Add validation context provider

include/envoy/secret/BUILD

@@ -19,6 +19,7 @@ envoy_cc_library(
     deps = [
         ":secret_callbacks_interface",
         "//include/envoy/common:callback",
+        "//include/envoy/ssl:certificate_validation_context_config_interface",
         "//include/envoy/ssl:tls_certificate_config_interface",
     ],
 )

include/envoy/secret/secret_manager.h

@@ -31,12 +31,30 @@ class SecretManager {
   virtual TlsCertificateConfigProviderSharedPtr
   findStaticTlsCertificateProvider(const std::string& name) const PURE;
 
+  /**
+   * @param name a name of the static CertificateValidationContextConfigProviderSharedPtr.
+   * @return the CertificateValidationContextConfigProviderSharedPtr. Returns nullptr
+   * if the static certificate validation context is not found.
+   */
+  virtual CertificateValidationContextConfigProviderSharedPtr
+  findStaticCertificateValidationContextProvider(const std::string& name) const PURE;
+
   /**
    * @param tls_certificate the protobuf config of the TLS certificate.
    * @return a TlsCertificateConfigProviderSharedPtr created from tls_certificate.
    */
   virtual TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
       const envoy::api::v2::auth::TlsCertificate& tls_certificate) PURE;
+
+  /**
+   * @param tls_certificate the protobuf config of the certificate validation context.
+   * @return a CertificateValidationContextConfigProviderSharedPtr created from
+   * certificate_validation_context.
+   */
+  virtual CertificateValidationContextConfigProviderSharedPtr
+  createInlineCertificateValidationContextProvider(
+      const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context)
+      PURE;
 };
 
 } // namespace Secret

include/envoy/secret/secret_provider.h

@@ -4,6 +4,7 @@
 
 #include "envoy/common/callback.h"
 #include "envoy/common/pure.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -34,5 +35,10 @@ template <class SecretType> class SecretProvider {
 typedef SecretProvider<Ssl::TlsCertificateConfig> TlsCertificateConfigProvider;
 typedef std::shared_ptr<TlsCertificateConfigProvider> TlsCertificateConfigProviderSharedPtr;
 
+typedef SecretProvider<Ssl::CertificateValidationContextConfig>
+    CertificateValidationContextConfigProvider;
+typedef std::shared_ptr<CertificateValidationContextConfigProvider>
+    CertificateValidationContextConfigProviderSharedPtr;
+
 } // namespace Secret
 } // namespace Envoy

include/envoy/ssl/BUILD

@@ -22,6 +22,7 @@ envoy_cc_library(
     name = "context_config_interface",
     hdrs = ["context_config.h"],
     deps = [
+        ":certificate_validation_context_config_interface",
         ":tls_certificate_config_interface",
     ],
 )
@@ -40,3 +41,8 @@ envoy_cc_library(
     name = "tls_certificate_config_interface",
     hdrs = ["tls_certificate_config.h"],
 )
+
+envoy_cc_library(
+    name = "certificate_validation_context_config_interface",
+    hdrs = ["certificate_validation_context_config.h"],
+)

include/envoy/ssl/certificate_validation_context_config.h

@@ -0,0 +1,61 @@
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "envoy/common/pure.h"
+
+namespace Envoy {
+namespace Ssl {
+
+class CertificateValidationContextConfig {
+public:
+  virtual ~CertificateValidationContextConfig() {}
+
+  /**
+   * @return The CA certificate to use for peer validation.
+   */
+  virtual const std::string& caCert() const PURE;
+
+  /**
+   * @return Path of the CA certificate to use for peer validation or "<inline>"
+   * if the CA certificate was inlined.
+   */
+  virtual const std::string& caCertPath() const PURE;
+
+  /**
+   * @return The CRL to check if a cert is revoked.
+   */
+  virtual const std::string& certificateRevocationList() const PURE;
+
+  /**
+   * @return Path of the certificate revocation list, or "<inline>" if the CRL
+   * was inlined.
+   */
+  virtual const std::string& certificateRevocationListPath() const PURE;
+
+  /**
+   * @return The subject alt names to be verified, if enabled. Otherwise, ""
+   */
+  virtual const std::vector<std::string>& verifySubjectAltNameList() const PURE;
+
+  /**
+   * @return A list of a hex-encoded SHA-256 certificate hashes to be verified.
+   */
+  virtual const std::vector<std::string>& verifyCertificateHashList() const PURE;
+
+  /**
+   * @return A list of a hex-encoded SHA-256 SPKI hashes to be verified.
+   */
+  virtual const std::vector<std::string>& verifyCertificateSpkiList() const PURE;
+
+  /**
+   * @return whether to ignore expired certificates (both too new and too old).
+   */
+  virtual bool allowExpiredCertificate() const PURE;
+};
+
+typedef std::unique_ptr<CertificateValidationContextConfig> CertificateValidationContextConfigPtr;
+
+} // namespace Ssl
+} // namespace Envoy

include/envoy/ssl/context_config.h

@@ -5,6 +5,7 @@
 #include <vector>
 
 #include "envoy/common/pure.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -39,52 +40,15 @@ class ContextConfig {
    */
   virtual const std::string& ecdhCurves() const PURE;
 
