add support for SPIFFE TLS Ids

Signed-off-by: Zahari Dichev <[email protected]>

Cargo.lock

@@ -51,6 +51,45 @@ dependencies = [
  "derive_arbitrary",
 ]
 
+[[package]]
+name = "asn1-rs"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f6fd5ddaf0351dff5b8da21b2fb4ff8e08ddd02857f0bf69c47639106c0fff0"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "726535892e8eae7e70657b4c8ea93d26b8553afb1ce617caee529ef96d7dee6c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
 [[package]]
 name = "async-stream"
 version = "0.3.4"
@@ -291,6 +330,20 @@ dependencies = [
  "gzip-header",
 ]
 
+[[package]]
+name = "der-parser"
+version = "8.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbd676fbbab537128ef0278adb5576cf363cff6aa22a7b24effe97347cfab61e"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "deranged"
 version = "0.3.9"
@@ -311,6 +364,17 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "displaydoc"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.12",
+]
+
 [[package]]
 name = "drain"
 version = "0.1.1"
@@ -1341,8 +1405,10 @@ dependencies = [
 name = "linkerd-identity"
 version = "0.1.0"
 dependencies = [
+ "http",
  "linkerd-dns-name",
  "linkerd-error",
+ "thiserror",
 ]
 
 [[package]]
@@ -1407,7 +1473,7 @@ dependencies = [
  "linkerd-identity",
  "linkerd-io",
  "linkerd-meshtls",
- "linkerd-meshtls-test-util",
+ "linkerd-meshtls-util",
  "linkerd-stack",
  "linkerd-tls",
  "linkerd-tls-test-util",
@@ -1426,7 +1492,7 @@ dependencies = [
  "linkerd-identity",
  "linkerd-io",
  "linkerd-meshtls",
- "linkerd-meshtls-test-util",
+ "linkerd-meshtls-util",
  "linkerd-stack",
  "linkerd-tls",
  "linkerd-tls-test-util",
@@ -1440,11 +1506,14 @@ dependencies = [
 ]
 
 [[package]]
-name = "linkerd-meshtls-test-util"
+name = "linkerd-meshtls-util"
 version = "0.1.0"
 dependencies = [
+ "linkerd-error",
  "linkerd-identity",
  "rcgen",
+ "tracing",
+ "x509-parser",
 ]
 
 [[package]]
@@ -2107,6 +2176,27 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "num-bigint"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-integer"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+dependencies = [
+ "autocfg",
+ "num-traits",
+]
+
 [[package]]
 name = "num-traits"
 version = "0.2.15"
@@ -2126,6 +2216,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "oid-registry"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9bedf36ffb6ba96c2eb7144ef6270557b52e54b20c0a8e1eb2ff99a6c6959bff"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.17.1"
@@ -2481,6 +2580,15 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
 
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
 [[package]]
 name = "rustix"
 version = "0.36.16"
@@ -2674,6 +2782,18 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
 
+[[package]]
+name = "synstructure"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+ "unicode-xid",
+]
+
 [[package]]
 name = "tempfile"
 version = "3.5.0"
@@ -2734,9 +2854,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4a34ab300f2dee6e562c10a046fc05e358b29f9bf92277f30c3c8d82275f6f5"
 dependencies = [
  "deranged",
+ "itoa",
  "powerfmt",
  "serde",
  "time-core",
+ "time-macros",
 ]
 
 [[package]]
@@ -2745,6 +2867,15 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
 
+[[package]]
+name = "time-macros"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ad70d68dba9e1f8aceda7aa6711965dfec1cac869f311a51bd08b3a2ccbce20"
+dependencies = [
+ "time-core",
+]
+
 [[package]]
 name = "tinyvec"
 version = "1.6.0"
@@ -3118,6 +3249,12 @@ dependencies = [
  "tinyvec",
 ]
 
+[[package]]
+name = "unicode-xid"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c"
+
 [[package]]
 name = "untrusted"
 version = "0.7.1"
@@ -3422,6 +3559,23 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "x509-parser"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7069fba5b66b9193bd2c5d3d4ff12b839118f6bcbef5328efafafb5395cf63da"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror",
+ "time",
+]
+
 [[package]]
 name = "yasna"
 version = "0.5.2"

Cargo.toml

@@ -36,7 +36,7 @@ members = [
     "linkerd/meshtls",
     "linkerd/meshtls/boring",
     "linkerd/meshtls/rustls",
-    "linkerd/meshtls/test-util",
+    "linkerd/meshtls/util",
     "linkerd/metrics",
     "linkerd/opencensus",
     "linkerd/proxy/api-resolve",

linkerd/app/outbound/src/http/concrete.rs

@@ -374,14 +374,14 @@ impl<T> svc::Param<tls::ConditionalClientTls> for Endpoint<T> {
         self.metadata
             .identity()
             .cloned()
-            .map(move |server_id| {
+            .map(move |(server_id, server_name)| {
                 let alpn = if use_transport_header {
                     use linkerd_app_core::transport_header::PROTOCOL;
                     Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                 } else {
                     None
                 };
-                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
+                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, server_name, alpn))
             })
             .unwrap_or(tls::ConditionalClientTls::None(
                 tls::NoClientTls::NotProvidedByServiceDiscovery,

linkerd/app/outbound/src/http/require_id_header.rs

@@ -1,5 +1,5 @@
 use futures::{future, TryFutureExt};
-use linkerd_app_core::{dns, identity, svc, tls, Conditional, Error};
+use linkerd_app_core::{identity, svc, tls, Conditional, Error};
 use std::task::{Context, Poll};
 use thiserror::Error;
 use tracing::{debug, trace};
@@ -59,8 +59,7 @@ impl<S> RequireIdentity<S> {
     #[inline]
     fn extract_id<B>(req: &mut http::Request<B>) -> Option<identity::Id> {
         let v = req.headers_mut().remove(HEADER_NAME)?;
-        let n = v.to_str().ok()?.parse::<dns::Name>().ok()?;
-        Some(n.into())
+        v.to_str().ok()?.parse::<identity::Id>().ok()
     }
 }
 

linkerd/app/outbound/src/opaq/concrete.rs

@@ -283,14 +283,14 @@ impl<T> svc::Param<tls::ConditionalClientTls> for Endpoint<T> {
         self.metadata
             .identity()
             .cloned()
-            .map(move |server_id| {
+            .map(move |(server_id, server_name)| {
                 let alpn = if use_transport_header {
                     use linkerd_app_core::transport_header::PROTOCOL;
                     Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                 } else {
                     None
                 };
-                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
+                tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, server_name, alpn))
             })
             .unwrap_or(tls::ConditionalClientTls::None(
                 tls::NoClientTls::NotProvidedByServiceDiscovery,