CCBC-1658: Add support for encrypted TLS keys

The key password should be specified in connection options
with lcb_createopts_tls_key_password()

Change-Id: I2ef89b3f55499c08d610823d96a273e975371d4c
Reviewed-on: https://review.couchbase.org/c/libcouchbase/+/224097
Tested-by: Build Bot <build@couchbase.com>
Reviewed-by: Hiren <hiren.bavaskar@couchbase.com>

Author: avsej

include/libcouchbase/couchbase.h

@@ -271,6 +271,10 @@ LIBCOUCHBASE_API lcb_STATUS lcb_createopts_io(lcb_CREATEOPTS *options, struct lc
 LIBCOUCHBASE_API lcb_STATUS lcb_createopts_meter(lcb_CREATEOPTS *options, const lcbmetrics_METER *metrics);
 
 LIBCOUCHBASE_API lcb_STATUS lcb_createopts_tracer(lcb_CREATEOPTS *options, lcbtrace_TRACER *tracer);
+
+LIBCOUCHBASE_API lcb_STATUS lcb_createopts_tls_key_password(lcb_CREATEOPTS *options, const char *password,
+                                                            size_t password_len);
+
 /**
  * @brief Create an instance of lcb.
  * @param instance Where the instance should be returned

src/instance.cc

@@ -102,6 +102,14 @@ LIBCOUCHBASE_API lcb_STATUS lcb_createopts_meter(lcb_CREATEOPTS *options, const
     return LCB_SUCCESS;
 }
 
+LIBCOUCHBASE_API lcb_STATUS lcb_createopts_tls_key_password(lcb_CREATEOPTS *options, const char *password,
+                                                            size_t password_len)
+{
+    options->tls_key_password = password;
+    options->tls_key_password_len = password_len;
+    return LCB_SUCCESS;
+}
+
 LIBCOUCHBASE_API
 const char *lcb_get_version(lcb_uint32_t *version)
 {
@@ -313,7 +321,7 @@ static lcb_STATUS init_providers(lcb_INSTANCE *obj, const Connspec &spec)
     return LCB_SUCCESS;
 }
 
-static lcb_STATUS setup_ssl(lcb_INSTANCE *obj, const Connspec &params)
+static lcb_STATUS setup_ssl(lcb_INSTANCE *obj, const Connspec &params, const char *keypass, size_t keypass_len)
 {
     char optbuf[4096];
     long env_policy = -1;
@@ -368,8 +376,8 @@ static lcb_STATUS setup_ssl(lcb_INSTANCE *obj, const Connspec &params)
             lcb_log(LOGARGS(obj, ERR), "SSL key have to be specified with certificate");
             return LCB_ERR_INVALID_ARGUMENT;
         }
-        settings->ssl_ctx = lcbio_ssl_new(settings->truststorepath, settings->certpath, settings->keypath,
-                                          settings->sslopts & LCB_SSL_NOVERIFY, &err, settings);
+        settings->ssl_ctx = lcbio_ssl_new(settings->truststorepath, settings->certpath, settings->keypath, keypass,
+                                          keypass_len, settings->sslopts & LCB_SSL_NOVERIFY, &err, settings);
         if (!settings->ssl_ctx) {
             return err;
         }
@@ -452,11 +460,18 @@ lcb_STATUS lcb_create(lcb_INSTANCE **instance, const lcb_CREATEOPTS *options)
     lcb_INSTANCE *obj = nullptr;
     lcb_STATUS err;
     lcb_settings *settings;
+    std::string effective_connstr;
+    const char *keypass = nullptr;
+    std::size_t keypass_len = 0;
 
     if (options) {
         io_priv = options->io;
         type = options->type;
         err = spec.load(*options);
+        if (options->tls_key_password != nullptr && options->tls_key_password_len > 0) {
+            keypass = options->tls_key_password;
+            keypass_len = options->tls_key_password_len;
+        }
     } else {
         const char *errmsg;
         const char *default_connstr = "couchbase://";
@@ -543,8 +558,26 @@ lcb_STATUS lcb_create(lcb_INSTANCE **instance, const lcb_CREATEOPTS *options)
     }
 
