Skip to content

quic: support cert selection by SNI, non-PEM formats#32260

Merged
ggreenway merged 32 commits intoenvoyproxy:mainfrom
ggreenway:quic-multi-cert
Mar 6, 2024
Merged

quic: support cert selection by SNI, non-PEM formats#32260
ggreenway merged 32 commits intoenvoyproxy:mainfrom
ggreenway:quic-multi-cert

Conversation

@ggreenway
Copy link
Copy Markdown
Member

@ggreenway ggreenway commented Feb 7, 2024
edited
Loading

Commit Message: Added support for QUIC listeners to choose certificates based on SNI and load certificates from formats other than PEM, such as pkcs12. This brings feature parity between quic and non-quic TLS use for certificate selection and loading formats.
Additional Description:
Risk Level: Medium
Testing: existing tests
Docs Changes: none
Release Notes: added
Platform Specific Features:
Runtime guard: envoy.restart_features.quic_handle_certs_with_shared_tls_code
[Optional Fixes #Issue]

@ggreenway
quic: support multiple certs, selected by SNI
fd93527 
This brings feature parity between quic and non-quic TLS use for
certificate selection.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Feb 7, 2024

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #32260 was opened by ggreenway.

see: more, trace.

@ggreenway
comments and whitespace
c6e5291 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
wip: try to fix integration tests
534667a 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
1a343fa
@ggreenway
fix quic handoff hotrestart test
05d5e62 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
integration test fixes
34b39f6 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix tls transport socket tests
aa980d1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix quic tests
ba6799f 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
re-use already loaded certs
0e105cd 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
changelog
e6bab00 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway ggreenway marked this pull request as ready for review February 13, 2024 00:03
@ggreenway ggreenway requested a review from lizan as a code owner February 13, 2024 00:03
@ggreenway ggreenway changed the title quic: support multiple certs, selected by SNI quic: support cert selection by SNI, non-PEM formats Feb 13, 2024
@ggreenway
fix format
6d77bc1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix spelling
176791c 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
remove some unneeded stuff
5db400b 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
f9b4a25
@ggreenway
fix another test
f4ac1ae 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
fix test
16c8bbd 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
RyanTheOptimist
RyanTheOptimist reviewed Feb 13, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@RyanTheOptimist RyanTheOptimist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks awesome! One small nit.

source/common/quic/quic_server_transport_socket_factory.cc
// we can reuse all the code that loads from different formats, allows using passwords on the key,
// etc.
std::string certs_str;
auto process_one_cert = [&](X509* cert) {
Copy link
Copy Markdown
Contributor

@RyanTheOptimist RyanTheOptimist Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Would it make sense to just make this function in the anonymous namespace?

Copy link
Copy Markdown
Member Author

@ggreenway ggreenway Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer having it in the function that uses it to make it clear the scope in which it's used, and it can capture a variable instead of needing a parameter. But it's just a small style preference. I'll change it if you insist.

@ggreenway
fix compile-time-options
e7355bb 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
danzh2010
danzh2010 reviewed Feb 13, 2024
View reviewed changes
source/common/quic/quic_server_transport_socket_factory.cc Outdated
ASSERT(result == 1);
BUF_MEM* buf_mem = nullptr;
result = BIO_get_mem_ptr(bio.get(), &buf_mem);
certs_str.append(buf_mem->data, buf_mem->length);
Copy link
Copy Markdown
Contributor

@danzh2010 danzh2010 Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you directly populate a std::vector<std::string> instead of concatenating the pem string here and then calling CertificateView::LoadPemFromStream() to split them apart?

Copy link
Copy Markdown
Member Author

@ggreenway ggreenway Feb 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took at stab at this in latest commit; PTAL and let me know if this is what you had in mind.

My understanding is that each string in this vector should be a pem-encoded (base64) string of a cert, without newlines or the begin/end block. Is there a boringssl API to get that directly? I didn't find a more direct way than what's in my latest commit.

@ggreenway
fix asan error
fac9719 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
slightly lower coverage for quic
4c095a1 
Some paths can't be hit anymore because they're caught earlier when
constructing the ContextImpl, but they should still remain in the code
for sanity

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
create chain more directly
0849a2f 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Copy link
Copy Markdown
Member Author

ggreenway commented Mar 1, 2024

/retest

ggreenway added 4 commits March 4, 2024 13:11
@ggreenway
switch from assert to exception
5c1c95d 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
factor out common code; use latched runtime value
92f49f5 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
53cde4d
@ggreenway
remove conflict marker
ce2a2f8 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@RyanTheOptimist
Copy link
Copy Markdown
Contributor

