tls_security_connector_test.cc
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2018 gRPC authors.
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
20 
21 #include <stdlib.h>
22 #include <string.h>
23 
24 #include <gmock/gmock.h>
25 #include <gtest/gtest.h>
26 
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
30 
31 #include "src/core/lib/gprpp/unique_type_name.h"
32 #include "src/core/lib/iomgr/load_file.h"
33 #include "src/core/lib/security/context/security_context.h"
34 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
35 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
36 #include "src/core/lib/security/credentials/tls/tls_credentials.h"
37 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
38 #include "src/core/tsi/transport_security.h"
39 #include "test/core/util/test_config.h"
40 #include "test/core/util/tls_utils.h"
41 
42 #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem"
43 #define CLIENT_CERT_PATH "src/core/tsi/test_creds/multi-domain.pem"
44 #define SERVER_CERT_PATH_0 "src/core/tsi/test_creds/server0.pem"
45 #define SERVER_KEY_PATH_0 "src/core/tsi/test_creds/server0.key"
46 #define SERVER_CERT_PATH_1 "src/core/tsi/test_creds/server1.pem"
47 #define SERVER_KEY_PATH_1 "src/core/tsi/test_creds/server1.key"
48 
49 namespace grpc_core {
50 namespace testing {
51 
52 constexpr const char* kRootCertName = "root_cert_name";
53 constexpr const char* kIdentityCertName = "identity_cert_name";
54 constexpr const char* kErrorMessage = "error_message";
55 constexpr const char* kTargetName = "foo.bar.com:443";
56 
57 class TlsSecurityConnectorTest : public ::testing::Test {
58  protected:
59  TlsSecurityConnectorTest() {}
60 
61  void SetUp() override {
62  grpc_slice ca_slice_1, ca_slice_0, cert_slice_1, key_slice_1, cert_slice_0,
63  key_slice_0;
64  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
65  grpc_load_file(CA_CERT_PATH, 1, &ca_slice_1)));
66  GPR_ASSERT(GRPC_LOG_IF_ERROR(
67  "load_file", grpc_load_file(CLIENT_CERT_PATH, 1, &ca_slice_0)));
68  GPR_ASSERT(GRPC_LOG_IF_ERROR(
69  "load_file", grpc_load_file(SERVER_CERT_PATH_1, 1, &cert_slice_1)));
70  GPR_ASSERT(GRPC_LOG_IF_ERROR(
71  "load_file", grpc_load_file(SERVER_KEY_PATH_1, 1, &key_slice_1)));
72  GPR_ASSERT(GRPC_LOG_IF_ERROR(
73  "load_file", grpc_load_file(SERVER_CERT_PATH_0, 1, &cert_slice_0)));
74  GPR_ASSERT(GRPC_LOG_IF_ERROR(
75  "load_file", grpc_load_file(SERVER_KEY_PATH_0, 1, &key_slice_0)));
76  root_cert_1_ = std::string(StringViewFromSlice(ca_slice_1));
77  root_cert_0_ = std::string(StringViewFromSlice(ca_slice_0));
78  std::string identity_key_1 = std::string(StringViewFromSlice(key_slice_1));
79  std::string identity_key_0 = std::string(StringViewFromSlice(key_slice_0));
80  std::string identity_cert_1 =
81  std::string(StringViewFromSlice(cert_slice_1));
82  std::string identity_cert_0 =
83  std::string(StringViewFromSlice(cert_slice_0));
84  identity_pairs_1_.emplace_back(identity_key_1, identity_cert_1);
85  identity_pairs_0_.emplace_back(identity_key_0, identity_cert_0);
86  grpc_slice_unref(ca_slice_1);
87  grpc_slice_unref(ca_slice_0);
88  grpc_slice_unref(cert_slice_1);
89  grpc_slice_unref(key_slice_1);
90  grpc_slice_unref(cert_slice_0);
91  grpc_slice_unref(key_slice_0);
92  }
93 
94  static void VerifyExpectedErrorCallback(void* arg, grpc_error_handle error) {
95  const char* expected_error_msg = static_cast<const char*>(arg);
96  if (expected_error_msg == nullptr) {
97  EXPECT_EQ(error, GRPC_ERROR_NONE);
98  } else {
99  EXPECT_EQ(GetErrorMsg(error), expected_error_msg);
100  }
101  }
102 
103  static std::string GetErrorMsg(grpc_error_handle error) {
104  std::string error_str;
105  GPR_ASSERT(
106  grpc_error_get_str(error, GRPC_ERROR_STR_DESCRIPTION, &error_str));
107  return error_str;
108  }
109 
110  std::string root_cert_1_;
111  std::string root_cert_0_;
112  PemKeyCertPairList identity_pairs_1_;
113  PemKeyCertPairList identity_pairs_0_;
114  HostNameCertificateVerifier hostname_certificate_verifier_;
115 };
116 
117 class TlsTestCertificateProvider : public grpc_tls_certificate_provider {
118  public:
119  explicit TlsTestCertificateProvider(
120  RefCountedPtr<grpc_tls_certificate_distributor> distributor)
121  : distributor_(std::move(distributor)) {}
122  ~TlsTestCertificateProvider() override {}
123  RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override {
124  return distributor_;
125  }
126 
127  UniqueTypeName type() const override {
128  static UniqueTypeName::Factory kFactory("tls_test");
129  return kFactory.Create();
130  }
131 
132  private:
133  int CompareImpl(const grpc_tls_certificate_provider* other) const override {
134  // TODO(yashykt): Maybe do something better here.
