cert validation: use Android cert validation APIs

docs/root/api/starting_envoy.rst

@@ -514,6 +514,18 @@ to use IPv6. Note this is an experimental option and should be enabled with caut
   builder.forceIPv6(true)
 
 
+~~~~~~~~~~~~~~~~~~~~~~~
+``usePlatformCertValidator``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Specify whether to use platform provided certificate validation interfaces. Currently only supported on Android. Defaults to false.
+
+**Example**::
+
+  // Kotlin
+  builder.usePlatformCertValidator(true)
+
+
 ----------------------
 Advanced configuration
 ----------------------

docs/root/intro/version_history.rst

@@ -60,6 +60,7 @@ Features:
 - android: create simple persistent SharedPreferencesStore (:issue: `#2319 <2319>`)
 - iOS: A documentation archive is now included in the GitHub release artifact (:issue: `#2335 <2335>`)
 - api: improved C++ APIs compatibility with Java / Kotlin / Swift (:issue `#2362 <2362>`)
+- api: add option to support platform provided certificates validation interfaces. (:issue `#2144 <2144>`)
 - Android: default to use a ``getaddrinfo``-based system DNS resolver instead of c-ares (:issue: `#2419 <2419>`)
 - iOS: add ``KeyValueStore`` protocol conformance to ``UserDefaults`` (:issue: `#2452 <2452>`)
 - iOS: add experimental option to force all connections to use IPv6. (:issue: `#2396 <2396>`)

envoy_build_config/BUILD

@@ -31,6 +31,7 @@ envoy_cc_library(
         "@envoy//source/extensions/transport_sockets/tls:config",
         "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
         "@envoy//source/extensions/upstreams/http/generic:config",
+        "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
         "@envoy_mobile//library/common/extensions/filters/http/assertion:config",
         "@envoy_mobile//library/common/extensions/filters/http/local_error:config",
         "@envoy_mobile//library/common/extensions/filters/http/network_configuration:config",

envoy_build_config/extension_registry.cc

@@ -21,6 +21,7 @@
 #include "source/extensions/upstreams/http/generic/config.h"
 
 #include "extension_registry_platform_additions.h"
+#include "library/common/extensions/cert_validator/platform_bridge/config.h"
 #include "library/common/extensions/filters/http/assertion/config.h"
 #include "library/common/extensions/filters/http/local_error/config.h"
 #include "library/common/extensions/filters/http/network_configuration/config.h"
@@ -59,6 +60,7 @@ void ExtensionRegistry::registerFactories() {
   Envoy::Extensions::TransportSockets::RawBuffer::forceRegisterUpstreamRawBufferSocketFactory();
   Envoy::Extensions::TransportSockets::Tls::forceRegisterUpstreamSslSocketFactory();
   Envoy::Extensions::TransportSockets::Tls::forceRegisterDefaultCertValidatorFactory();
+  Envoy::Extensions::TransportSockets::Tls::forceRegisterPlatformBridgeCertValidatorFactory();
   Envoy::Extensions::Upstreams::Http::Generic::forceRegisterGenericGenericConnPoolFactory();
   Envoy::Upstream::forceRegisterLogicalDnsClusterFactory();
   ExtensionRegistryPlatformAdditions::registerFactories();

envoy_build_config/extensions_build_config.bzl

@@ -24,5 +24,7 @@ EXTENSIONS = {
     "envoy.transport_sockets.raw_buffer":                  "//source/extensions/transport_sockets/raw_buffer:config",
     "envoy.transport_sockets.tls":                         "//source/extensions/transport_sockets/tls:config",
     "envoy.http.stateful_header_formatters.preserve_case": "//source/extensions/http/header_formatters/preserve_case:config",
+
+    "envoy_mobile.cert_validator.platform_bridge_cert_validator": "@envoy_mobile//library/common/extensions/cert_validator/platform_bridge:config",
 }
 WINDOWS_EXTENSIONS = {}

library/cc/engine_builder.cc

@@ -124,6 +124,11 @@ EngineBuilder& EngineBuilder::enableSocketTagging(bool socket_tagging_on) {
   return *this;
 }
 
