tls_security_connector.cc
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include <grpc/support/port_platform.h>
20 
21 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
22 
23 #include <string.h>
24 
25 #include <algorithm>
26 #include <memory>
27 #include <utility>
28 #include <vector>
29 
30 #include "absl/functional/bind_front.h"
31 #include "absl/memory/memory.h"
32 #include "absl/strings/str_cat.h"
33 #include "absl/strings/string_view.h"
34 
35 #include <grpc/grpc.h>
36 #include <grpc/grpc_security_constants.h>
37 #include <grpc/support/alloc.h>
38 #include <grpc/support/log.h>
39 #include <grpc/support/string_util.h>
40 
41 #include "src/core/lib/gprpp/debug_location.h"
42 #include "src/core/lib/gprpp/host_port.h"
43 #include "src/core/lib/iomgr/exec_ctx.h"
44 #include "src/core/lib/promise/poll.h"
45 #include "src/core/lib/promise/promise.h"
46 #include "src/core/lib/security/context/security_context.h"
47 #include "src/core/lib/security/credentials/credentials.h"
48 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
49 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
50 #include "src/core/lib/security/security_connector/ssl_utils.h"
51 #include "src/core/lib/security/transport/security_handshaker.h"
52 #include "src/core/tsi/ssl_transport_security.h"
53 
54 namespace grpc_core {
55 
56 namespace {
57 
58 char* CopyCoreString(char* src, size_t length) {
59  char* target = static_cast<char*>(gpr_malloc(length + 1));
60  memcpy(target, src, length);
61  target[length] = '\0';
62  return target;
63 }
64 
65 void PendingVerifierRequestInit(
66  const char* target_name, tsi_peer peer,
67  grpc_tls_custom_verification_check_request* request) {
68  GPR_ASSERT(request != nullptr);
69  // The verifier holds a ref to the security connector, so it's fine to
70  // directly point this to the name cached in the security connector.
71  request->target_name = target_name;
72  // TODO(ZhenLian): avoid the copy when the underlying core implementation used
73  // the null-terminating string.
74  bool has_common_name = false;
75  bool has_peer_cert = false;
76  bool has_peer_cert_full_chain = false;
77  std::vector<char*> uri_names;
78  std::vector<char*> dns_names;
79  std::vector<char*> email_names;
80  std::vector<char*> ip_names;
81  for (size_t i = 0; i < peer.property_count; ++i) {
82  const tsi_peer_property* prop = &peer.properties[i];
83  if (prop->name == nullptr) continue;
84  if (strcmp(prop->name, TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY) == 0) {
85  request->peer_info.common_name =
86  CopyCoreString(prop->value.data, prop->value.length);
87  has_common_name = true;
88  } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
89  request->peer_info.peer_cert =
90  CopyCoreString(prop->value.data, prop->value.length);
91  has_peer_cert = true;
92  } else if (strcmp(prop->name, TSI_X509_PEM_CERT_CHAIN_PROPERTY) == 0) {
93  request->peer_info.peer_cert_full_chain =
94  CopyCoreString(prop->value.data, prop->value.length);
95  has_peer_cert_full_chain = true;
96  } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
97  char* uri = CopyCoreString(prop->value.data, prop->value.length);
98  uri_names.emplace_back(uri);
99  } else if (strcmp(prop->name, TSI_X509_DNS_PEER_PROPERTY) == 0) {
100  char* dns = CopyCoreString(prop->value.data, prop->value.length);
101  dns_names.emplace_back(dns);
102  } else if (strcmp(prop->name, TSI_X509_EMAIL_PEER_PROPERTY) == 0) {
103  char* email = CopyCoreString(prop->value.data, prop->value.length);
104  email_names.emplace_back(email);
105  } else if (strcmp(prop->name, TSI_X509_IP_PEER_PROPERTY) == 0) {
106  char* ip = CopyCoreString(prop->value.data, prop->value.length);
107  ip_names.emplace_back(ip);
108  }
109  }
110  if (!has_common_name) {
111  request->peer_info.common_name = nullptr;
112  }
113  if (!has_peer_cert) {
114  request->peer_info.peer_cert = nullptr;
115  }
116  if (!has_peer_cert_full_chain) {
117  request->peer_info.peer_cert_full_chain = nullptr;
118  }
119  request->peer_info.san_names.uri_names_size = uri_names.size();
120  if (!uri_names.empty()) {
121  request->peer_info.san_names.uri_names =
122  new char*[request->peer_info.san_names.uri_names_size];
123  for (size_t i = 0; i < request->peer_info.san_names.uri_names_size; ++i) {
124  // We directly point the char* string stored in vector to the |request|.
125  // That string will be released when the |request| is destroyed.
126  request->peer_info.san_names.uri_names[i] = uri_names[i];
127  }
128  } else {
129  request->peer_info.san_names.uri_names = nullptr;
130  }
131  request->peer_info.san_names.dns_names_size = dns_names.size();
132  if (!dns_names.empty()) {
133  request->peer_info.san_names.dns_names =
134  new char*[request->peer_info.san_names.dns_names_size];
135  for (size_t i = 0; i < request->peer_info.san_names.dns_names_size; ++i) {
136  // We directly point the char* string stored in vector to the |request|.
137  // That string will be released when the |request| is destroyed.
138  request->peer_info.san_names.dns_names[i] = dns_names[i];
139  }
140  } else {
141  request->peer_info.san_names.dns_names = nullptr;
142  }
143  request->peer_info.san_names.email_names_size = email_names.size();
144  if (!email_names.empty()) {
145  request->peer_info.san_names.email_names =
146  new char*[request->peer_info.san_names.email_names_size];
147  for (size_t i = 0; i < request->peer_info.san_names.email_names_size; ++i) {
148  // We directly point the char* string stored in vector to the |request|.
149  // That string will be released when the |request| is destroyed.
150  request->peer_info.san_names.email_names[i] = email_names[i];
151  }
152  } else {
153  request->peer_info.san_names.email_names = nullptr;
154  }
155  request->peer_info.san_names.ip_names_size = ip_names.size();
156  if (!ip_names.empty()) {
157  request->peer_info.san_names.ip_names =
158  new char*[request->peer_info.san_names.ip_names_size];
159  for (size_t i = 0; i < request->peer_info.san_names.ip_names_size; ++i) {
160  // We directly point the char* string stored in vector to the |request|.
161  // That string will be released when the |request| is destroyed.
