tls: support BoringSSL private key async functionality (#6326)

This PR adds BoringSSL private key API abstraction, as discussed in #6248. All comments and discussion is welcomed to get the API sufficient for most private key API tasks. The PR contains the proposed API and the way how it can be used from ssl_socket.h. Also there is some code showing how the PrivateKeyMethodProvider is coming from TLS certificate config. Two example private key method providers are included in the tests. Description: tls: support BoringSSL private key async functionality Risk Level: medium Testing: two basic private key provider implementation Docs Changes: TLS arch doc, cert.proto doc Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> Mirrored from https://github.com/envoyproxy/envoy @ 9a3a234c3cd1f7b6707746d84eb74414b1990c73
6 years ago · dbb27609fc
parent 920b31b5be
commit dbb27609fc
1 changed files with 27 additions and 0 deletions
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@ -10,6 +10,8 @@ option go_package = "auth";
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";

+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "validate/validate.proto";
@ -102,6 +104,22 @@ message TlsParameters {
  repeated string ecdh_curves = 4;
 }

+// BoringSSL private key method configuration. The private key methods are used for external
+// (potentially asynchronous) signing and decryption operations. Some use cases for private key
+// methods would be TPM support and TLS acceleration.
+message PrivateKeyProvider {
+  // Private key method provider name. The name must match a
+  // supported private key method provider type.
+  string provider_name = 1 [(validate.rules).string.min_bytes = 1];
+
+  // Private key method provider specific configuration.
+  oneof config_type {
+    google.protobuf.Struct config = 2;
+
+    google.protobuf.Any typed_config = 3;
+  }
+}
+
 message TlsCertificate {
  // The TLS certificate chain.
  core.DataSource certificate_chain = 1;
@ -109,6 +127,15 @@ message TlsCertificate {
  // The TLS private key.
  core.DataSource private_key = 2;

+  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
+  // <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
+  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
+  // <envoy_api_field_auth.TlsCertificate.private_key>` and
+  // :ref:`private_key_provider
+  // <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
+  // error.
+  PrivateKeyProvider private_key_provider = 6;
+
  // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
  // TLS private key is not password encrypted.
  core.DataSource password = 3;