Skip to content

Standard grpc mTLS #3909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 114 commits into from
Mar 31, 2025
Merged

Standard grpc mTLS #3909

Changes from 2 commits
Commits
Show all changes
114 commits
Select commit Hold shift + click to select a range
f1894cf
[platform] added the platform root_cert path utility function.
georgeliao Jan 29, 2025
92ae3eb
[platform] change the default root cert location
georgeliao Jan 29, 2025
47ef48f
[ssl cert] added root certificate generation utility function.
georgeliao Jan 30, 2025
a7b70b9
[ssl cert] added the utility function of signing server certificate b…
georgeliao Jan 30, 2025
8838aa3
[ssl cert] a small variable name improvement.
georgeliao Jan 30, 2025
2421fb5
[ssl cert][client] adapted the make_cert_key_pair function so it can …
georgeliao Jan 30, 2025
b8310b5
[unit test][ssl cert] fixed the unit tests in test_ssl_cert_provider.cpp
georgeliao Jan 30, 2025
049f7c2
[unit test] fixed the unit tests in test_cli_client.cpp file
georgeliao Jan 30, 2025
3aceacc
[unit test][daemon rpc] fixed the unt tests in test_daemon_rpc.cpp file
georgeliao Jan 30, 2025
dd0349e
[unit tests][daemon] fixes the unit tests in test_daemon.cpp
georgeliao Jan 30, 2025
862e62e
[unit test][daemon find] fixed the unit tests in test_daemon_find.cpp
georgeliao Jan 30, 2025
0b5d95f
[unit test][alias dict] fixed the unit tests in test_alias_dict.cpp
georgeliao Jan 30, 2025
065b134
[ssl cert] fixed the format.
georgeliao Jan 30, 2025
7044051
[unit test][client common] fixed the unit tests in test_client_common…
georgeliao Jan 31, 2025
dd4e6c1
[unit test] added constness to mock_utils and to corresponding functi…
georgeliao Jan 31, 2025
1ceadc3
[unit test] added constness to MockUtils and corresponding function.
georgeliao Jan 31, 2025
92379b2
[unit test] fixed the format.
georgeliao Jan 31, 2025
54a0093
[ssl cert] added some missed constness.
georgeliao Jan 31, 2025
e025373
[unit test] removed daemon_cert and daemon_key.
georgeliao Jan 31, 2025
8ee9d14
[ssl cert] Using OpenSSL's built-in function to create SAN field.
georgeliao Jan 31, 2025
ec7cdb2
[ssl cert] use default argument instead of function overload.
georgeliao Feb 1, 2025
33d25a4
[ssl cert] remove the cn_name_from function since the dispatch is don…
georgeliao Feb 2, 2025
a017c44
[ssl cert] added cert type enum to facilitate the deduplication of th…
georgeliao Feb 2, 2025
3795eb9
[ssl cert] merged the root, client, signed server certificate generat…
georgeliao Feb 2, 2025
192f690
[ssl cert] modernize the key generation by using openssl 3.0 C apis
georgeliao Feb 3, 2025
905a29c
[ssl cert] use decltype on function pointer directly. So it is consis…
georgeliao Feb 3, 2025
a744702
[ssl cert] remove unneeded headers.
georgeliao Feb 3, 2025
61a4282
[ssl cert] use std::array to replace C-style array to interface with …
georgeliao Feb 3, 2025
a6e7a84
[ssl cert] added comment on the OSSL_PARAM_construct_utf8_string func…
georgeliao Feb 3, 2025
6f6e66b
[ssl cert] rename x509 to cert for better match with variable name EV…
georgeliao Feb 3, 2025
72f681c
[ssl cert] use nullptr instead of NULL to comply with Modern C++ style.
georgeliao Feb 3, 2025
147b2c2
[ssl cert] using add_extension function to deduplicate some code.
georgeliao Feb 3, 2025
d5ee690
[ssl cert] use std::unique_ptr and custom deleter to simplify the code
georgeliao Feb 3, 2025
243efa1
[ssl cert] added check to the pointer and the function return code
georgeliao Feb 3, 2025
e94fb2d
[ssl cert] added the root certificate existence check for server cert…
georgeliao Feb 4, 2025
0825a0c
[vcpckg][grpc client] Switch the gRPC repository to the standard one …
georgeliao Feb 4, 2025
edf1115
[platform] added snap root cert file path
georgeliao Feb 4, 2025
2b69d63
[ssl cert] fixes the snap version multipass can not overwrite the key…
georgeliao Feb 5, 2025
3058143
[ssl cert] convert from std::function to function pointer to avoid th…
georgeliao Feb 6, 2025
9c5e0a7
[ssl cert] added comment for why use hard coded function pointer
georgeliao Feb 6, 2025
8afa5af
[ssl cert] added a comment for the WritableFile constructor change
georgeliao Feb 6, 2025
dc9fdb4
[ssl cert] standardize the serial number format.
georgeliao Feb 6, 2025
a3a317e
[ssl cert] using std::unique_ptr to automate memory management.
georgeliao Feb 6, 2025
64aeb8c
[ssl cert] replace fprint with throw.
georgeliao Feb 6, 2025
a078ab5
[ssl cert] use raw bitwise operation rather than calling BN_set_bit.
georgeliao Feb 6, 2025
59cb1b3
[unit test][ssl cert] added a comment for creates_different_certs_pe…
georgeliao Feb 6, 2025
a8d12f1
[ssl cert] fixes the ci compilation error.
georgeliao Feb 7, 2025
23e3006
[ssl cert] addressed one review comment.
georgeliao Feb 7, 2025
84b1fc1
Update tests/test_alias_dict.cpp
georgeliao Feb 7, 2025
ecff7ed
Update tests/test_cli_client.cpp
georgeliao Feb 7, 2025
85f1976
Update tests/test_client_common.cpp
georgeliao Feb 7, 2025
c7c7c1f
Update tests/test_daemon_find.cpp
georgeliao Feb 7, 2025
c95b81c
Update src/platform/platform_unix.cpp
georgeliao Feb 7, 2025
53fd6c2
[ssl cert] use cached variable to avoid double conversion.
georgeliao Feb 7, 2025
9d83a9e
[platform] fixes the lint.
georgeliao Feb 7, 2025
84d84ef
[platform] move the get_root_cert_path function from unix to linux.
georgeliao Feb 7, 2025
b2d0368
Update tests/test_daemon.cpp
georgeliao Feb 7, 2025
c321ebc
[platform] fix the lint.
georgeliao Feb 7, 2025
60fe47a
