Feature untrusted client certs

api/envoy/api/v2/auth/cert.proto

@@ -171,6 +171,21 @@ message TlsSessionTicketKeys {
 }
 
 message CertificateValidationContext {
+
+  // Peer certificate verification mode.
+  enum TrustChainVerification {
+    // Perform default certificate verification (e.g., against CA / verification lists)
+    VERIFY_TRUST_CHAIN = 0;
+    // Connections where the certificate fails verification will be permitted.
+    // For HTTP connections, the certificate details will be unconditionally placed in the
+    // *x-forwarded-untrusted-client-cert* HTTP header.
+    ACCEPT_UNTRUSTED = 1;
+    // Connections will be permitted without certificate verification performed.
+    // For HTTP connections, the certificate details will be unconditionally placed in the
+    // *x-forwarded-untrusted-client-cert* HTTP header.
+    NOT_VERIFIED = 2;
+  }
+
   // TLS certificate data containing certificate authority certificates to use in verifying
   // a presented peer certificate (e.g. server certificate for clusters or client certificate
   // for listeners). If not specified and a peer certificate is presented it will not be
@@ -279,6 +294,9 @@ message CertificateValidationContext {
 
   // If specified, Envoy will not reject expired certificates.
   bool allow_expired_certificate = 8;
+
+  // Certificate trust chain verification mode.
+  TrustChainVerification trust_chain_verification = 9 [(validate.rules).enum.defined_only = true];
 }
 
 // TLS context shared by both client and server TLS contexts.

include/envoy/http/header_map.h

@@ -310,6 +310,7 @@ class HeaderEntry {
   HEADER_FUNC(Etag)                                                                                \
   HEADER_FUNC(Expect)                                                                              \
   HEADER_FUNC(ForwardedClientCert)                                                                 \
+  HEADER_FUNC(ForwardedUntrustedClientCert)                                                        \
   HEADER_FUNC(ForwardedFor)                                                                        \
   HEADER_FUNC(ForwardedProto)                                                                      \
   HEADER_FUNC(GrpcAcceptEncoding)                                                                  \

include/envoy/ssl/BUILD

@@ -56,4 +56,7 @@ envoy_cc_library(
 envoy_cc_library(
     name = "certificate_validation_context_config_interface",
     hdrs = ["certificate_validation_context_config.h"],
+    deps = [
+        "@envoy_api//envoy/api/v2/auth:cert_cc",
+    ],
 )

include/envoy/ssl/certificate_validation_context_config.h

@@ -4,6 +4,7 @@
 #include <string>
 #include <vector>
 
+#include "envoy/api/v2/auth/cert.pb.h"
 #include "envoy/common/pure.h"
 
 namespace Envoy {
@@ -54,6 +55,12 @@ class CertificateValidationContextConfig {
    * @return whether to ignore expired certificates (both too new and too old).
    */
   virtual bool allowExpiredCertificate() const PURE;
+
+  /**
+   * @return client certificate validation configuration.
+   */
+  virtual envoy::api::v2::auth::CertificateValidationContext_TrustChainVerification
+  trustChainVerification() const PURE;
 };
 
 using CertificateValidationContextConfigPtr = std::unique_ptr<CertificateValidationContextConfig>;

include/envoy/ssl/connection.h

@@ -23,6 +23,11 @@ class ConnectionInfo {
    **/
   virtual bool peerCertificatePresented() const PURE;
 
+  /**
+   * @return bool whether the peer certificate was validated.
+   **/
+  virtual bool peerCertificateValidated() const PURE;
+
   /**
    * @return std::string the URIs in the SAN field of the local certificate. Returns {} if there is
    *         no local certificate, or no SAN field, or no URI.

source/common/http/conn_manager_utility.cc

@@ -291,10 +291,11 @@ void ConnectionManagerUtility::mutateXfccRequestHeader(HeaderMap& request_header
   if (config.forwardClientCert() == ForwardClientCertType::AlwaysForwardOnly) {
     return;
   }
-  // When Sanitize is set, or the connection is not mutual TLS, remove the XFCC header.
+  // When Sanitize is set, or the connection is not mutual TLS, remove the XFCC/XFUCC header.
   if (config.forwardClientCert() == ForwardClientCertType::Sanitize ||
       !(connection.ssl() && connection.ssl()->peerCertificatePresented())) {
     request_headers.removeForwardedClientCert();
+    request_headers.removeForwardedUntrustedClientCert();
     return;
   }
 