135  return QsortCompare(static_cast<const grpc_tls_certificate_provider*>(this),
136  other);
137  }
138 
139  RefCountedPtr<grpc_tls_certificate_distributor> distributor_;
140 };
141 
142 //
143 // Tests for Certificate Providers in ChannelSecurityConnector.
144 //
145 
146 TEST_F(TlsSecurityConnectorTest,
147  RootAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
148  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
149  MakeRefCounted<grpc_tls_certificate_distributor>();
150  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
151  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
152  identity_pairs_0_);
153  RefCountedPtr<grpc_tls_certificate_provider> provider =
154  MakeRefCounted<TlsTestCertificateProvider>(distributor);
155  RefCountedPtr<grpc_tls_credentials_options> options =
156  MakeRefCounted<grpc_tls_credentials_options>();
157  options->set_certificate_provider(provider);
158  options->set_watch_root_cert(true);
159  options->set_watch_identity_pair(true);
160  options->set_root_cert_name(kRootCertName);
161  options->set_identity_cert_name(kIdentityCertName);
162  RefCountedPtr<TlsCredentials> credential =
163  MakeRefCounted<TlsCredentials>(options);
164  grpc_channel_args* new_args = nullptr;
165  RefCountedPtr<grpc_channel_security_connector> connector =
166  credential->create_security_connector(nullptr, kTargetName, nullptr,
167  &new_args);
168  EXPECT_NE(connector, nullptr);
169  TlsChannelSecurityConnector* tls_connector =
170  static_cast<TlsChannelSecurityConnector*>(connector.get());
171  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
172  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
173  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
174  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
175  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
176  identity_pairs_1_);
177  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
178  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
179  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
180  grpc_channel_args_destroy(new_args);
181 }
182 
183 TEST_F(TlsSecurityConnectorTest,
184  SystemRootsWhenCreateChannelSecurityConnector) {
185  // Create options watching for no certificates.
186  RefCountedPtr<grpc_tls_credentials_options> root_options =
187  MakeRefCounted<grpc_tls_credentials_options>();
188  RefCountedPtr<TlsCredentials> root_credential =
189  MakeRefCounted<TlsCredentials>(root_options);
190  grpc_channel_args* root_new_args = nullptr;
191  RefCountedPtr<grpc_channel_security_connector> root_connector =
192  root_credential->create_security_connector(nullptr, "some_target",
193  nullptr, &root_new_args);
194  EXPECT_NE(root_connector, nullptr);
195  TlsChannelSecurityConnector* tls_root_connector =
196  static_cast<TlsChannelSecurityConnector*>(root_connector.get());
197  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
198  grpc_channel_args_destroy(root_new_args);
199 }
200 
201 TEST_F(TlsSecurityConnectorTest,
202  SystemRootsAndIdentityCertsObtainedWhenCreateChannelSecurityConnector) {
203  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
204  MakeRefCounted<grpc_tls_certificate_distributor>();
205  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
206  identity_pairs_0_);
207  RefCountedPtr<grpc_tls_certificate_provider> provider =
208  MakeRefCounted<TlsTestCertificateProvider>(distributor);
209  // Create options only watching for identity certificates.
