification callbacks #7317
Conversation
Specified as part of `TransportSecurityOptions` and will default to a callback accepting all pre-verified certificates if not given. Callback is provided with certificate subject Common Name and DNS Subject Alternate Name entries.
|
This PR is part of #7219 |
|
|
||
| struct SubjectInfo { | ||
| DistinguishedName dn; | ||
| std::vector<vespalib::string> subject_alt_names; |
There was a problem hiding this comment.
The SANs should contain the type (DNS, IP, etc) to in case other SAN types are required for a production use case.
There was a problem hiding this comment.
Will do when this code is refactored out of test module (or IP SANs are added, whichever comes first)
| virtual ~CertificateVerificationCallback() = default; | ||
| // Return true iff the peer credentials pass verification, false otherwise. | ||
| // Must be thread safe. | ||
| virtual bool verify(const PeerCredentials& peer_creds) const = 0; |
There was a problem hiding this comment.
Consider adding the remote IP address (or similar) as well. That will allow for the typical browser verification (CN/SAN matches DNS of remote ip).
There was a problem hiding this comment.
Definitely agree we want this, but the context in which the callback is invoked unfortunately does not contain any networking details. Will likely want the networking layer to explicitly pass down peer information when crypto sockets/codecs are created. Then this information can in turn be passed on to the verification callback.
| // or the empty string if no CN is given (or if the CN is curiously empty). | ||
| vespalib::string common_name; | ||
| // 0-n DNS SAN entries. Note: "DNS:" prefix is not present in strings. | ||
| std::vector<vespalib::string> dns_sans; |
There was a problem hiding this comment.
IPADDR SAN support Coming Soon(tm).
vekterli
deleted the
vekterli/custom-tls-certificate-verification-callback
branch
@bjorncs please review. You are the lucky recipient of this bundle of crypto joy due to the sheer amount of key/X.509 meddling it involves. Note that the X.509 building and keygen code is currently only built and used by tests. It is intended to be upgraded to production library code later, but that will require a lot of domain specific tests to be written first.
@havardpe FYI
Manually tested with OpenSSL versions 1.0.1e, 1.0.2k, 1.1.0u and 1.1.1.
Callback is specified as part of
TransportSecurityOptionsand will defaultto a callback accepting all pre-verified certificates if not given.
Callback is provided with certificate subject Common Name and
DNS Subject Alternate Name entries.