aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--BUILD14
-rw-r--r--CMakeLists.txt14
-rw-r--r--Makefile21
-rw-r--r--build.yaml14
-rw-r--r--config.m411
-rw-r--r--config.w3211
-rw-r--r--gRPC-C++.podspec7
-rw-r--r--gRPC-Core.podspec21
-rw-r--r--grpc.gemspec14
-rw-r--r--grpc.gyp7
-rw-r--r--package.xml14
-rw-r--r--src/core/lib/http/httpcli_security_connector.cc1
-rw-r--r--src/core/lib/security/credentials/alts/alts_credentials.cc2
-rw-r--r--src/core/lib/security/credentials/fake/fake_credentials.cc1
-rw-r--r--src/core/lib/security/credentials/local/local_credentials.cc2
-rw-r--r--src/core/lib/security/credentials/ssl/ssl_credentials.h2
-rw-r--r--src/core/lib/security/security_connector/alts/alts_security_connector.cc (renamed from src/core/lib/security/security_connector/alts_security_connector.cc)3
-rw-r--r--src/core/lib/security/security_connector/alts/alts_security_connector.h (renamed from src/core/lib/security/security_connector/alts_security_connector.h)6
-rw-r--r--src/core/lib/security/security_connector/fake/fake_security_connector.cc310
-rw-r--r--src/core/lib/security/security_connector/fake/fake_security_connector.h42
-rw-r--r--src/core/lib/security/security_connector/local/local_security_connector.cc (renamed from src/core/lib/security/security_connector/local_security_connector.cc)2
-rw-r--r--src/core/lib/security/security_connector/local/local_security_connector.h (renamed from src/core/lib/security/security_connector/local_security_connector.h)6
-rw-r--r--src/core/lib/security/security_connector/security_connector.cc1040
-rw-r--r--src/core/lib/security/security_connector/security_connector.h113
-rw-r--r--src/core/lib/security/security_connector/ssl/ssl_security_connector.cc474
-rw-r--r--src/core/lib/security/security_connector/ssl/ssl_security_connector.h77
-rw-r--r--src/core/lib/security/security_connector/ssl_utils.cc345
-rw-r--r--src/core/lib/security/security_connector/ssl_utils.h93
-rw-r--r--src/core/lib/security/transport/client_auth_filter.cc1
-rw-r--r--src/core/tsi/transport_security.cc17
-rw-r--r--src/core/tsi/transport_security.h3
-rw-r--r--src/python/grpcio/grpc_core_dependencies.py7
-rw-r--r--test/core/security/alts_security_connector_test.cc2
-rw-r--r--test/core/security/security_connector_test.cc1
-rw-r--r--test/core/tsi/fake_transport_security_test.cc1
-rw-r--r--tools/doxygen/Doxyfile.core.internal14
-rw-r--r--tools/run_tests/generated/sources_and_headers.json21
37 files changed, 1517 insertions, 1217 deletions
diff --git a/BUILD b/BUILD
index 0e0eb9f7a9..e39d03b293 100644
--- a/BUILD
+++ b/BUILD
@@ -1566,11 +1566,14 @@ grpc_cc_library(
"src/core/lib/security/credentials/oauth2/oauth2_credentials.cc",
"src/core/lib/security/credentials/plugin/plugin_credentials.cc",
"src/core/lib/security/credentials/ssl/ssl_credentials.cc",
- "src/core/lib/security/security_connector/alts_security_connector.cc",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
+ "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
"src/core/lib/security/security_connector/load_system_roots_fallback.cc",
"src/core/lib/security/security_connector/load_system_roots_linux.cc",
- "src/core/lib/security/security_connector/local_security_connector.cc",
+ "src/core/lib/security/security_connector/local/local_security_connector.cc",
"src/core/lib/security/security_connector/security_connector.cc",
+ "src/core/lib/security/security_connector/ssl_utils.cc",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.cc",
"src/core/lib/security/transport/client_auth_filter.cc",
"src/core/lib/security/transport/secure_endpoint.cc",
"src/core/lib/security/transport/security_handshaker.cc",
@@ -1597,11 +1600,14 @@ grpc_cc_library(
"src/core/lib/security/credentials/oauth2/oauth2_credentials.h",
"src/core/lib/security/credentials/plugin/plugin_credentials.h",
"src/core/lib/security/credentials/ssl/ssl_credentials.h",
- "src/core/lib/security/security_connector/alts_security_connector.h",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.h",
+ "src/core/lib/security/security_connector/fake/fake_security_connector.h",
"src/core/lib/security/security_connector/load_system_roots.h",
"src/core/lib/security/security_connector/load_system_roots_linux.h",
- "src/core/lib/security/security_connector/local_security_connector.h",
+ "src/core/lib/security/security_connector/local/local_security_connector.h",
"src/core/lib/security/security_connector/security_connector.h",
+ "src/core/lib/security/security_connector/ssl_utils.h",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.h",
"src/core/lib/security/transport/auth_filters.h",
"src/core/lib/security/transport/secure_endpoint.h",
"src/core/lib/security/transport/security_handshaker.h",
diff --git a/CMakeLists.txt b/CMakeLists.txt
index fef14888e4..3edc59d1dd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1169,11 +1169,14 @@ add_library(grpc
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
src/core/lib/security/credentials/plugin/plugin_credentials.cc
src/core/lib/security/credentials/ssl/ssl_credentials.cc
- src/core/lib/security/security_connector/alts_security_connector.cc
+ src/core/lib/security/security_connector/alts/alts_security_connector.cc
+ src/core/lib/security/security_connector/fake/fake_security_connector.cc
src/core/lib/security/security_connector/load_system_roots_fallback.cc
src/core/lib/security/security_connector/load_system_roots_linux.cc
- src/core/lib/security/security_connector/local_security_connector.cc
+ src/core/lib/security/security_connector/local/local_security_connector.cc
src/core/lib/security/security_connector/security_connector.cc
+ src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
+ src/core/lib/security/security_connector/ssl_utils.cc
src/core/lib/security/transport/client_auth_filter.cc
src/core/lib/security/transport/secure_endpoint.cc
src/core/lib/security/transport/security_handshaker.cc
@@ -1611,11 +1614,14 @@ add_library(grpc_cronet
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
src/core/lib/security/credentials/plugin/plugin_credentials.cc
src/core/lib/security/credentials/ssl/ssl_credentials.cc
- src/core/lib/security/security_connector/alts_security_connector.cc
+ src/core/lib/security/security_connector/alts/alts_security_connector.cc
+ src/core/lib/security/security_connector/fake/fake_security_connector.cc
src/core/lib/security/security_connector/load_system_roots_fallback.cc
src/core/lib/security/security_connector/load_system_roots_linux.cc
- src/core/lib/security/security_connector/local_security_connector.cc
+ src/core/lib/security/security_connector/local/local_security_connector.cc
src/core/lib/security/security_connector/security_connector.cc
+ src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
+ src/core/lib/security/security_connector/ssl_utils.cc
src/core/lib/security/transport/client_auth_filter.cc
src/core/lib/security/transport/secure_endpoint.cc
src/core/lib/security/transport/security_handshaker.cc
diff --git a/Makefile b/Makefile
index f46e4003b2..42166082b0 100644
--- a/Makefile
+++ b/Makefile
@@ -3636,11 +3636,14 @@ LIBGRPC_SRC = \
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
src/core/lib/security/credentials/plugin/plugin_credentials.cc \
src/core/lib/security/credentials/ssl/ssl_credentials.cc \
- src/core/lib/security/security_connector/alts_security_connector.cc \
+ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
+ src/core/lib/security/security_connector/fake/fake_security_connector.cc \
src/core/lib/security/security_connector/load_system_roots_fallback.cc \
src/core/lib/security/security_connector/load_system_roots_linux.cc \
- src/core/lib/security/security_connector/local_security_connector.cc \
+ src/core/lib/security/security_connector/local/local_security_connector.cc \
src/core/lib/security/security_connector/security_connector.cc \
+ src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
+ src/core/lib/security/security_connector/ssl_utils.cc \
src/core/lib/security/transport/client_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
@@ -4072,11 +4075,14 @@ LIBGRPC_CRONET_SRC = \
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
src/core/lib/security/credentials/plugin/plugin_credentials.cc \
src/core/lib/security/credentials/ssl/ssl_credentials.cc \
- src/core/lib/security/security_connector/alts_security_connector.cc \
+ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
+ src/core/lib/security/security_connector/fake/fake_security_connector.cc \
src/core/lib/security/security_connector/load_system_roots_fallback.cc \
src/core/lib/security/security_connector/load_system_roots_linux.cc \
- src/core/lib/security/security_connector/local_security_connector.cc \
+ src/core/lib/security/security_connector/local/local_security_connector.cc \
src/core/lib/security/security_connector/security_connector.cc \
+ src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
+ src/core/lib/security/security_connector/ssl_utils.cc \
src/core/lib/security/transport/client_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
@@ -24820,11 +24826,14 @@ src/core/lib/security/credentials/local/local_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/plugin/plugin_credentials.cc: $(OPENSSL_DEP)
src/core/lib/security/credentials/ssl/ssl_credentials.cc: $(OPENSSL_DEP)
-src/core/lib/security/security_connector/alts_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/load_system_roots_linux.cc: $(OPENSSL_DEP)
-src/core/lib/security/security_connector/local_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/local/local_security_connector.cc: $(OPENSSL_DEP)
src/core/lib/security/security_connector/security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/ssl/ssl_security_connector.cc: $(OPENSSL_DEP)
+src/core/lib/security/security_connector/ssl_utils.cc: $(OPENSSL_DEP)
src/core/lib/security/transport/client_auth_filter.cc: $(OPENSSL_DEP)
src/core/lib/security/transport/secure_endpoint.cc: $(OPENSSL_DEP)
src/core/lib/security/transport/security_handshaker.cc: $(OPENSSL_DEP)
diff --git a/build.yaml b/build.yaml
index 9386048e21..42addc4014 100644
--- a/build.yaml
+++ b/build.yaml
@@ -824,11 +824,14 @@ filegroups:
- src/core/lib/security/credentials/oauth2/oauth2_credentials.h
- src/core/lib/security/credentials/plugin/plugin_credentials.h
- src/core/lib/security/credentials/ssl/ssl_credentials.h
- - src/core/lib/security/security_connector/alts_security_connector.h
+ - src/core/lib/security/security_connector/alts/alts_security_connector.h
+ - src/core/lib/security/security_connector/fake/fake_security_connector.h
- src/core/lib/security/security_connector/load_system_roots.h
- src/core/lib/security/security_connector/load_system_roots_linux.h
- - src/core/lib/security/security_connector/local_security_connector.h
+ - src/core/lib/security/security_connector/local/local_security_connector.h
- src/core/lib/security/security_connector/security_connector.h
+ - src/core/lib/security/security_connector/ssl/ssl_security_connector.h
+ - src/core/lib/security/security_connector/ssl_utils.h
- src/core/lib/security/transport/auth_filters.h
- src/core/lib/security/transport/secure_endpoint.h
- src/core/lib/security/transport/security_handshaker.h
@@ -853,11 +856,14 @@ filegroups:
- src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
- src/core/lib/security/credentials/plugin/plugin_credentials.cc
- src/core/lib/security/credentials/ssl/ssl_credentials.cc
- - src/core/lib/security/security_connector/alts_security_connector.cc
+ - src/core/lib/security/security_connector/alts/alts_security_connector.cc
+ - src/core/lib/security/security_connector/fake/fake_security_connector.cc
- src/core/lib/security/security_connector/load_system_roots_fallback.cc
- src/core/lib/security/security_connector/load_system_roots_linux.cc
- - src/core/lib/security/security_connector/local_security_connector.cc
+ - src/core/lib/security/security_connector/local/local_security_connector.cc
- src/core/lib/security/security_connector/security_connector.cc
+ - src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
+ - src/core/lib/security/security_connector/ssl_utils.cc
- src/core/lib/security/transport/client_auth_filter.cc
- src/core/lib/security/transport/secure_endpoint.cc
- src/core/lib/security/transport/security_handshaker.cc
diff --git a/config.m4 b/config.m4
index 9b758b3f14..c271c93ed3 100644
--- a/config.m4
+++ b/config.m4
@@ -280,11 +280,14 @@ if test "$PHP_GRPC" != "no"; then
src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
src/core/lib/security/credentials/plugin/plugin_credentials.cc \
src/core/lib/security/credentials/ssl/ssl_credentials.cc \
- src/core/lib/security/security_connector/alts_security_connector.cc \
+ src/core/lib/security/security_connector/alts/alts_security_connector.cc \
+ src/core/lib/security/security_connector/fake/fake_security_connector.cc \
src/core/lib/security/security_connector/load_system_roots_fallback.cc \
src/core/lib/security/security_connector/load_system_roots_linux.cc \
- src/core/lib/security/security_connector/local_security_connector.cc \
+ src/core/lib/security/security_connector/local/local_security_connector.cc \
src/core/lib/security/security_connector/security_connector.cc \
+ src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
+ src/core/lib/security/security_connector/ssl_utils.cc \
src/core/lib/security/transport/client_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
src/core/lib/security/transport/security_handshaker.cc \
@@ -718,6 +721,10 @@ if test "$PHP_GRPC" != "no"; then
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/plugin)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/ssl)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector)
+ PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts)
+ PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake)
+ PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/local)
+ PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/ssl)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/transport)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/util)
PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/slice)
diff --git a/config.w32 b/config.w32
index a1bada1c61..10e28cff7c 100644
--- a/config.w32
+++ b/config.w32
@@ -255,11 +255,14 @@ if (PHP_GRPC != "no") {
"src\\core\\lib\\security\\credentials\\oauth2\\oauth2_credentials.cc " +
"src\\core\\lib\\security\\credentials\\plugin\\plugin_credentials.cc " +
"src\\core\\lib\\security\\credentials\\ssl\\ssl_credentials.cc " +
- "src\\core\\lib\\security\\security_connector\\alts_security_connector.cc " +
+ "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " +
+ "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " +
"src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " +
"src\\core\\lib\\security\\security_connector\\load_system_roots_linux.cc " +
- "src\\core\\lib\\security\\security_connector\\local_security_connector.cc " +
+ "src\\core\\lib\\security\\security_connector\\local\\local_security_connector.cc " +
"src\\core\\lib\\security\\security_connector\\security_connector.cc " +
+ "src\\core\\lib\\security\\security_connector\\ssl\\ssl_security_connector.cc " +
+ "src\\core\\lib\\security\\security_connector\\ssl_utils.cc " +
"src\\core\\lib\\security\\transport\\client_auth_filter.cc " +
"src\\core\\lib\\security\\transport\\secure_endpoint.cc " +
"src\\core\\lib\\security\\transport\\security_handshaker.cc " +
@@ -734,6 +737,10 @@ if (PHP_GRPC != "no") {
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\plugin");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\ssl");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\local");
+ FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\ssl");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\transport");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\util");
FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\slice");
diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec
index 1ab17006e3..d65009cbe3 100644
--- a/gRPC-C++.podspec
+++ b/gRPC-C++.podspec
@@ -284,11 +284,14 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
'src/core/lib/security/credentials/plugin/plugin_credentials.h',
'src/core/lib/security/credentials/ssl/ssl_credentials.h',
- 'src/core/lib/security/security_connector/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.h',
'src/core/lib/security/security_connector/load_system_roots.h',
'src/core/lib/security/security_connector/load_system_roots_linux.h',
- 'src/core/lib/security/security_connector/local_security_connector.h',
+ 'src/core/lib/security/security_connector/local/local_security_connector.h',
'src/core/lib/security/security_connector/security_connector.h',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.h',
+ 'src/core/lib/security/security_connector/ssl_utils.h',
'src/core/lib/security/transport/auth_filters.h',
'src/core/lib/security/transport/secure_endpoint.h',
'src/core/lib/security/transport/security_handshaker.h',
diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec
index 8d63f67c34..c3e0c4d8cb 100644
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@@ -291,11 +291,14 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
'src/core/lib/security/credentials/plugin/plugin_credentials.h',
'src/core/lib/security/credentials/ssl/ssl_credentials.h',
- 'src/core/lib/security/security_connector/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.h',
'src/core/lib/security/security_connector/load_system_roots.h',
'src/core/lib/security/security_connector/load_system_roots_linux.h',
- 'src/core/lib/security/security_connector/local_security_connector.h',
+ 'src/core/lib/security/security_connector/local/local_security_connector.h',
'src/core/lib/security/security_connector/security_connector.h',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.h',
+ 'src/core/lib/security/security_connector/ssl_utils.h',
'src/core/lib/security/transport/auth_filters.h',
'src/core/lib/security/transport/secure_endpoint.h',
'src/core/lib/security/transport/security_handshaker.h',
@@ -715,11 +718,14 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
- 'src/core/lib/security/security_connector/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
'src/core/lib/security/security_connector/load_system_roots_linux.cc',
- 'src/core/lib/security/security_connector/local_security_connector.cc',
+ 'src/core/lib/security/security_connector/local/local_security_connector.cc',
'src/core/lib/security/security_connector/security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl_utils.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
@@ -900,11 +906,14 @@ Pod::Spec.new do |s|
'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
'src/core/lib/security/credentials/plugin/plugin_credentials.h',
'src/core/lib/security/credentials/ssl/ssl_credentials.h',
- 'src/core/lib/security/security_connector/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.h',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.h',
'src/core/lib/security/security_connector/load_system_roots.h',
'src/core/lib/security/security_connector/load_system_roots_linux.h',
- 'src/core/lib/security/security_connector/local_security_connector.h',
+ 'src/core/lib/security/security_connector/local/local_security_connector.h',
'src/core/lib/security/security_connector/security_connector.h',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.h',
+ 'src/core/lib/security/security_connector/ssl_utils.h',
'src/core/lib/security/transport/auth_filters.h',
'src/core/lib/security/transport/secure_endpoint.h',
'src/core/lib/security/transport/security_handshaker.h',
diff --git a/grpc.gemspec b/grpc.gemspec
index 533bb90b75..8128044652 100644
--- a/grpc.gemspec
+++ b/grpc.gemspec
@@ -223,11 +223,14 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.h )
s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.h )
s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.h )
- s.files += %w( src/core/lib/security/security_connector/alts_security_connector.h )
+ s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h )
+ s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h )
s.files += %w( src/core/lib/security/security_connector/load_system_roots.h )
s.files += %w( src/core/lib/security/security_connector/load_system_roots_linux.h )
- s.files += %w( src/core/lib/security/security_connector/local_security_connector.h )
+ s.files += %w( src/core/lib/security/security_connector/local/local_security_connector.h )
s.files += %w( src/core/lib/security/security_connector/security_connector.h )
+ s.files += %w( src/core/lib/security/security_connector/ssl/ssl_security_connector.h )
+ s.files += %w( src/core/lib/security/security_connector/ssl_utils.h )
s.files += %w( src/core/lib/security/transport/auth_filters.h )
s.files += %w( src/core/lib/security/transport/secure_endpoint.h )
s.files += %w( src/core/lib/security/transport/security_handshaker.h )
@@ -651,11 +654,14 @@ Gem::Specification.new do |s|
s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.cc )
s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.cc )
s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.cc )
- s.files += %w( src/core/lib/security/security_connector/alts_security_connector.cc )
+ s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.cc )
+ s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc )
s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc )
s.files += %w( src/core/lib/security/security_connector/load_system_roots_linux.cc )
- s.files += %w( src/core/lib/security/security_connector/local_security_connector.cc )
+ s.files += %w( src/core/lib/security/security_connector/local/local_security_connector.cc )
s.files += %w( src/core/lib/security/security_connector/security_connector.cc )
+ s.files += %w( src/core/lib/security/security_connector/ssl/ssl_security_connector.cc )
+ s.files += %w( src/core/lib/security/security_connector/ssl_utils.cc )
s.files += %w( src/core/lib/security/transport/client_auth_filter.cc )
s.files += %w( src/core/lib/security/transport/secure_endpoint.cc )
s.files += %w( src/core/lib/security/transport/security_handshaker.cc )
diff --git a/grpc.gyp b/grpc.gyp
index 36a458b139..e593db8267 100644
--- a/grpc.gyp
+++ b/grpc.gyp
@@ -472,11 +472,14 @@
'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
- 'src/core/lib/security/security_connector/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
'src/core/lib/security/security_connector/load_system_roots_linux.cc',
- 'src/core/lib/security/security_connector/local_security_connector.cc',
+ 'src/core/lib/security/security_connector/local/local_security_connector.cc',
'src/core/lib/security/security_connector/security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl_utils.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
diff --git a/package.xml b/package.xml
index 0d40707786..76f72d41be 100644
--- a/package.xml
+++ b/package.xml
@@ -228,11 +228,14 @@
<file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.h" role="src" />
- <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts_security_connector.h" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.h" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_linux.h" role="src" />
- <file baseinstalldir="/" name="src/core/lib/security/security_connector/local_security_connector.h" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/local/local_security_connector.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/security_connector.h" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/ssl/ssl_security_connector.h" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/ssl_utils.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/auth_filters.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/secure_endpoint.h" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/security_handshaker.h" role="src" />
@@ -656,11 +659,14 @@
<file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.cc" role="src" />
- <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts_security_connector.cc" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.cc" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_linux.cc" role="src" />
- <file baseinstalldir="/" name="src/core/lib/security/security_connector/local_security_connector.cc" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/local/local_security_connector.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/security_connector/security_connector.cc" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/ssl/ssl_security_connector.cc" role="src" />
+ <file baseinstalldir="/" name="src/core/lib/security/security_connector/ssl_utils.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/client_auth_filter.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/secure_endpoint.cc" role="src" />
<file baseinstalldir="/" name="src/core/lib/security/transport/security_handshaker.cc" role="src" />
diff --git a/src/core/lib/http/httpcli_security_connector.cc b/src/core/lib/http/httpcli_security_connector.cc
index 00128f1c82..1c798d368b 100644
--- a/src/core/lib/http/httpcli_security_connector.cc
+++ b/src/core/lib/http/httpcli_security_connector.cc
@@ -30,6 +30,7 @@
#include "src/core/lib/channel/handshaker_registry.h"
#include "src/core/lib/gpr/string.h"
#include "src/core/lib/iomgr/pollset.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
#include "src/core/lib/security/transport/security_handshaker.h"
#include "src/core/lib/slice/slice_internal.h"
#include "src/core/tsi/ssl_transport_security.h"
diff --git a/src/core/lib/security/credentials/alts/alts_credentials.cc b/src/core/lib/security/credentials/alts/alts_credentials.cc
index fa05d901bf..1fbef4ae0c 100644
--- a/src/core/lib/security/credentials/alts/alts_credentials.cc
+++ b/src/core/lib/security/credentials/alts/alts_credentials.cc
@@ -28,7 +28,7 @@
#include <grpc/support/string_util.h>
#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
-#include "src/core/lib/security/security_connector/alts_security_connector.h"
+#include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
#define GRPC_CREDENTIALS_TYPE_ALTS "Alts"
#define GRPC_ALTS_HANDSHAKER_SERVICE_URL "metadata.google.internal:8080"
diff --git a/src/core/lib/security/credentials/fake/fake_credentials.cc b/src/core/lib/security/credentials/fake/fake_credentials.cc
index 858ab6b41b..d3e0e8c816 100644
--- a/src/core/lib/security/credentials/fake/fake_credentials.cc
+++ b/src/core/lib/security/credentials/fake/fake_credentials.cc
@@ -29,6 +29,7 @@
#include "src/core/lib/channel/channel_args.h"
#include "src/core/lib/gpr/string.h"
#include "src/core/lib/iomgr/executor.h"
+#include "src/core/lib/security/security_connector/fake/fake_security_connector.h"
/* -- Fake transport security credentials. -- */
diff --git a/src/core/lib/security/credentials/local/local_credentials.cc b/src/core/lib/security/credentials/local/local_credentials.cc
index 9a2f646ba5..3ccfa2b908 100644
--- a/src/core/lib/security/credentials/local/local_credentials.cc
+++ b/src/core/lib/security/credentials/local/local_credentials.cc
@@ -25,7 +25,7 @@
#include <grpc/support/log.h>
#include "src/core/lib/channel/channel_args.h"
-#include "src/core/lib/security/security_connector/local_security_connector.h"
+#include "src/core/lib/security/security_connector/local/local_security_connector.h"
#define GRPC_CREDENTIALS_TYPE_LOCAL "Local"
diff --git a/src/core/lib/security/credentials/ssl/ssl_credentials.h b/src/core/lib/security/credentials/ssl/ssl_credentials.h
index 712d34c733..0fba413876 100644
--- a/src/core/lib/security/credentials/ssl/ssl_credentials.h
+++ b/src/core/lib/security/credentials/ssl/ssl_credentials.h
@@ -22,6 +22,8 @@
#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
+
typedef struct {
grpc_channel_credentials base;
grpc_ssl_config config;
diff --git a/src/core/lib/security/security_connector/alts_security_connector.cc b/src/core/lib/security/security_connector/alts/alts_security_connector.cc
index d38c0ff044..dd71c8bc60 100644
--- a/src/core/lib/security/security_connector/alts_security_connector.cc
+++ b/src/core/lib/security/security_connector/alts/alts_security_connector.cc
@@ -18,7 +18,7 @@
#include <grpc/support/port_platform.h>
-#include "src/core/lib/security/security_connector/alts_security_connector.h"
+#include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
#include <stdbool.h>
#include <string.h>
@@ -33,6 +33,7 @@
#include "src/core/lib/slice/slice_internal.h"
#include "src/core/lib/transport/transport.h"
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
+#include "src/core/tsi/transport_security.h"
typedef struct {
grpc_channel_security_connector base;
diff --git a/src/core/lib/security/security_connector/alts_security_connector.h b/src/core/lib/security/security_connector/alts/alts_security_connector.h
index e7e4cffe2a..d2e057a76a 100644
--- a/src/core/lib/security/security_connector/alts_security_connector.h
+++ b/src/core/lib/security/security_connector/alts/alts_security_connector.h
@@ -16,8 +16,8 @@
*
*/
-#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_SECURITY_CONNECTOR_H
-#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_SECURITY_CONNECTOR_H
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_ALTS_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_ALTS_SECURITY_CONNECTOR_H
#include <grpc/support/port_platform.h>
@@ -65,5 +65,5 @@ grpc_security_status grpc_alts_auth_context_from_tsi_peer(
} // namespace internal
} // namespace grpc_core
-#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_SECURITY_CONNECTOR_H \
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_ALTS_ALTS_SECURITY_CONNECTOR_H \
*/
diff --git a/src/core/lib/security/security_connector/fake/fake_security_connector.cc b/src/core/lib/security/security_connector/fake/fake_security_connector.cc
new file mode 100644
index 0000000000..5c0c89b88f
--- /dev/null
+++ b/src/core/lib/security/security_connector/fake/fake_security_connector.cc
@@ -0,0 +1,310 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/fake/fake_security_connector.h"
+
+#include <stdbool.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/ext/transport/chttp2/alpn/alpn.h"
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/channel/handshaker.h"
+#include "src/core/lib/gpr/host_port.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/fake/fake_credentials.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/lib/security/transport/target_authority_table.h"
+#include "src/core/tsi/fake_transport_security.h"
+
+typedef struct {
+ grpc_channel_security_connector base;
+ char* target;
+ char* expected_targets;
+ bool is_lb_channel;
+ char* target_name_override;
+} grpc_fake_channel_security_connector;
+
+static void fake_channel_destroy(grpc_security_connector* sc) {
+ grpc_fake_channel_security_connector* c =
+ reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
+ grpc_call_credentials_unref(c->base.request_metadata_creds);
+ gpr_free(c->target);
+ gpr_free(c->expected_targets);
+ gpr_free(c->target_name_override);
+ gpr_free(c);
+}
+
+static void fake_server_destroy(grpc_security_connector* sc) { gpr_free(sc); }
+
+static bool fake_check_target(const char* target_type, const char* target,
+ const char* set_str) {
+ GPR_ASSERT(target_type != nullptr);
+ GPR_ASSERT(target != nullptr);
+ char** set = nullptr;
+ size_t set_size = 0;
+ gpr_string_split(set_str, ",", &set, &set_size);
+ bool found = false;
+ for (size_t i = 0; i < set_size; ++i) {
+ if (set[i] != nullptr && strcmp(target, set[i]) == 0) found = true;
+ }
+ for (size_t i = 0; i < set_size; ++i) {
+ gpr_free(set[i]);
+ }
+ gpr_free(set);
+ return found;
+}
+
+static void fake_secure_name_check(const char* target,
+ const char* expected_targets,
+ bool is_lb_channel) {
+ if (expected_targets == nullptr) return;
+ char** lbs_and_backends = nullptr;
+ size_t lbs_and_backends_size = 0;
+ bool success = false;
+ gpr_string_split(expected_targets, ";", &lbs_and_backends,
+ &lbs_and_backends_size);
+ if (lbs_and_backends_size > 2 || lbs_and_backends_size == 0) {
+ gpr_log(GPR_ERROR, "Invalid expected targets arg value: '%s'",
+ expected_targets);
+ goto done;
+ }
+ if (is_lb_channel) {
+ if (lbs_and_backends_size != 2) {
+ gpr_log(GPR_ERROR,
+ "Invalid expected targets arg value: '%s'. Expectations for LB "
+ "channels must be of the form 'be1,be2,be3,...;lb1,lb2,...",
+ expected_targets);
+ goto done;
+ }
+ if (!fake_check_target("LB", target, lbs_and_backends[1])) {
+ gpr_log(GPR_ERROR, "LB target '%s' not found in expected set '%s'",
+ target, lbs_and_backends[1]);
+ goto done;
+ }
+ success = true;
+ } else {
+ if (!fake_check_target("Backend", target, lbs_and_backends[0])) {
+ gpr_log(GPR_ERROR, "Backend target '%s' not found in expected set '%s'",
+ target, lbs_and_backends[0]);
+ goto done;
+ }
+ success = true;
+ }
+done:
+ for (size_t i = 0; i < lbs_and_backends_size; ++i) {
+ gpr_free(lbs_and_backends[i]);
+ }
+ gpr_free(lbs_and_backends);
+ if (!success) abort();
+}
+
+static void fake_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ const char* prop_name;
+ grpc_error* error = GRPC_ERROR_NONE;
+ *auth_context = nullptr;
+ if (peer.property_count != 1) {
+ error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Fake peers should only have 1 property.");
+ goto end;
+ }
+ prop_name = peer.properties[0].name;
+ if (prop_name == nullptr ||
+ strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
+ char* msg;
+ gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
+ prop_name == nullptr ? "<EMPTY>" : prop_name);
+ error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+ gpr_free(msg);
+ goto end;
+ }
+ if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
+ peer.properties[0].value.length)) {
+ error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Invalid value for cert type property.");
+ goto end;
+ }
+ *auth_context = grpc_auth_context_create(nullptr);
+ grpc_auth_context_add_cstring_property(
+ *auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+ GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
+end:
+ GRPC_CLOSURE_SCHED(on_peer_checked, error);
+ tsi_peer_destruct(&peer);
+}
+
+static void fake_channel_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ fake_check_peer(sc, peer, auth_context, on_peer_checked);
+ grpc_fake_channel_security_connector* c =
+ reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
+ fake_secure_name_check(c->target, c->expected_targets, c->is_lb_channel);
+}
+
+static void fake_server_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ fake_check_peer(sc, peer, auth_context, on_peer_checked);
+}
+
+static int fake_channel_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_fake_channel_security_connector* c1 =
+ reinterpret_cast<grpc_fake_channel_security_connector*>(sc1);
+ grpc_fake_channel_security_connector* c2 =
+ reinterpret_cast<grpc_fake_channel_security_connector*>(sc2);
+ int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
+ if (c != 0) return c;
+ c = strcmp(c1->target, c2->target);
+ if (c != 0) return c;
+ if (c1->expected_targets == nullptr || c2->expected_targets == nullptr) {
+ c = GPR_ICMP(c1->expected_targets, c2->expected_targets);
+ } else {
+ c = strcmp(c1->expected_targets, c2->expected_targets);
+ }
+ if (c != 0) return c;
+ return GPR_ICMP(c1->is_lb_channel, c2->is_lb_channel);
+}
+
+static int fake_server_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ return grpc_server_security_connector_cmp(
+ reinterpret_cast<grpc_server_security_connector*>(sc1),
+ reinterpret_cast<grpc_server_security_connector*>(sc2));
+}
+
+static bool fake_channel_check_call_host(grpc_channel_security_connector* sc,
+ const char* host,
+ grpc_auth_context* auth_context,
+ grpc_closure* on_call_host_checked,
+ grpc_error** error) {
+ grpc_fake_channel_security_connector* c =
+ reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
+ char* authority_hostname = nullptr;
+ char* authority_ignored_port = nullptr;
+ char* target_hostname = nullptr;
+ char* target_ignored_port = nullptr;
+ gpr_split_host_port(host, &authority_hostname, &authority_ignored_port);
+ gpr_split_host_port(c->target, &target_hostname, &target_ignored_port);
+ if (c->target_name_override != nullptr) {
+ char* fake_security_target_name_override_hostname = nullptr;
+ char* fake_security_target_name_override_ignored_port = nullptr;
+ gpr_split_host_port(c->target_name_override,
+ &fake_security_target_name_override_hostname,
+ &fake_security_target_name_override_ignored_port);
+ if (strcmp(authority_hostname,
+ fake_security_target_name_override_hostname) != 0) {
+ gpr_log(GPR_ERROR,
+ "Authority (host) '%s' != Fake Security Target override '%s'",
+ host, fake_security_target_name_override_hostname);
+ abort();
+ }
+ gpr_free(fake_security_target_name_override_hostname);
+ gpr_free(fake_security_target_name_override_ignored_port);
+ } else if (strcmp(authority_hostname, target_hostname) != 0) {
+ gpr_log(GPR_ERROR, "Authority (host) '%s' != Target '%s'",
+ authority_hostname, target_hostname);
+ abort();
+ }
+ gpr_free(authority_hostname);
+ gpr_free(authority_ignored_port);
+ gpr_free(target_hostname);
+ gpr_free(target_ignored_port);
+ return true;
+}
+
+static void fake_channel_cancel_check_call_host(
+ grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
+ grpc_error* error) {
+ GRPC_ERROR_UNREF(error);
+}
+
+static void fake_channel_add_handshakers(
+ grpc_channel_security_connector* sc, grpc_pollset_set* interested_parties,
+ grpc_handshake_manager* handshake_mgr) {
+ grpc_handshake_manager_add(
+ handshake_mgr,
+ grpc_security_handshaker_create(
+ tsi_create_fake_handshaker(true /* is_client */), &sc->base));
+}
+
+static void fake_server_add_handshakers(grpc_server_security_connector* sc,
+ grpc_pollset_set* interested_parties,
+ grpc_handshake_manager* handshake_mgr) {
+ grpc_handshake_manager_add(
+ handshake_mgr,
+ grpc_security_handshaker_create(
+ tsi_create_fake_handshaker(false /* is_client */), &sc->base));
+}
+
+static grpc_security_connector_vtable fake_channel_vtable = {
+ fake_channel_destroy, fake_channel_check_peer, fake_channel_cmp};
+
+static grpc_security_connector_vtable fake_server_vtable = {
+ fake_server_destroy, fake_server_check_peer, fake_server_cmp};
+
+grpc_channel_security_connector* grpc_fake_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds, const char* target,
+ const grpc_channel_args* args) {
+ grpc_fake_channel_security_connector* c =
+ static_cast<grpc_fake_channel_security_connector*>(
+ gpr_zalloc(sizeof(*c)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
+ c->base.base.vtable = &fake_channel_vtable;
+ c->base.channel_creds = channel_creds;
+ c->base.request_metadata_creds =
+ grpc_call_credentials_ref(request_metadata_creds);
+ c->base.check_call_host = fake_channel_check_call_host;
+ c->base.cancel_check_call_host = fake_channel_cancel_check_call_host;
+ c->base.add_handshakers = fake_channel_add_handshakers;
+ c->target = gpr_strdup(target);
+ const char* expected_targets = grpc_fake_transport_get_expected_targets(args);
+ c->expected_targets = gpr_strdup(expected_targets);
+ c->is_lb_channel = grpc_core::FindTargetAuthorityTableInArgs(args) != nullptr;
+ const grpc_arg* target_name_override_arg =
+ grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
+ if (target_name_override_arg != nullptr) {
+ c->target_name_override =
+ gpr_strdup(grpc_channel_arg_get_string(target_name_override_arg));
+ }
+ return &c->base;
+}
+
+grpc_server_security_connector* grpc_fake_server_security_connector_create(
+ grpc_server_credentials* server_creds) {
+ grpc_server_security_connector* c =
+ static_cast<grpc_server_security_connector*>(
+ gpr_zalloc(sizeof(grpc_server_security_connector)));
+ gpr_ref_init(&c->base.refcount, 1);
+ c->base.vtable = &fake_server_vtable;
+ c->base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
+ c->server_creds = server_creds;
+ c->add_handshakers = fake_server_add_handshakers;
+ return c;
+}
diff --git a/src/core/lib/security/security_connector/fake/fake_security_connector.h b/src/core/lib/security/security_connector/fake/fake_security_connector.h
new file mode 100644
index 0000000000..fdfe048c6e
--- /dev/null
+++ b/src/core/lib/security/security_connector/fake/fake_security_connector.h
@@ -0,0 +1,42 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_FAKE_FAKE_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_FAKE_FAKE_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/channel/handshaker.h"
+#include "src/core/lib/security/security_connector/security_connector.h"
+
+#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security"
+
+/* Creates a fake connector that emulates real channel security. */
+grpc_channel_security_connector* grpc_fake_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds, const char* target,
+ const grpc_channel_args* args);
+
+/* Creates a fake connector that emulates real server security. */
+grpc_server_security_connector* grpc_fake_server_security_connector_create(
+ grpc_server_credentials* server_creds);
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_FAKE_FAKE_SECURITY_CONNECTOR_H \
+ */
diff --git a/src/core/lib/security/security_connector/local_security_connector.cc b/src/core/lib/security/security_connector/local/local_security_connector.cc
index 911013ae58..008a98df28 100644
--- a/src/core/lib/security/security_connector/local_security_connector.cc
+++ b/src/core/lib/security/security_connector/local/local_security_connector.cc
@@ -18,7 +18,7 @@
#include <grpc/support/port_platform.h>
-#include "src/core/lib/security/security_connector/local_security_connector.h"
+#include "src/core/lib/security/security_connector/local/local_security_connector.h"
#include <stdbool.h>
#include <string.h>
diff --git a/src/core/lib/security/security_connector/local_security_connector.h b/src/core/lib/security/security_connector/local/local_security_connector.h
index a970a74788..5369a2127a 100644
--- a/src/core/lib/security/security_connector/local_security_connector.h
+++ b/src/core/lib/security/security_connector/local/local_security_connector.h
@@ -16,8 +16,8 @@
*
*/
-#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H
-#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_LOCAL_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_LOCAL_SECURITY_CONNECTOR_H
#include <grpc/support/port_platform.h>
@@ -54,5 +54,5 @@ grpc_security_status grpc_local_channel_security_connector_create(
grpc_security_status grpc_local_server_security_connector_create(
grpc_server_credentials* server_creds, grpc_server_security_connector** sc);
-#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_SECURITY_CONNECTOR_H \
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOCAL_LOCAL_SECURITY_CONNECTOR_H \
*/
diff --git a/src/core/lib/security/security_connector/security_connector.cc b/src/core/lib/security/security_connector/security_connector.cc
index 7028ae8d16..02cecb0eb1 100644
--- a/src/core/lib/security/security_connector/security_connector.cc
+++ b/src/core/lib/security/security_connector/security_connector.cc
@@ -20,8 +20,6 @@
#include "src/core/lib/security/security_connector/security_connector.h"
-#include <stdbool.h>
-
#include <grpc/slice_buffer.h>
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
@@ -36,88 +34,12 @@
#include "src/core/lib/iomgr/load_file.h"
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/credentials/credentials.h"
-#include "src/core/lib/security/credentials/fake/fake_credentials.h"
-#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
#include "src/core/lib/security/security_connector/load_system_roots.h"
-#include "src/core/lib/security/transport/secure_endpoint.h"
#include "src/core/lib/security/transport/security_handshaker.h"
-#include "src/core/lib/security/transport/target_authority_table.h"
-#include "src/core/tsi/fake_transport_security.h"
-#include "src/core/tsi/ssl_transport_security.h"
grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount(
false, "security_connector_refcount");
-/* -- Constants. -- */
-
-#ifndef INSTALL_PREFIX
-static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
-#else
-static const char* installed_roots_path =
- INSTALL_PREFIX "/share/grpc/roots.pem";
-#endif
-
-/** Environment variable used as a flag to enable/disable loading system root
- certificates from the OS trust store. */
-#ifndef GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR
-#define GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_NOT_USE_SYSTEM_SSL_ROOTS"
-#endif
-
-#ifndef TSI_OPENSSL_ALPN_SUPPORT
-#define TSI_OPENSSL_ALPN_SUPPORT 1
-#endif
-
-/* -- Overridden default roots. -- */
-
-static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
-
-void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
- ssl_roots_override_cb = cb;
-}
-
-/* -- Cipher suites. -- */
-
-/* Defines the cipher suites that we accept by default. All these cipher suites
- are compliant with HTTP2. */
-#define GRPC_SSL_CIPHER_SUITES \
- "ECDHE-ECDSA-AES128-GCM-SHA256:" \
- "ECDHE-ECDSA-AES256-GCM-SHA384:" \
- "ECDHE-RSA-AES128-GCM-SHA256:" \
- "ECDHE-RSA-AES256-GCM-SHA384"
-
-static gpr_once cipher_suites_once = GPR_ONCE_INIT;
-static const char* cipher_suites = nullptr;
-
-static void init_cipher_suites(void) {
- char* overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES");
- cipher_suites = overridden != nullptr ? overridden : GRPC_SSL_CIPHER_SUITES;
-}
-
-static const char* ssl_cipher_suites(void) {
- gpr_once_init(&cipher_suites_once, init_cipher_suites);
- return cipher_suites;
-}
-
-/* -- Common methods. -- */
-
-/* Returns the first property with that name. */
-const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer,
- const char* name) {
- size_t i;
- if (peer == nullptr) return nullptr;
- for (i = 0; i < peer->property_count; i++) {
- const tsi_peer_property* property = &peer->properties[i];
- if (name == nullptr && property->name == nullptr) {
- return property;
- }
- if (name != nullptr && property->name != nullptr &&
- strcmp(property->name, name) == 0) {
- return property;
- }
- }
- return nullptr;
-}
-
void grpc_channel_security_connector_add_handshakers(
grpc_channel_security_connector* connector,
grpc_pollset_set* interested_parties,
@@ -288,965 +210,3 @@ grpc_security_connector* grpc_security_connector_find_in_args(
}
return nullptr;
}
-
-static tsi_client_certificate_request_type
-get_tsi_client_certificate_request_type(
- grpc_ssl_client_certificate_request_type grpc_request_type) {
- switch (grpc_request_type) {
- case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
- return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
-
- case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
- return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
-
- case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
- return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
-
- case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
- return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
-
- case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
- return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
-
- default:
- return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
- }
-}
-
-/* -- Fake implementation. -- */
-
-typedef struct {
- grpc_channel_security_connector base;
- char* target;
- char* expected_targets;
- bool is_lb_channel;
- char* target_name_override;
-} grpc_fake_channel_security_connector;
-
-static void fake_channel_destroy(grpc_security_connector* sc) {
- grpc_fake_channel_security_connector* c =
- reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
- grpc_call_credentials_unref(c->base.request_metadata_creds);
- gpr_free(c->target);
- gpr_free(c->expected_targets);
- gpr_free(c->target_name_override);
- gpr_free(c);
-}
-
-static void fake_server_destroy(grpc_security_connector* sc) { gpr_free(sc); }
-
-static bool fake_check_target(const char* target_type, const char* target,
- const char* set_str) {
- GPR_ASSERT(target_type != nullptr);
- GPR_ASSERT(target != nullptr);
- char** set = nullptr;
- size_t set_size = 0;
- gpr_string_split(set_str, ",", &set, &set_size);
- bool found = false;
- for (size_t i = 0; i < set_size; ++i) {
- if (set[i] != nullptr && strcmp(target, set[i]) == 0) found = true;
- }
- for (size_t i = 0; i < set_size; ++i) {
- gpr_free(set[i]);
- }
- gpr_free(set);
- return found;
-}
-
-static void fake_secure_name_check(const char* target,
- const char* expected_targets,
- bool is_lb_channel) {
- if (expected_targets == nullptr) return;
- char** lbs_and_backends = nullptr;
- size_t lbs_and_backends_size = 0;
- bool success = false;
- gpr_string_split(expected_targets, ";", &lbs_and_backends,
- &lbs_and_backends_size);
- if (lbs_and_backends_size > 2 || lbs_and_backends_size == 0) {
- gpr_log(GPR_ERROR, "Invalid expected targets arg value: '%s'",
- expected_targets);
- goto done;
- }
- if (is_lb_channel) {
- if (lbs_and_backends_size != 2) {
- gpr_log(GPR_ERROR,
- "Invalid expected targets arg value: '%s'. Expectations for LB "