     lcb_log(LOGARGS(obj, INFO), "Version=%s, Changeset=%s", lcb_get_version(nullptr), LCB_VERSION_CHANGESET);
+    effective_connstr = spec.connstr();
+    {
+        std::vector<std::string> sensitive_params{
+            "password=",
+        };
+
+        for (const auto &param : sensitive_params) {
+            auto start = effective_connstr.find(param);
+            if (start != std::string::npos) {
+                auto value_start = start + param.size();
+                auto end = effective_connstr.find('&', value_start);
+                if (end == std::string::npos) {
+                    end = effective_connstr.size();
+                }
+                effective_connstr.replace(value_start, end - value_start, "[REDACTED]");
+            }
+        }
+    }
     lcb_log(LOGARGS(obj, INFO), "Effective connection string: " LCB_LOG_SPEC("%s") ". Bucket=" LCB_LOG_SPEC("%s"),
-            settings->log_redaction ? LCB_LOG_SD_OTAG : "", spec.connstr().c_str(),
+            settings->log_redaction ? LCB_LOG_SD_OTAG : "", effective_connstr.c_str(),
             settings->log_redaction ? LCB_LOG_SD_CTAG : "", settings->log_redaction ? LCB_LOG_MD_OTAG : "",
             settings->bucket, settings->log_redaction ? LCB_LOG_MD_CTAG : "");
 
@@ -580,7 +613,7 @@ lcb_STATUS lcb_create(lcb_INSTANCE **instance, const lcb_CREATEOPTS *options)
     lcb_aspend_init(&obj->pendops);
     obj->collcache = new lcb::CollectionCache();
 
-    if ((err = setup_ssl(obj, spec)) != LCB_SUCCESS) {
+    if ((err = setup_ssl(obj, spec, keypass, keypass_len)) != LCB_SUCCESS) {
         goto GT_DONE;
     }
 

src/internalstructs.h

@@ -55,6 +55,8 @@ struct lcb_CREATEOPTS_ {
     size_t bucket_len;
     lcbtrace_TRACER *tracer;
     const lcbmetrics_METER *meter;
+    const char *tls_key_password;
+    size_t tls_key_password_len;
 };
 
 /**

src/lcbio/ioutils.cc

@@ -309,7 +309,8 @@ int lcbio_ssl_supported(void)
 #endif
 }
 
-lcbio_pSSLCTX lcbio_ssl_new__fallback(const char *, const char *, const char *, int, lcb_STATUS *errp, lcb_settings *)
+lcbio_pSSLCTX lcbio_ssl_new__fallback(const char *, const char *, const char *, const char *, size_t, int,
+                                      lcb_STATUS *errp, lcb_settings *)
 {
     if (errp) {
         *errp = LCB_ERR_SDK_FEATURE_UNAVAILABLE;

src/lcbio/ssl.h

@@ -59,22 +59,25 @@ typedef struct lcbio_SSLCTX *lcbio_pSSLCTX;
  */
 int lcbio_ssl_supported(void);
 
-lcbio_pSSLCTX lcbio_ssl_new__fallback(const char *, const char *, const char *, int, lcb_STATUS *, lcb_settings *);
+lcbio_pSSLCTX lcbio_ssl_new__fallback(const char *, const char *, const char *, const char *, size_t, int, lcb_STATUS *,
+                                      lcb_settings *);
 
