Standard grpc mTLS #3909

Draft
wants to merge 37 commits into
base: main
@georgeliao georgeliao commented Jan 30, 2025

A few things to note:
`make_cert_key_pair` originally handled both server and client certificate-key pair generation. `server_name` is used to tell which case it is: when `server_name` is an empty string, it is the client certificate-key case. With the standard grpc tls scheme, the root certificate-key pair is added. Now the role of `make_cert_key_pair` is still to generate and hold the server and client certificate-key pairs. However, the server certificate becomes a signed server certificate. As a result, the server branch has to generate the root certificate-key pair first and use it to sign the generated server certificate.

WIP

  1. how to re-generate root certificate and signed server certificate, delete the server certificate and key
  2. how to re-generate client certificate, delete the client certificate and key and delete the authenticated cert in the server side
  3. Unit tests before and after
  4. x509 constructor, how it generates certificate for server client before and how server, root, client after, the format difference, the server vs root vs client certs, what kind of traits should they have, what changes we made.
  5. how to guarantee the new install of multipass generates the root certificate and regenerates the server certificate with signing.
    /home/georgel/.local/share/multipass-client-certificate/multipass_cert.pem,
    openssl x509 -in /root/.local/share/multipassd/certificates/localhost.pem -noout -text
    /usr/local/share/ca-certificates/multipass_root_cert.pem

root cert attached to the server name?

georgeliao changed the title from "Standard grpc mTLs" to "Standard grpc mTLS" on Jan 30, 2025
georgeliao marked this pull request as draft January 30, 2025 11:42
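
The certificate layout the description above outlines (a root key pair, a server certificate signed by that root, and a separate client certificate), reproduced with the `openssl` CLI as an added example; it is not code from this pull request. The file names, subject names, curve, lifetimes, `localhost` as the server name, and the client certificate being self-signed are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not multipass code. File names, subjects, curve and
# lifetimes are constructed; the self-signed client cert is an assumption.

build_chain() {  # $1 = empty work dir that receives keys and certificates
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    for n in root server client; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" || return 1
    done
    # Root: self-signed CA certificate, the trust anchor handed to the client.
    openssl req -x509 -new -key "$d/root.key" -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" -sha256 -days 30 \
        -out "$d/root.pem" || return 1
    # Server: CSR signed with the root key; the server name lives in the SAN.
    openssl req -new -key "$d/server.key" -config "$d/demo.cnf" \
        -subj "/CN=localhost" -out "$d/server.csr" || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_server \
        -sha256 -days 30 -out "$d/server.pem" 2>/dev/null || return 1
    # Client: self-signed, so it never chains to the root.
    openssl req -x509 -new -key "$d/client.key" -config "$d/demo.cnf" \
        -subj "/CN=demo-client" -sha256 -days 30 -out "$d/client.pem" || return 1
}

chains_to_root() {  # $1 = work dir, $2 = certificate, $3 = optional host name
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/root.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
    fi
}

work=$(mktemp -d) && build_chain "$work" || exit 1
chains_to_root "$work" "$work/server.pem" localhost && echo "server: issued by root, name matches"
chains_to_root "$work" "$work/client.pem" || echo "client: not issued by root"
rm -rf "$work"
```

Because the client certificate in this sketch does not chain to the root, the server side has to recognise it by other means, such as a stored copy of the accepted certificate.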

codecov bot commented Jan 31, 2025

Codecov Report

Attention: Patch coverage is 88.77551% with 11 lines in your changes missing coverage. Please review.

Project coverage is 89.12%. Comparing base (51783a4) to head (0e4998e).
Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/cert/ssl_cert_provider.cpp | 88.76% | 10 Missing ⚠️ |
| src/utils/utils.cpp | 66.66% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3909      +/-   ##
==========================================
+ Coverage   89.10%   89.12%   +0.01%     
==========================================
  Files         255      255              
  Lines       14600    14626      +26     
==========================================
+ Hits        13010    13035      +25     
- Misses       1590     1591       +1     


…generated signed server certificate. Client side ssl option is also updated accordingly.

Unit tests are broken temporarily due to this change.
Added the root certificate and signed server certificate. Note, the client_cert key and certificate are the default mock_ssl_cert_provider output, and as a result these two variables are used as the server certificate key pair in almost all unit tests.
Made the mock_cert_provider use the default certificate and key pair, which is the client_cert and client_key in the file mock_cert_provider.h. Meanwhile, the make_secure_stub is also updated to make the unit tests pass.
…ificate migration when the user upgrades multipass to the version includes this.
…and commit to release 1.52.1, which serves as the base for our patches. Then, remove the patch-related code.