@@ -362,10 +363,19 @@ void ConnectionManagerUtility::mutateXfccRequestHeader(HeaderMap& request_header
 
   const std::string client_cert_details_str = absl::StrJoin(client_cert_details, ";");
   if (config.forwardClientCert() == ForwardClientCertType::AppendForward) {
-    HeaderMapImpl::appendToHeader(request_headers.insertForwardedClientCert().value(),
-                                  client_cert_details_str);
+    HeaderMapImpl::appendToHeader(
+        connection.ssl()->peerCertificateValidated()
+            ? request_headers.insertForwardedClientCert().value()
+            : request_headers.insertForwardedUntrustedClientCert().value(),
+        client_cert_details_str);
   } else if (config.forwardClientCert() == ForwardClientCertType::SanitizeSet) {
-    request_headers.insertForwardedClientCert().value(client_cert_details_str);
+    if (connection.ssl()->peerCertificateValidated()) {
+      request_headers.insertForwardedClientCert().value(client_cert_details_str);
+      request_headers.removeForwardedUntrustedClientCert();
+    } else {
+      request_headers.removeForwardedClientCert();
+      request_headers.insertForwardedUntrustedClientCert().value(client_cert_details_str);
+    }
   } else {
     NOT_REACHED_GCOVR_EXCL_LINE;
   }

source/common/http/headers.h

@@ -116,6 +116,7 @@ class HeaderValues {
   const LowerCaseString Etag{"etag"};
   const LowerCaseString Expect{"expect"};
   const LowerCaseString ForwardedClientCert{"x-forwarded-client-cert"};
+  const LowerCaseString ForwardedUntrustedClientCert{"x-forwarded-untrusted-client-cert"};
   const LowerCaseString ForwardedFor{"x-forwarded-for"};
   const LowerCaseString ForwardedHost{"x-forwarded-host"};
   const LowerCaseString ForwardedProto{"x-forwarded-proto"};

source/common/ssl/certificate_validation_context_config_impl.cc

@@ -26,7 +26,8 @@ CertificateValidationContextConfigImpl::CertificateValidationContextConfigImpl(
                                     config.verify_certificate_hash().end()),
       verify_certificate_spki_list_(config.verify_certificate_spki().begin(),
                                     config.verify_certificate_spki().end()),
-      allow_expired_certificate_(config.allow_expired_certificate()) {
+      allow_expired_certificate_(config.allow_expired_certificate()),
+      trust_chain_verification_(config.trust_chain_verification()) {
   if (ca_cert_.empty()) {
     if (!certificate_revocation_list_.empty()) {
       throw EnvoyException(fmt::format("Failed to load CRL from {} without trusted CA",

source/common/ssl/certificate_validation_context_config_impl.h

@@ -32,6 +32,10 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte
     return verify_certificate_spki_list_;
   }
   bool allowExpiredCertificate() const override { return allow_expired_certificate_; }
+  envoy::api::v2::auth::CertificateValidationContext_TrustChainVerification
+  trustChainVerification() const override {
+    return trust_chain_verification_;
+  }
 
 private:
   const std::string ca_cert_;
@@ -42,7 +46,9 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte
   const std::vector<std::string> verify_certificate_hash_list_;
   const std::vector<std::string> verify_certificate_spki_list_;
   const bool allow_expired_certificate_;
+  const envoy::api::v2::auth::CertificateValidationContext_TrustChainVerification
+      trust_chain_verification_;
 };
 
 } // namespace Ssl
-} // namespace Envoy
+} // namespace Envoy

source/extensions/transport_sockets/tls/context_impl.cc

@@ -48,6 +48,14 @@ bool cbsContainsU16(CBS& cbs, uint16_t n) {
 
 } // namespace
 
+int ContextImpl::sslCustomDataIndex() {
+  CONSTRUCT_ON_FIRST_USE(int, []() -> int {
+    int ssl_context_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+    RELEASE_ASSERT(ssl_context_index >= 0, "");
+    return ssl_context_index;
+  }());
+}
+
 ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& config,
                          TimeSource& time_source)
     : scope_(scope), stats_(generateStats(scope)), time_source_(time_source),
@@ -92,6 +100,19 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
   }
 
   int verify_mode = SSL_VERIFY_NONE;
+  int verify_mode_validation_context = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+
+  if (config.certificateValidationContext() != nullptr) {
+    envoy::api::v2::auth::CertificateValidationContext_TrustChainVerification verification =
+        config.certificateValidationContext()->trustChainVerification();
+    if (verification == envoy::api::v2::auth::CertificateValidationContext::ACCEPT_UNTRUSTED ||
+        verification == envoy::api::v2::auth::CertificateValidationContext::NOT_VERIFIED) {
+      verify_mode = SSL_VERIFY_PEER; // Ensure client-certs will be requested even if we have
+                                     // nothing to verify against
+      verify_mode_validation_context = SSL_VERIFY_PEER;
+    }
+  }
+
   if (config.certificateValidationContext() != nullptr &&
       !config.certificateValidationContext()->caCert().empty()) {
     ca_file_path_ = config.certificateValidationContext()->caCertPath();
@@ -176,7 +197,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       !config.certificateValidationContext()->verifySubjectAltNameList().empty()) {
     verify_subject_alt_name_list_ =
         config.certificateValidationContext()->verifySubjectAltNameList();
-    verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+    verify_mode = verify_mode_validation_context;
   }
 
