Skip to content

Allow SSL_CTX to use the new multiple certificate slots internally #1100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 28, 2023
Merged

Allow SSL_CTX to use the new multiple certificate slots internally #1100

merged 3 commits into from
Jul 28, 2023

Conversation

@samuel40791765
Copy link
Contributor

@samuel40791765 samuel40791765 commented Jul 19, 2023
edited
Loading

Issues:

Addresses CryptoAlg-1844

Description of changes:

This builds upon the new framework in #1086 to use the new multiple certificate slots available. The SSL connection should use the corresponding index of the certificate and pkey type assigned. As of now, the connection will directly use the last certificate that was set for it's connection. This corresponds with our original behavior before we reintroduced the multiple certificate slots framework, where we only maintained one x509_leaf and one pkey per CERT.
A subsequent PR will be introduced to allow the user to manually select which certificate slots they wish to use.

Call-outs:

These functions change the certificate slot index:

  • SSL_CTX_use_certificate_ASN1 / SSL_use_certificate_ASN1/ SSL_CTX_use_certificate / SSL_use_certificate (functions that call ssl_set_cert internally)
  • SSL_use_*_PrivateKey_* (functions that call ssl_set_pkey internally)

The naming for the list of functions are pretty straightforward. Users setting these functions would have expected SSL_CTX to use the new set certificate/pkey, so it's natural that we switch over to that slot. Despite it seeming straightforward, definately let me know if I should add more documentation regarding this anyways

SSL_CTX_select_current_cert is a bit more interesting since it selects an existing cert in SSL_CTX to use. This will be implemented in one of the next PRs.

Testing:

I've added a new test that sets up a connection with different certificate types and checks if the correct slot is being used.
ED25519 is incompatible with older versions of TLS, so those are skipped.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

justsmth
justsmth reviewed Jul 19, 2023
View reviewed changes
@samuel40791765 samuel40791765 marked this pull request as ready for review July 20, 2023 22:31
@skmcgrail skmcgrail self-requested a review July 25, 2023 17:52
@samuel40791765 samuel40791765 requested a review from a team as a code owner July 25, 2023 22:55
@samuel40791765 samuel40791765 force-pushed the multiple-certs-work branch 2 times, most recently from ad52aa9 to e132ffd Compare July 26, 2023 01:08
skmcgrail
skmcgrail previously approved these changes Jul 26, 2023
View reviewed changes
justsmth
justsmth reviewed Jul 26, 2023
View reviewed changes
@samuel40791765
Copy link
Contributor Author

samuel40791765 commented Jul 26, 2023

While working on Justin's PR comments, I noticed that SSL_CTX_set_chain_and_key (custom BoringSSL only function) also sets up the certificate and private key for use. I fixed it and added a test for it while I was at it.

justsmth
justsmth approved these changes Jul 27, 2023
View reviewed changes
@samuel40791765 samuel40791765 merged commit 99d93a4 into aws:main Jul 28, 2023
@samuel40791765 samuel40791765 deleted the multiple-certs-work branch July 28, 2023 16:42
@skmcgrail skmcgrail mentioned this pull request Aug 1, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@justsmth justsmth justsmth approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@samuel40791765 @skmcgrail @justsmth