This repository has been archived by the owner on Nov 20, 2024. It is now read-only.
TLS splicing/bumping #57
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Merge following components for integration PoC - Certificate Provider framework - SNI-based cert selection in tls transport socket - A new network filter - BumpingFilter - Certificate Provider instance - LocalMimicCertProvider Signed-off-by: Luyao Zhong <[email protected]> Signed-off-by: LeiZhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: LeiZhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: LeiZhang <[email protected]>
Add config for setting cert expiration time Bumping filter refactor Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Fix issue of incorrectly copy cert subject to mimic cert. Use cert expiration time when expiration_time config is absent. Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Current local cert provider might generates multiple certs with the same SANs/CN and pkey type which is not our expectation, we need to fix the bug in cert provider and then restore this check Signed-off-by: Luyao Zhong <[email protected]>
Add more detail on how to import CA. Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
ipuustin
suggested changes
Nov 18, 2022
There was a problem hiding this comment.
Could you see if the commits could be done in a way that would make the review easier? I think the cert validator could be a separate commit (since that might be upstreamed separately) and the config files could be in one commit. There seems to be also two commits about expiration time, could they be just one commit?
Do the tests compile now correctly (if you say bazel build //test/... or do you need to take in the mocks change commit too?
baidu.com.key
Outdated
| MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgCMNZWCDIiO0G | ||
| 87xBMU/Y0lZDvZhSZg8NA5HQbWumPMNhCvPQyI8dqRvDh0TChWn4ePx24/atl6ay | ||
| ICe3SPsE3n850C/gf0zISK9aegl8Ov8rZIH8aw6lqEa1UZcIcFpgQYP/IveshpRf | ||
| seyvQPXeMSlwnpNuhAjU2i2HzSMx9Pg6tPyfnV14jqgfrvoPy4K0HMmiDr7mAdcR |
There was a problem hiding this comment.
Maybe use intel.com.key instead of baidu.com.key?
There was a problem hiding this comment.
will remove this file, this will not be used any more
| ------------------------ | ||
| #. Download the code to local host:: | ||
|
|
||
| $ git clone [email protected]:envoyproxy/envoy.git; cd envoy/ |
There was a problem hiding this comment.
These could be updated to point to this repo when we merge the PR. Maybe after image release so we can skip the building part?
| "Failed to load certificate chain from {}, at most one " | ||
| "certificate of a given type may be specified for each DNS SAN entry or Subject CN: {}", | ||
| ctx.cert_chain_file_path_, sn_match->first)); | ||
| // throw EnvoyException(fmt::format( |
There was a problem hiding this comment.
Just remove code, no need to comment. Version control will track the changes.
I think you mean "cert provider framework". I have talked with Matt, this will not be upstreamed separately until bumping is ready.
@ipuustin Thanks. We have more changes on the way, would like you to help review when it is ready. |
Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Currently only RSA_2048, RSA_3072, RSA_4096, ECDSA_P256 is supported. If the pkey type is not specified in config file, original server pkey type will be copied. The default value is RSA_2048. Signed-off-by: Luyao Zhong <[email protected]>
** Align with upstream ** Envoy supports selecting certs by selecting filter chain based on SNI. But it is possible that we access different services via one filter chain, which requires SNI-based cert selection in one single filter chain during handshake. Signed-off-by: Luyao Zhong <[email protected]>
Add support for setting cache size Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: Greg Greenway <[email protected]> Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
|
@LuyaoZhong can you update this PR so that it matches the upstream envoy PR which contains the crash fix. After that we can merge. |
added 2 commits
December 19, 2022 07:37
When the mimic cert is already present, skip establishing connection with upstream in Bumping Filter. Signed-off-by: Luyao Zhong <[email protected]>
When custom handshaker provides certificates, it's possible that no certificate is loaded correctly and become a null pointer. Skip the null cert when populate the map used for SNI-based certificate selection. Signed-off-by: Luyao Zhong <[email protected]>
done |
ipuustin
suggested changes
Dec 19, 2022
There was a problem hiding this comment.
Please run fix_format and also clang_tidy. The target is to have code quality on the same level as upstream Envoy process to allow for easy transfer of code.
diff --git a/envoy/certificate_provider/certificate_provider.h b/envoy/certificate_provider/certificate_provider.h
index 4af5ca40ff..e243b38f14 100644
--- a/envoy/certificate_provider/certificate_provider.h
+++ b/envoy/certificate_provider/certificate_provider.h
@@ -86,7 +86,8 @@ public:
* @return OnDemandUpdateHandle the handle which can remove that update callback.