   if (config.certificateValidationContext() != nullptr &&
@@ -193,7 +214,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       }
       verify_certificate_hash_list_.push_back(decoded);
     }
-    verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+    verify_mode = verify_mode_validation_context;
   }
 
   if (config.certificateValidationContext() != nullptr &&
@@ -205,7 +226,7 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
       }
       verify_certificate_spki_list_.emplace_back(decoded.begin(), decoded.end());
     }
-    verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+    verify_mode = verify_mode_validation_context;
   }
 
   for (auto& ctx : tls_contexts_) {
@@ -372,6 +393,14 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
     SSL_CTX_set_options(ctx.ssl_ctx_.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
   }
 
+  if (config.certificateValidationContext() != nullptr) {
+    allow_untrusted_certificate_ =
+        config.certificateValidationContext()->trustChainVerification() ==
+            envoy::api::v2::auth::CertificateValidationContext::ACCEPT_UNTRUSTED ||
+        config.certificateValidationContext()->trustChainVerification() ==
+            envoy::api::v2::auth::CertificateValidationContext::NOT_VERIFIED;
+  }
+
   parsed_alpn_protocols_ = parseAlpnProtocols(config.alpnProtocols());
 
   // To enumerate the required builtin ciphers, curves, algorithms, and
@@ -465,32 +494,55 @@ int ContextImpl::ignoreCertificateExpirationCallback(int ok, X509_STORE_CTX* ctx
 
 int ContextImpl::verifyCallback(X509_STORE_CTX* store_ctx, void* arg) {
   ContextImpl* impl = reinterpret_cast<ContextImpl*>(arg);
+  SSL* ssl = reinterpret_cast<SSL*>(
+      X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+  ClientValidationStatus* clientValidationStatus = reinterpret_cast<ClientValidationStatus*>(
+      SSL_get_ex_data(ssl, ContextImpl::sslCustomDataIndex()));
 
   if (impl->verify_trusted_ca_) {
     int ret = X509_verify_cert(store_ctx);
+    if (clientValidationStatus) {
+      *clientValidationStatus =
+          ret == 1 ? ClientValidationStatus::Validated : ClientValidationStatus::Failed;
+    }
+
     if (ret <= 0) {
       impl->stats_.fail_verify_error_.inc();
-      return ret;
+      return impl->allow_untrusted_certificate_ ? 1 : ret;
     }
   }
 
-  SSL* ssl = reinterpret_cast<SSL*>(
-      X509_STORE_CTX_get_ex_data(store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
   bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl));
 
   const Network::TransportSocketOptions* transport_socket_options =
       static_cast<const Network::TransportSocketOptions*>(SSL_get_app_data(ssl));
-  return impl->verifyCertificate(
+  ClientValidationStatus validated = impl->verifyCertificate(
       cert.get(), transport_socket_options &&
                           !transport_socket_options->verifySubjectAltNameListOverride().empty()
                       ? transport_socket_options->verifySubjectAltNameListOverride()
                       : impl->verify_subject_alt_name_list_);
+
+  if (clientValidationStatus) {
+    if (*clientValidationStatus == ClientValidationStatus::NotValidated) {
+      *clientValidationStatus = validated;
+    } else if (validated != ClientValidationStatus::NotValidated) {
+      *clientValidationStatus = validated;
+    }
+  }
+
+  return impl->allow_untrusted_certificate_ ? 1 : (validated != ClientValidationStatus::Failed);
 }
 
