Verify SAN with multiple values, support verifying URI type in SAN#559
Verify SAN with multiple values, support verifying URI type in SAN#559mattklein123 merged 5 commits intoenvoyproxy:masterfrom
Conversation
myidpt
changed the title
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
generally looks good, a few comments/questions.
| std::string cert_chain_file_; | ||
| std::string private_key_file_; | ||
| std::string verify_subject_alt_name_; | ||
| std::vector<std::string> verify_subject_alt_name_; |
There was a problem hiding this comment.
nit: verify_subject_alt_names_ or verify_subject_alt_name_list_
There was a problem hiding this comment.
verify_subject_alt_name_list_ sounds good :)
|
|
||
| ContextManagerImpl& parent_; | ||
| SslCtxPtr ctx_; | ||
| std::string verify_subject_alt_name_; |
| } | ||
|
|
||
| TEST(SslContextImplTest, TestVerifySubjectAltNameDNSMatched) { | ||
| FILE* fp = fopen("test/common/ssl/test_data/san_dns.crt", "r"); |
There was a problem hiding this comment.
close fp here and in other test functions.
| } | ||
|
|
||
| bool ContextImpl::verifySubjectAltName(X509* cert, const std::string& subject_alt_name) { | ||
| bool ContextImpl::verifySubjectAltName(X509* cert, |
There was a problem hiding this comment.
I assume we have 100% coverage on this function now? Can you please get someone else who is familiar with TLS to give a +1 on the TLS part. I'm really not familiar with this stuff and don't feel comfortable approving the actual crypto aspect.
There was a problem hiding this comment.
Yes, 100% unit test coverage. I can get Tao Li in the loop as well.
| std::string cert_chain_file_; | ||
| std::string private_key_file_; | ||
| std::string verify_subject_alt_name_; | ||
| std::vector<std::string> verify_subject_alt_name_; |
| for (auto& config_san : subject_alt_names) { | ||
| if (dNSNameMatch(config_san, dns_name)) { | ||
| verified = true; | ||
| break; |
There was a problem hiding this comment.
This break will only jump out the for loop in line 266, but not the one in line 260, which will change the existing behavior.
There was a problem hiding this comment.
Maybe you can free altnames here and return true.
There was a problem hiding this comment.
@mattklein123 , this is not a bug, it's just about efficiency since 'verified' will never be set to 'false' explicitly.
There was a problem hiding this comment.
ah ok, cool, thanks. Didn't look carefully.
There was a problem hiding this comment.
Adding "&& !verified" in the loop condition should do the work.
| for (auto& config_san : subject_alt_names) { | ||
| if (config_san.compare(crt_san) == 0) { | ||
| verified = true; | ||
| break; |
There was a problem hiding this comment.
Same thing here. Should return immediately once a match found.
This commit cleans up a few leftovers from envoyproxy#559 .
This commit cleans up a few leftovers from #559 .
Signed-off-by: Pengyuan Bian <[email protected]>
This archive is actually a zip containing the produced aar, so this makes that a bit less confusing. Signed-off-by: Keith Smiley <[email protected]> Signed-off-by: JP Simard <[email protected]>
This archive is actually a zip containing the produced aar, so this makes that a bit less confusing. Signed-off-by: Keith Smiley <[email protected]> Signed-off-by: JP Simard <[email protected]>
3 participants
Enable Envoy to verify certificate SAN field against multiple values (set through config).
In config, modify the type of verify_subject_alt_name field to an array.
Support verifying URI type in certificate SAN. The exact match is checked.
This is part of Istio work.
fixes #515