HPCC-27255 TLS cert/key as buffers

Signed-off-by: Mark Kelly <[email protected]>
hpcc-systems · Aug 29, 2023 · 75bae22 · 75bae22
1 parent a8c9ce0
commit 75bae22
Show file tree

Hide file tree

Showing 6 changed files with 339 additions and 53 deletions.
diff --git a/esp/bindings/SOAP/Platform/soapbind.cpp b/esp/bindings/SOAP/Platform/soapbind.cpp
@@ -271,6 +271,29 @@ int CHttpSoapBinding::HandleSoapRequest(CHttpRequest* request, CHttpResponse* re
     return 0;
 }
 
+static IPropertyTree *createSecClientConfigBuf(const char *clientCertBuf, const char *clientPrivKeyBuf, const char *caCertsBuf, bool acceptSelfSigned)
+{
+    Owned<IPropertyTree> info = createPTree();
+
+    if (!isEmptyString(clientCertBuf))
+    {
+        info->setProp("certificatebuf", clientCertBuf);
+        if (!isEmptyString(clientPrivKeyBuf))
+            info->setProp("privatekeybuf", clientPrivKeyBuf);
+    }
+
+    IPropertyTree *verify = ensurePTree(info, "verify");
+    if (!isEmptyString(caCertsBuf))
+    {
+        IPropertyTree *ca = ensurePTree(verify, "ca_certificates");
+        ca->setProp("@cacertbuf", caCertsBuf);
+    }
+    verify->setPropBool("@enable", true);
+    verify->setPropBool("@accept_selfsigned", acceptSelfSigned);
+    verify->setProp("trusted_peers", "anyone");
+
+    return info.getClear();
+}
 
 static IPropertyTree *createSecClientConfig(const char *clientCertPath, const char *clientPrivateKey, const char *caCertsPath, bool acceptSelfSigned)
 {
@@ -313,7 +336,12 @@ void CSoapRequestBinding::post(const char *proxy, const char* url, IRpcResponseB
         soapclient.setReadTimeoutSecs(readTimeoutSecs_);
     if (mtls_secret_.length())
         soapclient.setMtlsSecretName(mtls_secret_);
-    if (client_cert_.length() || ca_certs_.length() || accept_self_signed_)
+
+    if (client_cert_buf_.length() || ca_certs_buf_.length())
+        soapclient.setSecureSocketConfig(createSecClientConfigBuf(client_cert_buf_, client_priv_key_buf_, ca_certs_buf_, accept_self_signed_));
+    else if (client_cert_.length() || ca_certs_.length())
+        soapclient.setSecureSocketConfig(createSecClientConfig(client_cert_, client_priv_key_, ca_certs_, accept_self_signed_));
+    else if (accept_self_signed_)
         soapclient.setSecureSocketConfig(createSecClientConfig(client_cert_, client_priv_key_, ca_certs_, accept_self_signed_));
 
     soapclient.setUsernameToken(soap_getUserId(), soap_getPassword(), soap_getRealm());

diff --git a/esp/bindings/SOAP/Platform/soapbind.hpp b/esp/bindings/SOAP/Platform/soapbind.hpp
@@ -132,8 +132,11 @@ class esp_http_decl CSoapRequestBinding : public CSoapComplexType,
     StringBuffer password_;
     StringBuffer realm_;
     StringBuffer mtls_secret_;
+    StringBuffer client_cert_buf_;
     StringBuffer client_cert_;
+    StringBuffer client_priv_key_buf_;
     StringBuffer client_priv_key_;
+    StringBuffer ca_certs_buf_;
     StringBuffer ca_certs_;
     bool accept_self_signed_ = false;
 