+EngineBuilder& EngineBuilder::usePlatformCertValidator(bool use_platform_cert_validator) {
+  this->use_platform_cert_validator_ = use_platform_cert_validator;
+  return *this;
+}
+
 std::string EngineBuilder::generateConfigStr() {
 #if defined(__APPLE__)
   std::string dns_resolver_name = "envoy.network.dns_resolver.apple";
@@ -200,6 +205,14 @@ std::string EngineBuilder::generateConfigStr() {
   config_builder << config_template_;
 
   auto config_str = config_builder.str();
+
+  // Choose the right certification validator.
+  absl::StrReplaceAll(
+      {{"{{custom_cert_validation_context}}",
+        (this->use_platform_cert_validator_ ? platform_cert_validation_context_template
+                                            : default_cert_validation_context_template)}},
+      &config_str);
+
   if (config_str.find("{{") != std::string::npos) {
     throw std::runtime_error("could not resolve all template keys in config");
   }

library/cc/engine_builder.h

@@ -41,6 +41,7 @@ class EngineBuilder {
   EngineBuilder& enableGzip(bool gzip_on);
   EngineBuilder& enableBrotli(bool brotli_on);
   EngineBuilder& enableSocketTagging(bool socket_tagging_on);
+  EngineBuilder& usePlatformCertValidator(bool use_platform_cert_validator);
 
   // this is separated from build() for the sake of testability
   std::string generateConfigStr();
@@ -83,6 +84,7 @@ class EngineBuilder {
   bool gzip_filter_ = true;
   bool brotli_filter_ = false;
   bool socket_tagging_filter_ = false;
+  bool use_platform_cert_validator_ = false;
 
   absl::flat_hash_map<std::string, KeyValueStoreSharedPtr> key_value_stores_{};
 

library/common/config/config.cc

@@ -75,6 +75,14 @@ const char* brotli_config_insert = R"(
           ignore_no_transform_header: true
 )";
 
+const char* platform_cert_validation_context_template = R"(
+  custom_validator_config:
+    name: "envoy_mobile.cert_validator.platform_bridge_cert_validator")";
+
+const char* default_cert_validation_context_template = R"(
+  trusted_ca:
+    inline_string: *tls_root_certs)";
+
 const char* socket_tag_config_insert = R"(
   - name: envoy.filters.http.socket_tag
     typed_config:
@@ -149,20 +157,7 @@ R"(- &enable_drain_post_dns_refresh false
 !ignore tls_root_ca_defs: &tls_root_certs |
 )"
 #include "certificates.inc"
-R"(
-
-!ignore tls_socket_defs:
-- &base_tls_socket
-  name: envoy.transport_sockets.tls
-  typed_config:
-    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-    common_tls_context:
-      tls_params:
-        tls_maximum_protocol_version: TLSv1_3
-      validation_context:
-        trusted_ca:
-          inline_string: *tls_root_certs
-)";
+;
 
 const char* config_template = R"(
 !ignore local_error_defs: &local_error_config
@@ -276,6 +271,38 @@ const char* config_template = R"(
             typed_config:
               "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
 
+!ignore tls_socket_defs:
+- &validation_context {{custom_cert_validation_context}}
+- &validation_context_config_trust_chain {{custom_cert_validation_context}}
+  trust_chain_verification: *trust_chain_verification
+
+- &base_tls_socket
+  name: envoy.transport_sockets.tls
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+    common_tls_context:
+      tls_params:
+        tls_maximum_protocol_version: TLSv1_3
+      validation_context: *validation_context
+- &base_h2_socket
+  name: envoy.transport_sockets.tls
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+    common_tls_context:
+      alpn_protocols: [h2]
+      tls_params:
+        tls_maximum_protocol_version: TLSv1_3
+      validation_context: *validation_context_config_trust_chain
+- &base_h3_socket
+  name: envoy.transport_sockets.quic
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
+    upstream_tls_context:
+      common_tls_context:
+        tls_params:
+          tls_maximum_protocol_version: TLSv1_3
+        validation_context: *validation_context_config_trust_chain
+
 !ignore custom_cluster_defs:
   stats_cluster: &stats_cluster
     name: stats
@@ -421,37 +448,15 @@ const char* config_template = R"(
     connect_timeout: *connect_timeout
     lb_policy: CLUSTER_PROVIDED
     cluster_type: *base_cluster_type
-    transport_socket:
-      name: envoy.transport_sockets.tls
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-        common_tls_context:
-          alpn_protocols: [h2]
-          tls_params:
-            tls_maximum_protocol_version: TLSv1_3
-          validation_context:
-            trusted_ca:
-              inline_string: *tls_root_certs
-            trust_chain_verification: *trust_chain_verification
+    transport_socket: *base_h2_socket
     upstream_connection_options: *upstream_opts
     circuit_breakers: *circuit_breakers_settings
     typed_extension_protocol_options: *h2_protocol_options
   - name: base_h3
     connect_timeout: *connect_timeout
     lb_policy: CLUSTER_PROVIDED
     cluster_type: *base_cluster_type
-    transport_socket:
-      name: envoy.transport_sockets.quic
-      typed_config:
-        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
-        upstream_tls_context:
-          common_tls_context:
-            tls_params:
-              tls_maximum_protocol_version: TLSv1_3
-            validation_context:
-              trusted_ca:
-                inline_string: *tls_root_certs
-              trust_chain_verification: *trust_chain_verification
+    transport_socket: *base_h3_socket
     upstream_connection_options: *upstream_opts
     circuit_breakers: *circuit_breakers_settings
     typed_extension_protocol_options: *h3_protocol_options

