author | Deepak Lukose <deepaklukose@google.com> | 2016-03-25 12:54:25 -0700 |
---|---|---|
committer | Deepak Lukose <deepaklukose@google.com> | 2016-04-19 15:02:06 -0700 |
commit | dba4c5fd0144b68916b4dc2bbbd02d12c2e12041 (patch) | |
tree | f7284c54983f7bd9859453dc4e2111a80442441f /include | |
parent | 17735908ed4eb1c54bd1b3652062b49f58a985e3 (diff) |
Add various options to verify ssl/tls client cert including letting the
application handle the authentication.
Diffstat (limited to 'include')
-rw-r--r-- | include/grpc++/security/server_credentials.h | 15 | ||||
-rw-r--r-- | include/grpc/grpc_security.h | 38 | ||||
-rw-r--r-- | include/grpc/grpc_security_constants.h | 114 |
3 files changed, 140 insertions, 27 deletions
diff --git a/include/grpc++/security/server_credentials.h b/include/grpc++/security/server_credentials.h index 5a9f8a42e2..229bab8d84 100644 --- a/include/grpc++/security/server_credentials.h +++ b/include/grpc++/security/server_credentials.h @@ -39,6 +39,7 @@ #include <grpc++/security/auth_metadata_processor.h> #include <grpc++/support/config.h> +#include <grpc/grpc_security_constants.h> struct grpc_server; @@ -69,7 +70,13 @@ class ServerCredentials { /// Options to create ServerCredentials with SSL struct SslServerCredentialsOptions { - SslServerCredentialsOptions() : force_client_auth(false) {} + // Deprecated + SslServerCredentialsOptions() + : force_client_auth(false), + client_certificate_request(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {} + SslServerCredentialsOptions( + grpc_ssl_client_certificate_request_type request_type) + : force_client_auth(false), client_certificate_request(request_type) {} struct PemKeyCertPair { grpc::string private_key; @@ -77,7 +84,13 @@ struct SslServerCredentialsOptions { }; grpc::string pem_root_certs; std::vector<PemKeyCertPair> pem_key_cert_pairs; + // Deprecated bool force_client_auth; + + // If both force_client_auth and client_certificate_request fields are set, + // force_client_auth takes effect i.e + // REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY will be enforced. + grpc_ssl_client_certificate_request_type client_certificate_request; }; /// Builds SSL ServerCredentials given SSL specific options diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index a36926b23e..79199cc5d6 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -35,6 +35,7 @@ #define GRPC_GRPC_SECURITY_H #include <grpc/grpc.h> +#include <grpc/grpc_security_constants.h> #include <grpc/status.h> #ifdef __cplusplus 
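Review bot: The new one-argument constructor in the `@@ -69,7 +70,13 @@` hunk is not marked `explicit`, so a bare enum value converts silently into a whole `SslServerCredentialsOptions` with empty roots and no key/cert pairs. I would declare it as `explicit SslServerCredentialsOptions(grpc_ssl_client_certificate_request_type request_type)`. The `// Deprecated` comment above the default constructor should also name the replacement and state that this constructor leaves the server at `GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE`, so no client certificate is requested unless the caller opts in. The struct body continues outside this hunk.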
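Review bot: The comment added above `client_certificate_request` in the `@@ -77,7 +84,13 @@` hunk says `force_client_auth` wins when both fields are "set", but a bool is always set, so it does not say what happens when `force_client_auth` is false and a stricter request type is chosen. Presumably only `force_client_auth == true` overrides. The comment could read `// If force_client_auth is true it overrides client_certificate_request and GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY is enforced; otherwise client_certificate_request is used as given.` The enumerator should be written with its `GRPC_SSL_` prefix so it can be searched for. The code that applies this precedence is not in this diff, so the wording needs checking against it.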
@@ -43,13 +44,6 @@ extern "C" { /* --- Authentication Context. --- */ -#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type" -#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl" - -#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name" -#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name" -#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert" - typedef struct grpc_auth_context grpc_auth_context; typedef struct grpc_auth_property_iterator { 
@@ -130,29 +124,11 @@ typedef struct grpc_channel_credentials grpc_channel_credentials; The creator of the credentials object is responsible for its release. */ GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials *creds); -/* Environment variable that points to the google default application - credentials json key or refresh token. Used in the - grpc_google_default_credentials_create function. */ -#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS" - /* Creates default credentials to connect to a google gRPC service. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. */ GRPCAPI grpc_channel_credentials *grpc_google_default_credentials_create(void); -/* Environment variable that points to the default SSL roots file. This file - must be a PEM encoded file with all the roots such as the one that can be - downloaded from https://pki.google.com/roots.pem. */ -#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \ - "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH" - -/* Results for the SSL roots override callback. */ -typedef enum { - GRPC_SSL_ROOTS_OVERRIDE_OK, - GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */ - GRPC_SSL_ROOTS_OVERRIDE_FAIL -} grpc_ssl_roots_override_result; - /* Callback for getting the SSL roots override from the application. In case of success, *pem_roots_certs must be set to a NULL terminated string containing the list of PEM encoded root certificates. The ownership is passed 
@@ -334,7 +310,8 @@ typedef struct grpc_server_credentials grpc_server_credentials; */ GRPCAPI void grpc_server_credentials_release(grpc_server_credentials *creds); -/* Creates an SSL server_credentials object. +/* Deprecated in favor of grpc_ssl_server_credentials_create_ex. + Creates an SSL server_credentials object. - pem_roots_cert is the NULL-terminated string containing the PEM encoding of the client root certificates. This parameter may be NULL if the server does not want the client to be authenticated with SSL. @@ -349,6 +326,15 @@ GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create( const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, size_t num_key_cert_pairs, int force_client_auth, void *reserved); +/* Same as grpc_ssl_server_credentials_create method except uses + grpc_ssl_client_certificate_request_type enum to support more ways to + authenticate client cerificates.*/ +GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create_ex( + const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, + size_t num_key_cert_pairs, + grpc_ssl_client_certificate_request_type client_certificate_request, + void *reserved); + /* --- Server-side secure ports. --- */ /* Add a HTTP2 over an encrypted link over tcp listener. diff --git a/include/grpc/grpc_security_constants.h b/include/grpc/grpc_security_constants.h new file mode 100644 index 0000000000..da05c5a97b --- /dev/null +++ b/include/grpc/grpc_security_constants.h 
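Review bot: The comment on `grpc_ssl_server_credentials_create_ex` in the `@@ -349,6 +326,15 @@` hunk only points back to the deprecated function, whose text says `pem_root_certs` may be NULL when the client is not to be authenticated. It does not say what the new function does when `pem_root_certs` is NULL and the request type is one of the `..._AND_VERIFY` values. The declaration should document that combination (rejected, or verified against some default root set). It should also say that with the `..._BUT_DONT_VERIFY` values the application is responsible for validating the client certificate, as the enum comments put it. "cerificates" in the same comment is a typo for "certificates".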
@@ -0,0 +1,114 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef GRPC_GRPC_SECURITY_CONSTANTS_H
+#define GRPC_GRPC_SECURITY_CONSTANTS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type"
+#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl"
+
+#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name"
+#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name"
+#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert"
+
+/* Environment variable that points to the default SSL roots file. This file
+ must be a PEM encoded file with all the roots such as the one that can be
+ downloaded from https://pki.google.com/roots.pem. */
+#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
+ "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
+
+/* Environment variable that points to the google default application
+ credentials json key or refresh token. Used in the
+ grpc_google_default_credentials_create function. */
+#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS"
+
+/* Results for the SSL roots override callback. */
+typedef enum {
+ GRPC_SSL_ROOTS_OVERRIDE_OK,
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL
+} grpc_ssl_roots_override_result;
+
+typedef enum {
+ /* Server does not request client certificate. A client can present a self
+ signed or signed certificates if it wishes to do so and they would be
+ accepted. */
+ GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
+ /* Server requests client certificate but does not enforce that the client
+ presents a certificate.
+
+ If the client presents a certificate, the client authentication is left to
+ the application based on the metadata like certificate etc.
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
+ /* Server requests client certificate but does not enforce that the client
+ presents a certificate.
+
+ If the client presents a certificate, the client authentication is done by
+ grpc framework (The client needs to either present a signed cert or skip no
+ certificate for a successful connection).
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY,
+ /* Server requests client certificate but enforces that the client presents a
+ certificate.
+
+ If the client presents a certificate, the client authentication is left to
+ the application based on the metadata like certificate etc.
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
+ /* Server requests client certificate but enforces that the client presents a
+ certificate.
+
+ The cerificate presented by the client is verified by grpc framework (The
+ client needs to present signed certs for a successful connection).
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+} grpc_ssl_client_certificate_request_type;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */ |
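Review bot: The comments on the two `..._BUT_DONT_VERIFY` enumerators of `grpc_ssl_client_certificate_request_type` say authentication "is left to the application" but never state the consequence. In these modes the certificate is presumably not chain-validated, so anything the application reads from it (for instance the values published under `GRPC_X509_CN_PROPERTY_NAME` or `GRPC_X509_PEM_CERT_PROPERTY_NAME`) is unauthenticated until the application validates it. I would add a sentence to each, such as `The certificate is NOT validated by gRPC; the application must verify it before trusting any identity taken from it.` In the comment on `GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY`, "skip no certificate" appears to mean "present no certificate" and should be reworded. "The key cert pair should still be valid", repeated on four enumerators, does not say whose pair is meant.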