feat: specify a custom CA file for TLS peer verification (#409)

This adds a new config builder option, `CustomCAFile` and associated C binding to the server and client SDKs. When specified, the SDK's streaming, polling, and event connections will verify its TLS peer based on the CAs found in this file. The custom file may be un-set by passing an empty string.
launchdarkly · May 30, 2024 · 857dd28 · 857dd28
1 parent db0a9eb
commit 857dd28
Show file tree

Hide file tree

Showing 30 changed files with 264 additions and 49 deletions.
diff --git a/contract-tests/client-contract-tests/src/entity_manager.cpp b/contract-tests/client-contract-tests/src/entity_manager.cpp
@@ -134,6 +134,9 @@ std::optional<std::string> EntityManager::create(ConfigParams const& in) {
         if (in.tls->skipVerifyPeer) {
             builder.SkipVerifyPeer(*in.tls->skipVerifyPeer);
         }
+        if (in.tls->customCAFile) {
+            builder.CustomCAFile(*in.tls->customCAFile);
+        }
         config_builder.HttpProperties().Tls(std::move(builder));
     }
 

diff --git a/contract-tests/client-contract-tests/src/main.cpp b/contract-tests/client-contract-tests/src/main.cpp
@@ -45,7 +45,8 @@ int main(int argc, char* argv[]) {
         srv.add_capability("anonymous-redaction");
         srv.add_capability("tls:verify-peer");
         srv.add_capability("tls:skip-verify-peer");
-
+        srv.add_capability("tls:custom-ca");
+
         net::signal_set signals{ioc, SIGINT, SIGTERM};
 
         boost::asio::spawn(ioc.get_executor(), [&](auto yield) mutable {

diff --git a/contract-tests/data-model/include/data_model/data_model.hpp b/contract-tests/data-model/include/data_model/data_model.hpp
@@ -31,9 +31,12 @@ struct adl_serializer<std::optional<T>> {
 
 struct ConfigTLSParams {
     std::optional<bool> skipVerifyPeer;
+    std::optional<std::string> customCAFile;
 };
+
 NLOHMANN_DEFINE_TYPE_NON_INTRUSIVE_WITH_DEFAULT(ConfigTLSParams,
-                                                skipVerifyPeer);
+                                                skipVerifyPeer,
+                                                customCAFile);
 
 struct ConfigStreamingParams {
     std::optional<std::string> baseUri;

diff --git a/contract-tests/server-contract-tests/src/entity_manager.cpp b/contract-tests/server-contract-tests/src/entity_manager.cpp
@@ -125,6 +125,9 @@ std::optional<std::string> EntityManager::create(ConfigParams const& in) {
         if (in.tls->skipVerifyPeer) {
             builder.SkipVerifyPeer(*in.tls->skipVerifyPeer);
         }
+        if (in.tls->customCAFile) {
+            builder.CustomCAFile(*in.tls->customCAFile);
+        }
         config_builder.HttpProperties().Tls(std::move(builder));
     }
 

diff --git a/contract-tests/server-contract-tests/src/main.cpp b/contract-tests/server-contract-tests/src/main.cpp
@@ -44,6 +44,7 @@ int main(int argc, char* argv[]) {
         srv.add_capability("anonymous-redaction");
         srv.add_capability("tls:verify-peer");
         srv.add_capability("tls:skip-verify-peer");
+        srv.add_capability("tls:custom-ca");
 
         net::signal_set signals{ioc, SIGINT, SIGTERM};
 

diff --git a/libs/client-sdk/include/launchdarkly/client_side/bindings/c/config/builder.h b/libs/client-sdk/include/launchdarkly/client_side/bindings/c/config/builder.h
@@ -440,6 +440,26 @@ LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(
     LDClientHttpPropertiesTlsBuilder b,
     bool skip_verify_peer);
 
