CBL-6902: External Keys to work with client cert (#2254)

* CBL-6902: External Keys to work with client cert

- Override ExternalPrivateKey::isPrivateKeyDataAvailable to return false.
- For external keys, we do not have key data. Unlike the KeyData, which is passed in a fleece dictionary inside C4ReplicatorParameters, we have to pass C4KeyPair by object pointer.
- We added "C4KeyPair*" to C4ReplicatorParameters. This is the counterpart of kC4ReplicatorAuthClientCertKey when PrivateKeyData is not available (mutually exclusive).
- It is an EE only option.

Author: jianminzhao

C/include/c4ReplicatorTypes.h

@@ -203,6 +203,9 @@ typedef struct C4ReplicatorParameters {
     const C4SocketFactory* C4NULLABLE                 socketFactory;    ///< Custom C4SocketFactory, if not NULL
     C4ReplicationCollection*                          collections;
     size_t                                            collectionCount;
+#ifdef COUCHBASE_ENTERPRISE
+    C4KeyPair* C4NULLABLE externalKey;
+#endif
 } C4ReplicatorParameters;
 
 #pragma mark - CONSTANTS:

Crypto/PublicKey.hh

@@ -115,6 +115,9 @@ namespace litecore::crypto {
 
     /** A key-pair stored externally; subclasses must implement the crypto operations. */
     class ExternalPrivateKey : public PrivateKey {
+      public:
+        virtual bool isPrivateKeyDataAvailable() override { return false; }
+
       protected:
         explicit ExternalPrivateKey(unsigned keySizeInBits);
 

Networking/WebSockets/BuiltInWebSocket.cc

@@ -29,10 +29,11 @@ using namespace litecore::websocket;
 
 void C4RegisterBuiltInWebSocket() {
     // NOLINTBEGIN(performance-unnecessary-value-param)
-    C4SocketImpl::registerInternalFactory(
-            [](websocket::URL url, fleece::alloc_slice options, std::shared_ptr<DBAccess> database) -> WebSocketImpl* {
-                return new BuiltInWebSocket(url, C4SocketImpl::convertParams(options), database);
-            });
+    C4SocketImpl::registerInternalFactory([](websocket::URL url, fleece::alloc_slice options,
+                                             std::shared_ptr<DBAccess> database,
+                                             C4KeyPair*                externalKey) -> WebSocketImpl* {
+        return new BuiltInWebSocket(url, C4SocketImpl::convertParams(options, externalKey), database);
+    });
     // NOLINTEND(performance-unnecessary-value-param)
 }
 
@@ -252,6 +253,13 @@ namespace litecore::websocket {
                                             "Missing TLS client cert in C4Replicator config"_sl));
                 return false;
             }
+#ifdef COUCHBASE_ENTERPRISE
+            if ( parameters().externalKey ) {
+                Retained<crypto::Cert> cert = make_retained<crypto::Cert>(certData);
+                _tlsContext->setIdentity(new crypto::Identity(cert, parameters().externalKey->getPrivateKey()));
+                return true;
+            }
+#endif
             if ( slice keyData = auth[kC4ReplicatorAuthClientCertKey].asData(); keyData ) {
                 _tlsContext->setIdentity(certData, keyData);
                 return true;

Networking/WebSockets/WebSocketImpl.hh

@@ -14,6 +14,7 @@
 #include "WebSocketInterface.hh"
 #include "Logging.hh"
 #include "Stopwatch.hh"
+#include "c4Certificate.hh"
 #include "fleece/Expert.hh"  // for AllocedDict
 #include <atomic>
 #include <chrono>
@@ -45,6 +46,9 @@ namespace litecore::websocket {
             int                 heartbeatSecs;       ///< WebSocket heartbeat interval in seconds (default if 0)
             fleece::alloc_slice networkInterface;    ///< Network interface
             fleece::AllocedDict options;             ///< Other options
+#ifdef COUCHBASE_ENTERPRISE
+            Retained<C4KeyPair> externalKey;  ///< Client cert uses external key..
+#endif
         };
 
         WebSocketImpl(const URL& url, Role role, bool framing, Parameters);

Replicator/c4RemoteReplicator.hh

@@ -54,6 +54,9 @@ namespace litecore {
                 _customSocketFactory = *params.socketFactory;
                 _socketFactory       = &_customSocketFactory;
             }
+#if COUCHBASE_ENTERPRISE
+            _socketExternalKey = params.externalKey;
+#endif
         }
 
         void start(bool reset) noexcept override {
@@ -117,8 +120,14 @@ namespace litecore {
             _c4db_setDatabaseTag(dbOpenedAgain, DatabaseTag_C4RemoteReplicator);
             auto dbAccess =
                     make_shared<DBAccess>(dbOpenedAgain, _options->properties["disable_blob_support"_sl].asBool());
-            auto webSocket = CreateWebSocket(_url, socketOptions(), dbAccess, _socketFactory);
-            _replicator    = new Replicator(dbAccess, webSocket, *this, _options);
+            auto webSocket = CreateWebSocket(_url, socketOptions(), dbAccess, _socketFactory, nullptr
+#ifdef COUCHBASE_ENTERPRISE
+                                             ,
+                                             _socketExternalKey);
+#else
+            );
+#endif
+            _replicator = new Replicator(dbAccess, webSocket, *this, _options);
 
             // Yes this line is disgusting, but the memory addresses that the logger logs
             // are not the _actual_ addresses of the object, but rather the pointer to
@@ -220,6 +229,13 @@ namespace litecore {
       private:
         alloc_slice const      _url;
         const C4SocketFactory* _socketFactory{nullptr};
+        // _socketExternalKey comes from C4ReplicatorParameters::externalKey. It belongs to
+        // kC4ReplicatorOptionAuthentication, but it's not present in the corresponding dictionary.
+        // It's mutually exclusive with kC4ReplicatorAuthClientCertKey, which provides the option
+        // by key-data.
+#if COUCHBASE_ENTERPRISE
+        Retained<C4KeyPair> _socketExternalKey;
+#endif
         C4SocketFactory        _customSocketFactory{};  // Storage for *_socketFactory if non-null
         litecore::actor::Timer _retryTimer;
         unsigned               _retryCount{0};

Replicator/c4Socket+Internal.hh

@@ -22,7 +22,8 @@ namespace litecore::repl {
     // Main factory function to create a WebSocket.
     fleece::Retained<websocket::WebSocket> CreateWebSocket(const websocket::URL&, const fleece::alloc_slice& options,
                                                            std::shared_ptr<DBAccess>, const C4SocketFactory*,
-                                                           void* nativeHandle = nullptr);
+                                                           void*      nativeHandle = nullptr,
+                                                           C4KeyPair* externalKey  = nullptr);
 
     // Returns the WebSocket object associated with a C4Socket
     websocket::WebSocket* WebSocketFrom(C4Socket* c4sock);
@@ -34,11 +35,11 @@ namespace litecore::repl {
       public:
         static const C4SocketFactory& registeredFactory();
 
-        using InternalFactory = websocket::WebSocketImpl* (*)(websocket::URL, fleece::alloc_slice options,
-                                                              std::shared_ptr<DBAccess>);
+        using InternalFactory = websocket::WebSocketImpl* (*)(websocket::URL, fleece::alloc_slice   options,
+                                                              std::shared_ptr<DBAccess>, C4KeyPair* externalKey);
         static void registerInternalFactory(InternalFactory);
 
-        static Parameters convertParams(fleece::slice c4SocketOptions);
+        static Parameters convertParams(fleece::slice c4SocketOptions, C4KeyPair* externalKey = nullptr);
 
         C4SocketImpl(const websocket::URL&, websocket::Role, const fleece::alloc_slice& options, const C4SocketFactory*,
                      void* nativeHandle = nullptr);

Replicator/c4Socket.cc

@@ -62,15 +62,15 @@ namespace litecore::repl {
 
     Retained<WebSocket> CreateWebSocket(const websocket::URL& url, const alloc_slice& options,
                                         shared_ptr<DBAccess> database, const C4SocketFactory* factory,
-                                        void* nativeHandle) {
+                                        void* nativeHandle, C4KeyPair* externalKey) {
         if ( !factory ) factory = sRegisteredFactory;
 
         if ( factory ) {
             auto ret = new C4SocketImpl(url, Role::Client, options, factory, nativeHandle);
             return ret;
         } else if ( sRegisteredInternalFactory ) {
             Assert(!nativeHandle);
-            return sRegisteredInternalFactory(url, options, std::move(database));
+            return sRegisteredInternalFactory(url, options, std::move(database), externalKey);
         } else {
             throw std::logic_error("No default C4SocketFactory registered; call c4socket_registerFactory())");
         }
@@ -80,12 +80,15 @@ namespace litecore::repl {
         return f ? *f : C4SocketImpl::registeredFactory();
     }
 
-    WebSocketImpl::Parameters C4SocketImpl::convertParams(slice c4SocketOptions) {
+    WebSocketImpl::Parameters C4SocketImpl::convertParams(slice c4SocketOptions, C4KeyPair* externalKey) {
         WebSocketImpl::Parameters params = {};
         params.options                   = AllocedDict(c4SocketOptions);
         params.webSocketProtocols        = params.options[kC4SocketOptionWSProtocols].asString();
         params.heartbeatSecs             = (int)params.options[kC4ReplicatorHeartbeatInterval].asInt();
         params.networkInterface          = params.options[kC4SocketOptionNetworkInterface].asString();
+#ifdef COUCHBASE_ENTERPRISE
+        params.externalKey = externalKey;
+#endif
         return params;
     }