Merge pull request #18046 from afishbeck/espIssuerBasedTlsConfig

HPCC-30755 Allow ESP server TLS config to be based on an issuer name

Reviewed-by: Gavin Halliday <[email protected]>
Merged-by: Gavin Halliday <[email protected]>

esp/bindings/http/platform/httpprot.cpp

@@ -216,32 +216,38 @@ CSecureHttpProtocol::CSecureHttpProtocol(IPropertyTree* cfg)
     {
         m_config.setown(cfg);
 
-        //ensure keys are specified. Passphrase is optional
-        StringBuffer sb;
-        cfg->getProp("certificate", sb);
-        if(sb.length() == 0)
-        {
-            throw MakeStringException(-1, "certificate file not specified in config file");
-        }
+        IEspPlugin *pplg = loadPlugin(SSLIB);
+        if (!pplg)
+            throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
 
-        cfg->getProp("privatekey", sb.clear());
-        if(sb.length() == 0)
+        const char *issuer = cfg->queryProp("issuer");
+        if (!isEmptyString(issuer))
         {
-            throw MakeStringException(-1, "private key file not specified in config file");
+            const char *trustedPeers = nullptr;
+            if (cfg->hasProp("verify"))
+                trustedPeers = cfg->queryProp("verify/trusted_peers");
+            createSecureSocketContextSecretSrv_t xproc = (createSecureSocketContextSecretSrv_t) pplg->getProcAddress("createSecureSocketContextSecretSrv");
+            if (!xproc)
+                throw MakeStringException(-1, "procedure createSecureSocketContextSecretSrv can't be loaded");
+            m_ssctx.setown(xproc(issuer, trustedPeers, false));
         }
-
-        createSecureSocketContextEx2_t xproc = NULL;
-        IEspPlugin *pplg = loadPlugin(SSLIB);
-        if (pplg)
-            xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
         else
-            throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
-
-
-        if (xproc)
+        {
+            //ensure keys are specified. Passphrase is optional
+            StringBuffer sb;
+            cfg->getProp("certificate", sb);
+            if(sb.isEmpty())
+                throw MakeStringException(-1, "certificate file not specified in config file");
+
+            cfg->getProp("privatekey", sb.clear());
+            if(sb.isEmpty())
+                throw MakeStringException(-1, "private key file not specified in config file");
+
+            createSecureSocketContextEx2_t xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
+            if (!xproc)
+                throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
             m_ssctx.setown(xproc(cfg, ServerSocket));
-        else
-            throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
+        }
     }
 }
 

helm/hpcc/templates/esp.yaml

@@ -45,6 +45,7 @@ data:
       tls: {{ include "hpcc.isIssuerEnabled" (dict "root" .root "issuerKeyName" $issuerKeyName) }}
  {{- end }}
       tls_config:
+        issuer: {{ $issuerKeyName }}
  {{- if $externalCert }}
         certificate: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.crt
         privatekey: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.key

system/mp/mpcomm.cpp

@@ -2132,7 +2132,7 @@ CMPConnectThread::CMPConnectThread(CMPServer *_parent, unsigned port, bool _list
 
 #if defined(_USE_OPENSSL)
     if (parent->useTLS)
-        secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+        secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
 #endif
 }
 

system/security/securesocket/securesocket.cpp

@@ -2011,14 +2011,15 @@ SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecret(const cha
 }
 
 
-SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *issuer, bool requireMtlsFlag)
+SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *issuer, const char *optTrustedPeers, bool requireMtlsFlag)
 {
     if (requireMtlsFlag && !queryMtls())
-        throw makeStringException(-100, "TLS secure communication requested but not configured");
+        throw makeStringException(-100, "MTLS secure context required but not configured");
+
+    Owned<const ISyncedPropertyTree> info = getIssuerTlsSyncedConfig(issuer, optTrustedPeers, false);
 
-    Owned<const ISyncedPropertyTree> info = getIssuerTlsSyncedConfig(issuer);
     if (!info->isValid())
-        throw makeStringException(-101, "TLS secure communication requested but not configured (2)");
+        throw makeStringExceptionV(-101, "TLS issuer %s secure context requested but not configured (2)", issuer);
 
     return createSecureSocketContextSynced(info, ServerSocket);
 }
@@ -2216,7 +2217,7 @@ class CSingletonSecureSocketConnection: public CSingletonSocketConnection
         state = Snone;
         cancelling = false;
         secureContextClient.setown(createSecureSocketContextSecret("local", ClientSocket));
-        secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+        secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
 #ifdef _CONTAINERIZED
         tlsLogLevel = getComponentConfigSP()->getPropInt("logging/@detail", SSLogMin);
         if (tlsLogLevel >= ExtraneousMsgThreshold) // or InfoMsgThreshold ?

system/security/securesocket/securesocket.hpp

@@ -84,13 +84,14 @@ typedef ISecureSocketContext* (*createSecureSocketContext_t)(SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx_t)(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx2_t)(IPropertyTree* config, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextSecret_t)(const char *mtlsSecretName, SecureSocketType);
+typedef ISecureSocketContext* (*createSecureSocketContextSecretSrv_t)(const char *mtlsSecretName, const char *optTrustedPeers, bool requireMtlsConfig);
 
 extern "C" {
 
 //The following allow the creation of a secure socket context where the certificates will automatically be updated when they expire.
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSynced(const ISyncedPropertyTree * config, SecureSocketType sockettype); // Will become the primary (only) factory method
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecret(const char *mtlsSecretName, SecureSocketType);
-SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *mtlsSecretName, bool requireMtlsConfig);
+SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *mtlsSecretName, const char *optTrustedPeers, bool requireMtlsConfig);
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSSF(ISmartSocketFactory* ssf);
 
 //Helper function to aid migration to the functions above.  This should eventually be removed.

thorlcr/msort/tsorts1.cpp

@@ -315,7 +315,7 @@ protected: friend class CSortMerge;
 #if defined(_USE_OPENSSL)
         if (slave.queryTLS())
         {
-            secureContextServer.setown(createSecureSocketContextSecretSrv("local", true));
+            secureContextServer.setown(createSecureSocketContextSecretSrv("local", nullptr, true));
             secureContextClients.setown(createSecureSocketContextSecret("local", ClientSocket));
         }
 #endif