aboutsummaryrefslogtreecommitdiffhomepage
path: root/include
diff options
context:
space:
mode:
authorGravatar Jan Tattermusch <jtattermusch@users.noreply.github.com>2016-04-20 21:01:30 -0700
committerGravatar Jan Tattermusch <jtattermusch@users.noreply.github.com>2016-04-20 21:01:30 -0700
commitdde6dfbb0bd1dfb3deac0b4f703d63528e1dc798 (patch)
tree04e2a31059b75fce8a174e0bbc4bdfebfae4b714 /include
parentde4fcb3a7f22d887090130036e2287d1f4f02da2 (diff)
parentdba4c5fd0144b68916b4dc2bbbd02d12c2e12041 (diff)
Merge pull request #5958 from deepaklukose/skip_client_cert_verification
Add various options to verify ssl/tls client cert including letting the application handle the authentication.
Diffstat (limited to 'include')
-rw-r--r--include/grpc++/security/server_credentials.h15
-rw-r--r--include/grpc/grpc_security.h38
-rw-r--r--include/grpc/grpc_security_constants.h114
3 files changed, 140 insertions, 27 deletions
diff --git a/include/grpc++/security/server_credentials.h b/include/grpc++/security/server_credentials.h
index 5a9f8a42e2..229bab8d84 100644
--- a/include/grpc++/security/server_credentials.h
+++ b/include/grpc++/security/server_credentials.h
@@ -39,6 +39,7 @@
#include <grpc++/security/auth_metadata_processor.h>
#include <grpc++/support/config.h>
+#include <grpc/grpc_security_constants.h>
struct grpc_server;
@@ -69,7 +70,13 @@ class ServerCredentials {
/// Options to create ServerCredentials with SSL
struct SslServerCredentialsOptions {
- SslServerCredentialsOptions() : force_client_auth(false) {}
+ // Deprecated
+ SslServerCredentialsOptions()
+ : force_client_auth(false),
+ client_certificate_request(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {}
+ SslServerCredentialsOptions(
+ grpc_ssl_client_certificate_request_type request_type)
+ : force_client_auth(false), client_certificate_request(request_type) {}
struct PemKeyCertPair {
grpc::string private_key;
@@ -77,7 +84,13 @@ struct SslServerCredentialsOptions {
};
grpc::string pem_root_certs;
std::vector<PemKeyCertPair> pem_key_cert_pairs;
+ // Deprecated
bool force_client_auth;
+
+ // If both force_client_auth and client_certificate_request fields are set,
+ // force_client_auth takes effect i.e
+ // REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY will be enforced.
+ grpc_ssl_client_certificate_request_type client_certificate_request;
};
/// Builds SSL ServerCredentials given SSL specific options
diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h
index a36926b23e..79199cc5d6 100644
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@@ -35,6 +35,7 @@
#define GRPC_GRPC_SECURITY_H
#include <grpc/grpc.h>
+#include <grpc/grpc_security_constants.h>
#include <grpc/status.h>
#ifdef __cplusplus
@@ -43,13 +44,6 @@ extern "C" {
/* --- Authentication Context. --- */
-#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type"
-#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl"
-
-#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name"
-#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name"
-#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert"
-
typedef struct grpc_auth_context grpc_auth_context;
typedef struct grpc_auth_property_iterator {
@@ -130,29 +124,11 @@ typedef struct grpc_channel_credentials grpc_channel_credentials;
The creator of the credentials object is responsible for its release. */
GRPCAPI void grpc_channel_credentials_release(grpc_channel_credentials *creds);
-/* Environment variable that points to the google default application
- credentials json key or refresh token. Used in the
- grpc_google_default_credentials_create function. */
-#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS"
-
/* Creates default credentials to connect to a google gRPC service.
WARNING: Do NOT use this credentials to connect to a non-google service as
this could result in an oauth2 token leak. */
GRPCAPI grpc_channel_credentials *grpc_google_default_credentials_create(void);
-/* Environment variable that points to the default SSL roots file. This file
- must be a PEM encoded file with all the roots such as the one that can be
- downloaded from https://pki.google.com/roots.pem. */
-#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
- "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
-
-/* Results for the SSL roots override callback. */
-typedef enum {
- GRPC_SSL_ROOTS_OVERRIDE_OK,
- GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */
- GRPC_SSL_ROOTS_OVERRIDE_FAIL
-} grpc_ssl_roots_override_result;
-
/* Callback for getting the SSL roots override from the application.
