Implement an iOS platform certificate verifier.#2638
Implement an iOS platform certificate verifier.#2638RyanTheOptimist merged 23 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
|
/assign @jpsim |
|
@jpsim this is finally passing CI. Woo hoo! I'm 100% confident that it needs work, but I'm not clear enough on how iOS work in Envoy Mobile to really have a good sense for where this code should go/what it should look like. So this is really more of rough draft than a ready-to-review PR, but if you could take a look, I would appreciate it. |
| private var enableBrotli: Bool = false | ||
| private var enableInterfaceBinding: Bool = false | ||
| private var enforceTrustChainVerification: Bool = true | ||
| private var enablePlatformCertificateValidation: Bool = true |
There was a problem hiding this comment.
Should this default to false until it's been vetted in a production experiment?
| private var enablePlatformCertificateValidation: Bool = true | |
| private var enablePlatformCertificateValidation: Bool = false |
There was a problem hiding this comment.
Yes, definitely! This was a hack to make sure this new code would be run though CI to help make sure it works. Do you have a suggestion for how to write a test for this code? Or alternatively, a suggestion for some place I could explicitly enable in, maybe in the experimental app?
|
It's great to see this @RyanTheOptimist! My main thought is if it's possible to move the bulk of this into the I look forward to being able to stop bundling certs with Envoy Mobile in the long run! |
RyanTheOptimist
left a comment
RyanTheOptimist
left a comment
There was a problem hiding this comment.
Thanks for the review!
| private var enableBrotli: Bool = false | ||
| private var enableInterfaceBinding: Bool = false | ||
| private var enforceTrustChainVerification: Bool = true | ||
| private var enablePlatformCertificateValidation: Bool = true |
There was a problem hiding this comment.
Yes, definitely! This was a hack to make sure this new code would be run though CI to help make sure it works. Do you have a suggestion for how to write a test for this code? Or alternatively, a suggestion for some place I could explicitly enable in, maybe in the experimental app?
Update library/objective-c/EnvoyConfiguration.m Fix test constant Fix Test revert .bazelrc Co-authored-by: JP Simard <jp@jpsim.com> Signed-off-by: Ryan Hamilton <rch@google.com>
RyanTheOptimist
force-pushed
the
ios_verifier
branch
from
7f8c2c5 to
4f4fe2d
Compare
Signed-off-by: Ryan Hamilton <rch@google.com>
jpsim
left a comment
jpsim
left a comment
There was a problem hiding this comment.
This is really shaping up! Did you want to hook this up in the C++ builder in this PR or as a followup?
|
I think I'm seeing a crash with this enabled: |
|
The crash happened when I was stepping through code in lldb breakpoints, so it may have influenced the crash. I haven't seen the crash since running without stopping at a breakpoint. Can you add this to the experimental app so we get some integration test coverage? |
Signed-off-by: Ryan Hamilton <rch@google.com>
I'd prefer to hook up in a followup, just to keep this smaller, if that works for you? |
Is the experimental all the same thing as hello_world? I enabled it there, hoping that's what you're looking for, but maybe not? |
RyanTheOptimist
left a comment
RyanTheOptimist
left a comment
There was a problem hiding this comment.
Thanks for the review!
No, we try to keep the "hello world" type apps focused, the "baseline" apps as using the default engine builder configurations and the "experimental" apps using non-default engine builder configurations. Can you set |
Signed-off-by: Ryan Hamilton <rch@google.com>
Oh, I see. Done! |
library/common/network/BUILD
Outdated
| ) | ||
|
|
||
| cc_library( | ||
| name = "ios_platform_verifier", |
There was a problem hiding this comment.
Nit: can we call this apple_cert_verifier since "verifier" could imply it verifies a lot of things, and this applies to all Apple platforms, not just iOS, and mirrors the naming of the apple_dns_resolver.
| name = "ios_platform_verifier", | |
| name = "apple_platform_cert_verifier", |
There was a problem hiding this comment.
Good idea. Done.
library/common/network/BUILD
Outdated
| ], | ||
| "//conditions:default": [], | ||
| }), | ||
| ) No newline at end of file |
There was a problem hiding this comment.
Can you add a trailing newline to match unix conventions?
There was a problem hiding this comment.
Done. Not sure how that crept back :/ (Also not sure why clang-format didn't fix it. But c'est la vie)
jpsim
left a comment
jpsim
left a comment
There was a problem hiding this comment.
Hooray, great job setting this up.
Signed-off-by: Ryan Hamilton <rch@google.com>
Signed-off-by: Ryan Hamilton <rch@google.com>
…builder-function * origin/main: ci: hopefully fixing bes timeout failures (#2666) Update Envoy (#2660) bazel: update rules_jvm_external to 4.5 (#2665) Remove note about DWARF patch being required (#2645) Bump Lyft Support Rotation (#2661) build: remove alwayslink set enablePlatformCertificateValidation to false on iOS by default (#2663) bump Envoy dep (#2659) Implement an iOS platform certificate verifier. (#2638) Signed-off-by: JP Simard <jp@jpsim.com>
2 participants
Implement an iOS platform certificate verifier
and Swift builder APIs for enabling it.
Risk Level: Low
Testing: Help?
Docs Changes: N/A
Release Notes: Updated version_history.txt
Signed-off-by: Ryan Hamilton rch@google.com