[platform][linux] used the mp::StandardPaths::AppDataLocation instead…
georgeliao Feb 10, 2025
ef8bd74
[ssl cert] restore the accidentally deleted X509_set_version call.
georgeliao Feb 11, 2025
82cfa6e
[platform][linux] change the snap case storage location back to snap …
georgeliao Feb 11, 2025
4d374a0
[platform][linux] fix the snap path mistake.
georgeliao Feb 11, 2025
07557b8
[ssl cert] make sure the parent directory of key, certificate file al…
georgeliao Feb 12, 2025
21b6bc9
[ssl cert] fixed the windows build failure.
georgeliao Feb 12, 2025
5f412a2
[ssl cert] replace the remove file with adding owner write permission…
georgeliao Feb 12, 2025
0f97e5c
[client][cert] removed the unneeded check and create directory.
georgeliao Feb 13, 2025
e84205a
[ssl cert] move the permission change from WritableFile to EVPKey::wr…
georgeliao Feb 13, 2025
8de2df4
[daemon_config] remove the unneeded MP_UTILS.make_dir call .
georgeliao Feb 13, 2025
9934ea4
[unit test][ssl cert] removed the unneeded MP_UTILS.make_dir call.
georgeliao Feb 13, 2025
5eaf6ad
[unit test][platform linux] added a unit test to cover multipass_fina…
georgeliao Feb 13, 2025
9a353ee
[platform][linux] moved "/data/multipassd" out so the user defined st…
georgeliao Feb 13, 2025
c0ce12e
[ssl cert] moved the creating file pointer logic to a function, so th…
georgeliao Feb 14, 2025
6444ca4
[ssl cert] moved the raw key pointer creation into a function so the …
georgeliao Feb 14, 2025
56507be
[ssl cert] used the chrono time units to improve the readability.
georgeliao Feb 14, 2025
1afb812
[ssl cert] added assertion to the end BIGNUM value.
georgeliao Feb 14, 2025
59f1fd5
[ssl cert] changed the remaining NULL to nullptr
georgeliao Feb 14, 2025
302d7d6
[ssl cert] added comment for the usage of the SSLCertProvider class.
georgeliao Feb 14, 2025
9747cbb
[ssl cert] fixed the linter.
georgeliao Feb 17, 2025
3984815
[platform] for just testing snap standardpaths values.
georgeliao Feb 18, 2025
d18e3cc
[platform linuxj] removed the logs and use constant variable for mult…
georgeliao Feb 24, 2025
c58c8c7
[daemon config] remove the restrict_permissions on data folder.
georgeliao Mar 3, 2025
61f731e
[cert store] enforce ower_all permission to authenticated-certs sub-f…
georgeliao Mar 3, 2025
d08a6bb
[qemu platform] enforce ower_all permission to network sub-folder.
georgeliao Mar 3, 2025
90ef620
[open ssh] enforce permission to ssh-keys sub-folder.
georgeliao Mar 3, 2025
3c4d0f4
[vault] enforce ower_all permission to vault sub-folder.
georgeliao Mar 3, 2025
3db5b2e
[daemon] enforce ower_all permission to multipassd-vm-instances.json …
georgeliao Mar 3, 2025
eb39c87
[daemon config] added explicit permission setting for overwriting pur…
georgeliao Mar 3, 2025
37858e8
[daemon] use toStdU16String for windows possible non-latin characters.
georgeliao Mar 4, 2025
c848554
[ssl cert] enforced zero initialization for some objects creation.
georgeliao Mar 4, 2025
3d22fb5
[ssl cert] added some return code check for some open ssl apis.
georgeliao Mar 4, 2025
2291748
[ssl cert] improve the key creation function by returning unique poin…
georgeliao Mar 4, 2025
b34d78e
[ssl cert] changed create_key to be static private function and made …
georgeliao Mar 4, 2025
51c3025
[ssl cert] changing open_file to return unique pointer.
georgeliao Mar 4, 2025
a5fbc97
[ssl cert] move the open_file into the WritableFile class.
georgeliao Mar 4, 2025
4b8b386
[ssl cert] added nodiscard attribute to some functions.
georgeliao Mar 4, 2025
19e5257
[utils] added check utility function for checking c-api return.
georgeliao Mar 5, 2025
10f1650
[ssl cert] used the check function checking raw file pointer.
georgeliao Mar 5, 2025
9e69003
[ssl cert] more invocations of the check utility function.
georgeliao Mar 5, 2025
bb42414
[ssl cert] more mp::utils::check based refactors
georgeliao Mar 5, 2025
1946644
[ssl cert] more refactor based on mp::utils::check.
georgeliao Mar 5, 2025
9393794
[ssl cert] more refactor based on mp::utils::check.
georgeliao Mar 5, 2025
56c478f
[ssl cert] refined the check utility function.
georgeliao Mar 5, 2025
c3f3bc9
[ssl cert] more refactor based mp::utils::check function.
georgeliao Mar 5, 2025
7a5118a
[ssl cert] more refactor based on the mp::utils::check function.
georgeliao Mar 5, 2025
af78689
[ssl cert] confined the check utility function into ssl_cert_provider…
georgeliao Mar 5, 2025
897c924
Update src/daemon/daemon_config.cpp
georgeliao Mar 6, 2025
ccac46a
[file permission] use restrictive default permission, and only open u…
georgeliao Mar 6, 2025
d5d8ac6
Revert "[cert store] enforce ower_all permission to authenticated-cer…
georgeliao Mar 6, 2025
a8366de
[daemon config] used two steps approach for permission setting.
georgeliao Mar 6, 2025
aed8425
[snap] make snap to setup necessary directory for multipass
georgeliao Mar 7, 2025
7254f69
[daemon config][ssl cert] added group user needed permission for acce…
georgeliao Mar 7, 2025
268ac0d
[ssl cert] fixed the server restart causes the root certificate lose …
georgeliao Mar 27, 2025
fb49148
[ssl cert] added comment for the existing root cert permission overwr…
georgeliao Mar 27, 2025
6c97765
Update src/cert/ssl_cert_provider.cpp
georgeliao Mar 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions src/cert/ssl_cert_provider.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,14 +46,14 @@
{
if (result == nullptr)
{
throw std::runtime_error(errorMessage);