162  request->peer_info.san_names.ip_names[i] = ip_names[i];
163  }
164  } else {
165  request->peer_info.san_names.ip_names = nullptr;
166  }
167 }
168 
169 void PendingVerifierRequestDestroy(
170  grpc_tls_custom_verification_check_request* request) {
171  GPR_ASSERT(request != nullptr);
172  if (request->peer_info.common_name != nullptr) {
173  gpr_free(const_cast<char*>(request->peer_info.common_name));
174  }
175  if (request->peer_info.san_names.uri_names_size > 0) {
176  for (size_t i = 0; i < request->peer_info.san_names.uri_names_size; ++i) {
177  gpr_free(request->peer_info.san_names.uri_names[i]);
178  }
179  delete[] request->peer_info.san_names.uri_names;
180  }
181  if (request->peer_info.san_names.dns_names_size > 0) {
182  for (size_t i = 0; i < request->peer_info.san_names.dns_names_size; ++i) {
183  gpr_free(request->peer_info.san_names.dns_names[i]);
184  }
185  delete[] request->peer_info.san_names.dns_names;
186  }
187  if (request->peer_info.san_names.email_names_size > 0) {
188  for (size_t i = 0; i < request->peer_info.san_names.email_names_size; ++i) {
189  gpr_free(request->peer_info.san_names.email_names[i]);
190  }
191  delete[] request->peer_info.san_names.email_names;
192  }
193  if (request->peer_info.san_names.ip_names_size > 0) {
194  for (size_t i = 0; i < request->peer_info.san_names.ip_names_size; ++i) {
195  gpr_free(request->peer_info.san_names.ip_names[i]);
196  }
197  delete[] request->peer_info.san_names.ip_names;
198  }
199  if (request->peer_info.peer_cert != nullptr) {
200  gpr_free(const_cast<char*>(request->peer_info.peer_cert));
201  }
202  if (request->peer_info.peer_cert_full_chain != nullptr) {
203  gpr_free(const_cast<char*>(request->peer_info.peer_cert_full_chain));
204  }
205 }
206 
207 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
208  const PemKeyCertPairList& cert_pair_list) {
209  tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
210  size_t num_key_cert_pairs = cert_pair_list.size();
211  if (num_key_cert_pairs > 0) {
212  GPR_ASSERT(cert_pair_list.data() != nullptr);
213  tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
214  gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
215  }
216  for (size_t i = 0; i < num_key_cert_pairs; i++) {
217  GPR_ASSERT(!cert_pair_list[i].private_key().empty());
218  GPR_ASSERT(!cert_pair_list[i].cert_chain().empty());
219  tsi_pairs[i].cert_chain =
220  gpr_strdup(cert_pair_list[i].cert_chain().c_str());
221  tsi_pairs[i].private_key =
222  gpr_strdup(cert_pair_list[i].private_key().c_str());
223  }
224  return tsi_pairs;
225 }
226 
227 } // namespace
228 
229 // -------------------channel security connector-------------------
230 RefCountedPtr<grpc_channel_security_connector>
231 TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
232  RefCountedPtr<grpc_channel_credentials> channel_creds,
233  RefCountedPtr<grpc_tls_credentials_options> options,
234  RefCountedPtr<grpc_call_credentials> request_metadata_creds,
235  const char* target_name, const char* overridden_target_name,
236  tsi_ssl_session_cache* ssl_session_cache) {
237  if (channel_creds == nullptr) {
238  gpr_log(GPR_ERROR,
239  "channel_creds is nullptr in "
240  "TlsChannelSecurityConnectorCreate()");
241  return nullptr;
242  }
243  if (options == nullptr) {
244  gpr_log(GPR_ERROR,
245  "options is nullptr in "
246  "TlsChannelSecurityConnectorCreate()");
247  return nullptr;
248  }
249  if (target_name == nullptr) {
250  gpr_log(GPR_ERROR,
251  "target_name is nullptr in "
252  "TlsChannelSecurityConnectorCreate()");
253  return nullptr;
254  }
255  return MakeRefCounted<TlsChannelSecurityConnector>(
256  std::move(channel_creds), std::move(options),
257  std::move(request_metadata_creds), target_name, overridden_target_name,
258  ssl_session_cache);
259 }
260 
261 TlsChannelSecurityConnector::TlsChannelSecurityConnector(
262  RefCountedPtr<grpc_channel_credentials> channel_creds,
263  RefCountedPtr<grpc_tls_credentials_options> options,
264  RefCountedPtr<grpc_call_credentials> request_metadata_creds,
265  const char* target_name, const char* overridden_target_name,
266  tsi_ssl_session_cache* ssl_session_cache)
267  : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
268  std::move(channel_creds),
269  std::move(request_metadata_creds)),
270  options_(std::move(options)),
271  overridden_target_name_(
272  overridden_target_name == nullptr ? "" : overridden_target_name),
273  ssl_session_cache_(ssl_session_cache) {
274  const std::string& tls_session_key_log_file_path =
275  options_->tls_session_key_log_file_path();
276  if (!tls_session_key_log_file_path.empty()) {
277  tls_session_key_logger_ =
278  tsi::TlsSessionKeyLoggerCache::Get(tls_session_key_log_file_path);
279  }
280  if (ssl_session_cache_ != nullptr) {
281  tsi_ssl_session_cache_ref(ssl_session_cache_);
282  }
283  absl::string_view host;
284  absl::string_view port;
285  SplitHostPort(target_name, &host, &port);
286  target_name_ = std::string(host);
287  // Create a watcher.
288  auto watcher_ptr = absl::make_unique<TlsChannelCertificateWatcher>(this);
289  certificate_watcher_ = watcher_ptr.get();
290  // Register the watcher with the distributor.
291  grpc_tls_certificate_distributor* distributor =
292  options_->certificate_distributor();
293  absl::optional<std::string> watched_root_cert_name;
294  if (options_->watch_root_cert()) {
295  watched_root_cert_name = options_->root_cert_name();
296  }
297  absl::optional<std::string> watched_identity_cert_name;
298  if (options_->watch_identity_pair()) {
299  watched_identity_cert_name = options_->identity_cert_name();
300  }
301  // We will use the root certs stored in system default locations if not
302  // watching root certs on the client side. We will handle this case
303  // differently here, because "watching a default roots without the identity
304  // certs" is a valid case(and hence we will need to call
305  // OnCertificatesChanged), but it requires nothing from the provider, and
306  // hence no need to register the watcher.
307  bool use_default_roots = !options_->watch_root_cert();
308  if (use_default_roots && !options_->watch_identity_pair()) {
309  watcher_ptr->OnCertificatesChanged(absl::nullopt, absl::nullopt);
310  } else {
311  distributor->WatchTlsCertificates(std::move(watcher_ptr),
312  watched_root_cert_name,
313  watched_identity_cert_name);
314  }
315 }
316 
317 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
318  if (ssl_session_cache_ != nullptr) {
319  tsi_ssl_session_cache_unref(ssl_session_cache_);
320  }
321  // Cancel all the watchers.
322  grpc_tls_certificate_distributor* distributor =
323  options_->certificate_distributor();
324  if (distributor != nullptr) {
325  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
326  }
327  if (client_handshaker_factory_ != nullptr) {
328  tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
329  }
330 }
331 
332 void TlsChannelSecurityConnector::add_handshakers(
333  const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
334  HandshakeManager* handshake_mgr) {
335  MutexLock lock(&mu_);
336  tsi_handshaker* tsi_hs = nullptr;
337  if (client_handshaker_factory_ != nullptr) {
338  // Instantiate TSI handshaker.
339  tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
340  client_handshaker_factory_,
341  overridden_target_name_.empty() ? target_name_.c_str()
342  : overridden_target_name_.c_str(),
343  /*network_bio_buf_size=*/0,
344  /*ssl_bio_buf_size=*/0, &tsi_hs);
345  if (result != TSI_OK) {
346  gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
347  tsi_result_to_string(result));
348  }
349  }
350  // If tsi_hs is null, this will add a failing handshaker.
