ClickHouse/src/Server/CertificateReloader.cpp

#include "CertificateReloader.h"
#include <common/errnoToString.h>


#if USE_SSL

namespace DB
{

namespace ErrorCodes
{
    extern const int CANNOT_STAT;
}

int CertificateReloader::setCertificate(SSL * ssl)
{
    std::shared_lock lock(mutex);
    SSL_use_certificate(ssl, const_cast<X509 *>(cert->certificate()));
    SSL_use_RSAPrivateKey(ssl, key->impl()->getRSA());

    int err = SSL_check_private_key(ssl);
    if (err != 1)
    {
        std::string msg = Poco::Net::Utility::getLastError();
        LOG_ERROR(log, "Unusable keypair {}", msg);
        return -1;
    }
    return 1;
}

void CertificateReloader::init(const Poco::Util::AbstractConfiguration & config)
{
    LOG_DEBUG(log, "Initializing certificate reloader.");

    SSL_CTX_set_cert_cb(
        Poco::Net::SSLManager::instance().defaultClientContext()->sslContext(),
        [](SSL * ssl, void * arg) { return reinterpret_cast<CertificateReloader *>(arg)->setCertificate(ssl); },
        static_cast<void *>(this));

    reload(config);
}

void CertificateReloader::reload(const Poco::Util::AbstractConfiguration & config)
{
    LOG_DEBUG(log, "Handling certificate reload.");
    const auto cert_file_ = config.getString("openSSL.server.certificateFile", "");
    const auto key_file_ = config.getString("openSSL.server.privateKeyFile", "");

    bool changed = false;
    changed |= setKeyFile(key_file_);
    changed |= setCertificateFile(cert_file_);

    if (changed)
    {
        LOG_INFO(log, "Reloading certificate ({}) and key ({}).", cert_file, key_file);
        {
            std::unique_lock lock(mutex);
            key = std::make_unique<Poco::Crypto::RSAKey>(/* public key */ "", /* private key */ key_file);
            cert = std::make_unique<Poco::Crypto::X509Certificate>(cert_file);
        }
        LOG_INFO(log, "Reloaded certificate ({}).", cert_file);
    }
}

bool CertificateReloader::setKeyFile(const std::string key_file_)
{
    if (key_file_.empty())
        return false;

    stat_t st;
    int res = stat(key_file_.c_str(), &st);
    if (res == -1)
    {
        LOG_ERROR(log, "Cannot obtain stat for key file {}, skipping update. {}", key_file_, errnoToString(ErrorCodes::CANNOT_STAT));
        return false;
    }

    /// NOTE: if file changed twice in a second, the update will be missed.

    if (st.st_mtime != key_file_st.st_mtime || key_file != key_file_)
    {
        key_file = key_file_;
        key_file_st = st;
        return true;
    }

    return false;
}

bool CertificateReloader::setCertificateFile(const std::string cert_file_)
{
    if (cert_file_.empty())
        return false;

    stat_t st;
    int res = stat(cert_file_.c_str(), &st);
    if (res == -1)
    {
        LOG_ERROR(log, "Cannot obtain stat for certificate file {}, skipping update. {}", cert_file_, errnoToString(ErrorCodes::CANNOT_STAT));
        return false;
    }

    if (st.st_mtime != cert_file_st.st_mtime || cert_file != cert_file_)
    {
        cert_file = cert_file_;
        cert_file_st = st;
        return true;
    }

    return false;
}

}

#endif
Twiddling 2021-07-06 23:15:30 +00:00			`#include "CertificateReloader.h"`
More twiddling 2021-07-06 23:34:43 +00:00			`#include <common/errnoToString.h>`

Twiddling 2021-07-06 23:15:30 +00:00
			`#if USE_SSL`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00
			`namespace DB`
			`{`
Twiddling 2021-07-06 23:15:30 +00:00
More twiddling 2021-07-06 23:34:43 +00:00			`namespace ErrorCodes`
			`{`
			`extern const int CANNOT_STAT;`
			`}`

Twiddling 2021-07-06 23:15:30 +00:00			`int CertificateReloader::setCertificate(SSL * ssl)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
Update CertReloader.cpp 2021-07-06 22:19:26 +00:00			`std::shared_lock lock(mutex);`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`SSL_use_certificate(ssl, const_cast<X509 *>(cert->certificate()));`
			`SSL_use_RSAPrivateKey(ssl, key->impl()->getRSA());`

			`int err = SSL_check_private_key(ssl);`
			`if (err != 1)`
			`{`
			`std::string msg = Poco::Net::Utility::getLastError();`
			`LOG_ERROR(log, "Unusable keypair {}", msg);`
			`return -1;`
			`}`
			`return 1;`
			`}`