 #ifndef LCB_NO_SSL
 /**
  * Create a new SSL context to be used to establish SSL policy.
  * @param tsfile Path to trusted store file
  * @param cafile Optional path to CA file
  * @param keyfile Path to private key file
+ * @param keypass password for key file or NULL.
+ * @param keypass_len length of the password for key file or 0.
  * @param noverify To not attempt to verify server's certificate
  * @param errp a pointer to contain the error code if initialization failed
  * @param settings settings structure, used for logging.
  *
  * @return A new SSL context, or NULL on error.
  */
-lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *keyfile, int noverify, lcb_STATUS *errp,
-                            lcb_settings *settings);
+lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *keyfile, const char *keypass,
+                            size_t keypass_len, int noverify, lcb_STATUS *errp, lcb_settings *settings);
 #else
 #define lcbio_ssl_new lcbio_ssl_new__fallback
 #endif

src/ssl/ssl_common.c

@@ -24,6 +24,7 @@
 #include "logging.h"
 #include <openssl/err.h>
 #include <openssl/opensslv.h>
+#include <openssl/ssl.h>
 
 #if OPENSSL_VERSION_NUMBER >= 0x1010100fL
 #define HAVE_CIPHERSUITES 1
@@ -370,8 +371,26 @@ static lcb_STATUS add_certificate_authority(const lcb_settings *settings, SSL_CT
     return rc;
 }
 
-lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *keyfile, int noverify, lcb_STATUS *errp,
-                            lcb_settings *settings)
+struct tls_key_secret {
+    const char *password;
+    size_t password_len;
+};
+
+static int keyfile_password_cb(char *buf, int size, int rwflag, void *userdata)
+{
+    (void)rwflag;
+
+    struct tls_key_secret *secret = (struct tls_key_secret *)userdata;
+    if (secret->password_len > (size_t)size) {
+        return 0;
+    }
+
+    memcpy(buf, secret->password, secret->password_len);
+    return secret->password_len;
+}
+
+lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *keyfile, const char *keypass,
+                            size_t keypass_len, int noverify, lcb_STATUS *errp, lcb_settings *settings)
 {
     lcb_STATUS err_s;
     lcbio_pSSLCTX ret;
@@ -444,11 +463,17 @@ lcbio_pSSLCTX lcbio_ssl_new(const char *tsfile, const char *cafile, const char *
     }
 
     if (cafile && keyfile) {
-        lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Authenticate with key \"%s\", cert \"%s\"", keyfile, cafile);
+        lcb_log(LOGARGS_S(settings, LCB_LOG_DEBUG), "Authenticate with key \"%s\"%s, cert \"%s\"", keyfile,
+                keypass ? " (encrypted)" : "", cafile);
         if (!SSL_CTX_use_certificate_chain_file(ret->ctx, cafile)) {
             *errp = LCB_ERR_SSL_ERROR;
             goto GT_ERR;
         }
+        struct tls_key_secret secret = {keypass, keypass_len};
+        if (keypass) {
+            SSL_CTX_set_default_passwd_cb(ret->ctx, keyfile_password_cb);
+            SSL_CTX_set_default_passwd_cb_userdata(ret->ctx, (void *)&secret);
+        }
         if (!SSL_CTX_use_PrivateKey_file(ret->ctx, keyfile, SSL_FILETYPE_PEM)) {
             lcb_log(LOGARGS_S(settings, LCB_LOG_ERROR), "Unable to load private key \"%s\"", keyfile);
             *errp = LCB_ERR_SSL_ERROR;

tests/socktests/t_ssl.cc

@@ -35,7 +35,7 @@ class SSLTest : public SockTest
 
         SockTest::SetUp();
         loop->settings->sslopts = LCB_SSL_ENABLED | LCB_SSL_NOVERIFY;
-        loop->settings->ssl_ctx = lcbio_ssl_new(nullptr, nullptr, nullptr, 1, &errp, loop->settings);
+        loop->settings->ssl_ctx = lcbio_ssl_new(nullptr, nullptr, nullptr, nullptr, 0, 1, &errp, loop->settings);
         loop->server->factory = TestServer::sslSocketFactory;
         EXPECT_FALSE(loop->settings->ssl_ctx == nullptr) << lcb_strerror_short(errp);
     }