In case of success, *pem_roots_certs must be set to a NULL terminated string
containing the list of PEM encoded root certificates. The ownership is passed
@@ -334,7 +310,8 @@ typedef struct grpc_server_credentials grpc_server_credentials;
*/
GRPCAPI void grpc_server_credentials_release(grpc_server_credentials *creds);
-/* Creates an SSL server_credentials object.
+/* Deprecated in favor of grpc_ssl_server_credentials_create_ex.
+ Creates an SSL server_credentials object.
- pem_roots_cert is the NULL-terminated string containing the PEM encoding of
the client root certificates. This parameter may be NULL if the server does
not want the client to be authenticated with SSL.
@@ -349,6 +326,15 @@ GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create(
const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
size_t num_key_cert_pairs, int force_client_auth, void *reserved);
+/* Same as grpc_ssl_server_credentials_create method except uses
+ grpc_ssl_client_certificate_request_type enum to support more ways to
+ authenticate client cerificates.*/
+GRPCAPI grpc_server_credentials *grpc_ssl_server_credentials_create_ex(
+ const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
+ size_t num_key_cert_pairs,
+ grpc_ssl_client_certificate_request_type client_certificate_request,
+ void *reserved);
+
/* --- Server-side secure ports. --- */
/* Add a HTTP2 over an encrypted link over tcp listener.
diff --git a/include/grpc/grpc_security_constants.h b/include/grpc/grpc_security_constants.h
new file mode 100644
index 0000000000..da05c5a97b
--- /dev/null
+++ b/include/grpc/grpc_security_constants.h
@@ -0,0 +1,114 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef GRPC_GRPC_SECURITY_CONSTANTS_H
+#define GRPC_GRPC_SECURITY_CONSTANTS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME "transport_security_type"
+#define GRPC_SSL_TRANSPORT_SECURITY_TYPE "ssl"
+
+#define GRPC_X509_CN_PROPERTY_NAME "x509_common_name"
+#define GRPC_X509_SAN_PROPERTY_NAME "x509_subject_alternative_name"
+#define GRPC_X509_PEM_CERT_PROPERTY_NAME "x509_pem_cert"
+
+/* Environment variable that points to the default SSL roots file. This file
+ must be a PEM encoded file with all the roots such as the one that can be
+ downloaded from https://pki.google.com/roots.pem. */
+#define GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR \
+ "GRPC_DEFAULT_SSL_ROOTS_FILE_PATH"
+
+/* Environment variable that points to the google default application
+ credentials json key or refresh token. Used in the
+ grpc_google_default_credentials_create function. */
+#define GRPC_GOOGLE_CREDENTIALS_ENV_VAR "GOOGLE_APPLICATION_CREDENTIALS"
+
+/* Results for the SSL roots override callback. */
+typedef enum {
+ GRPC_SSL_ROOTS_OVERRIDE_OK,
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY, /* Do not try fallback options. */
+ GRPC_SSL_ROOTS_OVERRIDE_FAIL
+} grpc_ssl_roots_override_result;
+
+typedef enum {
+ /* Server does not request client certificate. A client can present a self
+ signed or signed certificates if it wishes to do so and they would be
+ accepted. */
+ GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
+ /* Server requests client certificate but does not enforce that the client
+ presents a certificate.
+
+ If the client presents a certificate, the client authentication is left to
+ the application based on the metadata like certificate etc.
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
+ /* Server requests client certificate but does not enforce that the client
+ presents a certificate.
+
+ If the client presents a certificate, the client authentication is done by
+ grpc framework (The client needs to either present a signed cert or skip no
+ certificate for a successful connection).
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY,
+ /* Server requests client certificate but enforces that the client presents a
+ certificate.
+
+ If the client presents a certificate, the client authentication is left to
+ the application based on the metadata like certificate etc.
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY,
+ /* Server requests client certificate but enforces that the client presents a
+ certificate.
+
+ The cerificate presented by the client is verified by grpc framework (The
+ client needs to present signed certs for a successful connection).
+
+ The key cert pair should still be valid for the SSL connection to be
+ established. */
+ GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+} grpc_ssl_client_certificate_request_type;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GRPC_GRPC_SECURITY_CONSTANTS_H */