@@ -182,11 +185,21 @@ class esp_http_decl CSoapRequestBinding : public CSoapComplexType,
     const char *getMtlsSecretName(){return mtls_secret_.str();}
 
     void setCACertificates(const char *path) override {ca_certs_.set(path);}
+
     virtual void setClientCertificate(const char *certPath, const char *privateKeyPath) override
     {
         client_cert_.set(certPath);
         client_priv_key_.set(privateKeyPath);
     }
+
+    void setCACertificatesBuf(const char *caCertBuf) override {ca_certs_buf_.set(caCertBuf);}
+
+    virtual void setClientCertificateBuf(const char *certBuf, const char *privKeyBuf)
+    {
+        client_cert_buf_.set(certBuf);
+        client_priv_key_buf_.set(privKeyBuf);
+    }
+
     virtual void setAcceptSelfSigned(bool acceptSelfSigned) override {accept_self_signed_=acceptSelfSigned;}
 
     void post(const char *proxy, const char* url, IRpcResponseBinding& response, const char *action=NULL);
@@ -202,6 +215,28 @@ class esp_http_decl CSoapRequestBinding : public CSoapComplexType,
     }
 };
 
+inline void setRpcSSLOptionsBuf(IEspClientRpcSettings &rpc, bool useSSL, const char *clientCertBuf, const char *clientPrivKeyBuf, const char *caCertBuf, bool acceptSelfSigned)
+{
+    if (useSSL)
+    {
+        // MCK - do we require a client cert ?
+        if (!isEmptyString(clientCertBuf))
+        {
+            if (isEmptyString(clientPrivKeyBuf))
+                throw makeStringException(-1,"Client private key not provided.");
+
+            rpc.setClientCertificateBuf(clientCertBuf, clientPrivKeyBuf);
+        }
+
+        if (!isEmptyString(caCertBuf))
+        {
+            rpc.setCACertificatesBuf(caCertBuf);
+        }
+
+        rpc.setAcceptSelfSigned(acceptSelfSigned);
+    }
+}
+
 inline void setRpcSSLOptions(IEspClientRpcSettings &rpc, bool useSSL, const char *clientCert, const char *clientPrivateKey, const char *caCert, bool acceptSelfSigned)
 {
     if (useSSL)

diff --git a/esp/clients/ws_dfsclient/ws_dfsclient.cpp b/esp/clients/ws_dfsclient/ws_dfsclient.cpp
@@ -577,11 +577,13 @@ static CriticalSection localSecretCrit;
 static constexpr unsigned cachedSecretTimeoutSecs = 120; // 2 mins
 static void configureClientSSL(IEspClientRpcSettings &rpc, const char *secretName)
 {
+#if 0
     /*
      * This is a bit of a kludge, it gets the certificates from secrets, and writes them to local temp strorage.
      * It does this so that it can pass the filename paths to rpc ssl / secure socket layer, which currently only
      * accepts filenames, not binary blobs from memory.
      */
+
     StringBuffer clientCertFilename, clientPrivateKeyFilename, caCertFilename;
 
     StringBuffer tempDirStr;
@@ -635,6 +637,18 @@ static void configureClientSSL(IEspClientRpcSettings &rpc, const char *secretNam
         io->close();
     }
     setRpcSSLOptions(rpc, true, clientCertFilename, clientPrivateKeyFilename, caCertFilename, false);
+#endif
+
+    StringBuffer certSecretBuf;
+    getSecretValue(certSecretBuf, "storage", secretName, "tls.crt", true);
+
+    StringBuffer privKeySecretBuf;
+    getSecretValue(privKeySecretBuf, "storage", secretName, "tls.key", true);
+
+    StringBuffer caCertFileBuf;
+    getSecretValue(caCertFileBuf, "storage", secretName, "ca.crt", true);
+
+    setRpcSSLOptionsBuf(rpc, true, certSecretBuf.str(), privKeySecretBuf.str(), caCertFileBuf.str(), false);
 }
 
 static CriticalSection serviceLeaseMapCS;

diff --git a/esp/platform/esp.hpp b/esp/platform/esp.hpp
@@ -331,6 +331,8 @@ interface IEspClientRpcSettings : extends IEspStruct
     virtual const char * getMtlsSecretName() = 0;
     virtual void setClientCertificate(const char * certPath, const char * privateKeyPath) = 0;
     virtual void setCACertificates(const char * path) = 0;
+    virtual void setClientCertificateBuf(const char *certBuf, const char *privKeyBuf) = 0;
+    virtual void setCACertificatesBuf(const char *caBuf) = 0;
     virtual void setAcceptSelfSigned(bool accept) = 0;
 };