Check warning on line 49 in src/cert/ssl_cert_provider.cpp

View check run for this annotation

Codecov / codecov/patch

src/cert/ssl_cert_provider.cpp#L49 

Added line #L49 was not covered by tests
}
}
else
{
if (result <= 0)
{
throw std::runtime_error(fmt::format("{}, with the error code {}", errorMessage, result));

Check warning on line 56 in src/cert/ssl_cert_provider.cpp

View check run for this annotation

Codecov / codecov/patch

src/cert/ssl_cert_provider.cpp#L56 

Added line #L56 was not covered by tests
}
}
}
Expand Down Expand Up @@ -110,7 +110,7 @@
if (std::filesystem::exists(key_path_std))
{
// enable fopen in WritableFile with wb mode
MP_PLATFORM.set_permissions(key_path_std,

Check warning on line 113 in src/cert/ssl_cert_provider.cpp

View check run for this annotation

Codecov / codecov/patch

src/cert/ssl_cert_provider.cpp#L113 

Added line #L113 was not covered by tests
std::filesystem::perms::owner_read | std::filesystem::perms::owner_write);
}

Expand Down Expand Up @@ -312,7 +312,14 @@
const std::filesystem::path root_cert_path = MP_PLATFORM.get_root_cert_path();
if (std::filesystem::exists(root_cert_path) && QFile::exists(priv_key_path) && QFile::exists(cert_path))
{
// In cases where the root certificate exists within the data folder (such as in Snap or Windows
// environments), its file permissions is unintentionally overwritten due to recursive permission
// settings applied to the entire folder. To ensure the client process has access, we need to explicitly
// reset the file permissions on the root certificate.
MP_PLATFORM.set_permissions(root_cert_path,

Check warning on line 319 in src/cert/ssl_cert_provider.cpp

View check run for this annotation

Codecov / codecov/patch

src/cert/ssl_cert_provider.cpp#L319 

Added line #L319 was not covered by tests
std::filesystem::perms::owner_all | std::filesystem::perms::group_read |
std::filesystem::perms::others_read);
return {mp::utils::contents_of(cert_path), mp::utils::contents_of(priv_key_path)};

Check warning on line 322 in src/cert/ssl_cert_provider.cpp

View check run for this annotation

Codecov / codecov/patch

src/cert/ssl_cert_provider.cpp#L322 

Added line #L322 was not covered by tests
}

const auto priv_root_key_path = cert_dir.filePath(prefix + "_root_key.pem");
Expand Down
Loading