envoyproxy · Augustyniak · Oct 18, 2022 · Aug 18, 2022 · Aug 19, 2022 · Aug 23, 2022
diff --git a/docs/root/api/starting_envoy.rst b/docs/root/api/starting_envoy.rst
@@ -514,6 +514,18 @@ to use IPv6. Note this is an experimental option and should be enabled with caut
   builder.forceIPv6(true)
 
 
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+``enablePlatformCertificatesValidation``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Specify whether to use platform provided certificate validation interfaces. Currently only supported on Android. Defaults to false.
+
+**Example**::
+
+  // Kotlin
+  builder.enablePlatformCertificatesValidation(true)
+
+
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 ``enableProxying``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
@@ -15,6 +15,7 @@ Bugfixes:
 
 Features:
 
+- api: add option to support platform provided certificates validation interfaces. (:issue `#2144 <2144>`)
- api: add option to support platform provided certificates validation interfaces. (:issue `#2144 <2144>`)
+- kotlin/c++: add option to support platform provided certificates validation interfaces on Android. (:issue `#2144 <2144>`)
- api: add option to support platform provided certificates validation interfaces. (:issue `#2144 <2144>`)
+- kotlin/c++: add option to support platform provided certificates validation interfaces on Android. (:issue `#2144 <2144>`)
 - kotlin: add a way to tell Envoy Mobile to respect system proxy settings by calling an ``enableProxying(true)`` method on the engine builder. (:issue:`#2416 <2416>`)
 
 

diff --git a/envoy_build_config/BUILD b/envoy_build_config/BUILD
@@ -33,6 +33,7 @@ envoy_cc_library(
         "@envoy//source/extensions/transport_sockets/tls:config",
         "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
         "@envoy//source/extensions/upstreams/http/generic:config",
+        "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
         "@envoy_mobile//library/common/extensions/filters/http/assertion:config",
         "@envoy_mobile//library/common/extensions/filters/http/local_error:config",
         "@envoy_mobile//library/common/extensions/filters/http/network_configuration:config",

diff --git a/envoy_build_config/extension_registry.cc b/envoy_build_config/extension_registry.cc
@@ -23,6 +23,7 @@
 #include "source/extensions/upstreams/http/generic/config.h"
 
 #include "extension_registry_platform_additions.h"
+#include "library/common/extensions/cert_validator/platform_bridge/config.h"
 #include "library/common/extensions/filters/http/assertion/config.h"
 #include "library/common/extensions/filters/http/local_error/config.h"
 #include "library/common/extensions/filters/http/network_configuration/config.h"
@@ -63,6 +64,7 @@ void ExtensionRegistry::registerFactories() {
   Envoy::Extensions::TransportSockets::Http11Connect::
       forceRegisterUpstreamHttp11ConnectSocketConfigFactory();
   Envoy::Extensions::TransportSockets::Tls::forceRegisterDefaultCertValidatorFactory();
+  Envoy::Extensions::TransportSockets::Tls::forceRegisterPlatformBridgeCertValidatorFactory();
   Envoy::Extensions::Upstreams::Http::Generic::forceRegisterGenericGenericConnPoolFactory();
   Envoy::Upstream::forceRegisterLogicalDnsClusterFactory();
   ExtensionRegistryPlatformAdditions::registerFactories();

diff --git a/envoy_build_config/extensions_build_config.bzl b/envoy_build_config/extensions_build_config.bzl
@@ -25,5 +25,6 @@ EXTENSIONS = {
     "envoy.transport_sockets.raw_buffer":                  "//source/extensions/transport_sockets/raw_buffer:config",
     "envoy.transport_sockets.tls":                         "//source/extensions/transport_sockets/tls:config",
     "envoy.http.stateful_header_formatters.preserve_case": "//source/extensions/http/header_formatters/preserve_case:config",
+    "envoy_mobile.cert_validator.platform_bridge_cert_validator": "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
 }
 WINDOWS_EXTENSIONS = {}
diff --git a/library/cc/engine_builder.cc b/library/cc/engine_builder.cc
@@ -124,6 +124,12 @@ EngineBuilder& EngineBuilder::enableSocketTagging(bool socket_tagging_on) {
   return *this;
 }
 
+EngineBuilder&
+EngineBuilder::enablePlatformCertificatesValidation(bool platform_certificates_validation_on) {
+  this->platform_certificates_validation_on_ = platform_certificates_validation_on;
+  return *this;
+}
+
 std::string EngineBuilder::generateConfigStr() {
 #if defined(__APPLE__)
   std::string dns_resolver_name = "envoy.network.dns_resolver.apple";
@@ -200,6 +206,14 @@ std::string EngineBuilder::generateConfigStr() {
   config_builder << config_template_;
 
   auto config_str = config_builder.str();
+
+  // Choose the right certification validator.
+  absl::StrReplaceAll(
+      {{"{{custom_cert_validation_context}}",
+        (this->platform_certificates_validation_on_ ? platform_cert_validation_context_template
+                                                    : default_cert_validation_context_template)}},
+      &config_str);
+
   if (config_str.find("{{") != std::string::npos) {
     throw std::runtime_error("could not resolve all template keys in config");
   }

diff --git a/library/cc/engine_builder.h b/library/cc/engine_builder.h
@@ -41,6 +41,7 @@ class EngineBuilder {
   EngineBuilder& enableGzip(bool gzip_on);
   EngineBuilder& enableBrotli(bool brotli_on);
   EngineBuilder& enableSocketTagging(bool socket_tagging_on);
+  EngineBuilder& enablePlatformCertificatesValidation(bool platform_certificates_validation_on);
 