+/**
+ * Configures TLS peer certificate verification to use a custom
+ * CA file.
+ *
+ * The parameter is a filepath pointing to a bundle of
+ * one or more PEM-encoded x509 certificates comprising the root of trust for
+ * the SDK's outbound connections.
+ *
+ * By default, the SDK uses the system's CA bundle. Passing the empty string
+ * will unset any previously set path and revert to the system's CA bundle.
+ *
+ * @param b Client config builder. Must not be NULL.
+ * @param custom_ca_file Filepath of the custom CA bundle, or empty string. Must
+ * not be NULL.
+ */
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_CustomCAFile(
+    LDClientHttpPropertiesTlsBuilder b,
+    char const* custom_ca_file);
+
 /**
  * Disables the default SDK logging.
  * @param b Client config builder. Must not be NULL.

diff --git a/libs/client-sdk/src/bindings/c/builder.cpp b/libs/client-sdk/src/bindings/c/builder.cpp
@@ -332,6 +332,16 @@ LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(
     TO_TLS_BUILDER(b)->SkipVerifyPeer(skip_verify_peer);
 }
 
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_CustomCAFile(
+    LDClientHttpPropertiesTlsBuilder b,
+    char const* custom_ca_file) {
+    LD_ASSERT_NOT_NULL(b);
+    LD_ASSERT_NOT_NULL(custom_ca_file);
+
+    TO_TLS_BUILDER(b)->CustomCAFile(custom_ca_file);
+}
+
 LD_EXPORT(LDClientHttpPropertiesTlsBuilder)
 LDClientHttpPropertiesTlsBuilder_New(void) {
     return FROM_TLS_BUILDER(new TlsBuilder());

diff --git a/libs/client-sdk/src/client_impl.cpp b/libs/client-sdk/src/client_impl.cpp
@@ -109,6 +109,16 @@ ClientImpl::ClientImpl(Config in_cfg,
       eval_reasons_available_(config_.DataSourceConfig().with_reasons) {
     flag_manager_.LoadCache(context_);
 
+    if (auto custom_ca = http_properties_.Tls().CustomCAFile()) {
+        LD_LOG(logger_, LogLevel::kInfo)
+            << "TLS peer verification configured with custom CA file: "
+            << *custom_ca;
+    }
+    if (http_properties_.Tls().PeerVerifyMode() ==
+        config::shared::built::TlsOptions::VerifyMode::kVerifyNone) {
+        LD_LOG(logger_, LogLevel::kInfo) << "TLS peer verification disabled";
+    }
+
     if (config_.Events().Enabled() && !config_.Offline()) {
         event_processor_ =
             std::make_unique<events::AsioEventProcessor<ClientSDK>>(

diff --git a/libs/client-sdk/src/data_sources/polling_data_source.cpp b/libs/client-sdk/src/data_sources/polling_data_source.cpp
@@ -74,7 +74,7 @@ PollingDataSource::PollingDataSource(
       status_manager_(status_manager),
       data_source_handler_(
           DataSourceEventHandler(context, handler, logger, status_manager_)),
-      requester_(ioc, http_properties.Tls().PeerVerifyMode()),
+      requester_(ioc, http_properties.Tls()),
       timer_(ioc),
       polling_interval_(
           std::get<
@@ -88,10 +88,6 @@ PollingDataSource::PollingDataSource(
     auto const& polling_config = std::get<
         config::shared::built::PollingConfig<config::shared::ClientSDK>>(
         data_source_config.method);
-    if (http_properties.Tls().PeerVerifyMode() ==
-        config::shared::built::TlsOptions::VerifyMode::kVerifyNone) {
-        LD_LOG(logger_, LogLevel::kDebug) << "TLS peer verification disabled";
-    }
     if (polling_interval_ < polling_config.min_polling_interval) {
         LD_LOG(logger_, LogLevel::kWarn)
             << "Polling interval too frequent, defaulting to "

diff --git a/libs/client-sdk/src/data_sources/streaming_data_source.cpp b/libs/client-sdk/src/data_sources/streaming_data_source.cpp
@@ -132,6 +132,10 @@ void StreamingDataSource::Start() {
         client_builder.skip_verify_peer(true);
     }
 