210  RefCountedPtr<grpc_tls_credentials_options> root_options =
211  MakeRefCounted<grpc_tls_credentials_options>();
212  root_options->set_certificate_provider(provider);
213  root_options->set_watch_identity_pair(true);
214  root_options->set_identity_cert_name(kIdentityCertName);
215  RefCountedPtr<TlsCredentials> root_credential =
216  MakeRefCounted<TlsCredentials>(root_options);
217  grpc_channel_args* root_new_args = nullptr;
218  RefCountedPtr<grpc_channel_security_connector> root_connector =
219  root_credential->create_security_connector(nullptr, "some_target",
220  nullptr, &root_new_args);
221  EXPECT_NE(root_connector, nullptr);
222  TlsChannelSecurityConnector* tls_root_connector =
223  static_cast<TlsChannelSecurityConnector*>(root_connector.get());
224  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
225  EXPECT_EQ(tls_root_connector->KeyCertPairListForTesting(), identity_pairs_0_);
226  // If we have a root update, we shouldn't receive them in security connector,
227  // since we claimed to use default system roots.
228  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
229  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
230  EXPECT_NE(tls_root_connector->RootCertsForTesting(), root_cert_1_);
231  grpc_channel_args_destroy(root_new_args);
232 }
233 
234 TEST_F(TlsSecurityConnectorTest,
235  RootCertsObtainedWhenCreateChannelSecurityConnector) {
236  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
237  MakeRefCounted<grpc_tls_certificate_distributor>();
238  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
239  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
240  identity_pairs_0_);
241  RefCountedPtr<grpc_tls_certificate_provider> provider =
242  MakeRefCounted<TlsTestCertificateProvider>(distributor);
243  // Create options only watching for root certificates.
244  RefCountedPtr<grpc_tls_credentials_options> root_options =
245  MakeRefCounted<grpc_tls_credentials_options>();
246  root_options->set_certificate_provider(provider);
247  root_options->set_watch_root_cert(true);
248  root_options->set_root_cert_name(kRootCertName);
249  RefCountedPtr<TlsCredentials> root_credential =
250  MakeRefCounted<TlsCredentials>(root_options);
251  grpc_channel_args* root_new_args = nullptr;
252  RefCountedPtr<grpc_channel_security_connector> root_connector =
253  root_credential->create_security_connector(nullptr, "some_target",
254  nullptr, &root_new_args);
255  EXPECT_NE(root_connector, nullptr);
256  TlsChannelSecurityConnector* tls_root_connector =
257  static_cast<TlsChannelSecurityConnector*>(root_connector.get());
258  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
259  EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_0_);
260  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
261  EXPECT_NE(tls_root_connector->ClientHandshakerFactoryForTesting(), nullptr);
262  EXPECT_EQ(tls_root_connector->RootCertsForTesting(), root_cert_1_);
263  grpc_channel_args_destroy(root_new_args);
264 }
265 
266 TEST_F(TlsSecurityConnectorTest,
267  CertPartiallyObtainedWhenCreateChannelSecurityConnector) {
268  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
269  MakeRefCounted<grpc_tls_certificate_distributor>();
270  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
271  RefCountedPtr<grpc_tls_certificate_provider> provider =
272  MakeRefCounted<TlsTestCertificateProvider>(distributor);
273  // Registered the options watching both certs, but only root certs are
274  // available at distributor right now.
275  RefCountedPtr<grpc_tls_credentials_options> options =
276  MakeRefCounted<grpc_tls_credentials_options>();
277  options->set_certificate_provider(provider);
278  options->set_watch_root_cert(true);
279  options->set_watch_identity_pair(true);
280  options->set_root_cert_name(kRootCertName);
281  options->set_identity_cert_name(kIdentityCertName);
282  RefCountedPtr<TlsCredentials> credential =
283  MakeRefCounted<TlsCredentials>(options);
284  grpc_channel_args* new_args = nullptr;
285  RefCountedPtr<grpc_channel_security_connector> connector =
286  credential->create_security_connector(nullptr, kTargetName, nullptr,
287  &new_args);
288  EXPECT_NE(connector, nullptr);
289  TlsChannelSecurityConnector* tls_connector =
290  static_cast<TlsChannelSecurityConnector*>(connector.get());
291  // The client_handshaker_factory_ shouldn't be updated.
292  EXPECT_EQ(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
293  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
294  // After updating the root certs, the client_handshaker_factory_ should be
295  // updated.