351  handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args));
352 }
353 
354 void TlsChannelSecurityConnector::check_peer(
355  tsi_peer peer, grpc_endpoint* /*ep*/,
356  RefCountedPtr<grpc_auth_context>* auth_context,
357  grpc_closure* on_peer_checked) {
358  const char* target_name = overridden_target_name_.empty()
359  ? target_name_.c_str()
360  : overridden_target_name_.c_str();
361  grpc_error_handle error = grpc_ssl_check_alpn(&peer);
362  if (!GRPC_ERROR_IS_NONE(error)) {
363  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
364  tsi_peer_destruct(&peer);
365  return;
366  }
367  *auth_context =
368  grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
369  GPR_ASSERT(options_->certificate_verifier() != nullptr);
370  auto* pending_request = new ChannelPendingVerifierRequest(
371  Ref(), on_peer_checked, peer, target_name);
372  {
373  MutexLock lock(&verifier_request_map_mu_);
374  pending_verifier_requests_.emplace(on_peer_checked, pending_request);
375  }
376  pending_request->Start();
377 }
378 
379 void TlsChannelSecurityConnector::cancel_check_peer(
380  grpc_closure* on_peer_checked, grpc_error_handle error) {
381  if (!GRPC_ERROR_IS_NONE(error)) {
382  gpr_log(GPR_ERROR,
383  "TlsChannelSecurityConnector::cancel_check_peer error: %s",
384  grpc_error_std_string(error).c_str());
385  GRPC_ERROR_UNREF(error);
386  return;
387  }
388  auto* verifier = options_->certificate_verifier();
389  if (verifier != nullptr) {
390  grpc_tls_custom_verification_check_request* pending_verifier_request =
391  nullptr;
392  {
393  MutexLock lock(&verifier_request_map_mu_);
394  auto it = pending_verifier_requests_.find(on_peer_checked);
395  if (it != pending_verifier_requests_.end()) {
396  pending_verifier_request = it->second->request();
397  } else {
398  gpr_log(GPR_INFO,
399  "TlsChannelSecurityConnector::cancel_check_peer: no "
400  "corresponding pending request found");
401  }
402  }
403  if (pending_verifier_request != nullptr) {
404  verifier->Cancel(pending_verifier_request);
405  }
406  }
407 }
408 
409 int TlsChannelSecurityConnector::cmp(
410  const grpc_security_connector* other_sc) const {
411  auto* other = reinterpret_cast<const TlsChannelSecurityConnector*>(other_sc);
412  int c = channel_security_connector_cmp(other);
413  if (c != 0) return c;
414  c = grpc_ssl_cmp_target_name(
415  target_name_.c_str(), other->target_name_.c_str(),
416  overridden_target_name_.c_str(), other->overridden_target_name_.c_str());
417  if (c != 0) return c;
418  return 0;
419 }
420 
421 ArenaPromise<absl::Status> TlsChannelSecurityConnector::CheckCallHost(
422  absl::string_view host, grpc_auth_context* auth_context) {
423  if (options_->check_call_host()) {
424  return Immediate(SslCheckCallHost(host, target_name_.c_str(),
425  overridden_target_name_.c_str(),
426  auth_context));
427  }
428  return ImmediateOkStatus();
429 }
430 
431 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::
432  OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
433  absl::optional<PemKeyCertPairList> key_cert_pairs) {
434  GPR_ASSERT(security_connector_ != nullptr);
435  MutexLock lock(&security_connector_->mu_);
436  if (root_certs.has_value()) {
437  security_connector_->pem_root_certs_ = root_certs;
438  }
439  if (key_cert_pairs.has_value()) {
440  security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
441  }
442  const bool root_ready = !security_connector_->options_->watch_root_cert() ||
443  security_connector_->pem_root_certs_.has_value();
444  const bool identity_ready =
445  !security_connector_->options_->watch_identity_pair() ||
446  security_connector_->pem_key_cert_pair_list_.has_value();
447  if (root_ready && identity_ready) {
448  if (security_connector_->UpdateHandshakerFactoryLocked() !=
449  GRPC_SECURITY_OK) {
450  gpr_log(GPR_ERROR, "Update handshaker factory failed.");
451  }
452  }
453 }
454 
455 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
456 // BlockOnInitialCredentialHandshaker is implemented.
457 void TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError(
458  grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
459  if (!GRPC_ERROR_IS_NONE(root_cert_error)) {
460  gpr_log(GPR_ERROR,
461  "TlsChannelCertificateWatcher getting root_cert_error: %s",
462  grpc_error_std_string(root_cert_error).c_str());
463  }
464  if (!GRPC_ERROR_IS_NONE(identity_cert_error)) {
465  gpr_log(GPR_ERROR,
466  "TlsChannelCertificateWatcher getting identity_cert_error: %s",
467  grpc_error_std_string(identity_cert_error).c_str());
468  }
469  GRPC_ERROR_UNREF(root_cert_error);
470  GRPC_ERROR_UNREF(identity_cert_error);
471 }
472 
473 TlsChannelSecurityConnector::ChannelPendingVerifierRequest::
474  ChannelPendingVerifierRequest(
475  RefCountedPtr<TlsChannelSecurityConnector> security_connector,
476  grpc_closure* on_peer_checked, tsi_peer peer, const char* target_name)
477  : security_connector_(std::move(security_connector)),
478  on_peer_checked_(on_peer_checked) {
479  PendingVerifierRequestInit(target_name, peer, &request_);
480  tsi_peer_destruct(&peer);
481 }
482 
483 TlsChannelSecurityConnector::ChannelPendingVerifierRequest::
484  ~ChannelPendingVerifierRequest() {
485  PendingVerifierRequestDestroy(&request_);
486 }
487 
488 void TlsChannelSecurityConnector::ChannelPendingVerifierRequest::Start() {
489  absl::Status sync_status;
490  grpc_tls_certificate_verifier* verifier =
491  security_connector_->options_->certificate_verifier();
492  bool is_done = verifier->Verify(
493  &request_,
494  absl::bind_front(&ChannelPendingVerifierRequest::OnVerifyDone, this,
495  true),
496  &sync_status);
497  if (is_done) {
498  OnVerifyDone(false, sync_status);
499  }
500 }
501 
502 void TlsChannelSecurityConnector::ChannelPendingVerifierRequest::OnVerifyDone(
503  bool run_callback_inline, absl::Status status) {
504  {
505  MutexLock lock(&security_connector_->verifier_request_map_mu_);
506  security_connector_->pending_verifier_requests_.erase(on_peer_checked_);
507  }
508  grpc_error_handle error = GRPC_ERROR_NONE;
509  if (!status.ok()) {
510  error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
511  absl::StrCat("Custom verification check failed with error: ",
512  status.ToString())
513  .c_str());
514  }
515  if (run_callback_inline) {
516  Closure::Run(DEBUG_LOCATION, on_peer_checked_, error);
517  } else {
518  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked_, error);
519  }
520  delete this;
521 }
522 
523 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
524 // BlockOnInitialCredentialHandshaker is implemented.
525 grpc_security_status
526 TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
527  bool skip_server_certificate_verification = !options_->verify_server_cert();
528  /* Free the client handshaker factory if exists. */
529  if (client_handshaker_factory_ != nullptr) {
530  tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
531  }
532  std::string pem_root_certs;
533  if (pem_root_certs_.has_value()) {
534  // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
535  // std::string and absl::string_view to avoid making another copy here.