*/
virtual OnDemandUpdateHandlePtr addOnDemandUpdateCallback(
- const std::string cert_name, absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
+ const std::string cert_name,
+ absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
Event::Dispatcher& thread_local_dispatcher, OnDemandUpdateCallbacks& callback) PURE;
/**
diff --git a/source/extensions/certificate_providers/local_certificate/local_certificate.cc b/source/extensions/certificate_providers/local_certificate/local_certificate.cc
index 1ae79c43c3..48485524d6 100644
--- a/source/extensions/certificate_providers/local_certificate/local_certificate.cc
+++ b/source/extensions/certificate_providers/local_certificate/local_certificate.cc
@@ -1,8 +1,9 @@
#include "source/extensions/certificate_providers/local_certificate/local_certificate.h"
-#include <cstddef>
#include <openssl/x509.h>
+#include <cstddef>
+
#include "source/common/common/logger.h"
#include "source/common/config/datasource.h"
#include "source/common/protobuf/protobuf.h"
@@ -55,7 +56,8 @@ Provider::tlsCertificates(const std::string&) const {
}
Envoy::CertificateProvider::OnDemandUpdateHandlePtr Provider::addOnDemandUpdateCallback(
- const std::string sni, absl::optional<::Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
+ const std::string sni,
+ absl::optional<::Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
Event::Dispatcher& thread_local_dispatcher,
Envoy::CertificateProvider::OnDemandUpdateCallbacks& callback) {
ASSERT(main_thread_dispatcher_.isThreadSafe());
@@ -69,7 +71,6 @@ Envoy::CertificateProvider::OnDemandUpdateHandlePtr Provider::addOnDemandUpdateC
// We need to align this cache_hit with current transport socket behavior
bool cache_hit = [&]() { return certificates_.is_in_cache(sni); }();
-
if (metadata.has_value()) {
if (cache_hit) {
ENVOY_LOG(debug, "Cache hit for {}", sni);
@@ -81,8 +82,7 @@ Envoy::CertificateProvider::OnDemandUpdateHandlePtr Provider::addOnDemandUpdateC
signCertificate(sni, metadata.value(), thread_local_dispatcher);
});
}
- }
- else {
+ } else {
runOnDemandUpdateCallback(sni, absl::nullopt, thread_local_dispatcher, cache_hit);
}
return handle;
@@ -99,10 +99,10 @@ void Provider::runAddUpdateCallback() {
update_callback_manager_.runCallbacks();
}
-void Provider::runOnDemandUpdateCallback(const std::string& host,
- absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
- Event::Dispatcher& thread_local_dispatcher,
- bool in_cache) {
+void Provider::runOnDemandUpdateCallback(
+ const std::string& host,
+ absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
+ Event::Dispatcher& thread_local_dispatcher, bool in_cache) {
ASSERT(main_thread_dispatcher_.isThreadSafe());
auto host_it = on_demand_update_callbacks_.find(host);
if (host_it != on_demand_update_callbacks_.end()) {
@@ -110,9 +110,11 @@ void Provider::runOnDemandUpdateCallback(const std::string& host,
auto& callbacks = pending_callbacks->callbacks_;
pending_callbacks->cancel();
if (in_cache) {
- thread_local_dispatcher.post([&callbacks, host, metadata] { callbacks.onCacheHit(host, !metadata.has_value()); });
+ thread_local_dispatcher.post(
+ [&callbacks, host, metadata] { callbacks.onCacheHit(host, !metadata.has_value()); });
} else {
- thread_local_dispatcher.post([&callbacks, host, metadata] { callbacks.onCacheMiss(host, !metadata.has_value()); });
+ thread_local_dispatcher.post(
+ [&callbacks, host, metadata] { callbacks.onCacheMiss(host, !metadata.has_value()); });
}
}
on_demand_update_callbacks_.erase(host_it);
diff --git a/source/extensions/certificate_providers/local_certificate/local_certificate.h b/source/extensions/certificate_providers/local_certificate/local_certificate.h
index 5512b96d00..ebfb037311 100644
--- a/source/extensions/certificate_providers/local_certificate/local_certificate.h
+++ b/source/extensions/certificate_providers/local_certificate/local_certificate.h
@@ -85,7 +85,8 @@ public:
std::reference_wrapper<const envoy::extensions::transport_sockets::tls::v3::TlsCertificate>>
tlsCertificates(const std::string& cert_name) const override;
Envoy::CertificateProvider::OnDemandUpdateHandlePtr addOnDemandUpdateCallback(
- const std::string cert_name, absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
+ const std::string cert_name,
+ absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
Event::Dispatcher& thread_local_dispatcher,
