Skip to content

GnuTLS: load and send X.509 certificate chains#831

Open
yadij wants to merge 3 commits into
squid-cache:masterfrom
yadij:gnutls-chainload
Open

GnuTLS: load and send X.509 certificate chains#831
yadij wants to merge 3 commits into
squid-cache:masterfrom
yadij:gnutls-chainload

Conversation

@yadij

@yadij yadij commented May 25, 2021

Copy link
Copy Markdown
Contributor

Feature parity with OpenSSL in terms of loading and validating a chain
of X.509 intermediary certificates from a PEM file during configuration,
and delivery of the resulting chain on TLS ServerHello handshakes.

@yadij

yadij commented May 25, 2021

Copy link
Copy Markdown
Contributor Author

Replacement PR for #458

@yadij yadij added review-1 S-waiting-for-author author action is expected (and usually required) labels May 25, 2021
@yadij yadij added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels May 27, 2021
@yadij yadij requested a review from rousskov May 27, 2021 02:29
@rousskov rousskov requested review from rousskov and removed request for rousskov June 5, 2021 16:49
@yadij yadij removed the Squid-5 label Jun 21, 2021
@yadij yadij force-pushed the gnutls-chainload branch from 6293fd3 to d7e9180 Compare July 5, 2021 06:47
rousskov

This comment was marked as resolved.

@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Jul 13, 2021
@yadij yadij force-pushed the gnutls-chainload branch from d7e9180 to 60bb4b9 Compare July 15, 2021 12:36
@yadij yadij added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels Jul 16, 2021
@yadij yadij requested a review from rousskov July 16, 2021 03:37
rousskov

This comment was marked as resolved.

@rousskov rousskov added the S-waiting-for-author author action is expected (and usually required) label Jul 20, 2021
@yadij yadij removed the S-waiting-for-author author action is expected (and usually required) label Jul 21, 2021
rousskov

This comment was marked as resolved.

@rousskov rousskov added the S-waiting-for-author author action is expected (and usually required) label Aug 3, 2021
@yadij yadij removed the S-waiting-for-author author action is expected (and usually required) label Aug 27, 2021
@rousskov rousskov added the S-waiting-for-author author action is expected (and usually required) label Aug 27, 2021
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Sep 15, 2021
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Oct 18, 2021
@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Nov 12, 2021

@rousskov rousskov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yadij, the PR needs more work, but I think it is time to give you a chance to review recent changes and adjust what you think should be adjusted (inside and outside those changes). Please ping me when you are happy with the branch code, and I will re-review.

@yadij yadij removed the review-1 label Jan 18, 2022
@yadij

yadij commented Jan 18, 2022

Copy link
Copy Markdown
Contributor Author

Putting aside my dislike of the extra CPU cycles this API design creates from all the de-ref/re-ref taking I can accept your changes.

@rousskov This last push is simply a rebase to fix the code collision and github editors empty line removal. Over to you for final review.

@yadij yadij added S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box and removed S-waiting-for-author author action is expected (and usually required) labels Jan 18, 2022
@yadij yadij requested a review from rousskov January 18, 2022 09:43
@rousskov

Copy link
Copy Markdown
Contributor

Putting aside my dislike of the extra CPU cycles this API design creates from all the de-ref/re-ref taking

What makes you think that these reference and dereference operations spend extra CPU cycles? At that low level, both pointers and references are just memory addresses to the compiler. The low-level CPU instructions are exactly the same, regardless of whether the memory is accessed via a raw pointer or a reference.

When used correctly, these never-nil and always-immutable pointers (called references) can make code safer, clearer, and faster. They do not cost anything extra in terms of CPU cycles.

@rousskov rousskov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alex: the PR needs more work, but I think it is time to give you a chance to review recent changes and adjust what you think should be adjusted (inside and outside those changes). Please ping me when you are happy with the branch code, and I will re-review.

Amos: Over to you for final review.

