Porting BoringSSL-OQS Fork Into Envoy
dr7ana opened this issue · 0 comments
Hi everyone, firstly, apologies if this is the wrong place to open a discussion on this. I referenced previous work done by the /envoy-openssl integration project in attempting to port BoringSSL into Envoy, and I think we ran into a lot of similar issues, at least according to the roadmap published.
What I'm Trying To Do
I'm currently working on an open source implementation of a post-quantum enabled service mesh. This effort is in 3 parts:
- Nginx-oqs (finished in March of this year)
- Envoy (in progress)
- Istio (contingent on completion of Envoy)
Nginx was fairly straightforward to port the OpenSSL-OQS fork, but Envoy is giving me some trouble. Envoy is incompatible with OpenSSL (there is a team working on fixing this currently), so I had to use the BoringSSL-OQS fork.
How I'm Doing it
To update BoringSSL for Envoy, specifically the "main-with-bazel" branch must be used:
The last updated BoringSSL-OQS main-with-bazel was from 2019, so I forked it and added the siphash.h file needed by Envoy.
A few other modifications I needed to make in the Envoy fork I'm modifying:
- Disable jwt-auth
- Disable QUIC to side-step Quiche compatibility issues
Envoy successfully builds with my modifications.
Here are the commands I used to generate the self-signed CA cert and the server cert as per the instructions on the OpenSSL-OQS page. I have tried them with all combinations of standard/OQS/hybrid for both the CA cert and the server cert.
/usr/local/openssl/apps/openssl req -x509 -new -newkey rsa:2048 -keyout root_CA.key -out root_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config /usr/local/openssl/apps/openssl.cnf
/usr/local/openssl/apps/openssl req -new -newkey rsa3072_dilithium2 -keyout serverkey.key -out servercsr.csr -nodes -subj "/CN=oqstest server" -config /usr/local/openssl/apps/openssl.cnf
/usr/local/openssl/apps/openssl x509 -req -in servercsr.csr -out servercert.crt -CA root_CA.crt -CAkey root_CA.key -CAcreateserial -days 365
How It's Working: Standard RSA
I can confirm my build works by passing RSA certs and keys generated using the OQS-OpenSSL fork. The HTTPS server successfully performs the TLS handshake, and I am able to reach HTTP upstream.
How It's Not Working 1: "Cannot Load Certificate Chain"
If I pass the (hybrid or OQS) server cert to Envoy, I get this error:
I have tracked it down to this portion of the Envoy source code:
Here is a diagram of the functions and their locations in the Envoy and BoringSSL source code:
How It's Not Working 2: "Unsupported Algorithm"
If I pass the (RSA) root CA cert to Envoy with the (hybrid or OQS) key, I am faced with this error instead.
Questions
If anyone is curious and wants to reproduce this, the instructions are on this repo I have set up.
At this point, I feel like there may be something catastrophically important I'm missing about either BoringSSL/OpenSSL, Envoy, or just software development in general.
I would love any and all feedback/advice/thoughts/criticism about why this may be happening, and what I can do to fix this.
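An added diagnostic example, not part of the original issue and not Envoy or BoringSSL code: a certificate produced by the commands above carries two algorithm identifiers, the CA's signature algorithm and the server key's own algorithm, and this script reports both from DER bytes so each error can be matched to the field that holds the non-classical OID. The sample certificate skeleton and the key OID 2.999.1 are constructed placeholders, not real OQS values.

```python
# Added example: report the two algorithm OIDs carried by an X.509 certificate.
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length  # (tag, value_start, value_end)

def children(buf, start, end):
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(raw):
    subs, n = [], 0
    for byte in raw:  # base-128 groups, high bit set on all but the last byte
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subs.append(n)
            n = 0
    first = min(subs[0] // 40, 2)  # first group packs the first two arcs
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def cert_algorithms(der):
    _, s, e = read_tlv(der, 0)                      # Certificate SEQUENCE
    tbs, sig_alg, _sig = children(der, s, e)
    fields = children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                        # optional [0] version
        fields = fields[1:]
    spki_alg = children(der, fields[5][1], fields[5][2])[0]  # field after subject
    def oid(alg):
        _, s, e = children(der, alg[1], alg[2])[0]
        return decode_oid(der[s:e])
    return {"signature": oid(sig_alg), "public_key": oid(spki_alg)}

def tlv(tag, *parts):  # tiny encoder for the constructed sample (lengths < 128)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed skeleton: RSA-signed cert whose key uses placeholder OID 2.999.1
RSA_SHA256 = tlv(0x30, bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")
SPKI = tlv(0x30, tlv(0x30, bytes.fromhex("0603883701")), tlv(0x03, b"\x00\xaa"))
TBS = tlv(0x30, tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", RSA_SHA256,
          tlv(0x30), tlv(0x30), tlv(0x30), SPKI)
SAMPLE = tlv(0x30, TBS, RSA_SHA256, tlv(0x03, b"\x00\xbb"))
```

For a real certificate, convert it with `openssl x509 -in servercert.crt -outform DER` and pass the resulting bytes to `cert_algorithms`.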