hpcc-systems · ghalliday · Sep 22, 2023 · Jul 26, 2023
diff --git a/common/thorhelper/thorsoapcall.cpp b/common/thorhelper/thorsoapcall.cpp
@@ -876,14 +876,15 @@ class CWSCHelper : implements IWSCHelper, public CInterface
     static CriticalSection secureContextCrit;
     static Owned<ISecureSocketContext> tlsSecureContext;
     static Owned<ISecureSocketContext> localMtlsSecureContext;
+    static Owned<ISecureSocketContext> remoteMtlsSecureContext;
 
     Owned<ISecureSocketContext> customSecureContext;
 
     CTimeMon timeLimitMon;
     bool complete;
     std::atomic_bool timeLimitExceeded{false};
     bool customClientCert = false;
-    bool localClientCert = false;
+    StringAttr clientCertIssuer;
     IRoxieAbortMonitor * roxieAbortMonitor;
 
 protected:
@@ -1021,9 +1022,14 @@ class CWSCHelper : implements IWSCHelper, public CInterface
             throw MakeStringException(0, "%sCALL specified no URLs",wscType == STsoap ? "SOAP" : "HTTP");
         if (0==strncmp(hosts, "mtls:", 5))
         {
-            localClientCert = true;
+            clientCertIssuer.set("local");
             hosts += 5;
         }
+        else if (0==strncmp(hosts, "remote-mtls:", 12))
+        {
+            clientCertIssuer.set("remote");
+            hosts += 12;
+        }
         if (0==strncmp(hosts, "secret:", 7))
         {
             const char *finger = hosts+7;
@@ -1184,8 +1190,8 @@ class CWSCHelper : implements IWSCHelper, public CInterface
         {
             if (clientCert != NULL)
                 ownedSC.setown(createSecureSocketContextEx(clientCert->certificate, clientCert->privateKey, clientCert->passphrase, ClientSocket));
-            else if (localClientCert)
-                ownedSC.setown(createSecureSocketContextSecret("local", ClientSocket));
+            else if (clientCertIssuer.length())
+                ownedSC.setown(createSecureSocketContextSecret(clientCertIssuer.str(), ClientSocket));
             else
                 ownedSC.setown(createSecureSocketContext(ClientSocket));
         }
@@ -1194,8 +1200,13 @@ class CWSCHelper : implements IWSCHelper, public CInterface
     ISecureSocketContext *ensureStaticSecureContext()
     {
         CriticalBlock b(secureContextCrit);
-        if (localClientCert)
-            return ensureSecureContext(localMtlsSecureContext);
+        if (clientCertIssuer.length())
+        {
+            if (strieq(clientCertIssuer.str(), "local"))
+                return ensureSecureContext(localMtlsSecureContext);
+            if (strieq(clientCertIssuer.str(), "remote"))
+                return ensureSecureContext(remoteMtlsSecureContext);
+        }
         return ensureSecureContext(tlsSecureContext);
     }
     ISecureSocket *createSecureSocket(ISocket *sock, const char *fqdn = nullptr)
@@ -1333,6 +1344,7 @@ class CWSCHelper : implements IWSCHelper, public CInterface
 CriticalSection CWSCHelper::secureContextCrit;
 Owned<ISecureSocketContext> CWSCHelper::tlsSecureContext; // created on first use
 Owned<ISecureSocketContext> CWSCHelper::localMtlsSecureContext; // created on first use
+Owned<ISecureSocketContext> CWSCHelper::remoteMtlsSecureContext; // created on first use
 
 
 //=================================================================================================

diff --git a/esp/clients/wsdfuaccess/wsdfuaccess.cpp b/esp/clients/wsdfuaccess/wsdfuaccess.cpp
@@ -543,7 +543,7 @@ StringBuffer &encodeDFUFileMeta(StringBuffer &metaInfoBlob, IPropertyTree *metaI
          * If the size of this initial request was ever a concern, we could consider other ways to ensure a one-off
          * delivery of this esp public signing cert. to dafilesrv, e.g. by dafilesrv reaching out to esp to request it.
          */
-        IPropertyTree *info = queryTlsSecretInfo(keyPairName);
+        Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
         if (!info)
             throw makeStringExceptionV(-1, "encodeDFUFileMeta: No '%s' MTLS certificate detected.", keyPairName);
         privateKeyFName = info->queryProp("privatekey");