library/common/config/templates.h

@@ -85,3 +85,7 @@ extern const char* socket_tag_config_insert;
  * direct responses to mutate headers which are then later used for routing.
  */
 extern const char* route_cache_reset_filter_insert;
+
+extern const char* default_cert_validation_context_template;
+
+extern const char* platform_cert_validation_context_template;

library/common/extensions/cert_validator/platform_bridge/BUILD

@@ -0,0 +1,48 @@
+load(
+    "@envoy//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "c_types_lib",
+    hdrs = ["c_types.h"],
+    repository = "@envoy",
+    deps = [
+        "//library/common/data:utility_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "platform_bridge_cert_validator_lib",
+    srcs = ["platform_bridge_cert_validator.cc"],
+    hdrs = [
+        "platform_bridge_cert_validator.h",
+    ],
+    repository = "@envoy",
+    deps = [
+        ":c_types_lib",
+        "@envoy//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+    ],
+)
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = [
+        "c_types.h",
+        "config.h",
+    ],
+    repository = "@envoy",
+    deps = [
+        ":platform_bridge_cert_validator_lib",
+        "//library/common/api:external_api_lib",
+        "//library/common/data:utility_lib",
+        "@envoy//envoy/registry",
+    ],
+)

library/common/extensions/cert_validator/platform_bridge/c_types.h

@@ -0,0 +1,29 @@
+#pragma once
+
+#include "library/common/types/c_types.h"
+
+// NOLINT(namespace-envoy)
+
+typedef struct {
+  envoy_status_t result;
+  uint8_t tls_alert;
+  const char* error_details;
+} envoy_cert_validation_result;
+
+#ifdef __cplusplus
+extern "C" { // function pointers
+#endif
+
+typedef envoy_cert_validation_result (*envoy_validate_cert_f)(const envoy_data* certs, uint8_t size,
+                                                              const char* host_name);
+
+typedef void (*envoy_validation_done_f)();
+#ifdef __cplusplus
+} // function pointers
+#endif
+
+typedef struct {
+  envoy_validate_cert_f validate_cert;
+  envoy_validation_done_f validation_done;
+
+} envoy_cert_validator;

library/common/extensions/cert_validator/platform_bridge/config.cc

@@ -0,0 +1,26 @@
+#include "library/common/extensions/cert_validator/platform_bridge/config.h"
+
+#include "library/common/api/external.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+CertValidatorPtr PlatformBridgeCertValidatorFactory::createCertValidator(
+    const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats,
+    TimeSource& /*time_source*/) {
+#if defined(__APPLE__)
+  PANIC("IOS platform based cert validation is not supported.");
+#endif
+  platform_bridge_api_ =
+      static_cast<envoy_cert_validator*>(Api::External::retrieveApi("platform_cert_validator"));
+  return std::make_unique<PlatformBridgeCertValidator>(config, stats, platform_bridge_api_);
+}
+
+REGISTER_FACTORY(PlatformBridgeCertValidatorFactory, CertValidatorFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy

library/common/extensions/cert_validator/platform_bridge/config.h

@@ -0,0 +1,30 @@
+#include "envoy/registry/registry.h"
+
+#include "source/extensions/transport_sockets/tls/cert_validator/factory.h"
+
+#include "library/common/extensions/cert_validator/platform_bridge/platform_bridge_cert_validator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+class PlatformBridgeCertValidatorFactory : public CertValidatorFactory {
+public:
+  CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config,
+                                       SslStats& stats, TimeSource& time_source) override;
+
+  std::string name() const override {
+    return "envoy_mobile.cert_validator.platform_bridge_cert_validator";
+  }
+
+private:
+  const envoy_cert_validator* platform_bridge_api_;
+};
+
+DECLARE_FACTORY(PlatformBridgeCertValidatorFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy