-
Notifications
You must be signed in to change notification settings - Fork 84
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cert validation: use Android cert validation APIs (#2525)
Description: add engine API to allow user config to use Android cert validation APIs. Risk Level: high Testing: added tests in Http2TestServerTest.java Docs Changes: Release Notes: Fixes #1575 Part of #2144
- Loading branch information
Showing
36 changed files
with
1,009 additions
and
179 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
48 changes: 48 additions & 0 deletions
48
library/common/extensions/cert_validator/platform_bridge/BUILD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
load( | ||
"@envoy//bazel:envoy_build_system.bzl", | ||
"envoy_cc_extension", | ||
"envoy_cc_library", | ||
"envoy_extension_package", | ||
) | ||
|
||
licenses(["notice"]) # Apache 2 | ||
|
||
envoy_extension_package() | ||
|
||
envoy_cc_library( | ||
name = "c_types_lib", | ||
hdrs = ["c_types.h"], | ||
repository = "@envoy", | ||
deps = [ | ||
"//library/common/data:utility_lib", | ||
], | ||
) | ||
|
||
envoy_cc_library( | ||
name = "platform_bridge_cert_validator_lib", | ||
srcs = ["platform_bridge_cert_validator.cc"], | ||
hdrs = [ | ||
"platform_bridge_cert_validator.h", | ||
], | ||
repository = "@envoy", | ||
deps = [ | ||
":c_types_lib", | ||
"@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", | ||
], | ||
) | ||
|
||
envoy_cc_extension( | ||
name = "config", | ||
srcs = ["config.cc"], | ||
hdrs = [ | ||
"c_types.h", | ||
"config.h", | ||
], | ||
repository = "@envoy", | ||
deps = [ | ||
":platform_bridge_cert_validator_lib", | ||
"//library/common/api:external_api_lib", | ||
"//library/common/data:utility_lib", | ||
"@envoy//envoy/registry", | ||
], | ||
) |
42 changes: 42 additions & 0 deletions
42
library/common/extensions/cert_validator/platform_bridge/c_types.h
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
#pragma once | ||
|
||
#include "library/common/types/c_types.h" | ||
|
||
// NOLINT(namespace-envoy) | ||
|
||
/** | ||
* Certification validation binary result with corresponding boring SSL alert | ||
* and error details if the result indicates failure. | ||
*/ | ||
typedef struct { | ||
envoy_status_t result; | ||
uint8_t tls_alert; | ||
const char* error_details; | ||
} envoy_cert_validation_result; | ||
|
||
#ifdef __cplusplus | ||
extern "C" { // function pointers | ||
#endif | ||
|
||
/** | ||
* Function signature for calling into platform APIs to validate certificates. | ||
*/ | ||
typedef envoy_cert_validation_result (*envoy_validate_cert_f)(const envoy_data* certs, uint8_t size, | ||
const char* host_name); | ||
|
||
/** | ||
* Function signature for calling into platform APIs to clean up after validation completion. | ||
*/ | ||
typedef void (*envoy_release_validator_f)(); | ||
|
||
#ifdef __cplusplus | ||
} // function pointers | ||
#endif | ||
|
||
/** | ||
* A bag of function pointers to be registered in the platform registry. | ||
*/ | ||
typedef struct { | ||
envoy_validate_cert_f validate_cert; | ||
envoy_release_validator_f release_validator; | ||
} envoy_cert_validator; |
25 changes: 25 additions & 0 deletions
25
library/common/extensions/cert_validator/platform_bridge/config.cc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
#include "library/common/extensions/cert_validator/platform_bridge/config.h" | ||
|
||
#include "library/common/api/external.h" | ||
|
||
namespace Envoy { | ||
namespace Extensions { | ||
namespace TransportSockets { | ||
namespace Tls { | ||
|
||
CertValidatorPtr PlatformBridgeCertValidatorFactory::createCertValidator( | ||
const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, | ||
TimeSource& /*time_source*/) { | ||
if (platform_validator_ == nullptr) { | ||
platform_validator_ = | ||
static_cast<envoy_cert_validator*>(Api::External::retrieveApi("platform_cert_validator")); | ||
} | ||
return std::make_unique<PlatformBridgeCertValidator>(config, stats, platform_validator_); | ||
} | ||
|
||
REGISTER_FACTORY(PlatformBridgeCertValidatorFactory, CertValidatorFactory); | ||
|
||
} // namespace Tls | ||
} // namespace TransportSockets | ||
} // namespace Extensions | ||
} // namespace Envoy |
Oops, something went wrong.