536  pem_root_certs = std::string(*pem_root_certs_);
537  }
538  tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = nullptr;
539  if (pem_key_cert_pair_list_.has_value()) {
540  pem_key_cert_pair = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
541  }
542  bool use_default_roots = !options_->watch_root_cert();
543  grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
544  pem_key_cert_pair,
545  pem_root_certs.empty() || use_default_roots ? nullptr
546  : pem_root_certs.c_str(),
547  skip_server_certificate_verification,
548  grpc_get_tsi_tls_version(options_->min_tls_version()),
549  grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
550  tls_session_key_logger_.get(), options_->crl_directory().c_str(),
551  &client_handshaker_factory_);
552  /* Free memory. */
553  if (pem_key_cert_pair != nullptr) {
554  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
555  }
556  return status;
557 }
558 
559 // -------------------server security connector-------------------
560 RefCountedPtr<grpc_server_security_connector>
561 TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
562  RefCountedPtr<grpc_server_credentials> server_creds,
563  RefCountedPtr<grpc_tls_credentials_options> options) {
564  if (server_creds == nullptr) {
565  gpr_log(GPR_ERROR,
566  "server_creds is nullptr in "
567  "TlsServerSecurityConnectorCreate()");
568  return nullptr;
569  }
570  if (options == nullptr) {
571  gpr_log(GPR_ERROR,
572  "options is nullptr in "
573  "TlsServerSecurityConnectorCreate()");
574  return nullptr;
575  }
576  return MakeRefCounted<TlsServerSecurityConnector>(std::move(server_creds),
577  std::move(options));
578 }
579 
580 TlsServerSecurityConnector::TlsServerSecurityConnector(
581  RefCountedPtr<grpc_server_credentials> server_creds,
582  RefCountedPtr<grpc_tls_credentials_options> options)
583  : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
584  std::move(server_creds)),
585  options_(std::move(options)) {
586  const std::string& tls_session_key_log_file_path =
587  options_->tls_session_key_log_file_path();
588  if (!tls_session_key_log_file_path.empty()) {
589  tls_session_key_logger_ =
590  tsi::TlsSessionKeyLoggerCache::Get(tls_session_key_log_file_path);
591  }
592  // Create a watcher.
593  auto watcher_ptr = absl::make_unique<TlsServerCertificateWatcher>(this);
594  certificate_watcher_ = watcher_ptr.get();
595  // Register the watcher with the distributor.
596  grpc_tls_certificate_distributor* distributor =
597  options_->certificate_distributor();
598  absl::optional<std::string> watched_root_cert_name;
599  if (options_->watch_root_cert()) {
600  watched_root_cert_name = options_->root_cert_name();
601  }
602  absl::optional<std::string> watched_identity_cert_name;
603  if (options_->watch_identity_pair()) {
604  watched_identity_cert_name = options_->identity_cert_name();
605  }
606  // Server side won't use default system roots at any time.
607  distributor->WatchTlsCertificates(std::move(watcher_ptr),
608  watched_root_cert_name,
609  watched_identity_cert_name);
610 }
611 
612 TlsServerSecurityConnector::~TlsServerSecurityConnector() {
613  // Cancel all the watchers.
614  grpc_tls_certificate_distributor* distributor =
615  options_->certificate_distributor();
616  distributor->CancelTlsCertificatesWatch(certificate_watcher_);
617  if (server_handshaker_factory_ != nullptr) {
618  tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
619  }
620 }
621 
622 void TlsServerSecurityConnector::add_handshakers(
623  const grpc_channel_args* args, grpc_pollset_set* /*interested_parties*/,
624  HandshakeManager* handshake_mgr) {
625  MutexLock lock(&mu_);
626  tsi_handshaker* tsi_hs = nullptr;
627  if (server_handshaker_factory_ != nullptr) {
628  // Instantiate TSI handshaker.
629  tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
630  server_handshaker_factory_, /*network_bio_buf_size=*/0,
631  /*ssl_bio_buf_size=*/0, &tsi_hs);
632  if (result != TSI_OK) {
633  gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
634  tsi_result_to_string(result));
635  }
636  }
637  // If tsi_hs is null, this will add a failing handshaker.
638  handshake_mgr->Add(SecurityHandshakerCreate(tsi_hs, this, args));
639 }
640 
641 void TlsServerSecurityConnector::check_peer(
642  tsi_peer peer, grpc_endpoint* /*ep*/,
643  RefCountedPtr<grpc_auth_context>* auth_context,
644  grpc_closure* on_peer_checked) {
645  grpc_error_handle error = grpc_ssl_check_alpn(&peer);
646  if (!GRPC_ERROR_IS_NONE(error)) {
647  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
648  tsi_peer_destruct(&peer);
649  return;
650  }
651  *auth_context =
652  grpc_ssl_peer_to_auth_context(&peer, GRPC_TLS_TRANSPORT_SECURITY_TYPE);
653  if (options_->certificate_verifier() != nullptr) {
654  auto* pending_request =
655  new ServerPendingVerifierRequest(Ref(), on_peer_checked, peer);
656  {
657  MutexLock lock(&verifier_request_map_mu_);
658  pending_verifier_requests_.emplace(on_peer_checked, pending_request);
659  }
660  pending_request->Start();
661  } else {
662  tsi_peer_destruct(&peer);
663  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
664  }
665 }
666 
667 void TlsServerSecurityConnector::cancel_check_peer(
668  grpc_closure* on_peer_checked, grpc_error_handle error) {
669  if (!GRPC_ERROR_IS_NONE(error)) {
670  gpr_log(GPR_ERROR,
671  "TlsServerSecurityConnector::cancel_check_peer error: %s",
672  grpc_error_std_string(error).c_str());
673  GRPC_ERROR_UNREF(error);
674  return;
675  }
676  auto* verifier = options_->certificate_verifier();
677  if (verifier != nullptr) {
678  grpc_tls_custom_verification_check_request* pending_verifier_request =
679  nullptr;
680  {
681  MutexLock lock(&verifier_request_map_mu_);
682  auto it = pending_verifier_requests_.find(on_peer_checked);
683  if (it != pending_verifier_requests_.end()) {
684  pending_verifier_request = it->second->request();
685  } else {
686  gpr_log(GPR_INFO,
687  "TlsServerSecurityConnector::cancel_check_peer: no "
688  "corresponding pending request found");
689  }
690  }
691  if (pending_verifier_request != nullptr) {
692  verifier->Cancel(pending_verifier_request);
693  }
694  }
695 }
696 
697 int TlsServerSecurityConnector::cmp(
698  const grpc_security_connector* other_sc) const {
699  auto* other = reinterpret_cast<const TlsServerSecurityConnector*>(other_sc);
700  int c = server_security_connector_cmp(other);
701  if (c != 0) return c;
702  return 0;
703 }
704 
705 void TlsServerSecurityConnector::TlsServerCertificateWatcher::
706  OnCertificatesChanged(absl::optional<absl::string_view> root_certs,
707  absl::optional<PemKeyCertPairList> key_cert_pairs) {
708  GPR_ASSERT(security_connector_ != nullptr);
709  MutexLock lock(&security_connector_->mu_);
710  if (root_certs.has_value()) {
711  security_connector_->pem_root_certs_ = root_certs;
712  }
713  if (key_cert_pairs.has_value()) {
714  security_connector_->pem_key_cert_pair_list_ = std::move(key_cert_pairs);
715  }
716  bool root_being_watched = security_connector_->options_->watch_root_cert();
717  bool root_has_value = security_connector_->pem_root_certs_.has_value();
718  bool identity_being_watched =
719  security_connector_->options_->watch_identity_pair();
720  bool identity_has_value =
721  security_connector_->pem_key_cert_pair_list_.has_value();
722  if ((root_being_watched && root_has_value && identity_being_watched &&
723  identity_has_value) ||
724  (root_being_watched && root_has_value && !identity_being_watched) ||
725  (!root_being_watched && identity_being_watched && identity_has_value)) {
726  if (security_connector_->UpdateHandshakerFactoryLocked() !=
727  GRPC_SECURITY_OK) {
728  gpr_log(GPR_ERROR, "Update handshaker factory failed.");
729  }
730  }
731 }
732 
733 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
734 // BlockOnInitialCredentialHandshaker is implemented.
