tls: support BoringSSL private key async functionality

api/envoy/api/v2/auth/cert.proto

@@ -10,6 +10,7 @@ option go_package = "auth";
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
 
+import "google/protobuf/any.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
@@ -147,6 +148,15 @@ message TlsSessionTicketKeys {
   repeated core.DataSource keys = 1 [(validate.rules).repeated .min_items = 1];
 }
 
+message PrivateKeyOperations {
+  // Private key operations provider name. The name must match a
+  // supported private key operations provider type.
+  string provider_name = 1 [(validate.rules).string.min_bytes = 1];
+
+  // Private key operations provider specific configuration.
+  google.protobuf.Any typed_config = 2;
+}
+
 message CertificateValidationContext {
   // TLS certificate data containing certificate authority certificates to use in verifying
   // a presented peer certificate (e.g. server certificate for clusters or client certificate
@@ -315,6 +325,8 @@ message CommonTlsContext {
   repeated string alpn_protocols = 4;
 
   reserved 5;
+
+  PrivateKeyOperations private_key_operations = 9;
 }
 
 message UpstreamTlsContext {

include/envoy/ssl/BUILD

@@ -31,6 +31,7 @@ envoy_cc_library(
     deps = [
         ":certificate_validation_context_config_interface",
         ":tls_certificate_config_interface",
+        "//include/envoy/ssl/private_key:private_key_interface",
     ],
 )
 

include/envoy/ssl/context_config.h

@@ -6,6 +6,7 @@
 
 #include "envoy/common/pure.h"
 #include "envoy/ssl/certificate_validation_context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -69,6 +70,12 @@ class ContextConfig {
    * @param callback callback that is executed by context config.
    */
   virtual void setSecretUpdateCallback(std::function<void()> callback) PURE;
+
+  /**
+   * @return the configured BoringSSL private key operations provider.
+   */
+  virtual const Envoy::Ssl::PrivateKeyOperationsProviderSharedPtr
+  privateKeyOperationsProvider() const PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

include/envoy/ssl/context_manager.h

@@ -4,6 +4,7 @@
 
 #include "envoy/ssl/context.h"
 #include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
 #include "envoy/stats/scope.h"
 
 namespace Envoy {
@@ -38,6 +39,12 @@ class ContextManager {
    * Iterate through all currently allocated contexts.
    */
   virtual void iterateContexts(std::function<void(const Context&)> callback) PURE;
+
+  /**
+   * Access the private key operations manager, which is part of SSL
+   * context manager.
+   */
+  virtual PrivateKeyOperationsManager& privateKeyOperationsManager() PURE;
 };
 
 } // namespace Ssl

include/envoy/ssl/private_key/BUILD

@@ -0,0 +1,35 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "private_key_interface",
+    hdrs = ["private_key.h"],
+    external_deps = ["ssl"],
+    deps = [
+        ":private_key_callbacks_interface",
+        "//include/envoy/event:dispatcher_interface",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)
+
+envoy_cc_library(
+    name = "private_key_config_interface",
+    hdrs = ["private_key_config.h"],
+    deps = [
+        ":private_key_interface",
+        "//include/envoy/registry",
+    ],
+)
+
+envoy_cc_library(
+    name = "private_key_callbacks_interface",
+    hdrs = ["private_key_callbacks.h"],
+    external_deps = ["ssl"],
+)