RyanTheOptimist commented Mar 5, 2024

Needs main merge again?
/wait

@ggreenway
Merge remote-tracking branch 'upstream/main' into quic-multi-cert
48393d1 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
danzh2010
danzh2010 approved these changes Mar 5, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@danzh2010 danzh2010 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ggreenway
Copy link
Copy Markdown
Member Author

ggreenway commented Mar 5, 2024

/retest

@ggreenway ggreenway merged commit d82b5a0 into envoyproxy:main Mar 6, 2024
mattjo added a commit to mattjo/envoy that referenced this pull request Mar 6, 2024
@mattjo
Merge remote-tracking branch 'origin' into sub_check
a12c531 
* origin: (34 commits)
  update CODEOWNER (envoyproxy#32457)
  Delete unused runtime flag. (envoyproxy#32739)
  mobile: Use direct ByteBuffer to pass data between C++ and Java (envoyproxy#32715)
  quic: support cert selection by SNI, non-PEM formats (envoyproxy#32260)
  mobile: Replace std::thread with Envoy::Thread::PosixThread (envoyproxy#32610)
  grpc: Add support for max frame length in gPRC frame decoding (envoyproxy#32511)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (envoyproxy#32728)
  build(deps): bump the examples-golang-network group in /examples/golang-network/simple with 1 update (envoyproxy#32732)
  build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /contrib/golang/filters/http/test/test_data/property (envoyproxy#32731)
  build(deps): bump otel/opentelemetry-collector from `246dfe9` to `71ac13c` in /examples/opentelemetry (envoyproxy#32730)
  build(deps): bump the examples-grpc-bridge group in /examples/grpc-bridge/server with 2 updates (envoyproxy#32720)
  build(deps): bump the contrib-golang group in /contrib/golang/router/cluster_specifier/test/test_data/simple with 1 update (envoyproxy#32721)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/echo with 1 update (envoyproxy#32722)
  build(deps): bump the examples-ext-authz group in /examples/ext_authz/auth/grpc-service with 1 update (envoyproxy#32723)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/routeconfig with 1 update (envoyproxy#32724)
  build(deps): bump the examples-load-reporting group in /examples/load-reporting-service with 1 update (envoyproxy#32726)
  build(deps): bump the contrib-golang group in /contrib/golang/filters/http/test/test_data/buffer with 1 update (envoyproxy#32727)
  build(deps): bump the examples-golang-http group in /examples/golang-http/simple with 1 update (envoyproxy#32729)
  opentelemetrytracer: Add User-Agent header to OTLP trace exporters (envoyproxy#32659)
  build: remove incorrect cc_library after tls code move (envoyproxy#32714)
  ...
@danzh2010 danzh2010 mentioned this pull request Mar 6, 2024
Merged
RyanTheOptimist pushed a commit that referenced this pull request Mar 7, 2024
@danzh2010
mobile: fix quic_test_server_test (#32755)
0bd73e3 
Commit Message: the test failed after #32260 because the test server uses a mocked MockTransportSocketFactoryContext which doesn't return a real ContextManager object in sslContextManager(). The mocked object returns nullptr in createSslServerContext(), thus fail to initialize the new member ssl_ctx_ in QuicServerTransportSocketFactory.

Additional Description: bazel test //test/java/io/envoyproxy/envoymobile/engine/testing:quic_test_server_test passes in this PR
Risk Level: low, test only
Testing: existing tests pass
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A

Signed-off-by: Dan Zhang <danzh@google.com>
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
dbc7e45 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
982850f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 3, 2024
@sayboras
cilium: Adjust cilium related changes
5245adc 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
@sayboras
cilium: Adjust cilium related changes
10530d3 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 4, 2024
@sayboras
cilium: Adjust cilium related changes
68df01f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
a11d3a8 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
6631f1f 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 17, 2024
@sayboras
cilium: Adjust cilium related changes
773d3b7 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
sayboras added a commit to cilium/proxy that referenced this pull request Jul 23, 2024
@sayboras
cilium: Adjust cilium related changes
f26fc7b 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
github-merge-queue bot pushed a commit to cilium/proxy that referenced this pull request Jul 23, 2024
@sayboras
cilium: Adjust cilium related changes
54affde 
Relates: envoyproxy/envoy#31841
Relates: envoyproxy/envoy#32203
Relates: envoyproxy/envoy#32260
Relates: envoyproxy/envoy#33019
@alyssawilk alyssawilk mentioned this pull request Oct 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danzh2010 danzh2010 danzh2010 approved these changes

@RyanTheOptimist RyanTheOptimist RyanTheOptimist approved these changes

@lizan lizan Awaiting requested review from lizan

Assignees

@danzh2010 danzh2010

@RyanTheOptimist RyanTheOptimist

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ggreenway @RyanTheOptimist @danzh2010