735 void TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError(
736  grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) {
737  if (!GRPC_ERROR_IS_NONE(root_cert_error)) {
738  gpr_log(GPR_ERROR,
739  "TlsServerCertificateWatcher getting root_cert_error: %s",
740  grpc_error_std_string(root_cert_error).c_str());
741  }
742  if (!GRPC_ERROR_IS_NONE(identity_cert_error)) {
743  gpr_log(GPR_ERROR,
744  "TlsServerCertificateWatcher getting identity_cert_error: %s",
745  grpc_error_std_string(identity_cert_error).c_str());
746  }
747  GRPC_ERROR_UNREF(root_cert_error);
748  GRPC_ERROR_UNREF(identity_cert_error);
749 }
750 
751 TlsServerSecurityConnector::ServerPendingVerifierRequest::
752  ServerPendingVerifierRequest(
753  RefCountedPtr<TlsServerSecurityConnector> security_connector,
754  grpc_closure* on_peer_checked, tsi_peer peer)
755  : security_connector_(std::move(security_connector)),
756  on_peer_checked_(on_peer_checked) {
757  PendingVerifierRequestInit(nullptr, peer, &request_);
758  tsi_peer_destruct(&peer);
759 }
760 
761 TlsServerSecurityConnector::ServerPendingVerifierRequest::
762  ~ServerPendingVerifierRequest() {
763  PendingVerifierRequestDestroy(&request_);
764 }
765 
766 void TlsServerSecurityConnector::ServerPendingVerifierRequest::Start() {
767  absl::Status sync_status;
768  grpc_tls_certificate_verifier* verifier =
769  security_connector_->options_->certificate_verifier();
770  bool is_done = verifier->Verify(
771  &request_,
772  absl::bind_front(&ServerPendingVerifierRequest::OnVerifyDone, this, true),
773  &sync_status);
774  if (is_done) {
775  OnVerifyDone(false, sync_status);
776  }
777 }
778 
779 void TlsServerSecurityConnector::ServerPendingVerifierRequest::OnVerifyDone(
780  bool run_callback_inline, absl::Status status) {
781  {
782  MutexLock lock(&security_connector_->verifier_request_map_mu_);
783  security_connector_->pending_verifier_requests_.erase(on_peer_checked_);
784  }
785  grpc_error_handle error = GRPC_ERROR_NONE;
786  if (!status.ok()) {
787  error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
788  absl::StrCat("Custom verification check failed with error: ",
789  status.ToString())
790  .c_str());
791  }
792  if (run_callback_inline) {
793  Closure::Run(DEBUG_LOCATION, on_peer_checked_, error);
794  } else {
795  ExecCtx::Run(DEBUG_LOCATION, on_peer_checked_, error);
796  }
797  delete this;
798 }
799 
800 // TODO(ZhenLian): implement the logic to signal waiting handshakers once
801 // BlockOnInitialCredentialHandshaker is implemented.
802 grpc_security_status
803 TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
804  /* Free the server handshaker factory if exists. */
805  if (server_handshaker_factory_ != nullptr) {
806  tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
807  }
808  // The identity certs on the server side shouldn't be empty.
809  GPR_ASSERT(pem_key_cert_pair_list_.has_value());
810  GPR_ASSERT(!(*pem_key_cert_pair_list_).empty());
811  std::string pem_root_certs;
812  if (pem_root_certs_.has_value()) {
813  // TODO(ZhenLian): update the underlying TSI layer to use C++ types like
814  // std::string and absl::string_view to avoid making another copy here.
815  pem_root_certs = std::string(*pem_root_certs_);
816  }
817  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
818  pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(*pem_key_cert_pair_list_);
819  size_t num_key_cert_pairs = (*pem_key_cert_pair_list_).size();
820  grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
821  pem_key_cert_pairs, num_key_cert_pairs,
822  pem_root_certs.empty() ? nullptr : pem_root_certs.c_str(),
823  options_->cert_request_type(),
824  grpc_get_tsi_tls_version(options_->min_tls_version()),
825  grpc_get_tsi_tls_version(options_->max_tls_version()),
826  tls_session_key_logger_.get(), options_->crl_directory().c_str(),
827  &server_handshaker_factory_);
828  /* Free memory. */
829  grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
830  num_key_cert_pairs);
831  return status;
832 }
833 
834 } // namespace grpc_core
_gevent_test_main.result
result
Definition: _gevent_test_main.py:96
GPR_INFO
#define GPR_INFO
Definition: include/grpc/impl/codegen/log.h:56
grpc_auth_context
Definition: security_context.h:63
regen-readme.it
it
Definition: regen-readme.py:15
GRPC_ERROR_NONE
#define GRPC_ERROR_NONE
Definition: error.h:234
log.h
tsi_peer::properties
tsi_peer_property * properties
Definition: transport_security_interface.h:239
GRPC_ERROR_CREATE_FROM_COPIED_STRING
#define GRPC_ERROR_CREATE_FROM_COPIED_STRING(desc)
Definition: error.h:294
tsi_peer_property::value
struct tsi_peer_property::@48 value
grpc_core::TlsChannelSecurityConnector::cancel_check_peer
void cancel_check_peer(grpc_closure *on_peer_checked, grpc_error_handle error) override
Definition: tls_security_connector.cc:379
grpc_core::TlsServerSecurityConnector::UpdateHandshakerFactoryLocked
grpc_security_status UpdateHandshakerFactoryLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_)
Definition: tls_security_connector.cc:803
absl::Status::ToString
std::string ToString(StatusToStringMode mode=StatusToStringMode::kDefault) const
Definition: third_party/abseil-cpp/absl/status/status.h:821
absl::StrCat
std::string StrCat(const AlphaNum &a, const AlphaNum &b)
Definition: abseil-cpp/absl/strings/str_cat.cc:98
grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector
static RefCountedPtr< grpc_channel_security_connector > CreateTlsChannelSecurityConnector(RefCountedPtr< grpc_channel_credentials > channel_creds, RefCountedPtr< grpc_tls_credentials_options > options, RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: tls_security_connector.cc:231
grpc_server_security_connector
Definition: security_connector.h:171
pem_root_certs
static char * pem_root_certs
Definition: rb_channel_credentials.c:38
tsi_handshaker
Definition: transport_security.h:84
grpc_core::SecurityHandshakerCreate
RefCountedPtr< Handshaker > SecurityHandshakerCreate(tsi_handshaker *handshaker, grpc_security_connector *connector, const grpc_channel_args *args)
Creates a security handshaker using handshaker.
Definition: security_handshaker.cc:658
absl::bind_front
constexpr ABSL_NAMESPACE_BEGIN functional_internal::bind_front_t< F, BoundArgs... > bind_front(F &&func, BoundArgs &&... args)
Definition: abseil-cpp/absl/functional/bind_front.h:182
tsi_ssl_pem_key_cert_pair
Definition: ssl_transport_security.h:101
grpc_core::TlsChannelSecurityConnector::mu_
Mutex mu_
Definition: tls_security_connector.h:156
TSI_X509_IP_PEER_PROPERTY
#define TSI_X509_IP_PEER_PROPERTY
Definition: ssl_transport_security.h:48
grpc_core::TlsChannelSecurityConnector::tls_session_key_logger_
RefCountedPtr< TlsSessionKeyLogger > tls_session_key_logger_
Definition: tls_security_connector.h:168
grpc_ssl_peer_to_auth_context
grpc_core::RefCountedPtr< grpc_auth_context > grpc_ssl_peer_to_auth_context(const tsi_peer *peer, const char *transport_security_type)
Definition: ssl_utils.cc:261
grpc_core
Definition: call_metric_recorder.h:31
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest::ServerPendingVerifierRequest
ServerPendingVerifierRequest(RefCountedPtr< TlsServerSecurityConnector > security_connector, grpc_closure *on_peer_checked, tsi_peer peer)
Definition: tls_security_connector.cc:752
grpc_core::MutexLock
Definition: src/core/lib/gprpp/sync.h:88
grpc_pollset_set
struct grpc_pollset_set grpc_pollset_set
Definition: iomgr_fwd.h:23
tsi_ssl_client_handshaker_factory_unref
void tsi_ssl_client_handshaker_factory_unref(tsi_ssl_client_handshaker_factory *factory)
Definition: ssl_transport_security.cc:1783
tsi_peer_property::length
size_t length
Definition: transport_security_interface.h:234
string.h
options
double_dict options[]
Definition: capstone_test.c:55
grpc_core::TlsChannelSecurityConnector::CheckCallHost
ArenaPromise< absl::Status > CheckCallHost(absl::string_view host, grpc_auth_context *auth_context) override
Definition: tls_security_connector.cc:421
benchmark.request
request
Definition: benchmark.py:77
absl::string_view
Definition: abseil-cpp/absl/strings/string_view.h:167
grpc_core::TlsChannelSecurityConnector::~TlsChannelSecurityConnector
~TlsChannelSecurityConnector() override
Definition: tls_security_connector.cc:317
grpc_core::TlsChannelSecurityConnector
Definition: tls_security_connector.h:56
gpr_free
GPRAPI void gpr_free(void *ptr)
Definition: alloc.cc:51
tsi_ssl_session_cache_unref
void tsi_ssl_session_cache_unref(tsi_ssl_session_cache *cache)
Definition: ssl_transport_security.cc:1048
grpc_core::TlsServerSecurityConnector::add_handshakers
void add_handshakers(const grpc_channel_args *args, grpc_pollset_set *interested_parties, HandshakeManager *handshake_mgr) override
Definition: tls_security_connector.cc:622
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
error
grpc_error_handle error
Definition: retry_filter.cc:499
grpc_core::TlsChannelSecurityConnector::certificate_watcher_
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface * certificate_watcher_
Definition: tls_security_connector.h:162
grpc_tls_credentials_options::max_tls_version
grpc_tls_version max_tls_version() const
Definition: grpc_tls_credentials_options.h:48
gpr_malloc
GPRAPI void * gpr_malloc(size_t size)
Definition: alloc.cc:29
grpc_tls_certificate_distributor
Definition: grpc_tls_certificate_distributor.h:43
grpc_core::SplitHostPort
bool SplitHostPort(absl::string_view name, absl::string_view *host, absl::string_view *port)
Definition: host_port.cc:88
status
absl::Status status
Definition: rls.cc:251
tsi_ssl_pem_key_cert_pair::cert_chain
const char * cert_chain
Definition: ssl_transport_security.h:108
grpc_core::TlsServerSecurityConnector
Definition: tls_security_connector.h:177
grpc_core::TlsChannelSecurityConnector::TlsChannelCertificateWatcher::security_connector_
TlsChannelSecurityConnector * security_connector_
Definition: tls_security_connector.h:125
grpc_tls_credentials_options::cert_request_type
grpc_ssl_client_certificate_request_type cert_request_type() const
Definition: grpc_tls_credentials_options.h:45
ssl_transport_security.h
grpc_tls_credentials_options::crl_directory
const std::string & crl_directory() const
Definition: grpc_tls_credentials_options.h:63
verifier
static void verifier(grpc_server *server, grpc_completion_queue *cq, void *)
Definition: badreq.cc:31
grpc_core::TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnCertificatesChanged
void OnCertificatesChanged(absl::optional< absl::string_view > root_certs, absl::optional< PemKeyCertPairList > key_cert_pairs) override
Definition: tls_security_connector.cc:432
credentials.h
grpc_channel_args
Definition: grpc_types.h:132
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest::Start
void Start()
Definition: tls_security_connector.cc:766
grpc_tls_credentials_options::verify_server_cert
bool verify_server_cert() const
Definition: grpc_tls_credentials_options.h:46
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest::Start
void Start()
Definition: tls_security_connector.cc:488
grpc_tls_credentials_options::check_call_host
bool check_call_host() const
Definition: grpc_tls_credentials_options.h:52
grpc_tls_certificate_distributor::WatchTlsCertificates
void WatchTlsCertificates(std::unique_ptr< TlsCertificatesWatcherInterface > watcher, absl::optional< std::string > root_cert_name, absl::optional< std::string > identity_cert_name)
Definition: grpc_tls_certificate_distributor.cc:176
TSI_X509_URI_PEER_PROPERTY
#define TSI_X509_URI_PEER_PROPERTY
Definition: ssl_transport_security.h:46
gpr_zalloc
GPRAPI void * gpr_zalloc(size_t size)
Definition: alloc.cc:40
grpc_core::TlsChannelSecurityConnector::TlsChannelSecurityConnector
TlsChannelSecurityConnector(RefCountedPtr< grpc_channel_credentials > channel_creds, RefCountedPtr< grpc_tls_credentials_options > options, RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: tls_security_connector.cc:261
grpc_core::TlsServerSecurityConnector::options_
RefCountedPtr< grpc_tls_credentials_options > options_
Definition: tls_security_connector.h:271
grpc_security_connector
Definition: security_connector.h:61
TSI_X509_DNS_PEER_PROPERTY
#define TSI_X509_DNS_PEER_PROPERTY
Definition: ssl_transport_security.h:45
TSI_OK
@ TSI_OK
Definition: transport_security_interface.h:32
DEBUG_LOCATION
#define DEBUG_LOCATION
Definition: debug_location.h:41
string_util.h
grpc_core::TlsChannelSecurityConnector::verifier_request_map_mu_
Mutex verifier_request_map_mu_
Definition: tls_security_connector.h:159
memcpy
memcpy(mem, inblock.get(), min(CONTAINING_RECORD(inblock.get(), MEMBLOCK, data) ->size, size))
grpc_ssl_cmp_target_name
int grpc_ssl_cmp_target_name(absl::string_view target_name, absl::string_view other_target_name, absl::string_view overridden_target_name, absl::string_view other_overridden_target_name)
Definition: ssl_utils.cc:231
asyncio_get_stats.args
args
Definition: asyncio_get_stats.py:40
tsi_ssl_session_cache_ref
void tsi_ssl_session_cache_ref(tsi_ssl_session_cache *cache)
Definition: ssl_transport_security.cc:1043
grpc_tls_certificate_verifier.h
grpc_core::RefCountedPtr< grpc_channel_credentials >
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
GPR_ASSERT
#define GPR_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:94
grpc_core::TlsServerSecurityConnector::TlsServerCertificateWatcher::security_connector_
TlsServerSecurityConnector * security_connector_
Definition: tls_security_connector.h:236
grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector
static RefCountedPtr< grpc_server_security_connector > CreateTlsServerSecurityConnector(RefCountedPtr< grpc_server_credentials > server_creds, RefCountedPtr< grpc_tls_credentials_options > options)
Definition: tls_security_connector.cc:561
absl::optional::has_value
constexpr bool has_value() const noexcept
Definition: abseil-cpp/absl/types/optional.h:461
gen_stats_data.c_str
def c_str(s, encoding='ascii')
Definition: gen_stats_data.py:38
grpc_core::TlsServerSecurityConnector::TlsServerCertificateWatcher::OnCertificatesChanged
void OnCertificatesChanged(absl::optional< absl::string_view > root_certs, absl::optional< PemKeyCertPairList > key_cert_pairs) override
Definition: tls_security_connector.cc:706
grpc_tsi_ssl_pem_key_cert_pairs_destroy
void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair *kp, size_t num_key_cert_pairs)
Definition: ssl_utils.cc:168
grpc_ssl_tsi_server_handshaker_factory_init
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(tsi_ssl_pem_key_cert_pair *pem_key_cert_pairs, size_t num_key_cert_pairs, const char *pem_root_certs, grpc_ssl_client_certificate_request_type client_certificate_request, tsi_tls_version min_tls_version, tsi_tls_version max_tls_version, tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger *tls_session_key_logger, const char *crl_directory, tsi_ssl_server_handshaker_factory **handshaker_factory)
Definition: ssl_utils.cc:478
TSI_X509_PEM_CERT_PROPERTY
#define TSI_X509_PEM_CERT_PROPERTY
Definition: ssl_transport_security.h:42
gpr_log
GPRAPI void gpr_log(const char *file, int line, gpr_log_severity severity, const char *format,...) GPR_PRINT_FORMAT_CHECK(4
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest::~ChannelPendingVerifierRequest
~ChannelPendingVerifierRequest()
Definition: tls_security_connector.cc:484
grpc.h
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest::request_
grpc_tls_custom_verification_check_request request_
Definition: tls_security_connector.h:258
grpc_ssl_check_alpn
grpc_error_handle grpc_ssl_check_alpn(const tsi_peer *peer)
Definition: ssl_utils.cc:141
grpc_core::SslCheckCallHost
absl::Status SslCheckCallHost(absl::string_view host, absl::string_view target_name, absl::string_view overridden_target_name, grpc_auth_context *auth_context)
Definition: ssl_utils.cc:180
tsi_result
tsi_result
Definition: transport_security_interface.h:31
grpc_core::TlsServerSecurityConnector::mu_
Mutex mu_
Definition: tls_security_connector.h:267
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest::OnVerifyDone
void OnVerifyDone(bool run_callback_inline, absl::Status status)
Definition: tls_security_connector.cc:502
absl::optional< std::string >
grpc_tls_credentials_options::root_cert_name
const std::string & root_cert_name() const
Definition: grpc_tls_credentials_options.h:59
grpc_core::HandshakeManager::Add
void Add(RefCountedPtr< Handshaker > handshaker)
Definition: src/core/lib/transport/handshaker.cc:63
grpc_core::TlsChannelSecurityConnector::options_
RefCountedPtr< grpc_tls_credentials_options > options_
Definition: tls_security_connector.h:160
grpc_core::TlsServerSecurityConnector::cancel_check_peer
void cancel_check_peer(grpc_closure *, grpc_error_handle error) override
Definition: tls_security_connector.cc:667
grpc_tls_credentials_options::tls_session_key_log_file_path
const std::string & tls_session_key_log_file_path() const
Definition: grpc_tls_credentials_options.h:62
tsi_peer_property::data
char * data
Definition: transport_security_interface.h:233
tsi_ssl_server_handshaker_factory_create_handshaker
tsi_result tsi_ssl_server_handshaker_factory_create_handshaker(tsi_ssl_server_handshaker_factory *factory, size_t network_bio_buf_size, size_t ssl_bio_buf_size, tsi_handshaker **handshaker)
Definition: ssl_transport_security.cc:1813
host_port.h
GPR_ERROR
#define GPR_ERROR
Definition: include/grpc/impl/codegen/log.h:57
grpc_tls_credentials_options::watch_identity_pair
bool watch_identity_pair() const
Definition: grpc_tls_credentials_options.h:60
tsi_peer_property::name
char * name
Definition: transport_security_interface.h:231
grpc_core::TlsServerSecurityConnector::certificate_watcher_
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface * certificate_watcher_
Definition: tls_security_connector.h:273
promise.h
grpc_core::TlsServerSecurityConnector::TlsServerCertificateWatcher::OnError
void OnError(grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) override
Definition: tls_security_connector.cc:735
grpc_tls_credentials_options::watch_root_cert
bool watch_root_cert() const
Definition: grpc_tls_credentials_options.h:58
tsi::TlsSessionKeyLoggerCache::Get
static grpc_core::RefCountedPtr< TlsSessionKeyLogger > Get(std::string tls_session_key_log_file_path)
Definition: ssl_key_logging.cc:109
google_benchmark.example.empty
def empty(state)
Definition: example.py:31
request_
EchoRequest request_
Definition: client_callback_end2end_test.cc:724
tests.unit._exit_scenarios.port
port
Definition: _exit_scenarios.py:179
tsi_peer_property
Definition: transport_security_interface.h:230
grpc_channel_security_connector::channel_security_connector_cmp
int channel_security_connector_cmp(const grpc_channel_security_connector *other) const
Definition: security_connector.cc:45
on_peer_checked_
grpc_closure on_peer_checked_
Definition: security_handshaker.cc:131
grpc_tls_credentials_options::min_tls_version
grpc_tls_version min_tls_version() const
Definition: grpc_tls_credentials_options.h:47
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest
Definition: tls_security_connector.h:130
GRPC_SECURITY_OK
@ GRPC_SECURITY_OK
Definition: security_connector.h:52
grpc_core::TlsServerSecurityConnector::check_peer
void check_peer(tsi_peer peer, grpc_endpoint *ep, RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: tls_security_connector.cc:641
tsi_ssl_pem_key_cert_pair::private_key
const char * private_key
Definition: ssl_transport_security.h:104
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest
Definition: tls_security_connector.h:241
security_handshaker.h
tsi_peer
Definition: transport_security_interface.h:238
security_context.h
grpc_tls_certificate_distributor::CancelTlsCertificatesWatch
void CancelTlsCertificatesWatch(TlsCertificatesWatcherInterface *watcher)
Definition: grpc_tls_certificate_distributor.cc:264
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest::request_
grpc_tls_custom_verification_check_request request_
Definition: tls_security_connector.h:147
grpc_core::ImmediateOkStatus
Definition: promise/promise.h:78
debug_location.h
grpc_core::TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked
grpc_security_status UpdateHandshakerFactoryLocked() ABSL_EXCLUSIVE_LOCKS_REQUIRED(mu_)
Definition: tls_security_connector.cc:526
grpc_tls_credentials_options.h
tsi_ssl_server_handshaker_factory_unref
void tsi_ssl_server_handshaker_factory_unref(tsi_ssl_server_handshaker_factory *factory)
Definition: ssl_transport_security.cc:1824
grpc_core::ArenaPromise
Definition: arena_promise.h:152
options_
DebugStringOptions options_
Definition: bloaty/third_party/protobuf/src/google/protobuf/descriptor.cc:2390
tsi_ssl_session_cache
struct tsi_ssl_session_cache tsi_ssl_session_cache
Definition: ssl_transport_security.h:68
grpc_core::TlsChannelSecurityConnector::TlsChannelCertificateWatcher::OnError
void OnError(grpc_error_handle root_cert_error, grpc_error_handle identity_cert_error) override
