Support multiple certificates

[colmmacc]

At present s2n supports one certificate chain per configuration which effectively limits it to one certificate per listening IP address. It should be possible to provide s2n multiple certificates and to have s2n negotiate which certificate should be used based on 1) certificate name matching, including wildcards 2) signature algorithm type and 3) key agreement type (e.g. DSA, ECDSA, RSA ...).

[colmmacc]

After some initial discussion about this feature, the current proposal that callers should load certificates and s2n should "do the right thing" and figure out the correct certificate to serve. The API might look like something like this;

struct s2n_bundle *bundle = s2n_new_bundle();

s2n_bundle_add_certificate_chain_and_key(bundle, certificate_chain, key, name, signature_algorithm, signature_digest);

where name is a DNS name, and signature_algorithm is RSA | ECDSA and signature_digest is SHA, SHA256, SHA384 ... etc. A bundle can be associated with a connection. At runtime s2n will figure out which certificate chain to vend and which key to use based on the following search order:

ECDSA + SHA384 + exact_name
ECDSA + SHA256 + exact_name
ECDSA + SHA + exact_name
RSA + SHA384 + exact_name
RSA + SHA256 + exact_name
RSA + SHA + exact_name
ECDSA + SHA384 + wildcard_matches
ECDSA + SHA256 + wildcard_matches
ECDSA + SHA + wildcard_matches
RSA + SHA384 + wildcard_matches
RSA + SHA256 + wildcard_matches
RSA + SHA + wildcard_matches

This kind of search order can be implemented efficiently using a prefix tree or trie, with names stored backwards, e.g.

com.amazon.www | is_wildcard_flag | algorithm | digest 

in a later iteration, once X509 parsing is implemented, the names (including subject alternate names) can be automatically pulled from certificates and the function signature changed to avoid needing to specify the name.

[baldwinmatt]

That sounds reasonable for most implementations, but thinking of our use case which binds certs to vips and not (necessarily) hostnames, how do we handle that? I'll follow up with you offline

[colmmacc]

s2n works at the file descriptor level, so an application is free to use different bundles with different connections/file descriptors - but it would have to keep some kind of ip -> bundle lookup table itself.

We could make s2n aware of IP addresses and to use getpeername() and so on, but this does end up muddling the API somewhat. Definitely something to talk/think about.

[colmmacc]

Based on looking at how certs are used in the real world, I'm leaning towards some kind of hash table rather than a tree for the index. The main reasons are 1. Real world clients only support one level of wildcards, so a given SNI name should require at most two searches (e.g. www.amazon.com and *.amazon.com) to find a certificate, and 2. When running as a client, following certificates to the root is not a "nearest match" kind of thing.

So with that in mind, I'm thinking of implementing an index that looks something like;

www.amazon.com  -> [ entry ]
*.amazonaws.com -> [ entry ]

and then the entry will have a simple array which is ordered as follows:

SHA384 + ECDSA  -> certificate_key_pair
SHA384 + RSA    -> certificate_key_pair
SHA256 + ECDSA  -> certificate_key_pair
SHA256 + RSA    -> certificate_key_pair
SHA1 + ECDSA    -> certificate_key_pair
SHA1 + RSA      -> certificate_key_pair

With the top-most option supported by the client used.