   // this is separated from build() for the sake of testability
   std::string generateConfigStr();
@@ -83,6 +84,7 @@ class EngineBuilder {
   bool gzip_filter_ = true;
   bool brotli_filter_ = false;
   bool socket_tagging_filter_ = false;
+  bool use_platform_cert_validator_ = false;
 
   absl::flat_hash_map<std::string, KeyValueStoreSharedPtr> key_value_stores_{};
 

diff --git a/library/common/config/config.cc b/library/common/config/config.cc
@@ -75,6 +75,14 @@ const char* brotli_config_insert = R"(
           ignore_no_transform_header: true
 )";
 
+const char* platform_cert_validation_context_template = R"(
+  custom_validator_config:
+    name: "envoy_mobile.cert_validator.platform_bridge_cert_validator")";
+
+const char* default_cert_validation_context_template = R"(
+  trusted_ca:
+    inline_string: *tls_root_certs)";
+
 const char* socket_tag_config_insert = R"(
   - name: envoy.filters.http.socket_tag
     typed_config:
@@ -149,24 +157,7 @@ R"(- &enable_drain_post_dns_refresh false
 !ignore tls_root_ca_defs: &tls_root_certs |
 )"
 #include "certificates.inc"
-R"(
-
-!ignore tls_socket_defs:
-- &base_tls_socket
-  name: envoy.transport_sockets.http_11_proxy
-  typed_config:
-    "@type": type.googleapis.com/envoy.extensions.transport_sockets.http_11_proxy.v3.Http11ProxyUpstreamTransport
-    transport_socket:
-      name: envoy.transport_sockets.tls
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-        common_tls_context:
-          tls_params:
-            tls_maximum_protocol_version: TLSv1_3
-          validation_context:
-            trusted_ca:
-              inline_string: *tls_root_certs
-)";
+;
 
 const char* config_template = R"(
 !ignore local_error_defs: &local_error_config
@@ -280,6 +271,46 @@ const char* config_template = R"(
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
+!ignore tls_socket_defs:
+- &validation_context {{custom_cert_validation_context}}
+- &validation_context_config_trust_chain {{custom_cert_validation_context}}
+  trust_chain_verification: *trust_chain_verification
+
+- &base_tls_socket
+  name: envoy.transport_sockets.http_11_proxy
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.http_11_proxy.v3.Http11ProxyUpstreamTransport
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        common_tls_context:
+          tls_params:
+            tls_maximum_protocol_version: TLSv1_3
+          validation_context: *validation_context
+- &base_h2_socket
+  name: envoy.transport_sockets.http_11_proxy
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.http_11_proxy.v3.Http11ProxyUpstreamTransport
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+        common_tls_context:
+          alpn_protocols: [h2]
+          tls_params:
+            tls_maximum_protocol_version: TLSv1_3
+          validation_context: *validation_context_config_trust_chain
+- &base_h3_socket
+  name: envoy.transport_sockets.quic
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
+    upstream_tls_context:
+      common_tls_context:
+        tls_params:
+          tls_maximum_protocol_version: TLSv1_3
+        validation_context: *validation_context_config_trust_chain
+
 !ignore custom_cluster_defs:
   stats_cluster: &stats_cluster
     name: stats
@@ -429,41 +460,15 @@ const char* config_template = R"(
     connect_timeout: *connect_timeout
     lb_policy: CLUSTER_PROVIDED
     cluster_type: *base_cluster_type
-    transport_socket:
-      name: envoy.transport_sockets.http_11_proxy
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.transport_sockets.http_11_proxy.v3.Http11ProxyUpstreamTransport
-        transport_socket:
-          name: envoy.transport_sockets.tls
-          typed_config:
-            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-            common_tls_context:
-              alpn_protocols: [h2]
-              tls_params:
-                tls_maximum_protocol_version: TLSv1_3
-              validation_context:
-                trusted_ca:
-                  inline_string: *tls_root_certs
-                trust_chain_verification: *trust_chain_verification
+    transport_socket: *base_h2_socket
     upstream_connection_options: *upstream_opts
     circuit_breakers: *circuit_breakers_settings
     typed_extension_protocol_options: *h2_protocol_options
   - name: base_h3
     connect_timeout: *connect_timeout
     lb_policy: CLUSTER_PROVIDED
     cluster_type: *base_cluster_type
-    transport_socket:
-      name: envoy.transport_sockets.quic
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
-        upstream_tls_context:
-          common_tls_context:
-            tls_params:
-              tls_maximum_protocol_version: TLSv1_3
-            validation_context:
-              trusted_ca:
-                inline_string: *tls_root_certs
-              trust_chain_verification: *trust_chain_verification
+    transport_socket: *base_h3_socket
     upstream_connection_options: *upstream_opts
     circuit_breakers: *circuit_breakers_settings
     typed_extension_protocol_options: *h3_protocol_options