This code is buggy and still needs more polishing work AFAICT. I left a few specific change requests, but this is not a comprehensive review -- I ignored most polishing issues (among others). Writing code by review is inefficient and unpleasant. Please let me know if you prefer that I finish this development work instead. I know others are waiting for this PR to land.

Comment thread src/security/KeyData.cc
debugs(83, 2, "Loading certificate chain from PEM files not implemented in this Squid.");
const char *certFilename = certFile.c_str();
gnutls_datum_t rawFileContent;
Security::ErrorCode x = gnutls_load_file(certFilename, &rawFileContent);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/// Squid-defined error code (<0), an error code returned by X.509 API, or zero
typedef int ErrorCode;

Using Security::ErrorCode type here conflicts with that type description (e.g., GNUTLS_E_FILE_ERROR returned by gnutls_load_file() is negative). It also mismatches the otherwise identical code in KeyData::loadX509CertFromFile(). I hope the type description and loadX509CertFromFile() are OK, and this (poorly duplicated) code is wrong.

Suggested change
Security::ErrorCode x = gnutls_load_file(certFilename, &rawFileContent);
Security::LibErrorCode x = gnutls_load_file(certFilename, &rawFileContent);

Comment on lines +251 to +262
const auto certCount = 1 + keys.chain.size();
auto crt = new gnutls_x509_crt_t[certCount];
crt[0] = keys.cert.get();
if (certCount > 1) {
int i = 1;
for (const auto &cert : keys.chain) {
crt[i++] = cert.get(); // gnutls_x509_crt_t is a raw-pointer
}
}

const auto x = gnutls_certificate_set_x509_key(t.get(), crt, certCount, xkey);
delete[] crt;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refactor to use std::vector instead of raw new/delete. Use std::vector::data() to pass the raw array to gnutls_certificate_set_x509_key(). I expect certCount to be gone after this refactoring.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not seem right to me. It assumes that std::vector is always a single consecutive memory allocation - AFAIK that is not a guarantee from std::vector, just a common compiler choice.

std::array does document that guarantee officially, so I will look into switching to that.

Comment thread src/security/KeyData.cc Outdated
Comment thread src/security/CertGadgets.h Outdated
@rousskov rousskov added S-waiting-for-author author action is expected (and usually required) and removed S-waiting-for-reviewer ready for review: Set this when requesting a (re)review using GitHub PR Reviewers box labels Jan 20, 2022
@squid-anubis squid-anubis added the M-failed-description https://github.com/measurement-factory/anubis#pull-request-labels label Aug 8, 2022
@squid-anubis squid-anubis removed the M-failed-description https://github.com/measurement-factory/anubis#pull-request-labels label Aug 23, 2022
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Mar 27, 2023
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Jun 6, 2023
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Jan 9, 2024
@squid-anubis squid-anubis added M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels and removed M-failed-other https://github.com/measurement-factory/anubis#pull-request-labels labels Mar 2, 2024
@kinkie kinkie added the M-ignored-by-merge-bots https://github.com/measurement-factory/anubis/blob/master/README.md#pull-request-labels label Nov 1, 2024
Feature parity with OpenSSL in terms of loading and validating a chain
of X.509 intermediary certificates from a PEM file during configuration,
and delivery of the resulting chain on TLS ServerHello handshakes.
@yadij yadij force-pushed the gnutls-chainload branch from b96c3c1 to 9215012 Compare July 11, 2026 09:47
// TODO: support collection of certificates
auto raw = reinterpret_cast<const unsigned char*>(downloaderAnswer.resource.rawContent());
if (auto cert = d2i_X509(nullptr, &raw, downloaderAnswer.resource.length())) {
if (auto cert = CertPointer(d2i_X509(nullptr, &raw, downloaderAnswer.resource.length()))) {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file changes result from incremental review polishing. The original change around these was split off into an already merged PR without this pointer-safety action.
TODO: split this off also.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature maintainer needs documentation updates for merge M-ignored-by-merge-bots https://github.com/measurement-factory/anubis/blob/master/README.md#pull-request-labels S-waiting-for-author author action is expected (and usually required)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants