#region Copyright notice and license // Copyright 2015 gRPC authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. #endregion using System; using System.Collections.Generic; using Grpc.Core.Internal; using Grpc.Core.Utils; namespace Grpc.Core { /// <summary> /// Server side credentials. /// </summary> public abstract class ServerCredentials { static readonly ServerCredentials InsecureInstance = new InsecureServerCredentialsImpl(); /// <summary> /// Returns instance of credential that provides no security and /// will result in creating an unsecure server port with no encryption whatsoever. /// </summary> public static ServerCredentials Insecure { get { return InsecureInstance; } } /// <summary> /// Creates native object for the credentials. /// </summary> /// <returns>The native credentials.</returns> internal abstract ServerCredentialsSafeHandle ToNativeCredentials(); private sealed class InsecureServerCredentialsImpl : ServerCredentials { internal override ServerCredentialsSafeHandle ToNativeCredentials() { return null; } } } /// <summary> /// Server-side SSL credentials. /// </summary> public class SslServerCredentials : ServerCredentials { readonly IList<KeyCertificatePair> keyCertificatePairs; readonly string rootCertificates; readonly bool forceClientAuth; /// <summary> /// Creates server-side SSL credentials. /// </summary> /// <param name="keyCertificatePairs">Key-certificates to use.</param> /// <param name="rootCertificates">PEM encoded client root certificates used to authenticate client.</param> /// <param name="forceClientAuth">If true, client will be rejected unless it proves its unthenticity using against rootCertificates.</param> public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs, string rootCertificates, bool forceClientAuth) { this.keyCertificatePairs = new List<KeyCertificatePair>(keyCertificatePairs).AsReadOnly(); GrpcPreconditions.CheckArgument(this.keyCertificatePairs.Count > 0, "At least one KeyCertificatePair needs to be provided."); if (forceClientAuth) { GrpcPreconditions.CheckNotNull(rootCertificates, "Cannot force client authentication unless you provide rootCertificates."); } this.rootCertificates = rootCertificates; this.forceClientAuth = forceClientAuth; } /// <summary> /// Creates server-side SSL credentials. /// This constructor should be use if you do not wish to autheticate client /// using client root certificates. /// </summary> /// <param name="keyCertificatePairs">Key-certificates to use.</param> public SslServerCredentials(IEnumerable<KeyCertificatePair> keyCertificatePairs) : this(keyCertificatePairs, null, false) { } /// <summary> /// Key-certificate pairs. /// </summary> public IList<KeyCertificatePair> KeyCertificatePairs { get { return this.keyCertificatePairs; } } /// <summary> /// PEM encoded client root certificates. /// </summary> public string RootCertificates { get { return this.rootCertificates; } } /// <summary> /// If true, the authenticity of client check will be enforced. /// </summary> public bool ForceClientAuthentication { get { return this.forceClientAuth; } } internal override ServerCredentialsSafeHandle ToNativeCredentials() { int count = keyCertificatePairs.Count; string[] certChains = new string[count]; string[] keys = new string[count]; for (int i = 0; i < count; i++) { certChains[i] = keyCertificatePairs[i].CertificateChain; keys[i] = keyCertificatePairs[i].PrivateKey; } return ServerCredentialsSafeHandle.CreateSslCredentials(rootCertificates, certChains, keys, forceClientAuth); } } }