tls: add BoringSSL private key operations provider manager support.

The private key operations manager allows extensions to register
private key operations provider factories. These factories in turn
create providers for individual SSL contexts.

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>

api/envoy/api/v2/auth/cert.proto

@@ -147,6 +147,11 @@ message TlsSessionTicketKeys {
   repeated core.DataSource keys = 1 [(validate.rules).repeated .min_items = 1];
 }
 
+message PrivateKeyOperations {
+  string private_key_provider = 1;
+  core.ConfigSource private_key_provider_config = 2;
+}
+
 message CertificateValidationContext {
   // TLS certificate data containing certificate authority certificates to use in verifying
   // a presented peer certificate (e.g. server certificate for clusters or client certificate
@@ -315,6 +320,8 @@ message CommonTlsContext {
   repeated string alpn_protocols = 4;
 
   reserved 5;
+
+  PrivateKeyOperations private_key_operations = 9;
 }
 
 message UpstreamTlsContext {

include/envoy/ssl/context_manager.h

@@ -4,6 +4,7 @@
 
 #include "envoy/ssl/context.h"
 #include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
 #include "envoy/stats/scope.h"
 
 namespace Envoy {
@@ -38,6 +39,12 @@ class ContextManager {
    * Iterate through all currently allocated contexts.
    */
   virtual void iterateContexts(std::function<void(const Context&)> callback) PURE;
+
+  /**
+   * Access the private key operations manager, which is part of SSL
+   * context manager.
+   */
+  virtual PrivateKeyOperationsManager& privateKeyOperationsManager() PURE;
 };
 
 } // namespace Ssl

include/envoy/ssl/private_key/BUILD

@@ -19,6 +19,15 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "private_key_config_interface",
+    hdrs = ["private_key_config.h"],
+    deps = [
+        ":private_key_interface",
+        "//include/envoy/registry",
+    ],
+)
+
 envoy_cc_library(
     name = "private_key_callbacks_interface",
     hdrs = ["private_key_callbacks.h"],

include/envoy/ssl/private_key/private_key.h

@@ -11,6 +11,12 @@
 #include "openssl/ssl.h"
 
 namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+
 namespace Ssl {
 
 typedef std::shared_ptr<SSL_PRIVATE_KEY_METHOD> PrivateKeyMethodSharedPtr;
@@ -60,15 +66,17 @@ class PrivateKeyOperationsManager {
    *
    * @param config_source a protobuf message object containing a TLS config source.
    * @param config_name a name that uniquely refers to the private key operations provider.
+   * @param private_key_provider_context context that provides components for creating and
+   * initializing connections for keyless TLS etc.
    * @return TlsPrivateKeyOperationsProvider the private key operations provider, or nullptr if
    * no provider can be used with the context configuration.
    */
-  virtual PrivateKeyOperationsProviderSharedPtr
-  findPrivateKeyOperationsProvider(const envoy::api::v2::core::ConfigSource& config_source,
-                                   const std::string& config_name) PURE;
+  virtual PrivateKeyOperationsProviderSharedPtr createPrivateKeyOperationsProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) PURE;
 };
 
-typedef std::shared_ptr<PrivateKeyOperationsManager> PrivateKeyOperationsManagerSharedPtr;
+// typedef std::shared_ptr<PrivateKeyOperationsManager> PrivateKeyOperationsManagerSharedPtr;
 
 } // namespace Ssl
 } // namespace Envoy

include/envoy/ssl/private_key/private_key_config.h

@@ -0,0 +1,22 @@
+#pragma once
+
+#include "envoy/api/v2/core/config_source.pb.h"
+#include "envoy/registry/registry.h"
+#include "envoy/ssl/private_key/private_key.h"
+
+namespace Envoy {
+namespace Ssl {
+
+// Base class which the private key operation provider implementations can register.
+
+class PrivateKeyOperationsProviderInstanceFactory {
+public:
+  virtual ~PrivateKeyOperationsProviderInstanceFactory() {}
+  virtual PrivateKeyOperationsProviderSharedPtr createPrivateKeyOperationsProviderInstance(
+      const std::string name, const envoy::api::v2::core::ConfigSource& config_source,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) PURE;
+  virtual std::string name() const PURE;
+};
+
+} // namespace Ssl
+} // namespace Envoy

source/extensions/transport_sockets/tls/BUILD

@@ -102,6 +102,7 @@ envoy_cc_library(
         "//source/common/common:hex_lib",
         "//source/common/common:utility_lib",
         "//source/common/protobuf:utility_lib",
+        "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
         "@envoy_api//envoy/admin/v2alpha:certs_cc",
     ],
 )

