author | Jan Tattermusch <jtattermusch@users.noreply.github.com> | 2018-10-05 22:06:19 +0200 |
committer | GitHub <noreply@github.com> | 2018-10-05 22:06:19 +0200 |
commit | 10dc690092082b89520365a94a8e500b2b4d9064 (patch) | |
tree | 5897896663affd1b09fccfd582eab21d57781665 /src/csharp/Grpc.Core | |
parent | 818908ae9c9c1b124a6d14bca13513b2e2c1b542 (diff) | |
parent | 460faf4bc2229600dc4d65ca6642277937d62efe (diff) |
Merge pull request #16552 from jtattermusch/csharp_expose_client_certificate_request
Expose certificate request type in SslServerCredentials
Diffstat (limited to 'src/csharp/Grpc.Core')
-rw-r--r-- | src/csharp/Grpc.Core/Internal/NativeMethods.Generated.cs | 6 | ||||
-rw-r--r-- | src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs | 4 | ||||
-rw-r--r-- | src/csharp/Grpc.Core/ServerCredentials.cs | 98 |
3 files changed, 92 insertions, 16 deletions
diff --git a/src/csharp/Grpc.Core/Internal/NativeMethods.Generated.cs b/src/csharp/Grpc.Core/Internal/NativeMethods.Generated.cs
index 153a52f947..a45cbe4107 100644
--- a/src/csharp/Grpc.Core/Internal/NativeMethods.Generated.cs
+++ b/src/csharp/Grpc.Core/Internal/NativeMethods.Generated.cs
@@ -505,7 +505,7 @@ namespace Grpc.Core.Internal
 public delegate void grpcsharp_redirect_log_delegate(GprLogDelegate callback);
 public delegate CallCredentialsSafeHandle grpcsharp_metadata_credentials_create_from_plugin_delegate(NativeMetadataInterceptor interceptor);
 public delegate void grpcsharp_metadata_credentials_notify_from_plugin_delegate(IntPtr callbackPtr, IntPtr userData, MetadataArraySafeHandle metadataArray, StatusCode statusCode, string errorDetails);
- public delegate ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create_delegate(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, int forceClientAuth);
+ public delegate ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create_delegate(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, SslClientCertificateRequestType clientCertificateRequest);
 public delegate void grpcsharp_server_credentials_release_delegate(IntPtr credentials);
 public delegate ServerSafeHandle grpcsharp_server_create_delegate(ChannelArgsSafeHandle args);
 public delegate void grpcsharp_server_register_completion_queue_delegate(ServerSafeHandle server, CompletionQueueSafeHandle cq);
@@ -752,7 +752,7 @@ namespace Grpc.Core.Internal
 public static extern void grpcsharp_metadata_credentials_notify_from_plugin(IntPtr callbackPtr, IntPtr userData, MetadataArraySafeHandle metadataArray, StatusCode statusCode, string errorDetails);
 [DllImport(ImportName)]
- public static extern ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, int forceClientAuth);
+ public static extern ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, SslClientCertificateRequestType clientCertificateRequest);
 [DllImport(ImportName)]
 public static extern void grpcsharp_server_credentials_release(IntPtr credentials);
@@ -1045,7 +1045,7 @@ namespace Grpc.Core.Internal
 public static extern void grpcsharp_metadata_credentials_notify_from_plugin(IntPtr callbackPtr, IntPtr userData, MetadataArraySafeHandle metadataArray, StatusCode statusCode, string errorDetails);
 [DllImport(ImportName)]
- public static extern ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, int forceClientAuth);
+ public static extern ServerCredentialsSafeHandle grpcsharp_ssl_server_credentials_create(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, UIntPtr numKeyCertPairs, SslClientCertificateRequestType clientCertificateRequest);
 [DllImport(ImportName)]
 public static extern void grpcsharp_server_credentials_release(IntPtr credentials);
diff --git a/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs b/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
index 545e581f94..5f8c95c4ea 100644
--- a/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
+++ b/src/csharp/Grpc.Core/Internal/ServerCredentialsSafeHandle.cs
@@ -32,13 +32,13 @@ namespace Grpc.Core.Internal
 {
 }
- public static ServerCredentialsSafeHandle CreateSslCredentials(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, bool forceClientAuth)
+ public static ServerCredentialsSafeHandle CreateSslCredentials(string pemRootCerts, string[] keyCertPairCertChainArray, string[] keyCertPairPrivateKeyArray, SslClientCertificateRequestType clientCertificateRequest)
 {
 GrpcPreconditions.CheckArgument(keyCertPairCertChainArray.Length == keyCertPairPrivateKeyArray.Length);
 return Native.grpcsharp_ssl_server_credentials_create(pemRootCerts, keyCertPairCertChainArray, keyCertPairPrivateKeyArray, new UIntPtr((ulong)keyCertPairCertChainArray.Length),
- forceClientAuth ? 1 : 0);
+ clientCertificateRequest);
 }
 protected override bool ReleaseHandle()
diff --git a/src/csharp/Grpc.Core/ServerCredentials.cs b/src/csharp/Grpc.Core/ServerCredentials.cs
index 703f9ff6b3..8e4e44ba50 100644
--- a/src/csharp/Grpc.Core/ServerCredentials.cs
+++ b/src/csharp/Grpc.Core/ServerCredentials.cs
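Review bot: `clientCertificateRequest` is forwarded to `grpcsharp_ssl_server_credentials_create` without any check that it is a defined member of `SslClientCertificateRequestType`, so a value cast from an arbitrary integer reaches native code unchanged, whereas the old `bool` could only ever produce 0 or 1. Next to the existing length precondition, `GrpcPreconditions.CheckArgument(Enum.IsDefined(typeof(SslClientCertificateRequestType), clientCertificateRequest));` would keep that contract at the managed boundary. The P/Invoke marshaller passes the enum as its underlying integer; whether the native side rejects out-of-range values cannot be seen from this diff.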
@@ -58,41 +58,106 @@ namespace Grpc.Core
 }
 /// <summary>
+ /// Modes of requesting client's SSL certificate by the server.
+ /// Corresponds to <c>grpc_ssl_client_certificate_request_type</c>.
+ /// </summary>
+ public enum SslClientCertificateRequestType {
+ /// <summary>
+ /// Server does not request client certificate.
+ /// The certificate presented by the client is not checked by the server at
+ /// all. (A client may present a self signed or signed certificate or not
+ /// present a certificate at all and any of those option would be accepted)
+ /// </summary>
+ DontRequest = 0,
+ /// <summary>
+ /// Server requests client certificate but does not enforce that the client
+ /// presents a certificate.
+ /// If the client presents a certificate, the client authentication is left to
+ /// the application (the necessary metadata will be available to the
+ /// application via authentication context properties, see grpc_auth_context).
+ /// The client's key certificate pair must be valid for the SSL connection to
+ /// be established.
+ ///</summary>
+ RequestButDontVerify,
+ /// <summary>
+ /// Server requests client certificate but does not enforce that the client
+ /// presents a certificate.
+ /// If the client presents a certificate, the client authentication is done by
+ /// the gRPC framework. (For a successful connection the client needs to either
+ /// present a certificate that can be verified against the root certificate
+ /// configured by the server or not present a certificate at all)
+ /// The client's key certificate pair must be valid for the SSL connection to
+ /// be established.
+ /// </summary>
+ RequestAndVerify,
+ /// <summary>
+ /// Server requests client certificate and enforces that the client presents a
+ /// certificate.
+ /// If the client presents a certificate, the client authentication is left to
+ /// the application (the necessary metadata will be available to the
+ /// application via authentication context properties, see grpc_auth_context).
+ /// The client's key certificate pair must be valid for the SSL connection to
+ /// be established.
+ ///</summary>
+ RequestAndRequireButDontVerify,
+ /// <summary>
+ /// Server requests client certificate and enforces that the client presents a
+ /// certificate.
+ /// The cerificate presented by the client is verified by the gRPC framework.
+ /// (For a successful connection the client needs to present a certificate that
+ /// can be verified against the root certificate configured by the server)
+ /// The client's key certificate pair must be valid for the SSL connection to
+ /// be established.
+ /// </summary>
+ RequestAndRequireAndVerify,
+ }
+ /// <summary>
 /// Server-side SSL credentials.
 /// </summary>
 public class SslServerCredentials : ServerCredentials
 {
 readonly IList<KeyCertificatePair> keyCertificatePairs;
 readonly string rootCertificates;
- readonly bool forceClientAuth;
+ readonly SslClientCertificateRequestType clientCertificateRequest;
 /// <summary>
 /// Creates server-side SSL credentials.
 /// </summary>
 /// <param name="keyCertificatePairs">Key-certificates to use.</param>
 /// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param>
- /// <param name="forceClientAuth">If true, client will be rejected unless it proves its unthenticity using against rootCertificates.</param>
+ /// <param name="forceClientAuth">Deprecated, use clientCertificateRequest overload instead.</param>
 public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates, bool forceClientAuth)
+ : this(keyCertificatePairs, rootCertificates, forceClientAuth ? SslClientCertificateRequestType.RequestAndRequireAndVerify : SslClientCertificateRequestType.DontRequest)
+ {
+ }
+
+ /// <summary>
+ /// Creates server-side SSL credentials.
+ /// </summary>
+ /// <param name="keyCertificatePairs">Key-certificates to use.</param>
+ /// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param>
+ /// <param name="clientCertificateRequest">Options for requesting and verifying client certificate.</param>
+ public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates, SslClientCertificateRequestType clientCertificateRequest)
 {
 this.keyCertificatePairs = new List<KeyCertificatePair>(keyCertificatePairs).AsReadOnly();
 GrpcPreconditions.CheckArgument(this.keyCertificatePairs.Count > 0, "At least one KeyCertificatePair needs to be provided.");
- if (forceClientAuth)
+ if (clientCertificateRequest == SslClientCertificateRequestType.RequestAndRequireAndVerify)
 {
 GrpcPreconditions.CheckNotNull(rootCertificates,
- "Cannot force client authentication unless you provide rootCertificates.");
+ "Cannot require and verify client certificate unless you provide rootCertificates.");
 }
 this.rootCertificates = rootCertificates;
- this.forceClientAuth = forceClientAuth;
+ this.clientCertificateRequest = clientCertificateRequest;
 }
 /// <summary>
 /// Creates server-side SSL credentials.
- /// This constructor should be use if you do not wish to autheticate client
- /// using client root certificates.
+ /// This constructor should be used if you do not wish to authenticate the client.
+ /// (client certificate won't be requested and checked by the server at all).
 /// </summary>
 /// <param name="keyCertificatePairs">Key-certificates to use.</param>
- public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null, false)
+ public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null, SslClientCertificateRequestType.DontRequest)
 {
 }
@@ -119,13 +184,24 @@ namespace Grpc.Core
 }
 /// <summary>
- /// If true, the authenticity of client check will be enforced.
+ /// Deprecated. If true, the authenticity of client check will be enforced.
 /// </summary>
 public bool ForceClientAuthentication
 {
 get
 {
- return this.forceClientAuth;
+ return this.clientCertificateRequest == SslClientCertificateRequestType.RequestAndRequireAndVerify;
+ }
+ }
+
+ /// <summary>
+ /// Mode of requesting certificate from client by the server.
+ /// </summary>
+ public SslClientCertificateRequestType ClientCertificateRequest
+ {
+ get
+ {
+ return this.clientCertificateRequest;
 }
 }
@@ -139,7 +215,7 @@ namespace Grpc.Core
 certChains[i] = keyCertificatePairs[i].CertificateChain;
 keys[i] = keyCertificatePairs[i].PrivateKey;
 }
- return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys, forceClientAuth);
+ return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys, clientCertificateRequest);
 }
 }
 }
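Review bot: Only `DontRequest = 0` carries an explicit value in `SslClientCertificateRequestType`, yet the enum is handed straight through to `grpcsharp_ssl_server_credentials_create`, so the other four members silently depend on declaration order matching `grpc_ssl_client_certificate_request_type`; pin each one (`RequestButDontVerify = 1` through `RequestAndRequireAndVerify = 4`) and add `// Values must match grpc_ssl_client_certificate_request_type on the native side; do not reorder.` above the enum. The `bool forceClientAuth` constructor in this hunk and `ForceClientAuthentication` in the second hunk are called deprecated only in prose, so callers get no compiler warning; `[Obsolete("Use the SslClientCertificateRequestType overload instead.")]` and `[Obsolete("Use ClientCertificateRequest instead.")]` would make the deprecation enforceable. The `rootCertificates` null precondition fires only for `RequestAndRequireAndVerify`, while the summary written for `RequestAndVerify` also says presented certificates are verified against the server's root certificate; either extend the condition to `RequestAndVerify` as well or state in its doc what a null root set means in that mode, since the native behaviour without roots is not visible in this diff. The last member's summary also has a typo, `cerificate`.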