Definition: tls_security_connector.cc:457
grpc_error_std_string
std::string grpc_error_std_string(grpc_error_handle error)
Definition: error.cc:944
tsi_result_to_string
const char * tsi_result_to_string(tsi_result result)
Definition: transport_security.cc:35
poll.h
grpc_core::PemKeyCertPairList
std::vector< PemKeyCertPair > PemKeyCertPairList
Definition: ssl_utils.h:183
absl::Status
Definition: third_party/abseil-cpp/absl/status/status.h:424
grpc_core::TlsChannelSecurityConnector::ChannelPendingVerifierRequest::ChannelPendingVerifierRequest
ChannelPendingVerifierRequest(RefCountedPtr< TlsChannelSecurityConnector > security_connector, grpc_closure *on_peer_checked, tsi_peer peer, const char *target_name)
Definition: tls_security_connector.cc:474
alloc.h
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
grpc_core::TlsServerSecurityConnector::~TlsServerSecurityConnector
~TlsServerSecurityConnector() override
Definition: tls_security_connector.cc:612
grpc_security_constants.h
TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY
#define TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY
Definition: ssl_transport_security.h:38
exec_ctx.h
absl::Status::ok
ABSL_MUST_USE_RESULT bool ok() const
Definition: third_party/abseil-cpp/absl/status/status.h:802
grpc_tls_certificate_verifier
Definition: grpc_tls_certificate_verifier.h:38
GRPC_ERROR_UNREF
#define GRPC_ERROR_UNREF(err)
Definition: error.h:262
grpc_core::ExecCtx::Run
static void Run(const DebugLocation &location, grpc_closure *closure, grpc_error_handle error)
Definition: exec_ctx.cc:98
grpc_get_tsi_tls_version
tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version)
Definition: ssl_utils.cc:129
GRPC_TLS_TRANSPORT_SECURITY_TYPE
#define GRPC_TLS_TRANSPORT_SECURITY_TYPE
Definition: grpc_security_constants.h:28
grpc_tls_custom_verification_check_request
Definition: grpc_security.h:907
gpr_strdup
GPRAPI char * gpr_strdup(const char *src)
Definition: string.cc:39
grpc_core::TlsChannelSecurityConnector::overridden_target_name_
std::string overridden_target_name_
Definition: tls_security_connector.h:164
grpc_channel_security_connector
Definition: security_connector.h:118
grpc_core::Immediate
promise_detail::Immediate< T > Immediate(T value)
Definition: promise/promise.h:73
grpc_core::TlsChannelSecurityConnector::cmp
int cmp(const grpc_security_connector *other_sc) const override
Definition: tls_security_connector.cc:409
tls_security_connector.h
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest::~ServerPendingVerifierRequest
~ServerPendingVerifierRequest()
Definition: tls_security_connector.cc:762
grpc_core::HandshakeManager
Definition: handshaker.h:98
grpc_core::TlsChannelSecurityConnector::check_peer
void check_peer(tsi_peer peer, grpc_endpoint *ep, RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: tls_security_connector.cc:354
grpc_tls_credentials_options::certificate_distributor
grpc_tls_certificate_distributor * certificate_distributor()
Definition: grpc_tls_credentials_options.h:54
GRPC_SSL_URL_SCHEME
#define GRPC_SSL_URL_SCHEME
Definition: security_connector.h:49
grpc_channel_security_connector::channel_creds
const grpc_channel_credentials * channel_creds() const
Definition: security_connector.h:135
grpc_error
Definition: error_internal.h:42
grpc_core::TlsServerSecurityConnector::TlsServerSecurityConnector
TlsServerSecurityConnector(RefCountedPtr< grpc_server_credentials > server_creds, RefCountedPtr< grpc_tls_credentials_options > options)
Definition: tls_security_connector.cc:580
length
std::size_t length
Definition: abseil-cpp/absl/time/internal/test_util.cc:57
grpc_core::TlsServerSecurityConnector::tls_session_key_logger_
RefCountedPtr< TlsSessionKeyLogger > tls_session_key_logger_
Definition: tls_security_connector.h:279
tests.interop.resources.private_key
def private_key()
Definition: interop/resources.py:29
TSI_X509_PEM_CERT_CHAIN_PROPERTY
#define TSI_X509_PEM_CERT_CHAIN_PROPERTY
Definition: ssl_transport_security.h:43
grpc_tls_credentials_options::certificate_verifier
grpc_tls_certificate_verifier * certificate_verifier()
Definition: grpc_tls_credentials_options.h:49
grpc_closure
Definition: closure.h:56
grpc_core::TlsServerSecurityConnector::verifier_request_map_mu_
Mutex verifier_request_map_mu_
Definition: tls_security_connector.h:270
TSI_X509_EMAIL_PEER_PROPERTY
#define TSI_X509_EMAIL_PEER_PROPERTY
Definition: ssl_transport_security.h:47
tsi_peer_destruct
void tsi_peer_destruct(tsi_peer *self)
Definition: transport_security.cc:320
grpc_channel_security_connector::request_metadata_creds
const grpc_call_credentials * request_metadata_creds() const
Definition: security_connector.h:141
grpc_endpoint
Definition: endpoint.h:105
setup.target
target
Definition: third_party/bloaty/third_party/protobuf/python/setup.py:179
grpc_core::Closure::Run
static void Run(const DebugLocation &location, grpc_closure *closure, grpc_error_handle error)
Definition: closure.h:250
grpc_ssl_tsi_client_handshaker_factory_init
grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(tsi_ssl_pem_key_cert_pair *pem_key_cert_pair, const char *pem_root_certs, bool skip_server_certificate_verification, tsi_tls_version min_tls_version, tsi_tls_version max_tls_version, tsi_ssl_session_cache *ssl_session_cache, tsi::TlsSessionKeyLoggerCache::TlsSessionKeyLogger *tls_session_key_logger, const char *crl_directory, tsi_ssl_client_handshaker_factory **handshaker_factory)
Definition: ssl_utils.cc:422
grpc_security_status
grpc_security_status
Definition: security_connector.h:52
grpc_core::TlsChannelSecurityConnector::target_name_
std::string target_name_
Definition: tls_security_connector.h:163
tsi_ssl_client_handshaker_factory_create_handshaker
tsi_result tsi_ssl_client_handshaker_factory_create_handshaker(tsi_ssl_client_handshaker_factory *factory, const char *server_name_indication, size_t network_bio_buf_size, size_t ssl_bio_buf_size, tsi_handshaker **handshaker)
Definition: ssl_transport_security.cc:1774
grpc_core::TlsServerSecurityConnector::ServerPendingVerifierRequest::OnVerifyDone
void OnVerifyDone(bool run_callback_inline, absl::Status status)
Definition: tls_security_connector.cc:779
ssl_utils.h
grpc_core::TlsChannelSecurityConnector::add_handshakers
void add_handshakers(const grpc_channel_args *args, grpc_pollset_set *interested_parties, HandshakeManager *handshake_mgr) override
Registers handshakers with handshake_mgr.
Definition: tls_security_connector.cc:332
grpc_core::RefCounted< grpc_security_connector >::Ref
RefCountedPtr< grpc_security_connector > Ref() GRPC_MUST_USE_RESULT
Definition: ref_counted.h:287
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
grpc_tls_credentials_options::identity_cert_name
const std::string & identity_cert_name() const
Definition: grpc_tls_credentials_options.h:61
tsi_peer::property_count
size_t property_count
Definition: transport_security_interface.h:240
grpc_server_security_connector::server_security_connector_cmp
int server_security_connector_cmp(const grpc_server_security_connector *other) const
Definition: security_connector.cc:67
grpc_core::TlsServerSecurityConnector::cmp
int cmp(const grpc_security_connector *other) const override
Definition: tls_security_connector.cc:697
GRPC_ERROR_IS_NONE
#define GRPC_ERROR_IS_NONE(err)
Definition: error.h:241
port_platform.h

grpc
Author(s):
autogenerated on Thu Mar 13 2025 03:01:40