- "channels must be of the form 'be1,be2,be3,...;lb1,lb2,...",
- expected_targets);
- goto done;
- }
- if (!fake_check_target("LB", target, lbs_and_backends[1])) {
- gpr_log(GPR_ERROR, "LB target '%s' not found in expected set '%s'",
- target, lbs_and_backends[1]);
- goto done;
- }
- success = true;
- } else {
- if (!fake_check_target("Backend", target, lbs_and_backends[0])) {
- gpr_log(GPR_ERROR, "Backend target '%s' not found in expected set '%s'",
- target, lbs_and_backends[0]);
- goto done;
- }
- success = true;
- }
-done:
- for (size_t i = 0; i < lbs_and_backends_size; ++i) {
- gpr_free(lbs_and_backends[i]);
- }
- gpr_free(lbs_and_backends);
- if (!success) abort();
-}
-
-static void fake_check_peer(grpc_security_connector* sc, tsi_peer peer,
- grpc_auth_context** auth_context,
- grpc_closure* on_peer_checked) {
- const char* prop_name;
- grpc_error* error = GRPC_ERROR_NONE;
- *auth_context = nullptr;
- if (peer.property_count != 1) {
- error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "Fake peers should only have 1 property.");
- goto end;
- }
- prop_name = peer.properties[0].name;
- if (prop_name == nullptr ||
- strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
- char* msg;
- gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
- prop_name == nullptr ? "<EMPTY>" : prop_name);
- error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
- gpr_free(msg);
- goto end;
- }
- if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
- peer.properties[0].value.length)) {
- error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "Invalid value for cert type property.");
- goto end;
- }
- *auth_context = grpc_auth_context_create(nullptr);
- grpc_auth_context_add_cstring_property(
- *auth_context, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
- GRPC_FAKE_TRANSPORT_SECURITY_TYPE);
-end:
- GRPC_CLOSURE_SCHED(on_peer_checked, error);
- tsi_peer_destruct(&peer);
-}
-
-static void fake_channel_check_peer(grpc_security_connector* sc, tsi_peer peer,
- grpc_auth_context** auth_context,
- grpc_closure* on_peer_checked) {
- fake_check_peer(sc, peer, auth_context, on_peer_checked);
- grpc_fake_channel_security_connector* c =
- reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
- fake_secure_name_check(c->target, c->expected_targets, c->is_lb_channel);
-}
-
-static void fake_server_check_peer(grpc_security_connector* sc, tsi_peer peer,
- grpc_auth_context** auth_context,
- grpc_closure* on_peer_checked) {
- fake_check_peer(sc, peer, auth_context, on_peer_checked);
-}
-
-static int fake_channel_cmp(grpc_security_connector* sc1,
- grpc_security_connector* sc2) {
- grpc_fake_channel_security_connector* c1 =
- reinterpret_cast<grpc_fake_channel_security_connector*>(sc1);
- grpc_fake_channel_security_connector* c2 =
- reinterpret_cast<grpc_fake_channel_security_connector*>(sc2);
- int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
- if (c != 0) return c;
- c = strcmp(c1->target, c2->target);
- if (c != 0) return c;
- if (c1->expected_targets == nullptr || c2->expected_targets == nullptr) {
- c = GPR_ICMP(c1->expected_targets, c2->expected_targets);
- } else {
- c = strcmp(c1->expected_targets, c2->expected_targets);
- }
- if (c != 0) return c;
- return GPR_ICMP(c1->is_lb_channel, c2->is_lb_channel);
-}
-
-static int fake_server_cmp(grpc_security_connector* sc1,
- grpc_security_connector* sc2) {
- return grpc_server_security_connector_cmp(
- reinterpret_cast<grpc_server_security_connector*>(sc1),
- reinterpret_cast<grpc_server_security_connector*>(sc2));
-}
-
-static bool fake_channel_check_call_host(grpc_channel_security_connector* sc,
- const char* host,
- grpc_auth_context* auth_context,
- grpc_closure* on_call_host_checked,
- grpc_error** error) {
- grpc_fake_channel_security_connector* c =
- reinterpret_cast<grpc_fake_channel_security_connector*>(sc);
- char* authority_hostname = nullptr;
- char* authority_ignored_port = nullptr;
- char* target_hostname = nullptr;
- char* target_ignored_port = nullptr;
- gpr_split_host_port(host, &authority_hostname, &authority_ignored_port);
- gpr_split_host_port(c->target, &target_hostname, &target_ignored_port);
- if (c->target_name_override != nullptr) {
- char* fake_security_target_name_override_hostname = nullptr;
- char* fake_security_target_name_override_ignored_port = nullptr;
- gpr_split_host_port(c->target_name_override,
- &fake_security_target_name_override_hostname,
- &fake_security_target_name_override_ignored_port);
- if (strcmp(authority_hostname,
- fake_security_target_name_override_hostname) != 0) {
- gpr_log(GPR_ERROR,
- "Authority (host) '%s' != Fake Security Target override '%s'",
- host, fake_security_target_name_override_hostname);
- abort();
- }
- gpr_free(fake_security_target_name_override_hostname);
- gpr_free(fake_security_target_name_override_ignored_port);
- } else if (strcmp(authority_hostname, target_hostname) != 0) {
- gpr_log(GPR_ERROR, "Authority (host) '%s' != Target '%s'",
- authority_hostname, target_hostname);
- abort();
- }
- gpr_free(authority_hostname);
- gpr_free(authority_ignored_port);
- gpr_free(target_hostname);
- gpr_free(target_ignored_port);
- return true;
-}
-
-static void fake_channel_cancel_check_call_host(
- grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
- grpc_error* error) {
- GRPC_ERROR_UNREF(error);
-}
-
-static void fake_channel_add_handshakers(
- grpc_channel_security_connector* sc, grpc_pollset_set* interested_parties,
- grpc_handshake_manager* handshake_mgr) {
- grpc_handshake_manager_add(
- handshake_mgr,
- grpc_security_handshaker_create(
- tsi_create_fake_handshaker(true /* is_client */), &sc->base));
-}
-
-static void fake_server_add_handshakers(grpc_server_security_connector* sc,
- grpc_pollset_set* interested_parties,
- grpc_handshake_manager* handshake_mgr) {
- grpc_handshake_manager_add(
- handshake_mgr,
- grpc_security_handshaker_create(
- tsi_create_fake_handshaker(false /* is_client */), &sc->base));
-}
-
-static grpc_security_connector_vtable fake_channel_vtable = {
- fake_channel_destroy, fake_channel_check_peer, fake_channel_cmp};
-
-static grpc_security_connector_vtable fake_server_vtable = {
- fake_server_destroy, fake_server_check_peer, fake_server_cmp};
-
-grpc_channel_security_connector* grpc_fake_channel_security_connector_create(
- grpc_channel_credentials* channel_creds,
- grpc_call_credentials* request_metadata_creds, const char* target,
- const grpc_channel_args* args) {
- grpc_fake_channel_security_connector* c =
- static_cast<grpc_fake_channel_security_connector*>(
- gpr_zalloc(sizeof(*c)));
- gpr_ref_init(&c->base.base.refcount, 1);
- c->base.base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
- c->base.base.vtable = &fake_channel_vtable;
- c->base.channel_creds = channel_creds;
- c->base.request_metadata_creds =
- grpc_call_credentials_ref(request_metadata_creds);
- c->base.check_call_host = fake_channel_check_call_host;
- c->base.cancel_check_call_host = fake_channel_cancel_check_call_host;
- c->base.add_handshakers = fake_channel_add_handshakers;
- c->target = gpr_strdup(target);
- const char* expected_targets = grpc_fake_transport_get_expected_targets(args);
- c->expected_targets = gpr_strdup(expected_targets);
- c->is_lb_channel = grpc_core::FindTargetAuthorityTableInArgs(args) != nullptr;
- const grpc_arg* target_name_override_arg =
- grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
- if (target_name_override_arg != nullptr) {
- c->target_name_override =
- gpr_strdup(grpc_channel_arg_get_string(target_name_override_arg));
- }
- return &c->base;
-}
-
-grpc_server_security_connector* grpc_fake_server_security_connector_create(
- grpc_server_credentials* server_creds) {
- grpc_server_security_connector* c =
- static_cast<grpc_server_security_connector*>(
- gpr_zalloc(sizeof(grpc_server_security_connector)));
- gpr_ref_init(&c->base.refcount, 1);
- c->base.vtable = &fake_server_vtable;
- c->base.url_scheme = GRPC_FAKE_SECURITY_URL_SCHEME;
- c->server_creds = server_creds;
- c->add_handshakers = fake_server_add_handshakers;
- return c;
-}
-
-/* --- Ssl implementation. --- */
-
-grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
- tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
- return reinterpret_cast<grpc_ssl_session_cache*>(cache);
-}
-
-void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
- tsi_ssl_session_cache* tsi_cache =
- reinterpret_cast<tsi_ssl_session_cache*>(cache);
- tsi_ssl_session_cache_unref(tsi_cache);
-}
-
-static void* grpc_ssl_session_cache_arg_copy(void* p) {
- tsi_ssl_session_cache* tsi_cache =
- reinterpret_cast<tsi_ssl_session_cache*>(p);
- // destroy call below will unref the pointer.
- tsi_ssl_session_cache_ref(tsi_cache);
- return p;
-}
-
-static void grpc_ssl_session_cache_arg_destroy(void* p) {
- tsi_ssl_session_cache* tsi_cache =
- reinterpret_cast<tsi_ssl_session_cache*>(p);
- tsi_ssl_session_cache_unref(tsi_cache);
-}
-
-static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
- return GPR_ICMP(p, q);
-}
-
-grpc_arg grpc_ssl_session_cache_create_channel_arg(
- grpc_ssl_session_cache* cache) {
- static const grpc_arg_pointer_vtable vtable = {
- grpc_ssl_session_cache_arg_copy,
- grpc_ssl_session_cache_arg_destroy,
- grpc_ssl_session_cache_arg_cmp,
- };
- return grpc_channel_arg_pointer_create(
- const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
-}
-
-typedef struct {
- grpc_channel_security_connector base;
- tsi_ssl_client_handshaker_factory* client_handshaker_factory;
- char* target_name;
- char* overridden_target_name;
- const verify_peer_options* verify_options;
-} grpc_ssl_channel_security_connector;
-
-typedef struct {
- grpc_server_security_connector base;
- tsi_ssl_server_handshaker_factory* server_handshaker_factory;
-} grpc_ssl_server_security_connector;
-
-static bool server_connector_has_cert_config_fetcher(
- grpc_ssl_server_security_connector* c) {
- GPR_ASSERT(c != nullptr);
- grpc_ssl_server_credentials* server_creds =
- reinterpret_cast<grpc_ssl_server_credentials*>(c->base.server_creds);
- GPR_ASSERT(server_creds != nullptr);
- return server_creds->certificate_config_fetcher.cb != nullptr;
-}
-
-static void ssl_channel_destroy(grpc_security_connector* sc) {
- grpc_ssl_channel_security_connector* c =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
- grpc_channel_credentials_unref(c->base.channel_creds);
- grpc_call_credentials_unref(c->base.request_metadata_creds);
- tsi_ssl_client_handshaker_factory_unref(c->client_handshaker_factory);
- c->client_handshaker_factory = nullptr;
- if (c->target_name != nullptr) gpr_free(c->target_name);
- if (c->overridden_target_name != nullptr) gpr_free(c->overridden_target_name);
- gpr_free(sc);
-}
-
-static void ssl_server_destroy(grpc_security_connector* sc) {
- grpc_ssl_server_security_connector* c =
- reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
- grpc_server_credentials_unref(c->base.server_creds);
- tsi_ssl_server_handshaker_factory_unref(c->server_handshaker_factory);
- c->server_handshaker_factory = nullptr;
- gpr_free(sc);
-}
-
-static void ssl_channel_add_handshakers(grpc_channel_security_connector* sc,
- grpc_pollset_set* interested_parties,
- grpc_handshake_manager* handshake_mgr) {
- grpc_ssl_channel_security_connector* c =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
- // Instantiate TSI handshaker.
- tsi_handshaker* tsi_hs = nullptr;
- tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
- c->client_handshaker_factory,
- c->overridden_target_name != nullptr ? c->overridden_target_name
- : c->target_name,
- &tsi_hs);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
- tsi_result_to_string(result));
- return;
- }
- // Create handshakers.
- grpc_handshake_manager_add(
- handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
-}
-
-static const char** fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
- GPR_ASSERT(num_alpn_protocols != nullptr);
- *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
- const char** alpn_protocol_strings = static_cast<const char**>(
- gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
- for (size_t i = 0; i < *num_alpn_protocols; i++) {
- alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
- }
- return alpn_protocol_strings;
-}
-
-/* Attempts to replace the server_handshaker_factory with a new factory using
- * the provided grpc_ssl_server_certificate_config. Should new factory creation
- * fail, the existing factory will not be replaced. Returns true on success (new
- * factory created). */
-static bool try_replace_server_handshaker_factory(
- grpc_ssl_server_security_connector* sc,
- const grpc_ssl_server_certificate_config* config) {
- if (config == nullptr) {
- gpr_log(GPR_ERROR,
- "Server certificate config callback returned invalid (NULL) "
- "config.");
- return false;
- }
- gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
-
- size_t num_alpn_protocols = 0;
- const char** alpn_protocol_strings =
- fill_alpn_protocol_strings(&num_alpn_protocols);
- tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
- config->pem_key_cert_pairs, config->num_key_cert_pairs);
- tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
- grpc_ssl_server_credentials* server_creds =
- reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
- tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
- cert_pairs, config->num_key_cert_pairs, config->pem_root_certs,
- get_tsi_client_certificate_request_type(
- server_creds->config.client_certificate_request),
- ssl_cipher_suites(), alpn_protocol_strings,
- static_cast<uint16_t>(num_alpn_protocols), &new_handshaker_factory);
- gpr_free(cert_pairs);
- gpr_free((void*)alpn_protocol_strings);
-
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
- tsi_result_to_string(result));
- return false;
- }
- tsi_ssl_server_handshaker_factory_unref(sc->server_handshaker_factory);
- sc->server_handshaker_factory = new_handshaker_factory;
- return true;
-}
-
-/* Attempts to fetch the server certificate config if a callback is available.
- * Current certificate config will continue to be used if the callback returns
- * an error. Returns true if new credentials were sucessfully loaded. */
-static bool try_fetch_ssl_server_credentials(
- grpc_ssl_server_security_connector* sc) {
- grpc_ssl_server_certificate_config* certificate_config = nullptr;
- bool status;
-
- GPR_ASSERT(sc != nullptr);
- if (!server_connector_has_cert_config_fetcher(sc)) return false;
-
- grpc_ssl_server_credentials* server_creds =
- reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
- grpc_ssl_certificate_config_reload_status cb_result =
- server_creds->certificate_config_fetcher.cb(
- server_creds->certificate_config_fetcher.user_data,
- &certificate_config);
- if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
- gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
- status = false;
- } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
- status = try_replace_server_handshaker_factory(sc, certificate_config);
- } else {
- // Log error, continue using previously-loaded credentials.
- gpr_log(GPR_ERROR,
- "Failed fetching new server credentials, continuing to "
- "use previously-loaded credentials.");
- status = false;
- }
-
- if (certificate_config != nullptr) {
- grpc_ssl_server_certificate_config_destroy(certificate_config);
- }
- return status;
-}
-
-static void ssl_server_add_handshakers(grpc_server_security_connector* sc,
- grpc_pollset_set* interested_parties,
- grpc_handshake_manager* handshake_mgr) {
- grpc_ssl_server_security_connector* c =
- reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
- // Instantiate TSI handshaker.
- try_fetch_ssl_server_credentials(c);
- tsi_handshaker* tsi_hs = nullptr;
- tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
- c->server_handshaker_factory, &tsi_hs);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
- tsi_result_to_string(result));
- return;
- }
- // Create handshakers.
- grpc_handshake_manager_add(
- handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
-}
-
-int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
- char* allocated_name = nullptr;
- int r;
-
- char* ignored_port;
- gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
- gpr_free(ignored_port);
- peer_name = allocated_name;
- if (!peer_name) return 0;
-
- // IPv6 zone-id should not be included in comparisons.