+    if (auto ca_file = http_config_.Tls().CustomCAFile()) {
+        client_builder.custom_ca_file(*ca_file);
+    }
+
     auto weak_self = weak_from_this();
 
     client_builder.receiver([weak_self](launchdarkly::sse::Event const& event) {

diff --git a/libs/client-sdk/tests/client_config_test.cpp b/libs/client-sdk/tests/client_config_test.cpp
@@ -82,6 +82,7 @@ TEST(ClientConfigBindings, AllConfigs) {
     LDClientHttpPropertiesTlsBuilder tls_builder =
         LDClientHttpPropertiesTlsBuilder_New();
     LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(tls_builder, false);
+    LDClientHttpPropertiesTlsBuilder_CustomCAFile(tls_builder, "ca.pem");
     LDClientConfigBuilder_HttpProperties_Tls(builder, tls_builder);
 
     LDClientHttpPropertiesTlsBuilder tls_builder2 =

diff --git a/libs/common/include/launchdarkly/config/shared/builders/http_properties_builder.hpp b/libs/common/include/launchdarkly/config/shared/builders/http_properties_builder.hpp
@@ -40,6 +40,21 @@ class TlsBuilder {
      */
     TlsBuilder& SkipVerifyPeer(bool skip_verify_peer);
 
+    /**
+     * Path to a file containing one or more CAs to verify
+     * the peer with. The certificate(s) must be PEM-encoded.
+     *
+     * By default, the SDK uses the system's root CA bundle.
+     *
+     * If the empty string is passed, this function will clear any existing
+     * CA bundle path previously set, and the system's root CA bundle will be
+     * used.
+     *
+     * @param custom_ca_file File path.
+     * @return A reference to this builder.
+     */
+    TlsBuilder& CustomCAFile(std::string custom_ca_file);
+
     /**
      * Builds the TLS options.
      * @return The built options.
@@ -48,6 +63,7 @@ class TlsBuilder {
 
    private:
     enum built::TlsOptions::VerifyMode verify_mode_;
+    std::optional<std::string> custom_ca_file_;
 };
 /**
  * Class used for building a set of HttpProperties.

diff --git a/libs/common/include/launchdarkly/config/shared/built/http_properties.hpp b/libs/common/include/launchdarkly/config/shared/built/http_properties.hpp
@@ -2,6 +2,7 @@
 
 #include <chrono>
 #include <map>
+#include <optional>
 #include <string>
 #include <vector>
 
@@ -10,12 +11,16 @@ namespace launchdarkly::config::shared::built {
 class TlsOptions final {
    public:
     enum class VerifyMode { kVerifyPeer, kVerifyNone };
-    TlsOptions(VerifyMode verify_mode);
+    explicit TlsOptions(VerifyMode verify_mode);
+    TlsOptions(VerifyMode verify_mode,
+               std::optional<std::string> ca_bundle_path);
     TlsOptions();
     [[nodiscard]] VerifyMode PeerVerifyMode() const;
+    [[nodiscard]] std::optional<std::string> const& CustomCAFile() const;
 
    private:
     VerifyMode verify_mode_;
+    std::optional<std::string> ca_bundle_path_;
 };
 
 class HttpProperties final {

diff --git a/libs/common/src/config/http_properties.cpp b/libs/common/src/config/http_properties.cpp
@@ -4,15 +4,24 @@
 
 namespace launchdarkly::config::shared::built {
 
-TlsOptions::TlsOptions(enum TlsOptions::VerifyMode verify_mode)
-    : verify_mode_(verify_mode) {}
+TlsOptions::TlsOptions(TlsOptions::VerifyMode verify_mode,
+                       std::optional<std::string> ca_bundle_path)
+    : verify_mode_(verify_mode), ca_bundle_path_(std::move(ca_bundle_path)) {}
 
-TlsOptions::TlsOptions() : TlsOptions(TlsOptions::VerifyMode::kVerifyPeer) {}
+TlsOptions::TlsOptions(TlsOptions::VerifyMode verify_mode)
+    : TlsOptions(verify_mode, std::nullopt) {}
+
+TlsOptions::TlsOptions()
+    : TlsOptions(TlsOptions::VerifyMode::kVerifyPeer, std::nullopt) {}
 
