HPCC-27255 TLS cert/key as buffers

[mckellyln]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

https://track.hpccsystems.com/browse/HPCC-27255
Jira updated

[mckellyln]

@afishbeck is this what you are sort of looking for ?
It is a draft PR - let me know if this is on the right track.

[mckellyln]

@jakesmith this is a draft PR - let me know your thoughts.

[afishbeck]

@mckellyln I haven't reviewed the details, but this functionality looks great.

The one thing that would make this just sort of work magically for much of the kubernetes code is if you updated this constructor:

CSecureSocketContext(const IPropertyTree* config, SecureSocketType sockettype)

So that it detects if the following are file paths like they are now, or memory buffers.

If the ptree could support either then it would become almost seemless.

    const char* certfile = config->queryProp("certificate");
    if (isPEMBuffer(certfile)
       -- loadfrommemory
    else
       --current behavior

    const char* privkeyfile = config->queryProp("privatekey");
    if (isPEMBuffer(privkeyfile)
       -- loadfrommemory
    else
       --current behavior

    if(m_verify)
    {
        const char* cabuffer = config->queryProp("verify/ca_certificates/pem");
    if (!isEmptyString(cabuffer)
       --loadfrommemory
   else
   {
        const char* capath = config->queryProp("verify/ca_certificates/@path");
    if (!isEmptyString(capath)
       --current behavior
  }

Can verify the path to the cacert pem buffer later, but that's the idea.

[mckellyln]

ok, I've added code for this, thanks.

[afishbeck]

@mckellyln I made a minor suggestion above. Other than that, I haven't reviewed the fine points, but the design looks great. I will be able to make use of this to allow more certificates to come from vault rather than local secrets.

[mckellyln]

ok, thanks, I will remove the '@' from the '@pem'

[jakesmith]

@mckellyln - looks good, a few minor points and questions, main one may be - is const char * the best choice for these certificate buffers that ultimately call through to the methods that take a void * + len ?

[jakesmith]

minor: it would be safer to 'own' the BIO pointer, would avoid the manual free's and guarantee (e.g. if exception) that it would be freed, e.g. with:

cryptohelper::OwnedEVPBio cbio = BIO_new_mem_buf((void *)certbuf, -1);

[jakesmith]

worth considering for similar cleanup code, e.g. when SSL_CTX_free called

[jakesmith]

not new: slightly more efficient (avoids VMT) to do : public CInterfaceOf

[mckellyln]

ok, changed

[jakesmith]

trivial: MakeStringException is deprecated in favour of makeStringException or makeStringExceptionV

[ghalliday]

@mckellyln a few comments. I didn't look in detail at the functions.

[ghalliday]

@afishbeck there is a mixture of attributes (enable, accept) and values (trusted_peers, pem, certificatebuf etc.) is there a reason for each?

[afishbeck]

@ghalliday There is, this is basically config for a SecureSocket to be used for either client or server. It's been around quite a while, and used multiple places. I create some from secrets which is where this PR comes from. We could clean it up at some point (along with much of the SecureSocket interface), but it would be a separate effort.

[ghalliday]

may be simpler as a single function that also takes the buffer parameters - it would remove some duplicate code and would also work with a mixuture of buffers and files (although I can't see that being used)

[ghalliday]

Worth using a wrapper class for a BIO * which calls BIO_free on exit. It would clean up the code in this and other functions.
... I see Jake has suggested the same below. I think the following works (it compiles!), and might be a good pattern to adopt elsewhere:

struct BIO_deleter
{
    void operator() ( BIO * bio )
    {
       BIO_free( bio ); 
    }
};
using unique_bioptr = std::unique_ptr<BIO, BIO_deleter>;
...
unique_bioptr cbio(BIO_new_mem_buf((void *)privkeybuf, -1));

@jakesmith thoughts?

[jakesmith]

std::unique_ptr vs cryptohelper::OwnedEVPBio would be okay too, and more standard.
Only -ve is that std::unique_ptr doesn't implicitly cast to the underlying pointer the way we are used to with our Owned* varieties [i.e. u need to call uptr.get() ]

Either would make the code cleaner/safer.
It would be nice if we consistently use the same pattern though.

[mckellyln]

ok, added for BIO.
Perhaps could also do same for stack of x509 ...

[jakesmith]

yes, I think in almost all cases, it would be cleaner/safer and make the code more robust in general (the pke/cryptocommon code does so for all SSL objects).

[mckellyln]

Have made many updates in commit 4 to address your comments.
Please re-review when you have time.

[mckellyln]

perhaps a unique_ptr could be used for infostk as well ?

[jakesmith]

yes, I think it would help the code be more robust in general if we contained these objects, such as they were auto deleted when out of scope.