- char* const zone_id = strchr(allocated_name, '%');
- if (zone_id != nullptr) *zone_id = '\0';
-
- r = tsi_ssl_peer_matches_name(peer, peer_name);
- gpr_free(allocated_name);
- return r;
-}
-
-grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) {
- size_t i;
- grpc_auth_context* ctx = nullptr;
- const char* peer_identity_property_name = nullptr;
-
- /* The caller has checked the certificate type property. */
- GPR_ASSERT(peer->property_count >= 1);
- ctx = grpc_auth_context_create(nullptr);
- grpc_auth_context_add_cstring_property(
- ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
- GRPC_SSL_TRANSPORT_SECURITY_TYPE);
- for (i = 0; i < peer->property_count; i++) {
- const tsi_peer_property* prop = &peer->properties[i];
- if (prop->name == nullptr) continue;
- if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
- /* If there is no subject alt name, have the CN as the identity. */
- if (peer_identity_property_name == nullptr) {
- peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
- }
- grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME,
- prop->value.data, prop->value.length);
- } else if (strcmp(prop->name,
- TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
- peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
- grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME,
- prop->value.data, prop->value.length);
- } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
- grpc_auth_context_add_property(ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME,
- prop->value.data, prop->value.length);
- } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
- grpc_auth_context_add_property(ctx, GRPC_SSL_SESSION_REUSED_PROPERTY,
- prop->value.data, prop->value.length);
- }
- }
- if (peer_identity_property_name != nullptr) {
- GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
- ctx, peer_identity_property_name) == 1);
- }
- return ctx;
-}
-
-static grpc_error* ssl_check_peer(grpc_security_connector* sc,
- const char* peer_name, const tsi_peer* peer,
- grpc_auth_context** auth_context) {
-#if TSI_OPENSSL_ALPN_SUPPORT
- /* Check the ALPN if ALPN is supported. */
- const tsi_peer_property* p =
- tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
- if (p == nullptr) {
- return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "Cannot check peer: missing selected ALPN property.");
- }
- if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
- return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "Cannot check peer: invalid ALPN value.");
- }
-#endif /* TSI_OPENSSL_ALPN_SUPPORT */
- /* Check the peer name if specified. */
- if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
- char* msg;
- gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
- grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
- gpr_free(msg);
- return error;
- }
- *auth_context = grpc_ssl_peer_to_auth_context(peer);
- return GRPC_ERROR_NONE;
-}
-
-static void ssl_channel_check_peer(grpc_security_connector* sc, tsi_peer peer,
- grpc_auth_context** auth_context,
- grpc_closure* on_peer_checked) {
- grpc_ssl_channel_security_connector* c =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
- const char* target_name = c->overridden_target_name != nullptr
- ? c->overridden_target_name
- : c->target_name;
- grpc_error* error = ssl_check_peer(sc, target_name, &peer, auth_context);
- if (error == GRPC_ERROR_NONE &&
- c->verify_options->verify_peer_callback != nullptr) {
- const tsi_peer_property* p =
- tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
- if (p == nullptr) {
- error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "Cannot check peer: missing pem cert property.");
- } else {
- char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
- memcpy(peer_pem, p->value.data, p->value.length);
- peer_pem[p->value.length] = '\0';
- int callback_status = c->verify_options->verify_peer_callback(
- target_name, peer_pem,
- c->verify_options->verify_peer_callback_userdata);
- gpr_free(peer_pem);
- if (callback_status) {
- char* msg;
- gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
- callback_status);
- error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
- gpr_free(msg);
- }
- }
- }
- GRPC_CLOSURE_SCHED(on_peer_checked, error);
- tsi_peer_destruct(&peer);
-}
-
-static void ssl_server_check_peer(grpc_security_connector* sc, tsi_peer peer,
- grpc_auth_context** auth_context,
- grpc_closure* on_peer_checked) {
- grpc_error* error = ssl_check_peer(sc, nullptr, &peer, auth_context);
- tsi_peer_destruct(&peer);
- GRPC_CLOSURE_SCHED(on_peer_checked, error);
-}
-
-static int ssl_channel_cmp(grpc_security_connector* sc1,
- grpc_security_connector* sc2) {
- grpc_ssl_channel_security_connector* c1 =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc1);
- grpc_ssl_channel_security_connector* c2 =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc2);
- int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
- if (c != 0) return c;
- c = strcmp(c1->target_name, c2->target_name);
- if (c != 0) return c;
- return (c1->overridden_target_name == nullptr ||
- c2->overridden_target_name == nullptr)
- ? GPR_ICMP(c1->overridden_target_name, c2->overridden_target_name)
- : strcmp(c1->overridden_target_name, c2->overridden_target_name);
-}
-
-static int ssl_server_cmp(grpc_security_connector* sc1,
- grpc_security_connector* sc2) {
- return grpc_server_security_connector_cmp(
- reinterpret_cast<grpc_server_security_connector*>(sc1),
- reinterpret_cast<grpc_server_security_connector*>(sc2));
-}
-
-static void add_shallow_auth_property_to_peer(tsi_peer* peer,
- const grpc_auth_property* prop,
- const char* tsi_prop_name) {
- tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
- tsi_prop->name = const_cast<char*>(tsi_prop_name);
- tsi_prop->value.data = prop->value;
- tsi_prop->value.length = prop->value_length;
-}
-
-tsi_peer grpc_shallow_peer_from_ssl_auth_context(
- const grpc_auth_context* auth_context) {
- size_t max_num_props = 0;
- grpc_auth_property_iterator it;
- const grpc_auth_property* prop;
- tsi_peer peer;
- memset(&peer, 0, sizeof(peer));
-
- it = grpc_auth_context_property_iterator(auth_context);
- while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
-
- if (max_num_props > 0) {
- peer.properties = static_cast<tsi_peer_property*>(
- gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
- it = grpc_auth_context_property_iterator(auth_context);
- while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
- if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
- add_shallow_auth_property_to_peer(
- &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
- } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
- add_shallow_auth_property_to_peer(
- &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
- } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
- add_shallow_auth_property_to_peer(&peer, prop,
- TSI_X509_PEM_CERT_PROPERTY);
- }
- }
- }
- return peer;
-}
-
-void grpc_shallow_peer_destruct(tsi_peer* peer) {
- if (peer->properties != nullptr) gpr_free(peer->properties);
-}
-
-static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc,
- const char* host,
- grpc_auth_context* auth_context,
- grpc_closure* on_call_host_checked,
- grpc_error** error) {
- grpc_ssl_channel_security_connector* c =
- reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
- grpc_security_status status = GRPC_SECURITY_ERROR;
- tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
- if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
- /* If the target name was overridden, then the original target_name was
- 'checked' transitively during the previous peer check at the end of the
- handshake. */
- if (c->overridden_target_name != nullptr &&
- strcmp(host, c->target_name) == 0) {
- status = GRPC_SECURITY_OK;
- }
- if (status != GRPC_SECURITY_OK) {
- *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
- "call host does not match SSL server name");
- }
- grpc_shallow_peer_destruct(&peer);
- return true;
-}
-
-static void ssl_channel_cancel_check_call_host(
- grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
- grpc_error* error) {
- GRPC_ERROR_UNREF(error);
-}
-
-static grpc_security_connector_vtable ssl_channel_vtable = {
- ssl_channel_destroy, ssl_channel_check_peer, ssl_channel_cmp};
-
-static grpc_security_connector_vtable ssl_server_vtable = {
- ssl_server_destroy, ssl_server_check_peer, ssl_server_cmp};
-
-grpc_security_status grpc_ssl_channel_security_connector_create(
- grpc_channel_credentials* channel_creds,
- grpc_call_credentials* request_metadata_creds,
- const grpc_ssl_config* config, const char* target_name,
- const char* overridden_target_name,
- tsi_ssl_session_cache* ssl_session_cache,
- grpc_channel_security_connector** sc) {
- tsi_result result = TSI_OK;
- grpc_ssl_channel_security_connector* c;
- char* port;
- bool has_key_cert_pair;
- tsi_ssl_client_handshaker_options options;
- memset(&options, 0, sizeof(options));
- options.alpn_protocols =
- fill_alpn_protocol_strings(&options.num_alpn_protocols);
-
- if (config == nullptr || target_name == nullptr) {
- gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
- goto error;
- }
- if (config->pem_root_certs == nullptr) {
- // Use default root certificates.
- options.pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
- options.root_store = grpc_core::DefaultSslRootStore::GetRootStore();
- if (options.pem_root_certs == nullptr) {
- gpr_log(GPR_ERROR, "Could not get default pem root certs.");
- goto error;
- }
- } else {
- options.pem_root_certs = config->pem_root_certs;
- }
- c = static_cast<grpc_ssl_channel_security_connector*>(
- gpr_zalloc(sizeof(grpc_ssl_channel_security_connector)));
-
- gpr_ref_init(&c->base.base.refcount, 1);
- c->base.base.vtable = &ssl_channel_vtable;
- c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
- c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
- c->base.request_metadata_creds =
- grpc_call_credentials_ref(request_metadata_creds);
- c->base.check_call_host = ssl_channel_check_call_host;
- c->base.cancel_check_call_host = ssl_channel_cancel_check_call_host;
- c->base.add_handshakers = ssl_channel_add_handshakers;
- gpr_split_host_port(target_name, &c->target_name, &port);
- gpr_free(port);
- if (overridden_target_name != nullptr) {
- c->overridden_target_name = gpr_strdup(overridden_target_name);
- }
- c->verify_options = &config->verify_options;
-
- has_key_cert_pair = config->pem_key_cert_pair != nullptr &&
- config->pem_key_cert_pair->private_key != nullptr &&
- config->pem_key_cert_pair->cert_chain != nullptr;
- if (has_key_cert_pair) {
- options.pem_key_cert_pair = config->pem_key_cert_pair;
- }
- options.cipher_suites = ssl_cipher_suites();
- options.session_cache = ssl_session_cache;
- result = tsi_create_ssl_client_handshaker_factory_with_options(
- &options, &c->client_handshaker_factory);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
- tsi_result_to_string(result));
- ssl_channel_destroy(&c->base.base);
- *sc = nullptr;
- goto error;
- }
- *sc = &c->base;
- gpr_free((void*)options.alpn_protocols);
- return GRPC_SECURITY_OK;
-
-error:
- gpr_free((void*)options.alpn_protocols);
- return GRPC_SECURITY_ERROR;
-}
-
-static grpc_ssl_server_security_connector*
-grpc_ssl_server_security_connector_initialize(
- grpc_server_credentials* server_creds) {
- grpc_ssl_server_security_connector* c =
- static_cast<grpc_ssl_server_security_connector*>(
- gpr_zalloc(sizeof(grpc_ssl_server_security_connector)));
- gpr_ref_init(&c->base.base.refcount, 1);
- c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
- c->base.base.vtable = &ssl_server_vtable;
- c->base.add_handshakers = ssl_server_add_handshakers;
- c->base.server_creds = grpc_server_credentials_ref(server_creds);
- return c;
-}
-
-grpc_security_status grpc_ssl_server_security_connector_create(
- grpc_server_credentials* gsc, grpc_server_security_connector** sc) {
- tsi_result result = TSI_OK;
- grpc_ssl_server_credentials* server_credentials =
- reinterpret_cast<grpc_ssl_server_credentials*>(gsc);
- grpc_security_status retval = GRPC_SECURITY_OK;
-
- GPR_ASSERT(server_credentials != nullptr);
- GPR_ASSERT(sc != nullptr);
-
- grpc_ssl_server_security_connector* c =
- grpc_ssl_server_security_connector_initialize(gsc);
- if (server_connector_has_cert_config_fetcher(c)) {
- // Load initial credentials from certificate_config_fetcher:
- if (!try_fetch_ssl_server_credentials(c)) {
- gpr_log(GPR_ERROR, "Failed loading SSL server credentials from fetcher.");
- retval = GRPC_SECURITY_ERROR;
- }
- } else {
- size_t num_alpn_protocols = 0;
- const char** alpn_protocol_strings =
- fill_alpn_protocol_strings(&num_alpn_protocols);
- result = tsi_create_ssl_server_handshaker_factory_ex(
- server_credentials->config.pem_key_cert_pairs,
- server_credentials->config.num_key_cert_pairs,
- server_credentials->config.pem_root_certs,
- get_tsi_client_certificate_request_type(
- server_credentials->config.client_certificate_request),
- ssl_cipher_suites(), alpn_protocol_strings,
- static_cast<uint16_t>(num_alpn_protocols),
- &c->server_handshaker_factory);
- gpr_free((void*)alpn_protocol_strings);
- if (result != TSI_OK) {
- gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
- tsi_result_to_string(result));
- retval = GRPC_SECURITY_ERROR;
- }
- }
-
- if (retval == GRPC_SECURITY_OK) {
- *sc = &c->base;
- } else {
- if (c != nullptr) ssl_server_destroy(&c->base.base);
- if (sc != nullptr) *sc = nullptr;
- }
- return retval;
-}
-
-namespace grpc_core {
-
-tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
-grpc_slice DefaultSslRootStore::default_pem_root_certs_;
-
-const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
- InitRootStore();
- return default_root_store_;
-}
-
-const char* DefaultSslRootStore::GetPemRootCerts() {
- InitRootStore();
- return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
- ? nullptr
- : reinterpret_cast<const char*>
- GRPC_SLICE_START_PTR(default_pem_root_certs_);
-}
-
-grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
- grpc_slice result = grpc_empty_slice();
- char* not_use_system_roots_env_value =
- gpr_getenv(GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
- const bool not_use_system_roots = gpr_is_true(not_use_system_roots_env_value);
- gpr_free(not_use_system_roots_env_value);
- // First try to load the roots from the environment.
- char* default_root_certs_path =
- gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
- if (default_root_certs_path != nullptr) {
- GRPC_LOG_IF_ERROR("load_file",
- grpc_load_file(default_root_certs_path, 1, &result));
- gpr_free(default_root_certs_path);
- }
- // Try overridden roots if needed.
- grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
- if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
- char* pem_root_certs = nullptr;
- ovrd_res = ssl_roots_override_cb(&pem_root_certs);
- if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
- GPR_ASSERT(pem_root_certs != nullptr);
- result = grpc_slice_from_copied_buffer(
- pem_root_certs,
- strlen(pem_root_certs) + 1); // nullptr terminator.
- }
- gpr_free(pem_root_certs);
- }
- // Try loading roots from OS trust store if flag is enabled.
- if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
- result = LoadSystemRootCerts();
- }
- // Fallback to roots manually shipped with gRPC.
- if (GRPC_SLICE_IS_EMPTY(result) &&
- ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
- GRPC_LOG_IF_ERROR("load_file",
- grpc_load_file(installed_roots_path, 1, &result));
- }
- return result;
-}
-
-void DefaultSslRootStore::InitRootStore() {
- static gpr_once once = GPR_ONCE_INIT;
- gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
-}
-
-void DefaultSslRootStore::InitRootStoreOnce() {
- default_pem_root_certs_ = ComputePemRootCerts();
- if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
- default_root_store_ =
- tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
- GRPC_SLICE_START_PTR(default_pem_root_certs_)));
- }
-}
-
-} // namespace grpc_core
diff --git a/src/core/lib/security/security_connector/security_connector.h b/src/core/lib/security/security_connector/security_connector.h
index d8df3cd72f..4c921a8793 100644
--- a/src/core/lib/security/security_connector/security_connector.h
+++ b/src/core/lib/security/security_connector/security_connector.h
@@ -38,11 +38,6 @@ extern grpc_core::DebugOnlyTraceFlag grpc_trace_security_connector_refcount;
typedef enum { GRPC_SECURITY_OK = 0, GRPC_SECURITY_ERROR } grpc_security_status;
-/* --- URL schemes. --- */
-
-#define GRPC_SSL_URL_SCHEME "https"
-#define GRPC_FAKE_SECURITY_URL_SCHEME "http+fake_security"
-
/* --- security_connector object. ---
A security connector object represents away to configure the underlying
@@ -179,112 +174,4 @@ void grpc_server_security_connector_add_handshakers(
grpc_server_security_connector* sc, grpc_pollset_set* interested_parties,
grpc_handshake_manager* handshake_mgr);
-/* --- Creation security connectors. --- */
-
-/* For TESTING ONLY!
- Creates a fake connector that emulates real channel security. */
-grpc_channel_security_connector* grpc_fake_channel_security_connector_create(
- grpc_channel_credentials* channel_creds,
- grpc_call_credentials* request_metadata_creds, const char* target,
- const grpc_channel_args* args);
-
-/* For TESTING ONLY!
- Creates a fake connector that emulates real server security. */
-grpc_server_security_connector* grpc_fake_server_security_connector_create(
- grpc_server_credentials* server_creds);
-
-/* Config for ssl clients. */
-
-typedef struct {
- tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
- char* pem_root_certs;
- verify_peer_options verify_options;
-} grpc_ssl_config;
-
-/* Creates an SSL channel_security_connector.
