authorGravatar Craig Tiller <ctiller@google.com>2016-02-01 07:36:14 -0800
committerGravatar Craig Tiller <ctiller@google.com>2016-02-01 07:36:14 -0800
commit26af07924e70ae72caa5f60c587ca7b269533c6d (patch)
treeaf6b77c0e0a73c1b54becd143ed8220924b8f006 /include/grpc/grpc_security.h
parentf09fb7e4b042fbb0b7272598b941acc58b41e839 (diff)
parent2757fa8b3967b3dbbf75782d59d284cf2f7cd3ca (diff)
Merge pull request #4934 from jboeuf/ssl_credentials_override_default_roots
Ssl credentials override default roots
Diffstat (limited to 'include/grpc/grpc_security.h')
-rw-r--r--include/grpc/grpc_security.h28
1 files changed, 26 insertions, 2 deletions
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index b50c58ce1e..b43045af04 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -147,6 +147,29 @@ GRPC_API grpc_channel_credentials *grpc_google_default_credentials_create(void);
#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
"GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
+/* Results for the SSL roots override callback. */
+typedef enum {
+ GRPC_SSL_ROOTS_OVERRIDE_OK,
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL
+} grpc_ssl_roots_override_result;
+
+/* Callback for getting the SSL roots override from the application.
+ In case of success, *pem_roots_certs must be set to a NULL terminated string
+ containing the list of PEM encoded root certificates. The ownership is passed
+ to the core and freed (laster by the core) with gpr_free.
+ If this function fails and GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is
+ set to a valid path, it will override the roots specified this func */
+typedef grpc_ssl_roots_override_result (*grpc_ssl_roots_override_callback)(
+ char **pem_root_certs);
+
+/* Setup a callback to override the default TLS/SSL roots.
+ This function is not thread-safe and must be called at initialization time
+ before any ssl credentials are created to have the desired side effect.
+ If GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment is set to a valid path, the
+ callback will not be called. */
+void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb);
+
/* Object that holds a private key / certificate chain pair in PEM format. */
typedef struct {
/* private_key is the NULL-terminated string containing the PEM encoding of
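Review bot: The comment on `grpc_ssl_roots_override_callback` calls the out-parameter `*pem_roots_certs` while the typedef declares `pem_root_certs`, and it leaves two parts of the ownership contract unstated: that the string must come from the gpr allocator, since the core releases it with `gpr_free`, and what the callback must leave in `*pem_root_certs` when it fails. Both comments say a valid `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH` takes precedence over the callback, so an application that installs the callback to pin its trust roots can have them replaced through the process environment; that deserves an explicit sentence for integrators. `GRPC_SSL_ROOTS_OVERRIDE_FAIL` has no comment; judging by the one on `GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY` it presumably lets fallback sources be tried, which I would state as `/* Fallback options are tried. */`. `grpc_set_ssl_roots_override_callback` is declared without `GRPC_API`, which the declaration in the hunk header carries. The wording also needs fixing: "laster" should be "later" and "specified this func" should be "specified by this function".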
@@ -163,8 +186,9 @@ typedef struct {
of the server root certificates. If this parameter is NULL, the
implementation will first try to dereference the file pointed by the
GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails,
- get the roots from a well-known place on disk (in the grpc install
- directory).
+ try to get the roots set by grpc_override_ssl_default_roots. Eventually,
+ if all these fail, it will try to get the roots from a well-known place on
+ disk (in the grpc install directory).
- pem_key_cert_pair is a pointer on the object containing client's private
key and certificate chain. This parameter can be NULL if the client does
not have such a key/cert pair. */
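Review bot: The added text refers to `grpc_override_ssl_default_roots`, but the function this commit declares is `grpc_set_ssl_roots_override_callback`, so the reference points readers at a name that does not exist in the visible header; I would write `try to get the roots from the callback set with grpc_set_ssl_roots_override_callback`. This paragraph is where the order of trust-anchor sources is documented (environment file, then callback, then install directory), so it should also say that a callback returning `GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY` stops the chain before the on-disk roots, as the enum comment implies. "Eventually" reads better as "Finally". The comment block starts above the hunk.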