[mckellyln]

build / checks failed because of something not related to code changes -

Error: buildx failed with: ERROR: failed to solve: failed to register layer: write /opt/HPCCSystems/lib/libws_topology.so: no space left on device

[jakesmith]

@mckellyln - please see comments

[jakesmith]

trivial: this should really be makeStringExceptionV, also in some other places new and old.

[jakesmith]

personal: not keen on formatting like this, clearer if spaced and on newlines IMO.

[jakesmith]

minor: missing 'override'

[jakesmith]

currently, this new constructor isn't used, but also it's confusing that there's 1 ctor taking 2 const char *'s and another taking 2 StringBuffer's.

I think as with the property config ctor, it would be better to consolidate into 1, which differentiated whether a file or content, via isPEMBuffer().

There's quite a bit of common code here too (was to some extent before as well), it would be cleaner/clearer to read if there were member helper functions, e.g. setCertificateFromBuf, setCertificateFromFile, and same for private key.
The calling code in ctor's could then reuse, and with the above change, both can call a common setCertificate and setPrivateKey private member methods, i.e.

    void setCertificate(const char *certificate)
    {
        if (isPEMBuffer(certificate))
            setCertificateFromBuf(certificate);
        else
            setCertificateFromFile(certificate);
    }
    void setPrivateKey(const char *privateKey)
    {
        if (isPEMBuffer(privateKey))
            setPrivateKeyFromBuf(privateKey);
        else
            setPrivateKeyFromFile(privateKey);
    }

[jakesmith]

trivial: quite a lot of pre-existing mixed conventions in use already, but we should try to use camelCase for new/changed code.

[jakesmith]

agree, management of these types of objects would be cleaner/safer if owned (e.g. with unique_ptr).
and if this code is moved into the helper methods that handle private key setting, then it will be more relevant, as it will be owned by the class - the free would not need to happen at this point.

[jakesmith]

I think this is being leaked (similar code in pke.cpp, ensures it is owned)

[jakesmith]

yes, I think it would help the code be more robust in general if we contained these objects, such as they were auto deleted when out of scope.

[jakesmith]

it would help clearup other code if this was owned.

[ghalliday]

The code I suggested:

struct BIO_deleter
{
    void operator() ( BIO * bio )
    {
       BIO_free( bio ); 
    }
};
using unique_bioptr = std::unique_ptr<BIO, BIO_deleter>;

avoids the need to pass BIO_free to the constructor of each BIO_ptr.

[jakesmith]

ok, that's a nice approach.

We should keep these helper objects and functions together.
We already have existing helpers in system/security/cryptohelper/cryptocommon.hpp,
both for owned semantics of these ssl objects, and for openssl exception creation.

I'd be happy for those to be switched to using std::unique_ptr in this PR, or it might be best to use them as is for now, and switch their implementation to std::unique_ptr at a later date.

[mckellyln]

Code changes in commits 5 and 6.
Only items left (except for new comments) are:
1). X509_STORE *store = SSL_CTX_get_cert_store(ctx); - do we need to explicitly free this ?
2). no unique_ptr / owned wrapper for STACK_OF(X509_INFO) *infoStk to free up automatically
Please re-review when you have time, thx.

[jakesmith]

@mckellyln - looks pretty good, some minor comments, 1 question, and replies to your q's

[jakesmith]

trivial/pedantic/camelCase: ...Fileor... > ...FileOr..

(and similar elsewhere)

[mckellyln]

ok, changed

[jakesmith]

question: if this code (and similar at other entry points) spotted it was a file, could it load it into a buffer and then unify much of the code it calls to dealing with PEM buffer's only (not files), and therefore simply the code?

[afishbeck]

In our current kubernetes installations that would work. But in general I'm not sure whether our file handling supports more formats than just PEM. This buffer handling is for PEM content only.

[jakesmith]

minor: should be makeStringException

[mckellyln]

ok, changed

[jakesmith]

could use cryptohelper::makeEVPExceptionVA instead of these 3 lines,
and similar in other places below.

[mckellyln]

ok, changed

[jakesmith]

could use cryptohelper::makeEVPExceptionVA instead of these 3 lines

[mckellyln]

ok, changed

[jakesmith]

@mckellyln - although squashed, I have scanned this and other changes made in the last commit and looks good.

[jakesmith]

minor: should be makeStringException

[mckellyln]

ok, changed

[jakesmith]

minor: should be makeStringException

[mckellyln]

ok, changed

[jakesmith]

no need, better to remove it.

[jakesmith]

looks like we should provide a way for an opional cipherList to be provided via this ctor route too,
and default like the other ctor if not.
and/or could it a method of ISecureSocketContext and (optionally) called to set after construction?

[ghalliday]

@mckellyln that looks good. A few comments that you may want to address, but I think it can be merged soon/now and other issues tackled later.

[ghalliday]

Can this always set "certificate" and then have the PEMbuffer test later? A later clean up PR would be fine.