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -107,11 +107,16 @@ getCertificateValidationContextConfigProvider(
 Ssl::PrivateKeyOperationsProviderSharedPtr getPrivateKeyOperationsProvider(
     const envoy::api::v2::auth::CommonTlsContext& config,
     Server::Configuration::TransportSocketFactoryContext& factory_context) {
-  (void)config;
-  (void)factory_context;
 
-  // TODO: get PrivateKeyOperationsManager from the factory_context and
-  // get a provider based on the provider name in the TLS context.
+  const auto private_key_operations_config = config.private_key_operations();
+
+  if (private_key_operations_config.private_key_provider() != "") {
+    return factory_context.sslContextManager()
+        .privateKeyOperationsManager()
+        .createPrivateKeyOperationsProvider(
+            private_key_operations_config.private_key_provider_config(),
+            private_key_operations_config.private_key_provider(), factory_context);
+  }
   return nullptr;
 }
 

source/extensions/transport_sockets/tls/context_manager_impl.h

@@ -5,8 +5,11 @@
 
 #include "envoy/common/time.h"
 #include "envoy/ssl/context_manager.h"
+#include "envoy/ssl/private_key/private_key.h"
 #include "envoy/stats/scope.h"
 
+#include "extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace TransportSockets {
@@ -33,11 +36,15 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager {
                          const std::vector<std::string>& server_names) override;
   size_t daysUntilFirstCertExpires() const override;
   void iterateContexts(std::function<void(const Envoy::Ssl::Context&)> callback) override;
+  Ssl::PrivateKeyOperationsManager& privateKeyOperationsManager() override {
+    return private_key_operations_manager_;
+  };
 
 private:
   void removeEmptyContexts();
   TimeSource& time_source_;
   std::list<std::weak_ptr<Envoy::Ssl::Context>> contexts_;
+  PrivateKeyOperationsManagerImpl private_key_operations_manager_{};
 };
 
 } // namespace Tls

source/extensions/transport_sockets/tls/private_key/BUILD

@@ -18,6 +18,8 @@ envoy_cc_library(
     ],
     deps = [
         "//include/envoy/event:dispatcher_interface",
+        "//include/envoy/registry",
+        "//include/envoy/ssl/private_key:private_key_config_interface",
         "//include/envoy/ssl/private_key:private_key_interface",
         "@envoy_api//envoy/api/v2/core:config_source_cc",
     ],

source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.cc

@@ -1,18 +1,26 @@
 #include "extensions/transport_sockets/tls/private_key/private_key_manager_impl.h"
 
+#include "envoy/registry/registry.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
 
 Envoy::Ssl::PrivateKeyOperationsProviderSharedPtr
-PrivateKeyOperationsManagerImpl::findPrivateKeyOperationsProvider(
-    const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name) {
+PrivateKeyOperationsManagerImpl::createPrivateKeyOperationsProvider(
+    const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+    Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) {
 
-  (void)config_name;
-  (void)config_source;
+  Ssl::PrivateKeyOperationsProviderInstanceFactory* factory =
+      Registry::FactoryRegistry<Ssl::PrivateKeyOperationsProviderInstanceFactory>::getFactory(
+          config_name);
 
-  // TODO(ipuustin): implement this.
+  // Create a new provider instance with the configuration.
+  if (factory) {
+    return factory->createPrivateKeyOperationsProviderInstance(config_name, config_source,
+                                                               private_key_provider_context);
+  }
 
   return nullptr;
 }

source/extensions/transport_sockets/tls/private_key/private_key_manager_impl.h

@@ -2,6 +2,7 @@
 
 #include "envoy/api/v2/core/config_source.pb.h"
 #include "envoy/ssl/private_key/private_key.h"
+#include "envoy/ssl/private_key/private_key_config.h"
 
 namespace Envoy {
 namespace Extensions {
@@ -10,9 +11,9 @@ namespace Tls {
 
 class PrivateKeyOperationsManagerImpl : public virtual Ssl::PrivateKeyOperationsManager {
 public:
-  Ssl::PrivateKeyOperationsProviderSharedPtr
-  findPrivateKeyOperationsProvider(const envoy::api::v2::core::ConfigSource& config_source,
-                                   const std::string& config_name) override;
+  Ssl::PrivateKeyOperationsProviderSharedPtr createPrivateKeyOperationsProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& private_key_provider_context) override;
 };
 
 } // namespace Tls