authorGravatar Ian Haken <ihaken@netflix.com>2017-10-26 14:34:15 -0700
committerGravatar Ian Haken <ihaken@netflix.com>2018-06-12 12:59:37 -0700
commit68eff58df61bfde1b438d109c197f1a260230a68 (patch)
treee9ac198d2eadb06927ae527cd0d362b4dd3ffddb /include/grpc/grpc_security.h
parentf91adce31c6ac38aec2490e0337cec8430d3a26c (diff)
Create verify_peer_options when creating ssl credentials in order to expose a verification callback option.
These options are not yet exposed to languages outside of core.
Diffstat (limited to 'include/grpc/grpc_security.h')
-rw-r--r--include/grpc/grpc_security.h31
1 files changed, 29 insertions, 2 deletions
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index e1975a8e09..b34fb70898 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -163,6 +163,26 @@ typedef struct {
const char* cert_chain;
} grpc_ssl_pem_key_cert_pair;
+/** Object that holds additional peer-verification options on a secure
+ channel. */
+typedef struct {
+ /** If non-NULL this callback will be invoked with the expected
+ target_name, the peer's certificate (in PEM format), and whatever
+ userdata pointer is set below. If a non-zero value is returned by this
+ callback then it is treated as a verification failure. Invocation of
+ the callback is blocking, so any implementation should be light-weight.
+ */
+ int (*verify_peer_callback)(const char* target_name, const char* peer_pem,
+ void* userdata);
+ /** Arbitrary userdata that will be passed as the last argument to
+ verify_peer_callback. */
+ void* verify_peer_callback_userdata;
+ /** A destruct callback that will be invoked when the channel is being
+ cleaned up. The userdata argument will be passed to it. The intent is
+ to perform any cleanup associated with that userdata. */
+ void (*verify_peer_destruct)(void* userdata);
+} verify_peer_options;
+
/** Creates an SSL credentials object.
- pem_root_certs is the NULL-terminated string containing the PEM encoding
of the server root certificates. If this parameter is NULL, the
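Review bot: The comment above verify_peer_callback does not say whether the callback runs in addition to, or instead of, the default certificate-chain and target-name verification, and the grpc_ssl_credentials_create comment in the second hunk only says that a NULL verify_options "will retain default behavior", which leaves open whether a non-NULL one replaces it. A caller could read this as the callback being the sole check, or as a way to accept a peer the default check rejected; if the implementation consults the callback only after the standard verification has succeeded (the "non-zero ... treated as a verification failure" wording suggests this, but the header alone cannot confirm it), state it explicitly, e.g. `/** ... The callback is consulted only after the default chain and target-name verification has succeeded; returning zero cannot override a failed default verification. */`. It would also help to say whether peer_pem is the leaf certificate alone or the whole presented chain, and that the callback may be invoked from several concurrent handshakes so the userdata must tolerate that, if that is how the handshaker calls it. As a point of style, the typedef name verify_peer_options lacks the grpc_ prefix carried by every other public type in this header (grpc_ssl_pem_key_cert_pair, grpc_channel_credentials), so consider `} grpc_ssl_verify_peer_options;` before the name is frozen into the public API.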
@@ -173,10 +193,17 @@ typedef struct {
disk (in the grpc install directory).
- pem_key_cert_pair is a pointer on the object containing client's private
key and certificate chain. This parameter can be NULL if the client does
- not have such a key/cert pair. */
+ not have such a key/cert pair.
+ - verify_options is an optional verify_peer_options object which holds
+ additional options controlling how peer certificates are verified. For
+ example, you can supply a callback which receives the peer's certificate
+ with which you can do additional verification. Can be NULL, in which
+ case verification will retain default behavior. Any settings in
+ verify_options are copied during this call, so the verify_options
+ object can be released afterwards. */
GRPCAPI grpc_channel_credentials* grpc_ssl_credentials_create(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
- void* reserved);
+ const verify_peer_options* verify_options, void* reserved);
/** --- grpc_call_credentials object.