proxy-wasm-go-sdk
Obtain downstream ssl information
Describe the bug / error
We're using mTLS in an Istio ingressgateway and have a need to get information from the downstream client certificate. Currently we are using Lua and can then get this information through the streamInfo object, but we would like to switch to WASM if possible. We have not found a way to retrieve the same information, which is then a deal breaker for us.
You can retrieve the downstream peer subject it seems in WASM like this:
subject, err := proxywasm.GetProperty([]string{"connection", "subject_peer_certificate"})
but we also need to get the peer_issuer and peer_serial_number which I haven't found out how to get.
Istio forwards the downstream certificate in the x-forwarded-client-cert header, but there seems to be a problem with TinyGo using the crypto package, making it impossible to parse the data into an x509 certificate. See x509.ParsePKCS1PublicKey() fails due to panic
So I'm wondering if there is a way to get more downstream peer certificate information in some way in WASM? Or does anyone have any pointers on where to contribute to expose this information?
What is your Envoy/Istio version?
Istio: 1.13.3+ Envoy: 1.21.2+
What is the SDK version?
v0.20.0
What is your TinyGo version?
tinygo version 0.26.0 linux/amd64 (using go version go1.19 and LLVM version 14.0.0)
URL or snippet of your code including Envoy configuration
Additional context (Optional)
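The header route mentioned in the report, as an added example that is not code from the original issue, the SDK or Istio: a parser for Envoy's x-forwarded-client-cert (XFCC) format that uses only string handling, so it sidesteps the TinyGo crypto/x509 panic while still recovering Hash, Subject and URI for the downstream client. It assumes Envoy's documented XFCC syntax (comma-separated elements, semicolon-separated key=value pairs, quoted values with \" escapes); the sample header and the spiffe:// identities are constructed.

```go
package main

import (
	"fmt"
	"strings"
)
// XFCCElement is one proxy hop's key=value pairs from x-forwarded-client-cert;
// keys are lower-cased because Envoy treats them as case-insensitive.
type XFCCElement map[string]string
// splitOutsideQuotes splits s on sep, ignoring separators inside double quotes
// (Envoy quotes a value containing ',' ';' or '=' and escapes quotes as \").
func splitOutsideQuotes(s string, sep byte) []string {
	var parts []string
	start, quoted := 0, false
	for i := 0; i < len(s); i++ {
		switch {
		case quoted && s[i] == '\\' && i+1 < len(s) && s[i+1] == '"':
			i++ // skip the escaped quote
		case s[i] == '"':
			quoted = !quoted
		case s[i] == sep && !quoted:
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}
// ParseXFCC parses Envoy's XFCC format (','-separated elements, one per hop;
// ';'-separated pairs inside each) with string handling only, no crypto/x509.
func ParseXFCC(header string) []XFCCElement {
	var elems []XFCCElement
	for _, raw := range splitOutsideQuotes(header, ',') {
		el := XFCCElement{}
		for _, pair := range splitOutsideQuotes(raw, ';') {
			if kv := strings.SplitN(pair, "=", 2); len(kv) == 2 {
				v := strings.TrimSpace(kv[1])
				if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' { // quoted value
					v = strings.ReplaceAll(v[1:len(v)-1], `\"`, `"`)
				}
				el[strings.ToLower(strings.TrimSpace(kv[0]))] = v
			}
		}
		if len(el) > 0 { // drop empty segments such as a trailing comma
			elems = append(elems, el)
		}
	}
	return elems
}
func main() { // constructed header in Istio's usual Hash;Subject;URI shape, not real data
	fmt.Println(ParseXFCC(`Hash=0123abcd;Subject="CN=client,O=Example Corp";URI=spiffe://cluster.local/ns/default/sa/client`))
}
```

Issuer and serial number are not XFCC keys, so this parser cannot supply them: they exist only inside the PEM carried by Cert=, which still needs x509 parsing. The last element in the slice is the one appended by the Envoy nearest to the plugin, which is the hop whose downstream client you normally care about.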
So basically, the current workaround would be: you can compile a Rust library to parse the x509 certs into Wasm and link it with the Proxy-Wasm Go SDK-produced Wasm binary. That is exactly what we (especially @anuraaga) have done in https://github.com/corazawaf/coraza-proxy-wasm, where another garbage collection library written in C is linked and replaces TinyGo's default GC.
https://github.com/tetratelabs/proxy-wasm-go-sdk/pull/451