- - request_metadata_creds is the credentials object which metadata
- will be sent with each request. This parameter can be NULL.
- - config is the SSL config to be used for the SSL channel establishment.
- - is_client should be 0 for a server or a non-0 value for a client.
- - secure_peer_name is the secure peer name that should be checked in
- grpc_channel_security_connector_check_peer. This parameter may be NULL in
- which case the peer name will not be checked. Note that if this parameter
- is not NULL, then, pem_root_certs should not be NULL either.
- - sc is a pointer on the connector to be created.
- This function returns GRPC_SECURITY_OK in case of success or a
- specific error code otherwise.
-*/
-grpc_security_status grpc_ssl_channel_security_connector_create(
- grpc_channel_credentials* channel_creds,
- grpc_call_credentials* request_metadata_creds,
- const grpc_ssl_config* config, const char* target_name,
- const char* overridden_target_name,
- tsi_ssl_session_cache* ssl_session_cache,
- grpc_channel_security_connector** sc);
-
-/* Config for ssl servers. */
-typedef struct {
- tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs;
- size_t num_key_cert_pairs;
- char* pem_root_certs;
- grpc_ssl_client_certificate_request_type client_certificate_request;
-} grpc_ssl_server_config;
-
-/* Creates an SSL server_security_connector.
- - config is the SSL config to be used for the SSL channel establishment.
- - sc is a pointer on the connector to be created.
- This function returns GRPC_SECURITY_OK in case of success or a
- specific error code otherwise.
-*/
-grpc_security_status grpc_ssl_server_security_connector_create(
- grpc_server_credentials* server_credentials,
- grpc_server_security_connector** sc);
-
-/* Util. */
-const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer,
- const char* name);
-
-/* Exposed for testing only. */
-grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer);
-tsi_peer grpc_shallow_peer_from_ssl_auth_context(
- const grpc_auth_context* auth_context);
-void grpc_shallow_peer_destruct(tsi_peer* peer);
-int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name);
-
-/* --- Default SSL Root Store. --- */
-namespace grpc_core {
-
-// The class implements default SSL root store.
-class DefaultSslRootStore {
- public:
- // Gets the default SSL root store. Returns nullptr if not found.
- static const tsi_ssl_root_certs_store* GetRootStore();
-
- // Gets the default PEM root certificate.
- static const char* GetPemRootCerts();
-
- protected:
- // Returns default PEM root certificates in nullptr terminated grpc_slice.
- // This function is protected instead of private, so that it can be tested.
- static grpc_slice ComputePemRootCerts();
-
- private:
- // Construct me not!
- DefaultSslRootStore();
-
- // Initialization of default SSL root store.
- static void InitRootStore();
-
- // One-time initialization of default SSL root store.
- static void InitRootStoreOnce();
-
- // SSL root store in tsi_ssl_root_certs_store object.
- static tsi_ssl_root_certs_store* default_root_store_;
-
- // Default PEM root certificates.
- static grpc_slice default_pem_root_certs_;
-};
-
-} // namespace grpc_core
-
#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SECURITY_CONNECTOR_H */
diff --git a/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc b/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
new file mode 100644
index 0000000000..20a9533dd1
--- /dev/null
+++ b/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
@@ -0,0 +1,474 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/ssl/ssl_security_connector.h"
+
+#include <stdbool.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/ext/transport/chttp2/alpn/alpn.h"
+#include "src/core/lib/channel/handshaker.h"
+#include "src/core/lib/gpr/host_port.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
+#include "src/core/lib/security/security_connector/load_system_roots.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+#include "src/core/lib/security/transport/security_handshaker.h"
+#include "src/core/tsi/ssl_transport_security.h"
+#include "src/core/tsi/transport_security.h"
+
+typedef struct {
+ grpc_channel_security_connector base;
+ tsi_ssl_client_handshaker_factory* client_handshaker_factory;
+ char* target_name;
+ char* overridden_target_name;
+ const verify_peer_options* verify_options;
+} grpc_ssl_channel_security_connector;
+
+typedef struct {
+ grpc_server_security_connector base;
+ tsi_ssl_server_handshaker_factory* server_handshaker_factory;
+} grpc_ssl_server_security_connector;
+
+static bool server_connector_has_cert_config_fetcher(
+ grpc_ssl_server_security_connector* c) {
+ GPR_ASSERT(c != nullptr);
+ grpc_ssl_server_credentials* server_creds =
+ reinterpret_cast<grpc_ssl_server_credentials*>(c->base.server_creds);
+ GPR_ASSERT(server_creds != nullptr);
+ return server_creds->certificate_config_fetcher.cb != nullptr;
+}
+
+static void ssl_channel_destroy(grpc_security_connector* sc) {
+ grpc_ssl_channel_security_connector* c =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
+ grpc_channel_credentials_unref(c->base.channel_creds);
+ grpc_call_credentials_unref(c->base.request_metadata_creds);
+ tsi_ssl_client_handshaker_factory_unref(c->client_handshaker_factory);
+ c->client_handshaker_factory = nullptr;
+ if (c->target_name != nullptr) gpr_free(c->target_name);
+ if (c->overridden_target_name != nullptr) gpr_free(c->overridden_target_name);
+ gpr_free(sc);
+}
+
+static void ssl_server_destroy(grpc_security_connector* sc) {
+ grpc_ssl_server_security_connector* c =
+ reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
+ grpc_server_credentials_unref(c->base.server_creds);
+ tsi_ssl_server_handshaker_factory_unref(c->server_handshaker_factory);
+ c->server_handshaker_factory = nullptr;
+ gpr_free(sc);
+}
+
+static void ssl_channel_add_handshakers(grpc_channel_security_connector* sc,
+ grpc_pollset_set* interested_parties,
+ grpc_handshake_manager* handshake_mgr) {
+ grpc_ssl_channel_security_connector* c =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
+ // Instantiate TSI handshaker.
+ tsi_handshaker* tsi_hs = nullptr;
+ tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
+ c->client_handshaker_factory,
+ c->overridden_target_name != nullptr ? c->overridden_target_name
+ : c->target_name,
+ &tsi_hs);
+ if (result != TSI_OK) {
+ gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+ tsi_result_to_string(result));
+ return;
+ }
+ // Create handshakers.
+ grpc_handshake_manager_add(
+ handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
+}
+
+/* Attempts to replace the server_handshaker_factory with a new factory using
+ * the provided grpc_ssl_server_certificate_config. Should new factory creation
+ * fail, the existing factory will not be replaced. Returns true on success (new
+ * factory created). */
+static bool try_replace_server_handshaker_factory(
+ grpc_ssl_server_security_connector* sc,
+ const grpc_ssl_server_certificate_config* config) {
+ if (config == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Server certificate config callback returned invalid (NULL) "
+ "config.");
+ return false;
+ }
+ gpr_log(GPR_DEBUG, "Using new server certificate config (%p).", config);
+
+ size_t num_alpn_protocols = 0;
+ const char** alpn_protocol_strings =
+ grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
+ tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
+ config->pem_key_cert_pairs, config->num_key_cert_pairs);
+ tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
+ grpc_ssl_server_credentials* server_creds =
+ reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
+ tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
+ cert_pairs, config->num_key_cert_pairs, config->pem_root_certs,
+ grpc_get_tsi_client_certificate_request_type(
+ server_creds->config.client_certificate_request),
+ grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
+ static_cast<uint16_t>(num_alpn_protocols), &new_handshaker_factory);
+ gpr_free(cert_pairs);
+ gpr_free((void*)alpn_protocol_strings);
+
+ if (result != TSI_OK) {
+ gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+ tsi_result_to_string(result));
+ return false;
+ }
+ tsi_ssl_server_handshaker_factory_unref(sc->server_handshaker_factory);
+ sc->server_handshaker_factory = new_handshaker_factory;
+ return true;
+}
+
+/* Attempts to fetch the server certificate config if a callback is available.
+ * Current certificate config will continue to be used if the callback returns
+ * an error. Returns true if new credentials were sucessfully loaded. */
+static bool try_fetch_ssl_server_credentials(
+ grpc_ssl_server_security_connector* sc) {
+ grpc_ssl_server_certificate_config* certificate_config = nullptr;
+ bool status;
+
+ GPR_ASSERT(sc != nullptr);
+ if (!server_connector_has_cert_config_fetcher(sc)) return false;
+
+ grpc_ssl_server_credentials* server_creds =
+ reinterpret_cast<grpc_ssl_server_credentials*>(sc->base.server_creds);
+ grpc_ssl_certificate_config_reload_status cb_result =
+ server_creds->certificate_config_fetcher.cb(
+ server_creds->certificate_config_fetcher.user_data,
+ &certificate_config);
+ if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
+ gpr_log(GPR_DEBUG, "No change in SSL server credentials.");
+ status = false;
+ } else if (cb_result == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
+ status = try_replace_server_handshaker_factory(sc, certificate_config);
+ } else {
+ // Log error, continue using previously-loaded credentials.
+ gpr_log(GPR_ERROR,
+ "Failed fetching new server credentials, continuing to "
+ "use previously-loaded credentials.");
+ status = false;
+ }
+
+ if (certificate_config != nullptr) {
+ grpc_ssl_server_certificate_config_destroy(certificate_config);
+ }
+ return status;
+}
+
+static void ssl_server_add_handshakers(grpc_server_security_connector* sc,
+ grpc_pollset_set* interested_parties,
+ grpc_handshake_manager* handshake_mgr) {
+ grpc_ssl_server_security_connector* c =
+ reinterpret_cast<grpc_ssl_server_security_connector*>(sc);
+ // Instantiate TSI handshaker.
+ try_fetch_ssl_server_credentials(c);
+ tsi_handshaker* tsi_hs = nullptr;
+ tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
+ c->server_handshaker_factory, &tsi_hs);
+ if (result != TSI_OK) {
+ gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
+ tsi_result_to_string(result));
+ return;
+ }
+ // Create handshakers.
+ grpc_handshake_manager_add(
+ handshake_mgr, grpc_security_handshaker_create(tsi_hs, &sc->base));
+}
+
+static grpc_error* ssl_check_peer(grpc_security_connector* sc,
+ const char* peer_name, const tsi_peer* peer,
+ grpc_auth_context** auth_context) {
+#if TSI_OPENSSL_ALPN_SUPPORT
+ /* Check the ALPN if ALPN is supported. */
+ const tsi_peer_property* p =
+ tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
+ if (p == nullptr) {
+ return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Cannot check peer: missing selected ALPN property.");
+ }
+ if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
+ return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Cannot check peer: invalid ALPN value.");
+ }
+#endif /* TSI_OPENSSL_ALPN_SUPPORT */
+ /* Check the peer name if specified. */
+ if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
+ char* msg;
+ gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
+ grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+ gpr_free(msg);
+ return error;
+ }
+ *auth_context = grpc_ssl_peer_to_auth_context(peer);
+ return GRPC_ERROR_NONE;
+}
+
+static void ssl_channel_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ grpc_ssl_channel_security_connector* c =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
+ const char* target_name = c->overridden_target_name != nullptr
+ ? c->overridden_target_name
+ : c->target_name;
+ grpc_error* error = ssl_check_peer(sc, target_name, &peer, auth_context);
+ if (error == GRPC_ERROR_NONE &&
+ c->verify_options->verify_peer_callback != nullptr) {
+ const tsi_peer_property* p =
+ tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
+ if (p == nullptr) {
+ error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "Cannot check peer: missing pem cert property.");
+ } else {
+ char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
+ memcpy(peer_pem, p->value.data, p->value.length);
+ peer_pem[p->value.length] = '\0';
+ int callback_status = c->verify_options->verify_peer_callback(
+ target_name, peer_pem,
+ c->verify_options->verify_peer_callback_userdata);
+ gpr_free(peer_pem);
+ if (callback_status) {
+ char* msg;
+ gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
+ callback_status);
+ error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+ gpr_free(msg);
+ }
+ }
+ }
+ GRPC_CLOSURE_SCHED(on_peer_checked, error);
+ tsi_peer_destruct(&peer);
+}
+
+static void ssl_server_check_peer(grpc_security_connector* sc, tsi_peer peer,
+ grpc_auth_context** auth_context,
+ grpc_closure* on_peer_checked) {
+ grpc_error* error = ssl_check_peer(sc, nullptr, &peer, auth_context);
+ tsi_peer_destruct(&peer);
+ GRPC_CLOSURE_SCHED(on_peer_checked, error);
+}
+
+static int ssl_channel_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ grpc_ssl_channel_security_connector* c1 =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc1);
+ grpc_ssl_channel_security_connector* c2 =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc2);
+ int c = grpc_channel_security_connector_cmp(&c1->base, &c2->base);
+ if (c != 0) return c;
+ c = strcmp(c1->target_name, c2->target_name);
+ if (c != 0) return c;
+ return (c1->overridden_target_name == nullptr ||
+ c2->overridden_target_name == nullptr)
+ ? GPR_ICMP(c1->overridden_target_name, c2->overridden_target_name)
+ : strcmp(c1->overridden_target_name, c2->overridden_target_name);
+}
+
+static int ssl_server_cmp(grpc_security_connector* sc1,
+ grpc_security_connector* sc2) {
+ return grpc_server_security_connector_cmp(
+ reinterpret_cast<grpc_server_security_connector*>(sc1),
+ reinterpret_cast<grpc_server_security_connector*>(sc2));
+}
+
+static bool ssl_channel_check_call_host(grpc_channel_security_connector* sc,
+ const char* host,
+ grpc_auth_context* auth_context,
+ grpc_closure* on_call_host_checked,
+ grpc_error** error) {
+ grpc_ssl_channel_security_connector* c =
+ reinterpret_cast<grpc_ssl_channel_security_connector*>(sc);
+ grpc_security_status status = GRPC_SECURITY_ERROR;
+ tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
+ if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
+ /* If the target name was overridden, then the original target_name was
+ 'checked' transitively during the previous peer check at the end of the
+ handshake. */
+ if (c->overridden_target_name != nullptr &&
+ strcmp(host, c->target_name) == 0) {
+ status = GRPC_SECURITY_OK;
+ }
+ if (status != GRPC_SECURITY_OK) {
+ *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+ "call host does not match SSL server name");
+ }
+ grpc_shallow_peer_destruct(&peer);
+ return true;
+}
+
+static void ssl_channel_cancel_check_call_host(
+ grpc_channel_security_connector* sc, grpc_closure* on_call_host_checked,
+ grpc_error* error) {
+ GRPC_ERROR_UNREF(error);
+}
+
+static grpc_security_connector_vtable ssl_channel_vtable = {
+ ssl_channel_destroy, ssl_channel_check_peer, ssl_channel_cmp};
+
+static grpc_security_connector_vtable ssl_server_vtable = {
+ ssl_server_destroy, ssl_server_check_peer, ssl_server_cmp};
+
+grpc_security_status grpc_ssl_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds,
+ const grpc_ssl_config* config, const char* target_name,
+ const char* overridden_target_name,
+ tsi_ssl_session_cache* ssl_session_cache,
+ grpc_channel_security_connector** sc) {
+ tsi_result result = TSI_OK;
+ grpc_ssl_channel_security_connector* c;
+ char* port;
+ bool has_key_cert_pair;
+ tsi_ssl_client_handshaker_options options;
+ memset(&options, 0, sizeof(options));
+ options.alpn_protocols =
+ grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
+
+ if (config == nullptr || target_name == nullptr) {
+ gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
+ goto error;
+ }
+ if (config->pem_root_certs == nullptr) {
+ // Use default root certificates.