 TlsOptions::VerifyMode TlsOptions::PeerVerifyMode() const {
     return verify_mode_;
 }
 
+std::optional<std::string> const& TlsOptions::CustomCAFile() const {
+    return ca_bundle_path_;
+}
+
 HttpProperties::HttpProperties(std::chrono::milliseconds connect_timeout,
                                std::chrono::milliseconds read_timeout,
                                std::chrono::milliseconds write_timeout,
@@ -58,7 +67,8 @@ bool operator==(HttpProperties const& lhs, HttpProperties const& rhs) {
 }
 
 bool operator==(TlsOptions const& lhs, TlsOptions const& rhs) {
-    return lhs.PeerVerifyMode() == rhs.PeerVerifyMode();
+    return lhs.PeerVerifyMode() == rhs.PeerVerifyMode() &&
+           lhs.CustomCAFile() == rhs.CustomCAFile();
 }
 
 }  // namespace launchdarkly::config::shared::built
diff --git a/libs/common/src/config/http_properties_builder.cpp b/libs/common/src/config/http_properties_builder.cpp
@@ -12,6 +12,7 @@ TlsBuilder<SDK>::TlsBuilder() : TlsBuilder(shared::Defaults<SDK>::TLS()) {}
 template <typename SDK>
 TlsBuilder<SDK>::TlsBuilder(built::TlsOptions const& tls) {
     verify_mode_ = tls.PeerVerifyMode();
+    custom_ca_file_ = tls.CustomCAFile();
 }
 
 template <typename SDK>
@@ -22,9 +23,19 @@ TlsBuilder<SDK>& TlsBuilder<SDK>::SkipVerifyPeer(bool skip_verify_peer) {
     return *this;
 }
 
+template <typename SDK>
+TlsBuilder<SDK>& TlsBuilder<SDK>::CustomCAFile(std::string custom_ca_file) {
+    if (custom_ca_file.empty()) {
+        custom_ca_file_ = std::nullopt;
+    } else {
+        custom_ca_file_ = std::move(custom_ca_file);
+    }
+    return *this;
+}
+
 template <typename SDK>
 built::TlsOptions TlsBuilder<SDK>::Build() const {
-    return {verify_mode_};
+    return {verify_mode_, custom_ca_file_};
 }
 
 template <typename SDK>

diff --git a/libs/internal/include/launchdarkly/events/detail/request_worker.hpp b/libs/internal/include/launchdarkly/events/detail/request_worker.hpp
@@ -99,13 +99,12 @@ class RequestWorker {
      * @param mode TLS peer verification mode.
      * @param logger Logger.
      */
-    RequestWorker(
-        boost::asio::any_io_executor io,
-        std::chrono::milliseconds retry_after,
-        std::size_t id,
-        std::optional<std::locale> date_header_locale,
-        enum config::shared::built::TlsOptions::VerifyMode verify_mode,
-        Logger& logger);
+    RequestWorker(boost::asio::any_io_executor io,
+                  std::chrono::milliseconds retry_after,
+                  std::size_t id,
+                  std::optional<std::locale> date_header_locale,
+                  config::shared::built::TlsOptions tls_options,
+                  Logger& logger);
 
     /**
      * Returns true if the worker is available for delivery.

diff --git a/libs/internal/include/launchdarkly/events/detail/worker_pool.hpp b/libs/internal/include/launchdarkly/events/detail/worker_pool.hpp
@@ -30,13 +30,14 @@ class WorkerPool {
      * @param pool_size How many workers to make available.
      * @param delivery_retry_delay How long a worker should wait after a failed
      * delivery before trying again.
-     * @param verify_mode The TLS verification mode.
+     * @param tls_options The TLS options to use for the connection to
+     * LaunchDarkly event delivery endpoint.
      * @param logger Logger.
      */
     WorkerPool(boost::asio::any_io_executor io,
                std::size_t pool_size,
                std::chrono::milliseconds delivery_retry_delay,
-               enum config::shared::built::TlsOptions::VerifyMode verify_mode,
+               config::shared::built::TlsOptions const& tls_options,
                Logger& logger);
 