::Envoy::CertificateProvider::OnDemandUpdateCallbacks& callback) override;
Common::CallbackHandlePtr addUpdateCallback(const std::string& cert_name,
@@ -106,9 +107,10 @@ private:
CertCacheImpl certificates_;
void runAddUpdateCallback();
- void runOnDemandUpdateCallback(const std::string& host,
- absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
- Event::Dispatcher& thread_local_dispatcher, bool in_cache = true);
+ void runOnDemandUpdateCallback(
+ const std::string& host,
+ absl::optional<Envoy::CertificateProvider::OnDemandUpdateMetadataPtr> metadata,
+ Event::Dispatcher& thread_local_dispatcher, bool in_cache = true);
// void signCertificate(std::string sni, absl::Span<const std::string> dns_sans, const std::string
// subject,
// Event::Dispatcher& thread_local_dispatcher);
diff --git a/source/extensions/filters/network/bumping/bumping.cc b/source/extensions/filters/network/bumping/bumping.cc
index 1836b49759..2f66842555 100644
--- a/source/extensions/filters/network/bumping/bumping.cc
+++ b/source/extensions/filters/network/bumping/bumping.cc
@@ -236,8 +236,8 @@ void Filter::requestCertificate(Ssl::ConnectionInfoConstSharedPtr info) {
// to establish connection with upstream
config_->main_dispatcher_.post([this]() {
this->on_demand_handle_ = config_->tls_certificate_provider_->addOnDemandUpdateCallback(
- std::string(read_callbacks_->connection().requestedServerName()),
- absl::nullopt, read_callbacks_->connection().dispatcher(), *this);
+ std::string(read_callbacks_->connection().requestedServerName()), absl::nullopt,
+ read_callbacks_->connection().dispatcher(), *this);
});
return;
}
@@ -323,9 +323,10 @@ void Filter::onCacheHit(const std::string, bool) {
void Filter::onCacheMiss(const std::string, bool check_only) {
if (check_only) {
// cert is not present in cert provider cache, and mimic cert is not generated
- // establish connection with upstream and trigger cert mimicking based on original certification.
+ // establish connection with upstream and trigger cert mimicking based on original
+ // certification.
establishUpstreamConnection();
- //read_callbacks_->continueReading();
+ // read_callbacks_->continueReading();
return;
}
// cert is not present in cert provider cache, and mimic cert is generatedSigned-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
|
It's better to fixing warning diagnostics as well, working on that. |
added 2 commits
December 20, 2022 12:17
fix clang_tidy warnings and fix format Signed-off-by: Luyao Zhong <[email protected]>
Signed-off-by: Luyao Zhong <[email protected]>
giantcroc
pushed a commit
to giantcroc/intel_envoy
that referenced
this pull request
Jan 4, 2023
* generate csr using boringssl api 1. add getRSAPublicKey and getECDSAPublicKey to get key data from CTK. 2. add some necessary methods to decode key data 3. using boringssl api to create csr in CreateCSR * add san in csr 1. read san(subject altname) from openssl config received from istio 2. insert san into x509_req as v3_req extension 3. change control-plane to use new CreateCSR 4. cleanup comments * add check and fix comments * change hard-code to boringssl 1. change to use boringssl api 2. clean hard-code * tls: update BoringSSL to b9512430(5195) (#22805) Signed-off-by: giantcroc <[email protected]> Signed-off-by: giantcroc <[email protected]>
soulxu
pushed a commit
that referenced
this pull request
Jan 28, 2023
* TLS bumping integration Merge following components for integration PoC - Certificate Provider framework - SNI-based cert selection in tls transport socket - A new network filter - BumpingFilter - Certificate Provider instance - LocalMimicCertProvider Signed-off-by: Luyao Zhong <[email protected]> Signed-off-by: LeiZhang <[email protected]> * Add docs for building TLS bumping Signed-off-by: Luyao Zhong <[email protected]> * Add docs for testing TLS bumping without CONNECT Signed-off-by: Luyao Zhong <[email protected]> * Add config for bumping with http connect case (#308) Signed-off-by: LeiZhang <[email protected]> * Add config for TLS splicing without HTTP CONNECT case Signed-off-by: Luyao Zhong <[email protected]> * Add config for TLS splicing with HTTP CONNECT case Signed-off-by: Luyao Zhong <[email protected]> * Add config for TLS splicing/bumping w/wo HTTP CONNECT Signed-off-by: Luyao Zhong <[email protected]> * Improve doc with testing details (#309) Signed-off-by: LeiZhang <[email protected]> * Expiration time check (#320) Add config for setting cert expiration time Bumping filter refactor Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * Update splicing/bumping config to cover more test cases Signed-off-by: Luyao Zhong <[email protected]> * Fix issues of subject and expiration time (#322) Fix issue of incorrectly copy cert subject to mimic cert. Use cert expiration time when expiration_time config is absent. Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * Update config to cover http2 test case Signed-off-by: Luyao Zhong <[email protected]> * skip duplicate certs check Current local cert provider might generates multiple certs with the same SANs/CN and pkey type which is not our expectation, we need to fix the bug in cert provider and then restore this check Signed-off-by: Luyao Zhong <[email protected]> * Fix doc (#325) Add more detail on how to import CA. Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * Fix lacking sni of tls handshake in bumping filter (#329) Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * Refactor local certificate provider config (#337) Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * Add support for different pkey types and sizes (#342) Currently only RSA_2048, RSA_3072, RSA_4096, ECDSA_P256 is supported. If the pkey type is not specified in config file, original server pkey type will be copied. The default value is RSA_2048. Signed-off-by: Luyao Zhong <[email protected]> * tls: SNI-based cert selection during TLS handshake ** Align with upstream ** Envoy supports selecting certs by selecting filter chain based on SNI. But it is possible that we access different services via one filter chain, which requires SNI-based cert selection in one single filter chain during handshake. Signed-off-by: Luyao Zhong <[email protected]> * Cache size (#347) Add support for setting cache size Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * remove useless files Signed-off-by: Luyao Zhong <[email protected]> * remove useless docs/notes due to rebase Signed-off-by: Luyao Zhong <[email protected]> * add mocks to pass test compiling Signed-off-by: Luyao Zhong <[email protected]> * code cleanup Signed-off-by: Luyao Zhong <[email protected]> * replace raw pointer with smart pointer Signed-off-by: Luyao Zhong <[email protected]> * Code cleanup (#349) Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * tls: allow multiple certs with the same SAN Signed-off-by: Greg Greenway <[email protected]> Signed-off-by: Luyao Zhong <[email protected]> * bug fix Signed-off-by: Luyao Zhong <[email protected]> * avoid establishing additional connection with upstream When the mimic cert is already present, skip establishing connection with upstream in Bumping Filter. Signed-off-by: Luyao Zhong <[email protected]> * bug fix: add nullptr check for cert When custom handshaker provides certificates, it's possible that no certificate is loaded correctly and become a null pointer. Skip the null cert when populate the map used for SNI-based certificate selection. Signed-off-by: Luyao Zhong <[email protected]> * fix format Signed-off-by: Luyao Zhong <[email protected]> * fix test case Signed-off-by: Luyao Zhong <[email protected]> * Fix active tcp listener test (#351) Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> * fix code format and fix spelling format Signed-off-by: Luyao Zhong <[email protected]> * fix clang_tidy warning fix clang_tidy warnings and fix format Signed-off-by: Luyao Zhong <[email protected]> * add matt to CODEOWNER to pass format check Signed-off-by: Luyao Zhong <[email protected]> --------- Signed-off-by: Luyao Zhong <[email protected]> Signed-off-by: LeiZhang <[email protected]> Signed-off-by: lei zhang <[email protected]> Signed-off-by: Greg Greenway <[email protected]> Co-authored-by: lei zhang <[email protected]> Co-authored-by: Greg Greenway <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Copy changes of envoyproxy/envoy#23192.
This PR is to merge following parts, and do integration test.
Certificate Provider framework envoyproxy/envoy#19582
SNI-based cert selection in tls transport socket envoyproxy/envoy#22036
A new network filter - BumpingFilter envoyproxy/envoy#22582
Certificate Provider instance - LocalMimicCertProvider envoyproxy/envoy#23063
Signed-off-by: Luyao Zhong [email protected]
Signed-off-by: LeiZhang [email protected]