tls: implement SPIFFE Certificate Validator for independent multiple trust domain support

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/any.proto";
@@ -211,7 +212,7 @@ message TlsSessionTicketKeys {
       [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
@@ -371,4 +372,16 @@ message CertificateValidationContext {
   // Certificate trust chain verification mode.
   TrustChainVerification trust_chain_verification = 10
       [(validate.rules).enum = {defined_only: true}];
+
+  // The configuration of an extension specific certificate validator.
+  // If specified, all validation is done by the specified validator,
+  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
+  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
+  // The following names are available here:
+  //
+  // .. _extension_envoy.tls.cert_validator.spiffe:
+  //
+  // **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
+  // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
+  config.core.v3.TypedExtensionConfig custom_validator_config = 12;
 }

api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto

@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
+option java_outer_classname = "TlsSpiffeValidatorConfigProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: SPIFFE Certificate Validator]
+
+// Configuration specific to the SPIFFE certificate validator provided at
+// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+//  custom_validator_config:
+//    name: envoy.tls.cert_validator.spiffe
+//    typed_config:
+//      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+//      trust_domains:
+//      - name: foo.com
+//        trust_bundle:
+//          filename: "foo.pem"
+//      - name: envoy.com
+//        trust_bundle:
+//          filename: "envoy.pem"
+//
+// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
+// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
+// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+message SPIFFECertValidatorConfig {
+  message TrustDomain {
+    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+    // Note that this must *not* have "spiffe://" prefix.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+    config.core.v3.DataSource trust_bundle = 2;
+  }
+
+  // This field specifies trust domains used for validating incoming X.509-SVID(s).
+  repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
+}

bazel/envoy_library.bzl

@@ -91,6 +91,7 @@ EXTENSION_CATEGORIES = [
     "envoy.tracers",
     "envoy.transport_sockets.downstream",
     "envoy.transport_sockets.upstream",
+    "envoy.tls.cert_validator",
     "envoy.upstreams",
     "envoy.wasm.runtime",
     "DELIBERATELY_OMITTED",

include/envoy/ssl/BUILD

@@ -57,6 +57,7 @@ envoy_cc_library(
 envoy_cc_library(
     name = "certificate_validation_context_config_interface",
     hdrs = ["certificate_validation_context_config.h"],
+    external_deps = ["abseil_optional"],
     deps = [
         "//source/common/common:matchers_lib",
         "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
@@ -67,14 +68,11 @@ envoy_cc_library(
 envoy_cc_library(
     name = "ssl_socket_extended_info_interface",
     hdrs = ["ssl_socket_extended_info.h"],
-    deps = [
-    ],
 )
 
 envoy_cc_library(
     name = "ssl_socket_state",
     hdrs = ["ssl_socket_state.h"],
-    deps = [],
 )
 
 envoy_cc_library(