+ options.pem_root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
+ options.root_store = grpc_core::DefaultSslRootStore::GetRootStore();
+ if (options.pem_root_certs == nullptr) {
+ gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+ goto error;
+ }
+ } else {
+ options.pem_root_certs = config->pem_root_certs;
+ }
+ c = static_cast<grpc_ssl_channel_security_connector*>(
+ gpr_zalloc(sizeof(grpc_ssl_channel_security_connector)));
+
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.vtable = &ssl_channel_vtable;
+ c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
+ c->base.channel_creds = grpc_channel_credentials_ref(channel_creds);
+ c->base.request_metadata_creds =
+ grpc_call_credentials_ref(request_metadata_creds);
+ c->base.check_call_host = ssl_channel_check_call_host;
+ c->base.cancel_check_call_host = ssl_channel_cancel_check_call_host;
+ c->base.add_handshakers = ssl_channel_add_handshakers;
+ gpr_split_host_port(target_name, &c->target_name, &port);
+ gpr_free(port);
+ if (overridden_target_name != nullptr) {
+ c->overridden_target_name = gpr_strdup(overridden_target_name);
+ }
+ c->verify_options = &config->verify_options;
+
+ has_key_cert_pair = config->pem_key_cert_pair != nullptr &&
+ config->pem_key_cert_pair->private_key != nullptr &&
+ config->pem_key_cert_pair->cert_chain != nullptr;
+ if (has_key_cert_pair) {
+ options.pem_key_cert_pair = config->pem_key_cert_pair;
+ }
+ options.cipher_suites = grpc_get_ssl_cipher_suites();
+ options.session_cache = ssl_session_cache;
+ result = tsi_create_ssl_client_handshaker_factory_with_options(
+ &options, &c->client_handshaker_factory);
+ if (result != TSI_OK) {
+ gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+ tsi_result_to_string(result));
+ ssl_channel_destroy(&c->base.base);
+ *sc = nullptr;
+ goto error;
+ }
+ *sc = &c->base;
+ gpr_free((void*)options.alpn_protocols);
+ return GRPC_SECURITY_OK;
+
+error:
+ gpr_free((void*)options.alpn_protocols);
+ return GRPC_SECURITY_ERROR;
+}
+
+static grpc_ssl_server_security_connector*
+grpc_ssl_server_security_connector_initialize(
+ grpc_server_credentials* server_creds) {
+ grpc_ssl_server_security_connector* c =
+ static_cast<grpc_ssl_server_security_connector*>(
+ gpr_zalloc(sizeof(grpc_ssl_server_security_connector)));
+ gpr_ref_init(&c->base.base.refcount, 1);
+ c->base.base.url_scheme = GRPC_SSL_URL_SCHEME;
+ c->base.base.vtable = &ssl_server_vtable;
+ c->base.add_handshakers = ssl_server_add_handshakers;
+ c->base.server_creds = grpc_server_credentials_ref(server_creds);
+ return c;
+}
+
+grpc_security_status grpc_ssl_server_security_connector_create(
+ grpc_server_credentials* gsc, grpc_server_security_connector** sc) {
+ tsi_result result = TSI_OK;
+ grpc_ssl_server_credentials* server_credentials =
+ reinterpret_cast<grpc_ssl_server_credentials*>(gsc);
+ grpc_security_status retval = GRPC_SECURITY_OK;
+
+ GPR_ASSERT(server_credentials != nullptr);
+ GPR_ASSERT(sc != nullptr);
+
+ grpc_ssl_server_security_connector* c =
+ grpc_ssl_server_security_connector_initialize(gsc);
+ if (server_connector_has_cert_config_fetcher(c)) {
+ // Load initial credentials from certificate_config_fetcher:
+ if (!try_fetch_ssl_server_credentials(c)) {
+ gpr_log(GPR_ERROR, "Failed loading SSL server credentials from fetcher.");
+ retval = GRPC_SECURITY_ERROR;
+ }
+ } else {
+ size_t num_alpn_protocols = 0;
+ const char** alpn_protocol_strings =
+ grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
+ result = tsi_create_ssl_server_handshaker_factory_ex(
+ server_credentials->config.pem_key_cert_pairs,
+ server_credentials->config.num_key_cert_pairs,
+ server_credentials->config.pem_root_certs,
+ grpc_get_tsi_client_certificate_request_type(
+ server_credentials->config.client_certificate_request),
+ grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
+ static_cast<uint16_t>(num_alpn_protocols),
+ &c->server_handshaker_factory);
+ gpr_free((void*)alpn_protocol_strings);
+ if (result != TSI_OK) {
+ gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+ tsi_result_to_string(result));
+ retval = GRPC_SECURITY_ERROR;
+ }
+ }
+
+ if (retval == GRPC_SECURITY_OK) {
+ *sc = &c->base;
+ } else {
+ if (c != nullptr) ssl_server_destroy(&c->base.base);
+ if (sc != nullptr) *sc = nullptr;
+ }
+ return retval;
+}
diff --git a/src/core/lib/security/security_connector/ssl/ssl_security_connector.h b/src/core/lib/security/security_connector/ssl/ssl_security_connector.h
new file mode 100644
index 0000000000..9b80590606
--- /dev/null
+++ b/src/core/lib/security/security_connector/ssl/ssl_security_connector.h
@@ -0,0 +1,77 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_SSL_SECURITY_CONNECTOR_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_SSL_SECURITY_CONNECTOR_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/security_connector/security_connector.h"
+
+#include "src/core/tsi/ssl_transport_security.h"
+#include "src/core/tsi/transport_security_interface.h"
+
+typedef struct {
+ tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
+ char* pem_root_certs;
+ verify_peer_options verify_options;
+} grpc_ssl_config;
+
+/* Creates an SSL channel_security_connector.
+ - request_metadata_creds is the credentials object which metadata
+ will be sent with each request. This parameter can be NULL.
+ - config is the SSL config to be used for the SSL channel establishment.
+ - is_client should be 0 for a server or a non-0 value for a client.
+ - secure_peer_name is the secure peer name that should be checked in
+ grpc_channel_security_connector_check_peer. This parameter may be NULL in
+ which case the peer name will not be checked. Note that if this parameter
+ is not NULL, then, pem_root_certs should not be NULL either.
+ - sc is a pointer on the connector to be created.
+ This function returns GRPC_SECURITY_OK in case of success or a
+ specific error code otherwise.
+*/
+grpc_security_status grpc_ssl_channel_security_connector_create(
+ grpc_channel_credentials* channel_creds,
+ grpc_call_credentials* request_metadata_creds,
+ const grpc_ssl_config* config, const char* target_name,
+ const char* overridden_target_name,
+ tsi_ssl_session_cache* ssl_session_cache,
+ grpc_channel_security_connector** sc);
+
+/* Config for ssl servers. */
+typedef struct {
+ tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs;
+ size_t num_key_cert_pairs;
+ char* pem_root_certs;
+ grpc_ssl_client_certificate_request_type client_certificate_request;
+} grpc_ssl_server_config;
+
+/* Creates an SSL server_security_connector.
+ - config is the SSL config to be used for the SSL channel establishment.
+ - sc is a pointer on the connector to be created.
+ This function returns GRPC_SECURITY_OK in case of success or a
+ specific error code otherwise.
+*/
+grpc_security_status grpc_ssl_server_security_connector_create(
+ grpc_server_credentials* server_credentials,
+ grpc_server_security_connector** sc);
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_SSL_SECURITY_CONNECTOR_H \
+ */
diff --git a/src/core/lib/security/security_connector/ssl_utils.cc b/src/core/lib/security/security_connector/ssl_utils.cc
new file mode 100644
index 0000000000..fbf41cfbc7
--- /dev/null
+++ b/src/core/lib/security/security_connector/ssl_utils.cc
@@ -0,0 +1,345 @@
+/*
+ *
+ * Copyright 2015 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+
+#include <grpc/slice_buffer.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/ext/transport/chttp2/alpn/alpn.h"
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/gpr/env.h"
+#include "src/core/lib/gpr/host_port.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/security/context/security_context.h"
+#include "src/core/lib/security/security_connector/load_system_roots.h"
+#include "src/core/tsi/ssl_transport_security.h"
+
+/* -- Constants. -- */
+
+#ifndef INSTALL_PREFIX
+static const char* installed_roots_path = "/usr/share/grpc/roots.pem";
+#else
+static const char* installed_roots_path =
+ INSTALL_PREFIX "/share/grpc/roots.pem";
+#endif
+
+/** Environment variable used as a flag to enable/disable loading system root
+ certificates from the OS trust store. */
+#ifndef GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR
+#define GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_NOT_USE_SYSTEM_SSL_ROOTS"
+#endif
+
+#ifndef TSI_OPENSSL_ALPN_SUPPORT
+#define TSI_OPENSSL_ALPN_SUPPORT 1
+#endif
+
+/* -- Overridden default roots. -- */
+
+static grpc_ssl_roots_override_callback ssl_roots_override_cb = nullptr;
+
+void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
+ ssl_roots_override_cb = cb;
+}
+
+/* -- Cipher suites. -- */
+
+/* Defines the cipher suites that we accept by default. All these cipher suites
+ are compliant with HTTP2. */
+#define GRPC_SSL_CIPHER_SUITES \
+ "ECDHE-ECDSA-AES128-GCM-SHA256:" \
+ "ECDHE-ECDSA-AES256-GCM-SHA384:" \
+ "ECDHE-RSA-AES128-GCM-SHA256:" \
+ "ECDHE-RSA-AES256-GCM-SHA384"
+
+static gpr_once cipher_suites_once = GPR_ONCE_INIT;
+static const char* cipher_suites = nullptr;
+
+static void init_cipher_suites(void) {
+ char* overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES");
+ cipher_suites = overridden != nullptr ? overridden : GRPC_SSL_CIPHER_SUITES;
+}
+
+/* --- Util --- */
+
+const char* grpc_get_ssl_cipher_suites(void) {
+ gpr_once_init(&cipher_suites_once, init_cipher_suites);
+ return cipher_suites;
+}
+
+tsi_client_certificate_request_type
+grpc_get_tsi_client_certificate_request_type(
+ grpc_ssl_client_certificate_request_type grpc_request_type) {
+ switch (grpc_request_type) {
+ case GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE:
+ return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
+
+ case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+ return TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
+
+ case GRPC_SSL_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
+ return TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY;
+
+ case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+ return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY;
+
+ case GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
+ return TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
+
+ default:
+ return TSI_DONT_REQUEST_CLIENT_CERTIFICATE;
+ }
+}
+
+const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
+ GPR_ASSERT(num_alpn_protocols != nullptr);
+ *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
+ const char** alpn_protocol_strings = static_cast<const char**>(
+ gpr_malloc(sizeof(const char*) * (*num_alpn_protocols)));
+ for (size_t i = 0; i < *num_alpn_protocols; i++) {
+ alpn_protocol_strings[i] = grpc_chttp2_get_alpn_version_index(i);
+ }
+ return alpn_protocol_strings;
+}
+
+int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
+ char* allocated_name = nullptr;
+ int r;
+
+ char* ignored_port;
+ gpr_split_host_port(peer_name, &allocated_name, &ignored_port);
+ gpr_free(ignored_port);
+ peer_name = allocated_name;
+ if (!peer_name) return 0;
+
+ // IPv6 zone-id should not be included in comparisons.
+ char* const zone_id = strchr(allocated_name, '%');
+ if (zone_id != nullptr) *zone_id = '\0';
+
+ r = tsi_ssl_peer_matches_name(peer, peer_name);
+ gpr_free(allocated_name);
+ return r;
+}
+
+grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) {
+ size_t i;
+ grpc_auth_context* ctx = nullptr;
+ const char* peer_identity_property_name = nullptr;
+
+ /* The caller has checked the certificate type property. */
+ GPR_ASSERT(peer->property_count >= 1);
+ ctx = grpc_auth_context_create(nullptr);
+ grpc_auth_context_add_cstring_property(
+ ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+ GRPC_SSL_TRANSPORT_SECURITY_TYPE);
+ for (i = 0; i < peer->property_count; i++) {
+ const tsi_peer_property* prop = &peer->properties[i];
+ if (prop->name == nullptr) continue;
+ if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
+ /* If there is no subject alt name, have the CN as the identity. */
+ if (peer_identity_property_name == nullptr) {
+ peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
+ }
+ grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME,
+ prop->value.data, prop->value.length);
+ } else if (strcmp(prop->name,
+ TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
+ peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
+ grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME,
+ prop->value.data, prop->value.length);
+ } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
+ grpc_auth_context_add_property(ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME,
+ prop->value.data, prop->value.length);
+ } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
+ grpc_auth_context_add_property(ctx, GRPC_SSL_SESSION_REUSED_PROPERTY,
+ prop->value.data, prop->value.length);
+ }
+ }
+ if (peer_identity_property_name != nullptr) {
+ GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
+ ctx, peer_identity_property_name) == 1);
+ }
+ return ctx;
+}
+
+static void add_shallow_auth_property_to_peer(tsi_peer* peer,
+ const grpc_auth_property* prop,
+ const char* tsi_prop_name) {
+ tsi_peer_property* tsi_prop = &peer->properties[peer->property_count++];
+ tsi_prop->name = const_cast<char*>(tsi_prop_name);
+ tsi_prop->value.data = prop->value;
+ tsi_prop->value.length = prop->value_length;
+}
+
+tsi_peer grpc_shallow_peer_from_ssl_auth_context(
+ const grpc_auth_context* auth_context) {
+ size_t max_num_props = 0;
+ grpc_auth_property_iterator it;
+ const grpc_auth_property* prop;
+ tsi_peer peer;
+ memset(&peer, 0, sizeof(peer));
+
+ it = grpc_auth_context_property_iterator(auth_context);
+ while (grpc_auth_property_iterator_next(&it) != nullptr) max_num_props++;
+
+ if (max_num_props > 0) {
+ peer.properties = static_cast<tsi_peer_property*>(
+ gpr_malloc(max_num_props * sizeof(tsi_peer_property)));
+ it = grpc_auth_context_property_iterator(auth_context);
+ while ((prop = grpc_auth_property_iterator_next(&it)) != nullptr) {
+ if (strcmp(prop->name, GRPC_X509_SAN_PROPERTY_NAME) == 0) {
+ add_shallow_auth_property_to_peer(
+ &peer, prop, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY);
+ } else if (strcmp(prop->name, GRPC_X509_CN_PROPERTY_NAME) == 0) {
+ add_shallow_auth_property_to_peer(
+ &peer, prop, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY);
+ } else if (strcmp(prop->name, GRPC_X509_PEM_CERT_PROPERTY_NAME) == 0) {
+ add_shallow_auth_property_to_peer(&peer, prop,
+ TSI_X509_PEM_CERT_PROPERTY);
+ }
+ }
+ }
+ return peer;
+}
+
+void grpc_shallow_peer_destruct(tsi_peer* peer) {
+ if (peer->properties != nullptr) gpr_free(peer->properties);
+}
+
+/* --- Ssl cache implementation. --- */
+
+grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {
+ tsi_ssl_session_cache* cache = tsi_ssl_session_cache_create_lru(capacity);
+ return reinterpret_cast<grpc_ssl_session_cache*>(cache);
+}
+
+void grpc_ssl_session_cache_destroy(grpc_ssl_session_cache* cache) {
+ tsi_ssl_session_cache* tsi_cache =
+ reinterpret_cast<tsi_ssl_session_cache*>(cache);
+ tsi_ssl_session_cache_unref(tsi_cache);
+}
+
+static void* grpc_ssl_session_cache_arg_copy(void* p) {
+ tsi_ssl_session_cache* tsi_cache =
+ reinterpret_cast<tsi_ssl_session_cache*>(p);
+ // destroy call below will unref the pointer.