diff --git a/esp/services/ws_dfu/ws_dfuService.cpp b/esp/services/ws_dfu/ws_dfuService.cpp
@@ -6112,7 +6112,7 @@ void CWsDfuEx::dFUFileAccessCommon(IEspContext &context, const CDfsLogicalFileNa
     StringBuffer dafilesrvHost;
 #ifdef _CONTAINERIZED
     keyPairName.set("signing");
-    IPropertyTree *info = queryTlsSecretInfo(keyPairName);
+    Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
     if (!info)
         throw makeStringExceptionV(-1, "dFUFileAccessCommon: file signing certificate ('%s') not defined in configuration.", keyPairName.str());
 
@@ -6489,7 +6489,7 @@ bool CWsDfuEx::onDFUFileCreateV2(IEspContext &context, IEspDFUFileCreateV2Reques
 
 #ifdef _CONTAINERIZED
         keyPairName.set("signing");
-        IPropertyTree *info = queryTlsSecretInfo(keyPairName);
+        Owned<IPropertyTree> info = getIssuerTlsServerConfig(keyPairName);
         if (!info)
             throw makeStringExceptionV(-1, "onDFUFileCreateV2: file signing certificate ('%s' ) not defined in configuration.", keyPairName.str());
 

diff --git a/esp/services/ws_ecl/ws_ecl_service.cpp b/esp/services/ws_ecl/ws_ecl_service.cpp
@@ -2082,8 +2082,8 @@ void CWsEclBinding::sendRoxieRequest(const char *target, StringBuffer &req, Stri
             throw MakeStringException(-1, "roxie target cluster not mapped: %s", target);
         ep = conn->nextEndpoint();
 
-        Owned<IHttpClientContext> httpctx = getHttpClientContext();
         WsEclSocketFactory *roxieConn = static_cast<WsEclSocketFactory*>(conn);
+        Owned<IHttpClientContext> httpctx = getHttpClientSecretContext(roxieConn->queryTlsIssuer());
         StringBuffer url(roxieConn->isTlsService() ? "https://" : "http://");
         ep.getIpText(url).append(':').append(ep.port ? ep.port : 9876).append('/');
         if (roxieConn->includeTargetInURL)

diff --git a/fs/dafilesrv/dafilesrv.cpp b/fs/dafilesrv/dafilesrv.cpp
@@ -395,7 +395,7 @@ int main(int argc, const char* argv[])
     // Use the "public" certificate issuer, unless it's visibility is "cluster" (meaning internal only)
     const char *visibility = getComponentConfigSP()->queryProp("service/@visibility");
     const char *certScope = strsame("cluster", visibility) ? "local" : "public";
-    IPropertyTree *info = queryTlsSecretInfo(certScope);
+    Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
     connectMethod = info ? SSLOnly : SSLNone;
     // NB: connectMethod will direct the CRemoteFileServer on accept to create a secure socket based on the same issuer certificates
 

diff --git a/fs/dafsclient/rmtclient.cpp b/fs/dafsclient/rmtclient.cpp
@@ -156,7 +156,7 @@ static ISecureSocket *createSecureSocket(ISocket *sock, const char *issuer)
             auto it = secureCtxClientIssuerMap.find(issuer);
             if (it == secureCtxClientIssuerMap.end())
             {
-                IPropertyTree *info = queryTlsSecretInfo(issuer);
+                Owned<IPropertyTree> info = getIssuerTlsServerConfig(issuer);
                 if (!info)
                     throw makeStringExceptionV(-1, "createSecureSocket() : missing MTLS configuration for issuer: %s", issuer);
                 secureContext.setown(createSecureSocketContextEx2(info, ClientSocket));

diff --git a/fs/dafsserver/dafsserver.cpp b/fs/dafsserver/dafsserver.cpp
@@ -133,7 +133,7 @@ static ISecureSocket *createSecureSocket(ISocket *sock, bool disableClientCertVe
              */
 
             const char *certScope = strsame("cluster", getComponentConfigSP()->queryProp("service/@visibility")) ? "local" : "public";
-            IPropertyTree *info = queryTlsSecretInfo(certScope);
+            Owned<IPropertyTree> info = getIssuerTlsServerConfig(certScope);
             if (!info)
                 throw makeStringException(-1, "createSecureSocket() : missing MTLS configuration");
             Owned<IPropertyTree> cloneInfo;