-int ContextImpl::verifyCertificate(X509* cert, const std::vector<std::string>& verify_san_list) {
-  if (!verify_san_list.empty() && !verifySubjectAltName(cert, verify_san_list)) {
-    stats_.fail_verify_san_.inc();
-    return 0;
+ClientValidationStatus
+ContextImpl::verifyCertificate(X509* cert, const std::vector<std::string>& verify_san_list) {
+  ClientValidationStatus validated = ClientValidationStatus::NotValidated;
+
+  if (!verify_san_list.empty()) {
+    if (!verifySubjectAltName(cert, verify_san_list)) {
+      stats_.fail_verify_san_.inc();
+      return ClientValidationStatus::Failed;
+    }
+    validated = ClientValidationStatus::Validated;
   }
 
   if (!verify_certificate_hash_list_.empty() || !verify_certificate_spki_list_.empty()) {
@@ -503,11 +555,13 @@ int ContextImpl::verifyCertificate(X509* cert, const std::vector<std::string>& v
 
     if (!valid_certificate_hash && !valid_certificate_spki) {
       stats_.fail_verify_cert_hash_.inc();
-      return 0;
+      return ClientValidationStatus::Failed;
     }
+
+    validated = ClientValidationStatus::Validated;
   }
 
-  return 1;
+  return validated;
 }
 
 void ContextImpl::incCounter(const Stats::StatName name, absl::string_view value) const {

source/extensions/transport_sockets/tls/context_impl.h

@@ -48,6 +48,8 @@ struct SslStats {
   ALL_SSL_STATS(GENERATE_COUNTER_STRUCT, GENERATE_GAUGE_STRUCT, GENERATE_HISTOGRAM_STRUCT)
 };
 
+enum class ClientValidationStatus { NotValidated, NoClientCertificate, Validated, Failed };
+
 class ContextImpl : public virtual Envoy::Ssl::Context {
 public:
   virtual bssl::UniquePtr<SSL> newSsl(const Network::TransportSocketOptions* options);
@@ -77,6 +79,12 @@ class ContextImpl : public virtual Envoy::Ssl::Context {
 
   SslStats& stats() { return stats_; }
 
+  /**
+   * The global SSL-library index used for storing a pointer to the SslSocket
+   * class in the SSL instance, for retrieval in callbacks.
+   */
+  static int sslCustomDataIndex();
+
   // Ssl::Context
   size_t daysUntilFirstCertExpires() const override;
   Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override;
@@ -100,7 +108,8 @@ class ContextImpl : public virtual Envoy::Ssl::Context {
   // A SSL_CTX_set_cert_verify_callback for custom cert validation.
   static int verifyCallback(X509_STORE_CTX* store_ctx, void* arg);
 
-  int verifyCertificate(X509* cert, const std::vector<std::string>& verify_san_list);
+  ClientValidationStatus verifyCertificate(X509* cert,
+                                           const std::vector<std::string>& verify_san_list);
 
   /**
    * Verifies certificate hash for pinning. The hash is a hex-encoded SHA-256 of the DER-encoded
@@ -161,6 +170,7 @@ class ContextImpl : public virtual Envoy::Ssl::Context {
   std::vector<std::string> verify_subject_alt_name_list_;
   std::vector<std::vector<uint8_t>> verify_certificate_hash_list_;
   std::vector<std::vector<uint8_t>> verify_certificate_spki_list_;
+  bool allow_untrusted_certificate_{false};
   Stats::Scope& scope_;
   SslStats stats_;
   std::vector<uint8_t> parsed_alpn_protocols_;

source/extensions/transport_sockets/tls/ssl_socket.cc

@@ -48,7 +48,8 @@ SslSocket::SslSocket(Envoy::Ssl::ContextSharedPtr ctx, InitialState state,
       ctx_(std::dynamic_pointer_cast<ContextImpl>(ctx)), state_(SocketState::PreHandshake) {
   bssl::UniquePtr<SSL> ssl = ctx_->newSsl(transport_socket_options_.get());
   ssl_ = ssl.get();
-  info_ = std::make_shared<SslSocketInfo>(std::move(ssl));
+  info_ = std::make_shared<SslSocketInfo>(std::move(ssl), ctx_);
+
   if (state == InitialState::Client) {
     SSL_set_connect_state(ssl_);
   } else {
@@ -301,11 +302,20 @@ void SslSocket::shutdownSsl() {
   }
 }
 
+SslSocketInfo::SslSocketInfo(bssl::UniquePtr<SSL> ssl, ContextImplSharedPtr ctx)
+    : ssl_(std::move(ssl)) {
+  SSL_set_ex_data(ssl_.get(), ctx->sslCustomDataIndex(), &(this->certificate_validation_status_));
+}
+
 bool SslSocketInfo::peerCertificatePresented() const {
   bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl_.get()));
   return cert != nullptr;
 }
 
+bool SslSocketInfo::peerCertificateValidated() const {
+  return certificate_validation_status_ == ClientValidationStatus::Validated;
+}
+
 std::vector<std::string> SslSocketInfo::uriSanLocalCertificate() const {
   if (!cached_uri_san_local_certificate_.empty()) {
     return cached_uri_san_local_certificate_;