diff --git a/include/envoy/network/BUILD b/include/envoy/network/BUILD
index 2c1a20f5e90c6..8cb310b02bc9f 100644
--- a/include/envoy/network/BUILD
+++ b/include/envoy/network/BUILD
@@ -90,6 +90,7 @@ envoy_cc_library(
 ":io_handle_interface",
 "//include/envoy/buffer:buffer_interface",
 "//include/envoy/ssl:connection_interface",
+ "//include/envoy/ssl:context_config_interface",
 ],
 )
diff --git a/include/envoy/network/transport_socket.h b/include/envoy/network/transport_socket.h
index 289f17c28bf2b..cf5dd954e192a 100644
--- a/include/envoy/network/transport_socket.h
+++ b/include/envoy/network/transport_socket.h
@@ -3,6 +3,7 @@
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/pure.h"
 #include "envoy/network/io_handle.h"
+#include "envoy/ssl/certificate_validation_context_config.h"
 #include "envoy/ssl/connection.h"
 #include "absl/types/optional.h"
@@ -181,6 +182,11 @@ class TransportSocketFactory {
 */
 virtual bool implementsSecureTransport() const PURE;
+ /**
+ * @return CertificateValidationContextConfig the certificate validation context config.
+ */
+ virtual const Ssl::CertificateValidationContextConfig* certificateValidationContext() const PURE;
+ /**
+ * @param options for creating the transport socket
+ * @return Network::TransportSocketPtr a transport socket to be passed to connection.
diff --git a/source/common/network/raw_buffer_socket.cc b/source/common/network/raw_buffer_socket.cc
index 21dff87a8e0f5..37ae4d8c21716 100644
--- a/source/common/network/raw_buffer_socket.cc
+++ b/source/common/network/raw_buffer_socket.cc
@@ -88,5 +88,9 @@ RawBufferSocketFactory::createTransportSocket(TransportSocketOptionsSharedPtr) c
 }
 bool RawBufferSocketFactory::implementsSecureTransport() const { return false; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+RawBufferSocketFactory::certificateValidationContext() const {
+ return nullptr;
+}
 } // namespace Network
 } // namespace Envoy
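Review bot: The new pure virtual `certificateValidationContext()` on TransportSocketFactory documents neither that it can return `nullptr` nor who owns the pointer, yet the raw-buffer implementation in this same change returns `nullptr`, so a caller that dereferences without a check crashes on any listener or cluster without TLS. I would rewrite the Doxygen to `@return CertificateValidationContextConfig the certificate validation context config, or nullptr when the transport performs no X.509 validation; non-owning, do not cache across configuration updates.` The caveat about caching is my reading of the TLS factories returning it straight out of their `config_`, whose update path is outside this hunk — confirm before wording it that strongly. The TransportSocketFactory class body continues outside the hunk.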
diff --git a/source/common/network/raw_buffer_socket.h b/source/common/network/raw_buffer_socket.h
index aeb48825e949f..db66dc4c1cd90 100644
--- a/source/common/network/raw_buffer_socket.h
+++ b/source/common/network/raw_buffer_socket.h
@@ -31,6 +31,8 @@ class RawBufferSocketFactory : public TransportSocketFactory {
 // Network::TransportSocketFactory
 TransportSocketPtr createTransportSocket(TransportSocketOptionsSharedPtr options) const override;
 bool implementsSecureTransport() const override;
+ const Envoy::Ssl::CertificateValidationContextConfig*
+ certificateValidationContext() const override;
 };
 } // namespace Network
diff --git a/source/extensions/transport_sockets/alts/tsi_socket.cc b/source/extensions/transport_sockets/alts/tsi_socket.cc
index 65d655fbc578f..2a9df7701858e 100644
--- a/source/extensions/transport_sockets/alts/tsi_socket.cc
+++ b/source/extensions/transport_sockets/alts/tsi_socket.cc
@@ -248,6 +248,10 @@ TsiSocketFactory::TsiSocketFactory(HandshakerFactory handshaker_factory,
 handshake_validator_(std::move(handshake_validator)) {}
 bool TsiSocketFactory::implementsSecureTransport() const { return true; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+TsiSocketFactory::certificateValidationContext() const {
+ return nullptr;
+}
 Network::TransportSocketPtr TsiSocketFactory::createTransportSocket(Network::TransportSocketOptionsSharedPtr) const {
diff --git a/source/extensions/transport_sockets/alts/tsi_socket.h b/source/extensions/transport_sockets/alts/tsi_socket.h
index 8e3ee5e954438..23479855bf8b0 100644
--- a/source/extensions/transport_sockets/alts/tsi_socket.h
+++ b/source/extensions/transport_sockets/alts/tsi_socket.h
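Review bot: `TsiSocketFactory::certificateValidationContext()` returns `nullptr` immediately after an `implementsSecureTransport()` that returns `true`, and nothing at the return site says why a secure transport has no validation context, so a reader or a caller treating null as "no validation configured" gets the wrong idea about ALTS. I would put `// ALTS has no X.509 validation context; peer identity is checked by handshake_validator_ during the TSI handshake.` above the `return nullptr;`. That handshake_validator_ is what performs the peer checks is inferred from its name and the constructor initializer in this hunk, so verify the wording against its implementation. The TsiSocketFactory constructor begins outside the hunk.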
@@ -98,6 +98,8 @@ class TsiSocketFactory : public Network::TransportSocketFactory {
 TsiSocketFactory(HandshakerFactory handshaker_factory, HandshakeValidator handshake_validator);
 bool implementsSecureTransport() const override;
+ const Envoy::Ssl::CertificateValidationContextConfig*
+ certificateValidationContext() const override;
 Network::TransportSocketPtr createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
diff --git a/source/extensions/transport_sockets/tap/tap.cc b/source/extensions/transport_sockets/tap/tap.cc
index 2e830b4a06137..dd2f4b0a12b51 100644
--- a/source/extensions/transport_sockets/tap/tap.cc
+++ b/source/extensions/transport_sockets/tap/tap.cc
@@ -71,6 +71,11 @@ bool TapSocketFactory::implementsSecureTransport() const {
 return transport_socket_factory_->implementsSecureTransport();
 }
+const Envoy::Ssl::CertificateValidationContextConfig*
+TapSocketFactory::certificateValidationContext() const {
+ return transport_socket_factory_->certificateValidationContext();
+}
+
 } // namespace Tap
 } // namespace TransportSockets
 } // namespace Extensions
diff --git a/source/extensions/transport_sockets/tap/tap.h b/source/extensions/transport_sockets/tap/tap.h
index da50dad76f9ce..46ca934bed403 100644
--- a/source/extensions/transport_sockets/tap/tap.h
+++ b/source/extensions/transport_sockets/tap/tap.h
@@ -46,6 +46,8 @@ class TapSocketFactory : public Network::TransportSocketFactory,
 Network::TransportSocketPtr createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
 bool implementsSecureTransport() const override;
+ const Envoy::Ssl::CertificateValidationContextConfig*
+ certificateValidationContext() const override;
 private:
 Network::TransportSocketFactoryPtr transport_socket_factory_;
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc
index 7feefa902dfeb..902ebe4ca9b5b 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.cc
+++ b/source/extensions/transport_sockets/tls/ssl_socket.cc
@@ -415,6 +415,11 @@ Network::TransportSocketPtr ClientSslSocketFactory::createTransportSocket(
 bool ClientSslSocketFactory::implementsSecureTransport() const { return true; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+ClientSslSocketFactory::certificateValidationContext() const {
+ return config_->certificateValidationContext();
+}
+
 void ClientSslSocketFactory::onAddOrUpdateSecret() {
 ENVOY_LOG(debug, "Secret is updated.");
 {
@@ -455,6 +460,11 @@ ServerSslSocketFactory::createTransportSocket(Network::TransportSocketOptionsSha
 bool ServerSslSocketFactory::implementsSecureTransport() const { return true; }
+const Envoy::Ssl::CertificateValidationContextConfig*
+ServerSslSocketFactory::certificateValidationContext() const {
+ return config_->certificateValidationContext();
+}
+
 void ServerSslSocketFactory::onAddOrUpdateSecret() {
 ENVOY_LOG(debug, "Secret is updated.");
 {
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.h b/source/extensions/transport_sockets/tls/ssl_socket.h
index dc88fc43bb9e0..4ba2939cba703 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.h
+++ b/source/extensions/transport_sockets/tls/ssl_socket.h
@@ -97,6 +97,8 @@ class ClientSslSocketFactory : public Network::TransportSocketFactory,
 Network::TransportSocketPtr createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
 bool implementsSecureTransport() const override;
+ const Envoy::Ssl::CertificateValidationContextConfig*
+ certificateValidationContext() const override;
 // Secret::SecretCallbacks
 void onAddOrUpdateSecret() override;
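Review bot: `ClientSslSocketFactory::certificateValidationContext()` hands out `config_->certificateValidationContext()` as a bare pointer with no documented lifetime, while the `onAddOrUpdateSecret()` directly below it opens a scoped block after logging that a secret changed, which points at runtime mutation of this factory's state; the `ServerSslSocketFactory` hunk further down has the identical shape. If the validation context owned by `config_` is replaced when an SDS secret arrives, a caller that holds the returned pointer across that update is left reading freed certificate-validation state, which is the last place a use-after-free should be tolerated. Whether `config_` actually swaps its validation context on update is outside this hunk, so at minimum document the contract at each definition: `// Non-owning view into config_; may be invalidated by onAddOrUpdateSecret(). Callers must not cache it.` If it does swap, returning a shared_ptr or a copy would be safer than a raw pointer. The bodies of both onAddOrUpdateSecret() functions continue outside the hunk.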
@@ -121,6 +123,8 @@ class ServerSslSocketFactory : public Network::TransportSocketFactory,
 Network::TransportSocketPtr createTransportSocket(Network::TransportSocketOptionsSharedPtr options) const override;
 bool implementsSecureTransport() const override;
+ const Envoy::Ssl::CertificateValidationContextConfig*
+ certificateValidationContext() const override;
 // Secret::SecretCallbacks
 void onAddOrUpdateSecret() override;
diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h
index 735766b3504ee..580e7338cb043 100644
--- a/test/mocks/network/mocks.h
+++ b/test/mocks/network/mocks.h
@@ -382,6 +382,7 @@ class MockTransportSocketFactory : public TransportSocketFactory {
 ~MockTransportSocketFactory();
 MOCK_CONST_METHOD0(implementsSecureTransport, bool());
+ MOCK_CONST_METHOD0(certificateValidationContext, Ssl::CertificateValidationContextConfig*());
 MOCK_CONST_METHOD1(createTransportSocket, TransportSocketPtr(TransportSocketOptionsSharedPtr));
 };
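Review bot: The mock's return type `Ssl::CertificateValidationContextConfig*()` drops the `const` on the pointee that the TransportSocketFactory interface declares, which as far as I can tell only compiles because covariant-return rules accept a less cv-qualified pointee, and it lets tests hand out a mutable config where production code only ever sees a read-only one. I would mirror the interface exactly: `MOCK_CONST_METHOD0(certificateValidationContext, const Ssl::CertificateValidationContextConfig*());`. The MockTransportSocketFactory class declaration begins outside the hunk.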