From 1fc174e3de49c385f33b4fbb4a4e8e0798e15122 Mon Sep 17 00:00:00 2001
From: Rachana Nandan
Date: Wed, 30 Oct 2024 23:25:33 -0700
Subject: [PATCH] use issuer_type for prodCA cert fetch

Reviewed By: abakiaydin

Differential Revision: D64119325

fbshipit-source-id: 78f8a96afffadd0a7fd1160f07e8651d3a77a0d3
---
wangle/acceptor/ServerSocketConfig.h | 2 +-
wangle/ssl/SSLContextConfig.h | 13 +++++++++++--
2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/wangle/acceptor/ServerSocketConfig.h b/wangle/acceptor/ServerSocketConfig.h
index bd91666b9..ebd72ee02 100644
--- a/wangle/acceptor/ServerSocketConfig.h
+++ b/wangle/acceptor/ServerSocketConfig.h
@@ -96,7 +96,7 @@ struct ServerSocketConfig {
bool hasProdCASignedCert() const {
for (const auto& cfg : sslContextConfigs) {
- if (cfg.isProdCASigned) {
+ if (cfg.shouldLoadFromProdCA) {
return true;
}
}
diff --git a/wangle/ssl/SSLContextConfig.h b/wangle/ssl/SSLContextConfig.h
index 7b3284979..f231b327b 100644
--- a/wangle/ssl/SSLContextConfig.h
+++ b/wangle/ssl/SSLContextConfig.h
@@ -56,6 +56,7 @@ struct SSLContextConfig {
bool isBuffer{false};
};
+ enum IssuerType { PUBLIC_CA, PROD_CA, PUBLIC_TO_PRODCA };
/*
* If using a delegated credential, in this case we expect
* a combined pem. Also we expect the key here to refer to the
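Review bot: `hasProdCASignedCert()` now returns true whenever any context sets `shouldLoadFromProdCA`, but under the semantics this same patch gives that field (prefer a ProdCA fetch, fall back to Cryptossl-provided certs on failure) a true result no longer guarantees that a ProdCA-signed cert is actually loaded, so callers relying on the name's promise can be misled. The check also ignores the new `issuerType` field, so a context with `issuerType == IssuerType::PROD_CA` but `shouldLoadFromProdCA == false` is reported as not ProdCA-signed; whether that combination is reachable is not visible here. At minimum the predicate should state what it now means, e.g. `// True if any context is configured to prefer a ProdCA-fetched cert; does not imply the fetch succeeded or that issuerType is PROD_CA.` The function's closing lines lie outside the hunk.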
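Review bot: `IssuerType` is declared as an unscoped `enum`, so `PUBLIC_CA`, `PROD_CA` and `PUBLIC_TO_PRODCA` become bare names in `SSLContextConfig`'s scope and convert implicitly to int, which lets an issuer type be compared against or assigned from an unrelated integer without a diagnostic. Declaring it `enum class IssuerType { PUBLIC_CA, PROD_CA, PUBLIC_TO_PRODCA };` closes that; the only use this patch adds, `IssuerType issuerType{IssuerType::PUBLIC_CA}`, is already qualified and compiles unchanged, though any callers elsewhere that use the unqualified names would need updating. The enumerators are also undocumented, and the field comment in the following hunk says only that the value is used by the cert offload flow, so a one-line comment per value is needed, in particular what state `PUBLIC_TO_PRODCA` denotes and which issuer's certificate is expected to be served while it is in effect.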
@@ -175,8 +176,16 @@ struct SSLContextConfig {
// Load cert-key pairs corresponding to these domains
std::vector domains;
- // If true, the certs for this domain is signed by our internal CA
- bool isProdCASigned{false};
+ // This field is utilized in the origin tiers for the migration remaining
+ // Public cert usgae to our internal CA.
+ // If true, prefer to fetch an EC cert firectly from ProdCA.
+ // If false, or cert fetch failed, fallback to certs provided by Cryptossl
+ // Note: cryptossl may provide both RSA and EC cert for a given domain
+ bool shouldLoadFromProdCA{false};
+
+ // This value is used by the cert offload flow.
+ // Default to public cert (fetched from cryptossl)
+ IssuerType issuerType{IssuerType::PUBLIC_CA};
// A namespace to use for sessions generated from this context so that
// they will not be shared between other sessions generated from the