HPCC-30755 Allow ESP server TLS config to be based on an issuer name

Signed-off-by: Anthony Fishbeck <[email protected]>

esp/bindings/http/platform/httpprot.cpp

@@ -216,32 +216,35 @@ CSecureHttpProtocol::CSecureHttpProtocol(IPropertyTree* cfg)
     {
         m_config.setown(cfg);
 
-        //ensure keys are specified. Passphrase is optional
-        StringBuffer sb;
-        cfg->getProp("certificate", sb);
-        if(sb.length() == 0)
-        {
-            throw MakeStringException(-1, "certificate file not specified in config file");
-        }
+        IEspPlugin *pplg = loadPlugin(SSLIB);
+        if (!pplg)
+            throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
 
-        cfg->getProp("privatekey", sb.clear());
-        if(sb.length() == 0)
+        const char *issuer = cfg->queryProp("issuer");
+        if (!isEmptyString(issuer))
         {
-            throw MakeStringException(-1, "private key file not specified in config file");
+            createSecureSocketContextSecretSrv_t xproc = (createSecureSocketContextSecretSrv_t) pplg->getProcAddress("createSecureSocketContextSecretSrv");
+            if (!xproc)
+                throw MakeStringException(-1, "procedure createSecureSocketContextSecretSrv can't be loaded");
+            m_ssctx.setown(xproc(issuer, false));
         }
-
-        createSecureSocketContextEx2_t xproc = NULL;
-        IEspPlugin *pplg = loadPlugin(SSLIB);
-        if (pplg)
-            xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
         else
-            throw MakeStringException(-1, "dll/shared-object %s can't be loaded", SSLIB);
-
-
-        if (xproc)
+        {
+            //ensure keys are specified. Passphrase is optional
+            StringBuffer sb;
+            cfg->getProp("certificate", sb);
+            if(sb.isEmpty())
+                throw MakeStringException(-1, "certificate file not specified in config file");
+
+            cfg->getProp("privatekey", sb.clear());
+            if(sb.isEmpty())
+                throw MakeStringException(-1, "private key file not specified in config file");
+
+            createSecureSocketContextEx2_t xproc = (createSecureSocketContextEx2_t) pplg->getProcAddress("createSecureSocketContextEx2");
+            if (!xproc)
+                throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
             m_ssctx.setown(xproc(cfg, ServerSocket));
-        else
-            throw MakeStringException(-1, "procedure createSecureSocketContextEx2 can't be loaded");
+        }
     }
 }
 

helm/hpcc/templates/esp.yaml

@@ -44,6 +44,7 @@ data:
       tls: {{ include "hpcc.isIssuerEnabled" (dict "root" .root "issuerKeyName" $issuerKeyName) }}
  {{- end }}
       tls_config:
+        issuer: {{ $issuerKeyName }}
  {{- if $externalCert }}
         certificate: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.crt
         privatekey: /opt/HPCCSystems/secrets/certificates/{{ $issuerKeyName }}/tls.key

system/security/securesocket/securesocket.cpp

@@ -2014,11 +2014,11 @@ SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecret(const cha
 SECURESOCKET_API ISecureSocketContext* createSecureSocketContextSecretSrv(const char *issuer, bool requireMtlsFlag)
 {
     if (requireMtlsFlag && !queryMtls())
-        throw makeStringException(-100, "TLS secure communication requested but not configured");
+        throw makeStringException(-100, "MTLS secure context required but not configured");
 
     Owned<const ISyncedPropertyTree> info = getIssuerTlsSyncedConfig(issuer);
     if (!info->isValid())
-        throw makeStringException(-101, "TLS secure communication requested but not configured (2)");
+        throw makeStringExceptionV(-101, "TLS issuer %s secure context requested but not configured (2)", issuer);
 
     return createSecureSocketContextSynced(info, ServerSocket);
 }

system/security/securesocket/securesocket.hpp

@@ -84,6 +84,7 @@ typedef ISecureSocketContext* (*createSecureSocketContext_t)(SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx_t)(const char* certFileOrBuf, const char* privKeyFileOrBuf, const char* passphrase, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextEx2_t)(IPropertyTree* config, SecureSocketType);
 typedef ISecureSocketContext* (*createSecureSocketContextSecret_t)(const char *mtlsSecretName, SecureSocketType);
+typedef ISecureSocketContext* (*createSecureSocketContextSecretSrv_t)(const char *mtlsSecretName, bool requireMtlsConfig);
 
 extern "C" {