diff --git a/library/common/config/templates.h b/library/common/config/templates.h
@@ -85,3 +85,15 @@ extern const char* socket_tag_config_insert;
  * direct responses to mutate headers which are then later used for routing.
  */
 extern const char* route_cache_reset_filter_insert;
+
+/**
+ * Config template which uses Envoy's built-in certificates validator to verify
+ * certificate chain.
+ */
+extern const char* default_cert_validation_context_template;
+
+/**
+ * Config template which uses platform's certificates APIs to verify certificate
+ * chain.
+ */
+extern const char* platform_cert_validation_context_template;
diff --git a/library/common/extensions/cert_validator/platform_bridge/BUILD b/library/common/extensions/cert_validator/platform_bridge/BUILD
@@ -0,0 +1,48 @@
+load(
+    "@envoy//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "c_types_lib",
+    hdrs = ["c_types.h"],
+    repository = "@envoy",
+    deps = [
+        "//library/common/data:utility_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "platform_bridge_cert_validator_lib",
+    srcs = ["platform_bridge_cert_validator.cc"],
+    hdrs = [
+        "platform_bridge_cert_validator.h",
+    ],
+    repository = "@envoy",
+    deps = [
+        ":c_types_lib",
+        "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+    ],
+)
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = [
+        "c_types.h",
+        "config.h",
+    ],
+    repository = "@envoy",
+    deps = [
+        ":platform_bridge_cert_validator_lib",
+        "//library/common/api:external_api_lib",
+        "//library/common/data:utility_lib",
+        "@envoy//envoy/registry",
+    ],
+)
diff --git a/library/common/extensions/cert_validator/platform_bridge/c_types.h b/library/common/extensions/cert_validator/platform_bridge/c_types.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include "library/common/types/c_types.h"
+
+// NOLINT(namespace-envoy)
+
+/**
+ * Certification validation binary result with corresponding boring SSL alert
+ * and error details if the result indicates failure.
+ */
+typedef struct {
+  envoy_status_t result;
+  uint8_t tls_alert;
+  const char* error_details;
+} envoy_cert_validation_result;
+
+#ifdef __cplusplus
+extern "C" { // function pointers
+#endif
+
+/**
+ * Function signature for calling into platform APIs to validate certificates.
+ */
+typedef envoy_cert_validation_result (*envoy_validate_cert_f)(const envoy_data* certs, uint8_t size,
+                                                              const char* host_name);
+
+/**
+ * Function signature for calling into platform APIs to clean up after validation completion.
+ */
+typedef void (*envoy_release_validator_f)();
+
+#ifdef __cplusplus
+} // function pointers
+#endif
+
+/**
+ * A bag of function pointers to be registered in the platform registry.
+ */
+typedef struct {
+  envoy_validate_cert_f validate_cert;
+  envoy_release_validator_f release_validator;
+} envoy_cert_validator;
diff --git a/library/common/extensions/cert_validator/platform_bridge/config.cc b/library/common/extensions/cert_validator/platform_bridge/config.cc
@@ -0,0 +1,23 @@
+#include "library/common/extensions/cert_validator/platform_bridge/config.h"
+
+#include "library/common/api/external.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+CertValidatorPtr PlatformBridgeCertValidatorFactory::createCertValidator(
+    const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats,
+    TimeSource& /*time_source*/) {
+  platform_validator_ =
+      static_cast<envoy_cert_validator*>(Api::External::retrieveApi("platform_cert_validator"));
 // TODO(alyssawilk, abeyad): gracefully handle the case where an Api by the given name is not 
 // TODO(alyssawilk, abeyad): gracefully handle the case where an Api by the given name is not 
+  return std::make_unique<PlatformBridgeCertValidator>(config, stats, platform_validator_);
+}
+
+REGISTER_FACTORY(PlatformBridgeCertValidatorFactory, CertValidatorFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/library/common/extensions/cert_validator/platform_bridge/config.h b/library/common/extensions/cert_validator/platform_bridge/config.h
@@ -0,0 +1,30 @@
+#include "envoy/registry/registry.h"
+
+#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+
+#include "library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class PlatformBridgeCertValidatorFactory : public CertValidatorFactory {
+public:
+  CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config,
+                                       SslStats& stats, TimeSource& time_source) override;
+
+  std::string name() const override {
+    return "envoy_mobile.cert_validator.platform_bridge_cert_validator";
+  }
+
+private:
+  const envoy_cert_validator* platform_validator_;
+};
+
+DECLARE_FACTORY(PlatformBridgeCertValidatorFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy