Support SSL server certificate reloading.

author: Justin Burke <burkej@google.com> 2017-09-19 15:06:01 -0700
committer: Justin Burke <burkej@google.com> 2017-10-27 13:41:44 -0700
commit: c1d354d7f2621f467e2f37f36498c20e132c3a72 (patch)
tree: 7cd280aef1a9a3e35f381782163e220dc7fee6f8 /src/core/lib/security/credentials/ssl
parent: bf3f4be8f3b841ff2bd2fc0b8b11597580776568 (diff)
2 files changed, 159 insertions, 9 deletions
diff --git a/src/core/lib/security/credentials/ssl/ssl_credentials.cc b/src/core/lib/security/credentials/ssl/ssl_credentials.cc
index 8e47aebedb..2085e2b8e7 100644
--- a/src/core/lib/security/credentials/ssl/ssl_credentials.cc
+++ b/src/core/lib/security/credentials/ssl/ssl_credentials.cc
@@ -119,6 +119,12 @@ grpc_channel_credentials *grpc_ssl_credentials_create(
 // SSL Server Credentials.
 //
 
+struct grpc_ssl_server_credentials_options {
+  grpc_ssl_client_certificate_request_type client_certificate_request;
+  grpc_ssl_server_certificate_config *certificate_config;
+  grpc_ssl_server_certificate_config_fetcher *certificate_config_fetcher;
+};
+
 static void ssl_server_destruct(grpc_exec_ctx *exec_ctx,
                                 grpc_server_credentials *creds) {
   grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
@@ -130,9 +136,7 @@ static void ssl_server_destruct(grpc_exec_ctx *exec_ctx,
 static grpc_security_status ssl_server_create_security_connector(
     grpc_exec_ctx *exec_ctx, grpc_server_credentials *creds,
     grpc_server_security_connector **sc) {
-  grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)creds;
-  return grpc_ssl_server_security_connector_create(exec_ctx, creds, &c->config,
-                                                   sc);
+  return grpc_ssl_server_security_connector_create(exec_ctx, creds, sc);
 }
 
 static grpc_server_credentials_vtable ssl_server_vtable = {
@@ -170,6 +174,86 @@ static void ssl_build_server_config(
   config->num_key_cert_pairs = num_key_cert_pairs;
 }
 
+grpc_ssl_server_certificate_config *grpc_ssl_server_certificate_config_create(
+    const char *pem_root_certs,
+    const grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
+    size_t num_key_cert_pairs) {
+  grpc_ssl_server_certificate_config *config =
+      (grpc_ssl_server_certificate_config *)gpr_zalloc(
+          sizeof(grpc_ssl_server_certificate_config));
+  if (pem_root_certs != NULL) {
+    config->pem_root_certs = gpr_strdup(pem_root_certs);
+  }
+  if (num_key_cert_pairs > 0) {
+    GPR_ASSERT(pem_key_cert_pairs != NULL);
+    config->pem_key_cert_pairs = (grpc_ssl_pem_key_cert_pair *)gpr_zalloc(
+        num_key_cert_pairs * sizeof(grpc_ssl_pem_key_cert_pair));
+  }
+  config->num_key_cert_pairs = num_key_cert_pairs;
+  for (size_t i = 0; i < num_key_cert_pairs; i++) {
+    GPR_ASSERT(pem_key_cert_pairs[i].private_key != NULL);
+    GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != NULL);
+    config->pem_key_cert_pairs[i].cert_chain =
+        gpr_strdup(pem_key_cert_pairs[i].cert_chain);
+    config->pem_key_cert_pairs[i].private_key =
+        gpr_strdup(pem_key_cert_pairs[i].private_key);
+  }
+  return config;
+}
+
+void grpc_ssl_server_certificate_config_destroy(
+    grpc_ssl_server_certificate_config *config) {
+  if (config == NULL) return;
+  for (size_t i = 0; i < config->num_key_cert_pairs; i++) {
+    gpr_free((void *)config->pem_key_cert_pairs[i].private_key);
+    gpr_free((void *)config->pem_key_cert_pairs[i].cert_chain);
+  }
+  gpr_free(config->pem_key_cert_pairs);
+  gpr_free(config->pem_root_certs);
+  gpr_free(config);
+}
+
+grpc_ssl_server_credentials_options *
+grpc_ssl_server_credentials_create_options_using_config(
+    grpc_ssl_client_certificate_request_type client_certificate_request,
+    grpc_ssl_server_certificate_config *config) {
+  grpc_ssl_server_credentials_options *options = NULL;
+  if (config == NULL) {
+    gpr_log(GPR_ERROR, "Certificate config must not be NULL.");
+    goto done;
+  }
+  options = (grpc_ssl_server_credentials_options *)gpr_zalloc(
+      sizeof(grpc_ssl_server_credentials_options));
+  options->client_certificate_request = client_certificate_request;
+  options->certificate_config = config;
+done:
+  return options;
+}
+
+grpc_ssl_server_credentials_options *
+grpc_ssl_server_credentials_create_options_using_config_fetcher(
+    grpc_ssl_client_certificate_request_type client_certificate_request,
+    grpc_ssl_server_certificate_config_callback cb, void *user_data) {
+  if (cb == NULL) {
+    gpr_log(GPR_ERROR, "Invalid certificate config callback parameter.");
+    return NULL;
+  }
+
+  grpc_ssl_server_certificate_config_fetcher *fetcher =
+      (grpc_ssl_server_certificate_config_fetcher *)gpr_zalloc(
+          sizeof(grpc_ssl_server_certificate_config_fetcher));
+  fetcher->cb = cb;
+  fetcher->user_data = user_data;
+
+  grpc_ssl_server_credentials_options *options =
+      (grpc_ssl_server_credentials_options *)gpr_zalloc(
+          sizeof(grpc_ssl_server_credentials_options));
+  options->client_certificate_request = client_certificate_request;
+  options->certificate_config_fetcher = fetcher;
+
+  return options;
+}
+
 grpc_server_credentials *grpc_ssl_server_credentials_create(
     const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs,
     size_t num_key_cert_pairs, int force_client_auth, void *reserved) {
@@ -186,8 +270,6 @@ grpc_server_credentials *grpc_ssl_server_credentials_create_ex(
     size_t num_key_cert_pairs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     void *reserved) {
-  grpc_ssl_server_credentials *c = (grpc_ssl_server_credentials *)gpr_zalloc(
-      sizeof(grpc_ssl_server_credentials));
   GRPC_API_TRACE(
       "grpc_ssl_server_credentials_create_ex("
       "pem_root_certs=%s, pem_key_cert_pairs=%p, num_key_cert_pairs=%lu, "
@@ -195,11 +277,67 @@ grpc_server_credentials *grpc_ssl_server_credentials_create_ex(
       5, (pem_root_certs, pem_key_cert_pairs, (unsigned long)num_key_cert_pairs,
           client_certificate_request, reserved));
   GPR_ASSERT(reserved == NULL);
+
+  grpc_ssl_server_certificate_config *cert_config =
+      grpc_ssl_server_certificate_config_create(
+          pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs);
+  grpc_ssl_server_credentials_options *options =
+      grpc_ssl_server_credentials_create_options_using_config(
+          client_certificate_request, cert_config);
+
+  return grpc_ssl_server_credentials_create_with_options(options);
+}
+
+grpc_server_credentials *grpc_ssl_server_credentials_create_with_options(
+    grpc_ssl_server_credentials_options *options) {
+  grpc_server_credentials *retval = NULL;
+  grpc_ssl_server_credentials *c = NULL;
+
+  if (options == NULL) {
+    gpr_log(GPR_ERROR,
+            "Invalid options trying to create SSL server credentials.");
+    goto done;
+  }
+
+  if (options->certificate_config == NULL &&
+      options->certificate_config_fetcher == NULL) {
+    gpr_log(GPR_ERROR,
+            "SSL server credentials options must specify either "
+            "certificate config or fetcher.");
+    goto done;
+  } else if (options->certificate_config_fetcher != NULL &&
+             options->certificate_config_fetcher->cb == NULL) {
+    gpr_log(GPR_ERROR, "Certificate config fetcher callback must not be NULL.");
+    goto done;
+  }
+
+  c = (grpc_ssl_server_credentials *)gpr_zalloc(
+      sizeof(grpc_ssl_server_credentials));
   c->base.type = GRPC_CHANNEL_CREDENTIALS_TYPE_SSL;
   gpr_ref_init(&c->base.refcount, 1);
   c->base.vtable = &ssl_server_vtable;
-  ssl_build_server_config(pem_root_certs, pem_key_cert_pairs,
-                          num_key_cert_pairs, client_certificate_request,
-                          &c->config);
-  return &c->base;
+
+  if (options->certificate_config_fetcher != NULL) {
+    c->config.client_certificate_request = options->client_certificate_request;
+    c->certificate_config_fetcher = *options->certificate_config_fetcher;
+  } else {
+    ssl_build_server_config(options->certificate_config->pem_root_certs,
+                            options->certificate_config->pem_key_cert_pairs,
+                            options->certificate_config->num_key_cert_pairs,
+                            options->client_certificate_request, &c->config);
+  }
+
+  retval = &c->base;
+
+done:
+  grpc_ssl_server_credentials_options_destroy(options);
+  return retval;
+}
+
+void grpc_ssl_server_credentials_options_destroy(
+    grpc_ssl_server_credentials_options *o) {
+  if (o == NULL) return;
+  gpr_free(o->certificate_config_fetcher);
+  grpc_ssl_server_certificate_config_destroy(o->certificate_config);
+  gpr_free(o);
 }
diff --git a/src/core/lib/security/credentials/ssl/ssl_credentials.h b/src/core/lib/security/credentials/ssl/ssl_credentials.h
index 42e425d9f1..5542484aae 100644
--- a/src/core/lib/security/credentials/ssl/ssl_credentials.h
+++ b/src/core/lib/security/credentials/ssl/ssl_credentials.h
@@ -29,9 +29,21 @@ typedef struct {
   grpc_ssl_config config;
 } grpc_ssl_credentials;
 
+struct grpc_ssl_server_certificate_config {
+  grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs;
+  size_t num_key_cert_pairs;
+  char *pem_root_certs;
+};
+
+typedef struct {
+  grpc_ssl_server_certificate_config_callback cb;
+  void *user_data;
+} grpc_ssl_server_certificate_config_fetcher;
+
 typedef struct {
   grpc_server_credentials base;
   grpc_ssl_server_config config;
+  grpc_ssl_server_certificate_config_fetcher certificate_config_fetcher;
 } grpc_ssl_server_credentials;
 
 tsi_ssl_pem_key_cert_pair *grpc_convert_grpc_to_tsi_cert_pairs(
author	Justin Burke <burkej@google.com>	2017-09-19 15:06:01 -0700
committer	Justin Burke <burkej@google.com>	2017-10-27 13:41:44 -0700
commit	c1d354d7f2621f467e2f37f36498c20e132c3a72 (patch)
tree	7cd280aef1a9a3e35f381782163e220dc7fee6f8 /src/core/lib/security/credentials/ssl
parent	bf3f4be8f3b841ff2bd2fc0b8b11597580776568 (diff)