Envoy: quiche: implement certificate verification

Created on 20 Dec 2019 · 4 Comments · Source: envoyproxy/envoy

The current integration uses a fake QuicProofSource/Verifier in the handshake: https://github.com/envoyproxy/envoy/blob/44a8588219209c4b96fca2e7e9f009138e1f3ca6/source/extensions/quic_listeners/quiche/envoy_quic_fake_proof_source.h. In ActiveQuicListener, a QuicCryptoServerConfig object is created with this.

A real EnvoyQuicProofSource should wrap FilterChainManager, which can retrieve a filter chain based on filter chain match. And in the FilterChain object there is a QuicServerTransportSocketFactory, which can provide Ssl::ServerContextConfig. EnvoyQuicProofSource::GetProof() should use the ServerContextConfig to create the QUIC version of the cert chain and signature.

A real EnvoyQuicProofVerifier should also be associated with QuicClientTransportSocketFactory and use Ssl::ClientContextConfig to verify the cert chain.

arequic help wanted

All 4 comments

/assign @bencebeky

@danzh2010 Is this complete, or is there other work still to be done?

/assign @danzh2010

Need one more change about key enforcement.