[mckellyln]

Yes, but there is also the pem / @path difference, do we leave that in or also remove ?

[ghalliday]

Might be worth coming up with a more intuitive function name (I didn't know what PEM stood for). Something like containsEmbeddedKey()?

[mckellyln]

ok, renamed function.

[mckellyln]

Squashed commits

[afishbeck]

@mckellyln some comments.

[afishbeck]

This is picky and might just be me, but I'd prefer the method name be slightly different.
Like "createInMemorySecClientConfig" or "createBufferedSecClientConfig".. the ending of "ConfigBuf" just implies something specific to me.

[afishbeck]

Part of this is probably copy and paste, but new code being added should use nullptr rather than NULL.

[afishbeck]

I think the parameters should still just be char pointers and you should find another way of making the constructor signature unique. Like passing flags. That way if the caller is using some other type of string class they can still function.

If you did keep them as StringBuffer, I think the parameters could be const.

[afishbeck]

Looking at this now, I think I can just do what you did when I create these config ptrees. When I have a buffer I can call it certificatebuf, privatekeybuf, pem, etc. You don't need to autodetect the type. It just gets a bit convoluted.

[afishbeck]

I don't think we should force these to be passed as StringBuffer. It takes away the flexibility const char * gives is someone is using a different primitive for the strings, or reads them directly into some location.

[afishbeck]

In our current kubernetes installations that would work. But in general I'm not sure whether our file handling supports more formats than just PEM. This buffer handling is for PEM content only.

[afishbeck]

Having given it more thought, to support other formats in the future should we call this "certificate_pem" or something similar?

[mckellyln]

ok, renamed. Yes the check for if its embedded could return a type ...

[afishbeck]

I think "verify locations" usually refers to locations on disk, can we change the name to something like "setVerifyCertPEMBuffer" or "setCACertPEMBuffer"?

[mckellyln]

ok, renamed to setVerifyCertPEMBuffer().

[afishbeck]

As mentioned above, I think we should rename these "buf" properties to "certificate_pem" or similiar so we know exactly what they are. For any new formats in the future we can use other names.

[mckellyln]

ok, renamed.

[afishbeck]

Perhaps rename this to "setCACerts" or "setVerifyCerts". I think locations is meant to convey files and/or directories.

[mckellyln]

ok, renamed to setVerifyCerts

[mckellyln]

@afishbeck made changes based on your comments in commit 2a.
Please re-review when you have time.

[afishbeck]

@mckellyln clarified my 1 remaining question.

[afishbeck]

@mckellyln what I'm wondering is, because we want only our cacerts, and don't want any default cacerts to remain...

Instead of doing:

 X509_STORE *store = SSL_CTX_get_cert_store(ctx);
loop{
    X509_STORE_add_cert(store, infoVal->x509);
}

we should do?:

X509_STORE *store = X509_STORE_new();
loop{
    X509_STORE_add_cert(store, infoVal->x509);
}
SSL_CTX_set_cert_store(ctx, store);  //this will clear (and free) old and add new

[mckellyln]

ok, good point, I agree we should reset/clear store or check if cert already there, etc.
I was thinking of it being same as call to SSL_CTX_load_verify_locations(), but its not quite the same.
I'll look at it next week.
Thanks.

[mckellyln]

@afishbeck like this ?

[afishbeck]

What happens when the OwnedX509Store above goes out of scope but the pointer has been passed to SSL_CTX_set_cert_store?

Should you do:
SSL_CTX_set_cert_store(ctx, store.getClear());

instead?

[mckellyln]

Yes, thank you. It needs to survive.

[mckellyln]

But then does it get freed when ref count goes to zero ? Or it is already zero at this point ?

[mckellyln]

When would it ever get freed ? I am thinking we need to free it when we free ctx ?

[mckellyln]

Maybe a store should be added to CSecureSocketContext ?

[mckellyln]

I've added a m_store member, if you think this is an ok way to go.

[afishbeck]

@mckellyln I think this is the difference between SSL_CTX_set_cert_store and SSL_CTX_set1_cert_store. One takes ownership and one increments and decrements the reference count. Either case needs testing to make sure there is no leak or extra free.

I think the only reason to add an m_store is if the store is shared by multiple contexts otherwise it's extra complexity with nothing to gain.

[afishbeck]

@mckellyln one comment.

[mckellyln]

Having some trouble deciding / understanding the lifetime of a store within a context. Please let me know what you think of adding an m_store member like the last commit ??

[mckellyln]

ok, removed commit 4a with m_store, so back to original design with the getClear() so it is not freed just after here.

[ghalliday]

@mckellyln looks good, and code looks clean. Please squash once Tony has approved and I will merge.

[afishbeck]

@mckellyln looks good.

[mckellyln]

Squashed and rebased onto candidate-9.4.x