     /**

diff --git a/libs/internal/include/launchdarkly/network/asio_requester.hpp b/libs/internal/include/launchdarkly/network/asio_requester.hpp
@@ -3,6 +3,7 @@
 #include "http_requester.hpp"
 
 #include <launchdarkly/config/shared/built/http_properties.hpp>
+#include <launchdarkly/detail/c_binding_helpers.hpp>
 #include <launchdarkly/detail/unreachable.hpp>
 
 #include <boost/asio.hpp>
@@ -30,7 +31,7 @@ using tcp = boost::asio::ip::tcp;
 
 namespace launchdarkly::network {
 
-using VerifyMode = config::shared::built::TlsOptions::VerifyMode;
+using TlsOptions = config::shared::built::TlsOptions;
 
 static unsigned char const kRedirectLimit = 20;
 
@@ -258,14 +259,26 @@ class AsioRequester {
      * must be accounted for.
      */
    public:
-    AsioRequester(net::any_io_executor ctx, VerifyMode verify_mode)
+    AsioRequester(net::any_io_executor ctx, TlsOptions const& tls_options)
         : ctx_(std::move(ctx)),
           ssl_ctx_(std::make_shared<net::ssl::context>(
               launchdarkly::foxy::make_ssl_ctx(ssl::context::tlsv12_client))) {
+        ssl_ctx_->set_verify_mode(ssl::verify_peer);
         ssl_ctx_->set_default_verify_paths();
-        ssl_ctx_->set_verify_mode(verify_mode == VerifyMode::kVerifyPeer
-                                      ? ssl::verify_peer
-                                      : ssl::verify_none);
+
+        std::optional<std::string> const& custom_ca_file =
+            tls_options.CustomCAFile();
+
+        if (custom_ca_file) {
+            // The builder should enforce that the path (if set) is not empty.
+            LD_ASSERT(!custom_ca_file->empty());
+            ssl_ctx_->load_verify_file(custom_ca_file->c_str());
+        }
+
+        using VerifyMode = config::shared::built::TlsOptions::VerifyMode;
+        if (tls_options.PeerVerifyMode() == VerifyMode::kVerifyNone) {
+            ssl_ctx_->set_verify_mode(ssl::verify_none);
+        }
     }
 
     template <typename CompletionToken>

diff --git a/libs/internal/src/events/asio_event_processor.cpp b/libs/internal/src/events/asio_event_processor.cpp
@@ -47,7 +47,7 @@ AsioEventProcessor<SDK>::AsioEventProcessor(
       workers_(io_,
                events_config.FlushWorkers(),
                events_config.DeliveryRetryDelay(),
-               http_properties.Tls().PeerVerifyMode(),
+               http_properties.Tls(),
                logger),
       inbox_capacity_(events_config.Capacity()),
       inbox_size_(0),

diff --git a/libs/internal/src/events/request_worker.cpp b/libs/internal/src/events/request_worker.cpp
@@ -3,17 +3,16 @@
 
 namespace launchdarkly::events::detail {
 
-RequestWorker::RequestWorker(
-    boost::asio::any_io_executor io,
-    std::chrono::milliseconds retry_after,
-    std::size_t id,
-    std::optional<std::locale> date_header_locale,
-    enum config::shared::built::TlsOptions::VerifyMode verify_mode,
-    Logger& logger)
+RequestWorker::RequestWorker(boost::asio::any_io_executor io,
+                             std::chrono::milliseconds retry_after,
+                             std::size_t id,
+                             std::optional<std::locale> date_header_locale,
+                             config::shared::built::TlsOptions tls_options,
+                             Logger& logger)
     : timer_(std::move(io)),
       retry_delay_(retry_after),
       state_(State::Idle),
-      requester_(timer_.get_executor(), verify_mode),
+      requester_(timer_.get_executor(), tls_options),
       batch_(std::nullopt),
       tag_("flush-worker[" + std::to_string(id) + "]: "),
       date_header_locale_(std::move(date_header_locale)),