+ tsi_ssl_session_cache_ref(tsi_cache);
+ return p;
+}
+
+static void grpc_ssl_session_cache_arg_destroy(void* p) {
+ tsi_ssl_session_cache* tsi_cache =
+ reinterpret_cast<tsi_ssl_session_cache*>(p);
+ tsi_ssl_session_cache_unref(tsi_cache);
+}
+
+static int grpc_ssl_session_cache_arg_cmp(void* p, void* q) {
+ return GPR_ICMP(p, q);
+}
+
+grpc_arg grpc_ssl_session_cache_create_channel_arg(
+ grpc_ssl_session_cache* cache) {
+ static const grpc_arg_pointer_vtable vtable = {
+ grpc_ssl_session_cache_arg_copy,
+ grpc_ssl_session_cache_arg_destroy,
+ grpc_ssl_session_cache_arg_cmp,
+ };
+ return grpc_channel_arg_pointer_create(
+ const_cast<char*>(GRPC_SSL_SESSION_CACHE_ARG), cache, &vtable);
+}
+
+/* --- Default SSL root store implementation. --- */
+
+namespace grpc_core {
+
+tsi_ssl_root_certs_store* DefaultSslRootStore::default_root_store_;
+grpc_slice DefaultSslRootStore::default_pem_root_certs_;
+
+const tsi_ssl_root_certs_store* DefaultSslRootStore::GetRootStore() {
+ InitRootStore();
+ return default_root_store_;
+}
+
+const char* DefaultSslRootStore::GetPemRootCerts() {
+ InitRootStore();
+ return GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)
+ ? nullptr
+ : reinterpret_cast<const char*>
+ GRPC_SLICE_START_PTR(default_pem_root_certs_);
+}
+
+grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
+ grpc_slice result = grpc_empty_slice();
+ char* not_use_system_roots_env_value =
+ gpr_getenv(GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
+ const bool not_use_system_roots = gpr_is_true(not_use_system_roots_env_value);
+ gpr_free(not_use_system_roots_env_value);
+ // First try to load the roots from the environment.
+ char* default_root_certs_path =
+ gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
+ if (default_root_certs_path != nullptr) {
+ GRPC_LOG_IF_ERROR("load_file",
+ grpc_load_file(default_root_certs_path, 1, &result));
+ gpr_free(default_root_certs_path);
+ }
+ // Try overridden roots if needed.
+ grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
+ if (GRPC_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != nullptr) {
+ char* pem_root_certs = nullptr;
+ ovrd_res = ssl_roots_override_cb(&pem_root_certs);
+ if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
+ GPR_ASSERT(pem_root_certs != nullptr);
+ result = grpc_slice_from_copied_buffer(
+ pem_root_certs,
+ strlen(pem_root_certs) + 1); // nullptr terminator.
+ }
+ gpr_free(pem_root_certs);
+ }
+ // Try loading roots from OS trust store if flag is enabled.
+ if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
+ result = LoadSystemRootCerts();
+ }
+ // Fallback to roots manually shipped with gRPC.
+ if (GRPC_SLICE_IS_EMPTY(result) &&
+ ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
+ GRPC_LOG_IF_ERROR("load_file",
+ grpc_load_file(installed_roots_path, 1, &result));
+ }
+ return result;
+}
+
+void DefaultSslRootStore::InitRootStore() {
+ static gpr_once once = GPR_ONCE_INIT;
+ gpr_once_init(&once, DefaultSslRootStore::InitRootStoreOnce);
+}
+
+void DefaultSslRootStore::InitRootStoreOnce() {
+ default_pem_root_certs_ = ComputePemRootCerts();
+ if (!GRPC_SLICE_IS_EMPTY(default_pem_root_certs_)) {
+ default_root_store_ =
+ tsi_ssl_root_certs_store_create(reinterpret_cast<const char*>(
+ GRPC_SLICE_START_PTR(default_pem_root_certs_)));
+ }
+}
+
+} // namespace grpc_core
diff --git a/src/core/lib/security/security_connector/ssl_utils.h b/src/core/lib/security/security_connector/ssl_utils.h
new file mode 100644
index 0000000000..6f6d473311
--- /dev/null
+++ b/src/core/lib/security/security_connector/ssl_utils.h
@@ -0,0 +1,93 @@
+/*
+ *
+ * Copyright 2015 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
+#define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <stdbool.h>
+
+#include <grpc/grpc_security.h>
+#include <grpc/slice_buffer.h>
+
+#include "src/core/tsi/ssl_transport_security.h"
+#include "src/core/tsi/transport_security_interface.h"
+
+/* --- Util. --- */
+
+/* --- URL schemes. --- */
+#define GRPC_SSL_URL_SCHEME "https"
+
+/* Return HTTP2-compliant cipher suites that gRPC accepts by default. */
+const char* grpc_get_ssl_cipher_suites(void);
+
+/* Map from grpc_ssl_client_certificate_request_type to
+ * tsi_client_certificate_request_type. */
+tsi_client_certificate_request_type
+grpc_get_tsi_client_certificate_request_type(
+ grpc_ssl_client_certificate_request_type grpc_request_type);
+
+/* Return an array of strings containing alpn protocols. */
+const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
+
+/* Exposed for testing only. */
+grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer);
+tsi_peer grpc_shallow_peer_from_ssl_auth_context(
+ const grpc_auth_context* auth_context);
+void grpc_shallow_peer_destruct(tsi_peer* peer);
+int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name);
+
+/* --- Default SSL Root Store. --- */
+namespace grpc_core {
+
+// The class implements default SSL root store.
+class DefaultSslRootStore {
+ public:
+ // Gets the default SSL root store. Returns nullptr if not found.
+ static const tsi_ssl_root_certs_store* GetRootStore();
+
+ // Gets the default PEM root certificate.
+ static const char* GetPemRootCerts();
+
+ protected:
+ // Returns default PEM root certificates in nullptr terminated grpc_slice.
+ // This function is protected instead of private, so that it can be tested.
+ static grpc_slice ComputePemRootCerts();
+
+ private:
+ // Construct me not!
+ DefaultSslRootStore();
+
+ // Initialization of default SSL root store.
+ static void InitRootStore();
+
+ // One-time initialization of default SSL root store.
+ static void InitRootStoreOnce();
+
+ // SSL root store in tsi_ssl_root_certs_store object.
+ static tsi_ssl_root_certs_store* default_root_store_;
+
+ // Default PEM root certificates.
+ static grpc_slice default_pem_root_certs_;
+};
+
+} // namespace grpc_core
+
+#endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \
+ */
diff --git a/src/core/lib/security/transport/client_auth_filter.cc b/src/core/lib/security/transport/client_auth_filter.cc
index 0f125e7c26..e34eacc8d7 100644
--- a/src/core/lib/security/transport/client_auth_filter.cc
+++ b/src/core/lib/security/transport/client_auth_filter.cc
@@ -32,6 +32,7 @@
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/security_connector/security_connector.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
#include "src/core/lib/slice/slice_internal.h"
#include "src/core/lib/slice/slice_string_helpers.h"
#include "src/core/lib/surface/call.h"
diff --git a/src/core/tsi/transport_security.cc b/src/core/tsi/transport_security.cc
index 99b3229e88..ca861b52de 100644
--- a/src/core/tsi/transport_security.cc
+++ b/src/core/tsi/transport_security.cc
@@ -338,3 +338,20 @@ tsi_result tsi_construct_peer(size_t property_count, tsi_peer* peer) {
}
return TSI_OK;
}
+
+const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer,
+ const char* name) {
+ size_t i;
+ if (peer == nullptr) return nullptr;
+ for (i = 0; i < peer->property_count; i++) {
+ const tsi_peer_property* property = &peer->properties[i];
+ if (name == nullptr && property->name == nullptr) {
+ return property;
+ }
+ if (name != nullptr && property->name != nullptr &&
+ strcmp(property->name, name) == 0) {
+ return property;
+ }
+ }
+ return nullptr;
+}
diff --git a/src/core/tsi/transport_security.h b/src/core/tsi/transport_security.h
index 1923a702e5..482d300a05 100644
--- a/src/core/tsi/transport_security.h
+++ b/src/core/tsi/transport_security.h
@@ -122,7 +122,8 @@ tsi_result tsi_construct_allocated_string_peer_property(
const char* name, size_t value_length, tsi_peer_property* property);
tsi_result tsi_construct_string_peer_property_from_cstring(
const char* name, const char* value, tsi_peer_property* property);
-
+const tsi_peer_property* tsi_peer_get_property_by_name(const tsi_peer* peer,
+ const char* name);
/* Utils. */
char* tsi_strdup(const char* src); /* Sadly, no strdup in C89. */
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 0bd3951a19..0382c38fb9 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@@ -254,11 +254,14 @@ CORE_SOURCE_FILES = [
'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
- 'src/core/lib/security/security_connector/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
+ 'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
'src/core/lib/security/security_connector/load_system_roots_linux.cc',
- 'src/core/lib/security/security_connector/local_security_connector.cc',
+ 'src/core/lib/security/security_connector/local/local_security_connector.cc',
'src/core/lib/security/security_connector/security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl/ssl_security_connector.cc',
+ 'src/core/lib/security/security_connector/ssl_utils.cc',
'src/core/lib/security/transport/client_auth_filter.cc',
'src/core/lib/security/transport/secure_endpoint.cc',
'src/core/lib/security/transport/security_handshaker.cc',
diff --git a/test/core/security/alts_security_connector_test.cc b/test/core/security/alts_security_connector_test.cc
index 103a493526..9378236338 100644
--- a/test/core/security/alts_security_connector_test.cc
+++ b/test/core/security/alts_security_connector_test.cc
@@ -24,7 +24,7 @@
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
-#include "src/core/lib/security/security_connector/alts_security_connector.h"
+#include "src/core/lib/security/security_connector/alts/alts_security_connector.h"
#include "src/core/lib/transport/transport.h"
#include "src/core/tsi/alts/handshaker/alts_tsi_handshaker.h"
#include "src/core/tsi/transport_security.h"
diff --git a/test/core/security/security_connector_test.cc b/test/core/security/security_connector_test.cc
index 9dd37b975b..fef0ea71f7 100644
--- a/test/core/security/security_connector_test.cc
+++ b/test/core/security/security_connector_test.cc
@@ -29,6 +29,7 @@
#include "src/core/lib/gpr/tmpfile.h"
#include "src/core/lib/security/context/security_context.h"
#include "src/core/lib/security/security_connector/security_connector.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
#include "src/core/lib/slice/slice_string_helpers.h"
#include "src/core/tsi/ssl_transport_security.h"
#include "src/core/tsi/transport_security.h"
diff --git a/test/core/tsi/fake_transport_security_test.cc b/test/core/tsi/fake_transport_security_test.cc
index 5e6671965d..587d8f5dda 100644
--- a/test/core/tsi/fake_transport_security_test.cc
+++ b/test/core/tsi/fake_transport_security_test.cc
@@ -22,6 +22,7 @@
#include "src/core/lib/security/security_connector/security_connector.h"
#include "src/core/tsi/fake_transport_security.h"
+#include "src/core/tsi/transport_security.h"
#include "test/core/tsi/transport_security_test_lib.h"
#include "test/core/util/test_config.h"
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal
index f0007145e3..8ab7b6ea4a 100644
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@@ -1369,16 +1369,22 @@ src/core/lib/security/credentials/plugin/plugin_credentials.cc \
src/core/lib/security/credentials/plugin/plugin_credentials.h \
src/core/lib/security/credentials/ssl/ssl_credentials.cc \
src/core/lib/security/credentials/ssl/ssl_credentials.h \
-src/core/lib/security/security_connector/alts_security_connector.cc \
-src/core/lib/security/security_connector/alts_security_connector.h \
+src/core/lib/security/security_connector/alts/alts_security_connector.cc \
+src/core/lib/security/security_connector/alts/alts_security_connector.h \
+src/core/lib/security/security_connector/fake/fake_security_connector.cc \
+src/core/lib/security/security_connector/fake/fake_security_connector.h \
src/core/lib/security/security_connector/load_system_roots.h \
src/core/lib/security/security_connector/load_system_roots_fallback.cc \
src/core/lib/security/security_connector/load_system_roots_linux.cc \
src/core/lib/security/security_connector/load_system_roots_linux.h \
-src/core/lib/security/security_connector/local_security_connector.cc \
-src/core/lib/security/security_connector/local_security_connector.h \
+src/core/lib/security/security_connector/local/local_security_connector.cc \
+src/core/lib/security/security_connector/local/local_security_connector.h \
src/core/lib/security/security_connector/security_connector.cc \
src/core/lib/security/security_connector/security_connector.h \
+src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
+src/core/lib/security/security_connector/ssl/ssl_security_connector.h \
+src/core/lib/security/security_connector/ssl_utils.cc \
+src/core/lib/security/security_connector/ssl_utils.h \
src/core/lib/security/transport/auth_filters.h \
src/core/lib/security/transport/client_auth_filter.cc \
src/core/lib/security/transport/secure_endpoint.cc \
diff --git a/tools/run_tests/generated/sources_and_headers.json b/tools/run_tests/generated/sources_and_headers.json
index 2cf6f5be62..4e1f26a0e5 100644
--- a/tools/run_tests/generated/sources_and_headers.json
+++ b/tools/run_tests/generated/sources_and_headers.json
@@ -10441,11 +10441,14 @@
"src/core/lib/security/credentials/oauth2/oauth2_credentials.h",
"src/core/lib/security/credentials/plugin/plugin_credentials.h",
"src/core/lib/security/credentials/ssl/ssl_credentials.h",
- "src/core/lib/security/security_connector/alts_security_connector.h",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.h",
+ "src/core/lib/security/security_connector/fake/fake_security_connector.h",
"src/core/lib/security/security_connector/load_system_roots.h",
"src/core/lib/security/security_connector/load_system_roots_linux.h",
- "src/core/lib/security/security_connector/local_security_connector.h",
+ "src/core/lib/security/security_connector/local/local_security_connector.h",
"src/core/lib/security/security_connector/security_connector.h",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.h",
+ "src/core/lib/security/security_connector/ssl_utils.h",
"src/core/lib/security/transport/auth_filters.h",
"src/core/lib/security/transport/secure_endpoint.h",
"src/core/lib/security/transport/security_handshaker.h",
@@ -10491,16 +10494,22 @@
"src/core/lib/security/credentials/plugin/plugin_credentials.h",
"src/core/lib/security/credentials/ssl/ssl_credentials.cc",
"src/core/lib/security/credentials/ssl/ssl_credentials.h",
- "src/core/lib/security/security_connector/alts_security_connector.cc",
- "src/core/lib/security/security_connector/alts_security_connector.h",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
+ "src/core/lib/security/security_connector/alts/alts_security_connector.h",
+ "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
+ "src/core/lib/security/security_connector/fake/fake_security_connector.h",
"src/core/lib/security/security_connector/load_system_roots.h",
"src/core/lib/security/security_connector/load_system_roots_fallback.cc",
"src/core/lib/security/security_connector/load_system_roots_linux.cc",
"src/core/lib/security/security_connector/load_system_roots_linux.h",
- "src/core/lib/security/security_connector/local_security_connector.cc",
- "src/core/lib/security/security_connector/local_security_connector.h",
+ "src/core/lib/security/security_connector/local/local_security_connector.cc",
+ "src/core/lib/security/security_connector/local/local_security_connector.h",
"src/core/lib/security/security_connector/security_connector.cc",
"src/core/lib/security/security_connector/security_connector.h",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.cc",
+ "src/core/lib/security/security_connector/ssl/ssl_security_connector.h",
+ "src/core/lib/security/security_connector/ssl_utils.cc",
+ "src/core/lib/security/security_connector/ssl_utils.h",
"src/core/lib/security/transport/auth_filters.h",
"src/core/lib/security/transport/client_auth_filter.cc",
"src/core/lib/security/transport/secure_endpoint.cc",