-  /**
-   * @return The CA certificate to use for peer validation.
-   */
-  virtual const std::string& caCert() const PURE;
-
-  /**
-   * @return Path of the CA certificate to use for peer validation or "<inline>"
-   * if the CA certificate was inlined.
-   */
-  virtual const std::string& caCertPath() const PURE;
-
-  /**
-   * @return The CRL to check if a cert is revoked.
-   */
-  virtual const std::string& certificateRevocationList() const PURE;
-
-  /**
-   * @return Path of the certificate revocation list, or "<inline>" if the CRL
-   * was inlined.
-   */
-  virtual const std::string& certificateRevocationListPath() const PURE;
-
   /**
    * @return TlsCertificateConfig the certificate config used to identify the local side.
    */
   virtual const TlsCertificateConfig* tlsCertificate() const PURE;
 
   /**
-   * @return The subject alt names to be verified, if enabled. Otherwise, ""
-   */
-  virtual const std::vector<std::string>& verifySubjectAltNameList() const PURE;
-
-  /**
-   * @return A list of a hex-encoded SHA-256 certificate hashes to be verified.
-   */
-  virtual const std::vector<std::string>& verifyCertificateHashList() const PURE;
-
-  /**
-   * @return A list of a hex-encoded SHA-256 SPKI hashes to be verified.
-   */
-  virtual const std::vector<std::string>& verifyCertificateSpkiList() const PURE;
-
-  /**
-   * @return whether to ignore expired certificates (both too new and too old).
+   * @return CertificateValidationContextConfig the certificate validation context config.
    */
-  virtual bool allowExpiredCertificate() const PURE;
+  virtual const CertificateValidationContextConfig* certificateValidationContext() const PURE;
 
   /**
    * @return The minimum TLS protocol version to negotiate.

source/common/common/logger.h

@@ -44,6 +44,7 @@ namespace Logger {
   FUNCTION(router)               \
   FUNCTION(runtime)              \
   FUNCTION(stats)                \
+  FUNCTION(secret)               \
   FUNCTION(testing)              \
   FUNCTION(thrift)               \
   FUNCTION(tracing)              \

source/common/secret/BUILD

@@ -26,6 +26,7 @@ envoy_cc_library(
     hdrs = ["secret_provider_impl.h"],
     deps = [
         "//include/envoy/secret:secret_provider_interface",
+        "//source/common/ssl:certificate_validation_context_config_impl_lib",
         "//source/common/ssl:tls_certificate_config_impl_lib",
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],

source/common/secret/secret_manager_impl.cc

@@ -4,6 +4,7 @@
 
 #include "common/common/assert.h"
 #include "common/secret/secret_provider_impl.h"
+#include "common/ssl/certificate_validation_context_config_impl.h"
 #include "common/ssl/tls_certificate_config_impl.h"
 
 namespace Envoy {
@@ -21,6 +22,17 @@ void SecretManagerImpl::addStaticSecret(const envoy::api::v2::auth::Secret& secr
     }
     break;
   }
+  case envoy::api::v2::auth::Secret::TypeCase::kValidationContext: {
+    auto secret_provider = std::make_shared<CertificateValidationContextConfigProviderImpl>(
+        secret.validation_context());
+    if (!static_certificate_validation_context_providers_
+             .insert(std::make_pair(secret.name(), secret_provider))
+             .second) {
+      throw EnvoyException(fmt::format(
+          "Duplicate static CertificateValidationContext secret name {}", secret.name()));
+    }
+    break;
+  }
   default:
     throw EnvoyException("Secret type not implemented");
   }
@@ -32,10 +44,24 @@ SecretManagerImpl::findStaticTlsCertificateProvider(const std::string& name) con
   return (secret != static_tls_certificate_providers_.end()) ? secret->second : nullptr;
 }
 
+CertificateValidationContextConfigProviderSharedPtr
+SecretManagerImpl::findStaticCertificateValidationContextProvider(const std::string& name) const {
+  auto secret = static_certificate_validation_context_providers_.find(name);
+  return (secret != static_certificate_validation_context_providers_.end()) ? secret->second
+                                                                            : nullptr;
+}
+
 TlsCertificateConfigProviderSharedPtr SecretManagerImpl::createInlineTlsCertificateProvider(
     const envoy::api::v2::auth::TlsCertificate& tls_certificate) {
   return std::make_shared<TlsCertificateConfigProviderImpl>(tls_certificate);
 }
 