Twiddling 2021-07-06 23:15:30 +00:00			`void CertificateReloader::init(const Poco::Util::AbstractConfiguration & config)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
More twiddling 2021-07-06 23:34:43 +00:00			`LOG_DEBUG(log, "Initializing certificate reloader.");`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00
More twiddling 2021-07-06 23:34:43 +00:00			`SSL_CTX_set_cert_cb(`
			`Poco::Net::SSLManager::instance().defaultClientContext()->sslContext(),`
			`[](SSL * ssl, void * arg) { return reinterpret_cast<CertificateReloader *>(arg)->setCertificate(ssl); },`
			`static_cast<void *>(this));`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00
			`reload(config);`
			`}`

Twiddling 2021-07-06 23:15:30 +00:00			`void CertificateReloader::reload(const Poco::Util::AbstractConfiguration & config)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
More twiddling 2021-07-06 23:34:43 +00:00			`LOG_DEBUG(log, "Handling certificate reload.");`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`const auto cert_file_ = config.getString("openSSL.server.certificateFile", "");`
			`const auto key_file_ = config.getString("openSSL.server.privateKeyFile", "");`

Revert some cleanup (to be squashed) When I was cleaning up this up for review I factored out this change but it's required. 2020-10-08 20:15:04 +00:00			`bool changed = false;`
			`changed \|= setKeyFile(key_file_);`
Twiddling 2021-07-06 23:15:30 +00:00			`changed \|= setCertificateFile(cert_file_);`
Revert some cleanup (to be squashed) When I was cleaning up this up for review I factored out this change but it's required. 2020-10-08 20:15:04 +00:00
			`if (changed)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
More twiddling 2021-07-06 23:34:43 +00:00			`LOG_INFO(log, "Reloading certificate ({}) and key ({}).", cert_file, key_file);`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
Update CertReloader.cpp 2021-07-06 22:19:26 +00:00			`std::unique_lock lock(mutex);`
More twiddling 2021-07-06 23:34:43 +00:00			`key = std::make_unique<Poco::Crypto::RSAKey>(/* public key / "", / private key */ key_file);`
Update CertReloader.cpp 2021-07-06 22:20:14 +00:00			`cert = std::make_unique<Poco::Crypto::X509Certificate>(cert_file);`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`}`
More twiddling 2021-07-06 23:34:43 +00:00			`LOG_INFO(log, "Reloaded certificate ({}).", cert_file);`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`}`
			`}`

Twiddling 2021-07-06 23:15:30 +00:00			`bool CertificateReloader::setKeyFile(const std::string key_file_)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
			`if (key_file_.empty())`
			`return false;`

			`stat_t st;`
			`int res = stat(key_file_.c_str(), &st);`
			`if (res == -1)`
More twiddling 2021-07-06 23:34:43 +00:00			`{`
			`LOG_ERROR(log, "Cannot obtain stat for key file {}, skipping update. {}", key_file_, errnoToString(ErrorCodes::CANNOT_STAT));`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`return false;`
More twiddling 2021-07-06 23:34:43 +00:00			`}`

			`/// NOTE: if file changed twice in a second, the update will be missed.`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00
			`if (st.st_mtime != key_file_st.st_mtime \|\| key_file != key_file_)`
			`{`
			`key_file = key_file_;`
			`key_file_st = st;`
			`return true;`
			`}`

			`return false;`
			`}`

Twiddling 2021-07-06 23:15:30 +00:00			`bool CertificateReloader::setCertificateFile(const std::string cert_file_)`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`{`
			`if (cert_file_.empty())`
			`return false;`

			`stat_t st;`
			`int res = stat(cert_file_.c_str(), &st);`
			`if (res == -1)`
More twiddling 2021-07-06 23:34:43 +00:00			`{`
			`LOG_ERROR(log, "Cannot obtain stat for certificate file {}, skipping update. {}", cert_file_, errnoToString(ErrorCodes::CANNOT_STAT));`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00			`return false;`
More twiddling 2021-07-06 23:34:43 +00:00			`}`
[WIP] Introduce dynamic TLS server context This is a first pass at setting an x509 keypair dynamically. I'm not so sure it should be a singleton (especaially because it depends on the SSLManager singleton). Needs more better error handling. Functionally, it works. Simply change the cert/key path in config, or touch cert; touch config. 2020-10-08 16:07:58 +00:00
			`if (st.st_mtime != cert_file_st.st_mtime \|\| cert_file != cert_file_)`
			`{`
			`cert_file = cert_file_;`
			`cert_file_st = st;`
			`return true;`
			`}`

			`return false;`
			`}`

			`}`
Twiddling 2021-07-06 23:15:30 +00:00
			`#endif`