include/envoy/ssl/private_key/private_key.h

@@ -0,0 +1,82 @@
+#pragma once
+
+#include <functional>
+#include <string>
+
+#include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/common/pure.h"
+#include "envoy/event/dispatcher.h"
+#include "envoy/ssl/private_key/private_key_callbacks.h"
+
+#include "openssl/ssl.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+
+namespace Ssl {
+
+typedef std::shared_ptr<SSL_PRIVATE_KEY_METHOD> PrivateKeyMethodSharedPtr;
+
+class PrivateKeyOperations {
+public:
+  virtual ~PrivateKeyOperations() {}
+
+  /**
+   * Get the private key asynchronous methods from the provider, if the context can be handled by
+   * the provider.
+   * @param ssl a SSL connection object.
+   * @return private key methods, or nullptr if regular TLS processing should happen.
+   */
+  virtual PrivateKeyMethodSharedPtr getPrivateKeyMethods(SSL* ssl) PURE;
+};
+
+typedef std::unique_ptr<PrivateKeyOperations> PrivateKeyOperationsPtr;
+
+class PrivateKeyOperationsProvider {
+public:
+  virtual ~PrivateKeyOperationsProvider() {}
+
+  /**
+   * Get a private key operations instance from the provider.
+   * @param cb a callbacks object, whose "complete" method will be invoked when the asynchronous
+   * processing is complete.
+   * @param dispatcher supplies the owning thread's dispatcher.
+   * @return the private key operations.
+   */
+  virtual PrivateKeyOperationsPtr getPrivateKeyOperations(PrivateKeyOperationsCallbacks& cb,
+                                                          Event::Dispatcher& dispatcher) PURE;
+};
+
+typedef std::shared_ptr<PrivateKeyOperationsProvider> PrivateKeyOperationsProviderSharedPtr;
+
+/**
+ * A manager for finding correct user-provided functions for handling BoringSSL private key
+ * operations.
+ */
+class PrivateKeyOperationsManager {
+public:
+  virtual ~PrivateKeyOperationsManager() {}
+
+  /**
+   * Finds and returns a private key operations provider for BoringSSL.
+   *
+   * @param config_source a protobuf message object containing a TLS config source.
+   * @param config_name a name that uniquely refers to the private key operations provider.
+   * @param private_key_provider_context context that provides components for creating and
+   * initializing connections for keyless TLS etc.
+   * @return TlsPrivateKeyOperationsProvider the private key operations provider, or nullptr if
+   * no provider can be used with the context configuration.
+   */
+  virtual PrivateKeyOperationsProviderSharedPtr createPrivateKeyOperationsProvider(
+      const envoy::api::v2::auth::PrivateKeyOperations& message,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) PURE;
+};
+
+// typedef std::shared_ptr<PrivateKeyOperationsManager> PrivateKeyOperationsManagerSharedPtr;
+
+} // namespace Ssl
+} // namespace Envoy

include/envoy/ssl/private_key/private_key_callbacks.h

@@ -0,0 +1,30 @@
+#pragma once
+
+#include <functional>
+#include <string>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Ssl {
+
+enum class PrivateKeyOperationStatus {
+  Success,
+  Failure,
+};
+
+class PrivateKeyOperationsCallbacks {
+public:
+  virtual ~PrivateKeyOperationsCallbacks() {}
+
+  /**
+   * Callback function which is called when the asynchronous private key
+   * operation has been completed.
+   * @param status is "Success" or "Failure" depending on whether the private key operation was
+   * successful or not.
+   */
+  virtual void complete(PrivateKeyOperationStatus status) PURE;
+};
+
+} // namespace Ssl
+} // namespace Envoy

include/envoy/ssl/private_key/private_key_config.h

@@ -0,0 +1,22 @@
+#pragma once
+
+#include "envoy/api/v2/auth/cert.pb.h"
+#include "envoy/registry/registry.h"
+#include "envoy/ssl/private_key/private_key.h"
+
+namespace Envoy {
+namespace Ssl {
+
+// Base class which the private key operation provider implementations can register.
+
+class PrivateKeyOperationsProviderInstanceFactory {
+public:
+  virtual ~PrivateKeyOperationsProviderInstanceFactory() {}
+  virtual PrivateKeyOperationsProviderSharedPtr createPrivateKeyOperationsProviderInstance(
+      const envoy::api::v2::auth::PrivateKeyOperations& message,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) PURE;
+  virtual std::string name() const PURE;
+};
+
+} // namespace Ssl
+} // namespace Envoy

source/extensions/transport_sockets/tls/BUILD

@@ -38,6 +38,8 @@ envoy_cc_library(
         ":utility_lib",
         "//include/envoy/network:connection_interface",
         "//include/envoy/network:transport_socket_interface",
+        "//include/envoy/ssl/private_key:private_key_callbacks_interface",
+        "//include/envoy/ssl/private_key:private_key_interface",
         "//include/envoy/stats:stats_macros",
         "//source/common/common:assert_lib",
         "//source/common/common:empty_string",
@@ -59,6 +61,7 @@ envoy_cc_library(
         "//include/envoy/secret:secret_provider_interface",
         "//include/envoy/server:transport_socket_config_interface",
         "//include/envoy/ssl:context_config_interface",
+        "//include/envoy/ssl/private_key:private_key_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:empty_string",
         "//source/common/config:datasource_lib",
@@ -91,13 +94,15 @@ envoy_cc_library(
         "//include/envoy/ssl:context_config_interface",
         "//include/envoy/ssl:context_interface",
         "//include/envoy/ssl:context_manager_interface",
+        "//include/envoy/ssl/private_key:private_key_interface",
         "//include/envoy/stats:stats_interface",
         "//include/envoy/stats:stats_macros",
         "//source/common/common:assert_lib",
         "//source/common/common:base64_lib",
         "//source/common/common:hex_lib",
         "//source/common/common:utility_lib",
         "//source/common/protobuf:utility_lib",
+        "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
         "@envoy_api//envoy/admin/v2alpha:certs_cc",
     ],
 )

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -104,6 +104,20 @@ getCertificateValidationContextConfigProvider(
   }
 }
 
+Ssl::PrivateKeyOperationsProviderSharedPtr getPrivateKeyOperationsProvider(
+    const envoy::api::v2::auth::CommonTlsContext& config,
+    Server::Configuration::TransportSocketFactoryContext& factory_context) {
+
+  const auto private_key_operations_config = config.private_key_operations();
+
+  if (private_key_operations_config.provider_name() != "") {
+    return factory_context.sslContextManager()
+        .privateKeyOperationsManager()
+        .createPrivateKeyOperationsProvider(private_key_operations_config, factory_context);
+  }
+  return nullptr;
+}
+
 } // namespace
 
 ContextConfigImpl::ContextConfigImpl(
@@ -120,6 +134,7 @@ ContextConfigImpl::ContextConfigImpl(
       tls_certificate_providers_(getTlsCertificateConfigProviders(config, factory_context)),
       certificate_validation_context_provider_(
           getCertificateValidationContextConfigProvider(config, factory_context, &default_cvc_)),
+      private_key_provider_(getPrivateKeyOperationsProvider(config, factory_context)),
       min_protocol_version_(tlsVersionFromProto(config.tls_params().tls_minimum_protocol_version(),
                                                 default_min_protocol_version)),
       max_protocol_version_(tlsVersionFromProto(config.tls_params().tls_maximum_protocol_version(),

source/extensions/transport_sockets/tls/context_config_impl.h

@@ -8,6 +8,7 @@
 #include "envoy/secret/secret_provider.h"
 #include "envoy/server/transport_socket_config.h"
 #include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
 
 #include "common/common/empty_string.h"
 #include "common/json/json_loader.h"
@@ -41,6 +42,10 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
   certificateValidationContext() const override {
     return validation_context_config_.get();
   }
+  const Envoy::Ssl::PrivateKeyOperationsProviderSharedPtr
+  privateKeyOperationsProvider() const override {
+    return private_key_provider_;
+  }
   unsigned minProtocolVersion() const override { return min_protocol_version_; };
   unsigned maxProtocolVersion() const override { return max_protocol_version_; };
 
@@ -87,6 +92,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
   Common::CallbackHandle* tc_update_callback_handle_{};
   Secret::CertificateValidationContextConfigProviderSharedPtr
       certificate_validation_context_provider_;
+  Ssl::PrivateKeyOperationsProviderSharedPtr private_key_provider_;
   // Handle for certificate validation context dynamic secret callback.
   Common::CallbackHandle* cvc_update_callback_handle_{};
   Common::CallbackHandle* cvc_validation_callback_handle_{};

source/extensions/transport_sockets/tls/context_impl.cc

@@ -48,7 +48,8 @@ bool cbsContainsU16(CBS& cbs, uint16_t n) {
 ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config,
                          TimeSource& time_source)
     : scope_(scope), stats_(generateStats(scope)), time_source_(time_source),
-      tls_max_version_(config.maxProtocolVersion()) {
+      tls_max_version_(config.maxProtocolVersion()),
+      private_key_provider_(config.privateKeyOperationsProvider()) {
   const auto tls_certificates = config.tlsCertificates();
   tls_contexts_.resize(std::max(1UL, tls_certificates.size()));
 

source/extensions/transport_sockets/tls/context_impl.h

@@ -7,6 +7,7 @@
 
 #include "envoy/ssl/context.h"
 #include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
 #include "envoy/stats/scope.h"
 #include "envoy/stats/stats_macros.h"
 
@@ -73,6 +74,10 @@ class ContextImpl : public virtual Envoy::Ssl::Context {
 
   SslStats& stats() { return stats_; }
 
+  Envoy::Ssl::PrivateKeyOperationsProviderSharedPtr getPrivateKeyOperationsProvider() {
+    return private_key_provider_;
+  }
+
   // Ssl::Context
   size_t daysUntilFirstCertExpires() const override;
   Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override;
@@ -159,6 +164,7 @@ class ContextImpl : public virtual Envoy::Ssl::Context {
   std::string cert_chain_file_path_;
   TimeSource& time_source_;
   const unsigned tls_max_version_;
+  Ssl::PrivateKeyOperationsProviderSharedPtr private_key_provider_;
 };
 
 typedef std::shared_ptr<ContextImpl> ContextImplSharedPtr;