+CertificateValidationContextConfigProviderSharedPtr
+SecretManagerImpl::createInlineCertificateValidationContextProvider(
+    const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context) {
+  return std::make_shared<CertificateValidationContextConfigProviderImpl>(
+      certificate_validation_context);
+}
+
 } // namespace Secret
 } // namespace Envoy

source/common/secret/secret_manager_impl.h

@@ -4,24 +4,40 @@
 
 #include "envoy/secret/secret_manager.h"
 #include "envoy/secret/secret_provider.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 #include "common/common/logger.h"
 
 namespace Envoy {
 namespace Secret {
 
-class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::upstream> {
+class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::secret> {
 public:
   void addStaticSecret(const envoy::api::v2::auth::Secret& secret) override;
+
   TlsCertificateConfigProviderSharedPtr
   findStaticTlsCertificateProvider(const std::string& name) const override;
+
+  CertificateValidationContextConfigProviderSharedPtr
+  findStaticCertificateValidationContextProvider(const std::string& name) const override;
+
   TlsCertificateConfigProviderSharedPtr createInlineTlsCertificateProvider(
       const envoy::api::v2::auth::TlsCertificate& tls_certificate) override;
 
+  CertificateValidationContextConfigProviderSharedPtr
+  createInlineCertificateValidationContextProvider(
+      const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context)
+      override;
+
 private:
+  // Manages pairs of secret name and TlsCertificateConfigProviderSharedPtr.
   std::unordered_map<std::string, TlsCertificateConfigProviderSharedPtr>
       static_tls_certificate_providers_;
+
+  // Manages pairs of secret name and CertificateValidationContextConfigProviderSharedPtr.
+  std::unordered_map<std::string, CertificateValidationContextConfigProviderSharedPtr>
+      static_certificate_validation_context_providers_;
 };
 
 } // namespace Secret

source/common/secret/secret_provider_impl.cc

@@ -1,6 +1,7 @@
 #include "common/secret/secret_provider_impl.h"
 
 #include "common/common/assert.h"
+#include "common/ssl/certificate_validation_context_config_impl.h"
 #include "common/ssl/tls_certificate_config_impl.h"
 
 namespace Envoy {
@@ -10,5 +11,10 @@ TlsCertificateConfigProviderImpl::TlsCertificateConfigProviderImpl(
     const envoy::api::v2::auth::TlsCertificate& tls_certificate)
     : tls_certificate_(std::make_unique<Ssl::TlsCertificateConfigImpl>(tls_certificate)) {}
 
+CertificateValidationContextConfigProviderImpl::CertificateValidationContextConfigProviderImpl(
+    const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context)
+    : certificate_validation_context_(std::make_unique<Ssl::CertificateValidationContextConfigImpl>(
+          certificate_validation_context)) {}
+
 } // namespace Secret
 } // namespace Envoy

source/common/secret/secret_provider_impl.h

@@ -4,6 +4,7 @@
 
 #include "envoy/api/v2/auth/cert.pb.h"
 #include "envoy/secret/secret_provider.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/tls_certificate_config.h"
 
 namespace Envoy {
@@ -21,5 +22,21 @@ class TlsCertificateConfigProviderImpl : public TlsCertificateConfigProvider {
   Ssl::TlsCertificateConfigPtr tls_certificate_;
 };
 
+class CertificateValidationContextConfigProviderImpl
+    : public CertificateValidationContextConfigProvider {
+public:
+  CertificateValidationContextConfigProviderImpl(
+      const envoy::api::v2::auth::CertificateValidationContext& certificate_validation_context);
+
+  const Ssl::CertificateValidationContextConfig* secret() const override {
+    return certificate_validation_context_.get();
+  }
+
+  Common::CallbackHandle* addUpdateCallback(std::function<void()>) override { return nullptr; }
+
+private:
+  Ssl::CertificateValidationContextConfigPtr certificate_validation_context_;
+};
+
 } // namespace Secret
 } // namespace Envoy

source/common/ssl/BUILD

@@ -85,6 +85,18 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "certificate_validation_context_config_impl_lib",
+    srcs = ["certificate_validation_context_config_impl.cc"],
+    hdrs = ["certificate_validation_context_config_impl.h"],
+    deps = [
+        "//include/envoy/ssl:certificate_validation_context_config_interface",
+        "//source/common/common:empty_string",
+        "//source/common/config:datasource_lib",
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],