296  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
297  identity_pairs_0_);
298  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
299  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
300  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
301  grpc_channel_args_destroy(new_args);
302 }
303 
304 TEST_F(TlsSecurityConnectorTest,
305  DistributorHasErrorForChannelSecurityConnector) {
306  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
307  MakeRefCounted<grpc_tls_certificate_distributor>();
308  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
309  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
310  identity_pairs_0_);
311  RefCountedPtr<grpc_tls_certificate_provider> provider =
312  MakeRefCounted<TlsTestCertificateProvider>(distributor);
313  RefCountedPtr<grpc_tls_credentials_options> options =
314  MakeRefCounted<grpc_tls_credentials_options>();
315  options->set_certificate_provider(provider);
316  options->set_watch_root_cert(true);
317  options->set_watch_identity_pair(true);
318  options->set_root_cert_name(kRootCertName);
319  options->set_identity_cert_name(kIdentityCertName);
320  RefCountedPtr<TlsCredentials> credential =
321  MakeRefCounted<TlsCredentials>(options);
322  grpc_channel_args* new_args = nullptr;
323  RefCountedPtr<grpc_channel_security_connector> connector =
324  credential->create_security_connector(nullptr, kTargetName, nullptr,
325  &new_args);
326  EXPECT_NE(connector, nullptr);
327  TlsChannelSecurityConnector* tls_connector =
328  static_cast<TlsChannelSecurityConnector*>(connector.get());
329  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
330  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
331  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
332  // Calling SetErrorForCert on distributor shouldn't invalidate the previous
333  // valid credentials.
334  distributor->SetErrorForCert(
335  kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
336  absl::nullopt);
337  distributor->SetErrorForCert(
338  kIdentityCertName, absl::nullopt,
339  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
340  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
341  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
342  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
343  grpc_channel_args_destroy(new_args);
344 }
345 
346 TEST_F(TlsSecurityConnectorTest,
347  CreateChannelSecurityConnectorFailNoTargetName) {
348  RefCountedPtr<grpc_tls_credentials_options> options =
349  MakeRefCounted<grpc_tls_credentials_options>();
350  RefCountedPtr<TlsCredentials> credential =
351  MakeRefCounted<TlsCredentials>(options);
352  grpc_channel_args* new_args = nullptr;
353  RefCountedPtr<grpc_channel_security_connector> connector =
354  credential->create_security_connector(nullptr, nullptr, nullptr,
355  &new_args);
356  EXPECT_EQ(connector, nullptr);
357 }
358 
359 TEST_F(TlsSecurityConnectorTest,
360  CreateChannelSecurityConnectorFailNoCredentials) {
361  auto connector =
362  TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
363  nullptr, MakeRefCounted<grpc_tls_credentials_options>(), nullptr,
364  kTargetName, nullptr, nullptr);
365  EXPECT_EQ(connector, nullptr);
366 }
367 
368 TEST_F(TlsSecurityConnectorTest, CreateChannelSecurityConnectorFailNoOptions) {
369  RefCountedPtr<grpc_tls_credentials_options> options =
370  MakeRefCounted<grpc_tls_credentials_options>();
371  RefCountedPtr<TlsCredentials> credential =
372  MakeRefCounted<TlsCredentials>(options);
373  auto connector =
374  TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector(
375  credential, nullptr, nullptr, kTargetName, nullptr, nullptr);
376  EXPECT_EQ(connector, nullptr);
377 }
378 
379 //
380 // Tests for Certificate Verifier in ChannelSecurityConnector.
381 //
382 
383 TEST_F(TlsSecurityConnectorTest,
384  ChannelSecurityConnectorWithSyncExternalVerifierSucceeds) {
385  auto* sync_verifier_ = new SyncExternalVerifier(true);
386  ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
387  RefCountedPtr<grpc_tls_credentials_options> options =
388  MakeRefCounted<grpc_tls_credentials_options>();
389  options->set_verify_server_cert(true);
390  options->set_certificate_verifier(core_external_verifier.Ref());
391  options->set_check_call_host(false);
392  RefCountedPtr<TlsCredentials> credential =
393  MakeRefCounted<TlsCredentials>(options);
394  grpc_channel_args* new_args = nullptr;
395  RefCountedPtr<grpc_channel_security_connector> connector =
396  credential->create_security_connector(nullptr, kTargetName, nullptr,
397  &new_args);
398  EXPECT_NE(connector, nullptr);
399  TlsChannelSecurityConnector* tls_connector =
400  static_cast<TlsChannelSecurityConnector*>(connector.get());
401  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
402  // Construct a basic TSI Peer.
403  tsi_peer peer;
404  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
405  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
406  "grpc", strlen("grpc"),
407  &peer.properties[0]) == TSI_OK);
408  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
409  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
410  &peer.properties[1]) == TSI_OK);
411  RefCountedPtr<grpc_auth_context> auth_context;
412  ExecCtx exec_ctx;
413  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
414  VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
415  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
416  grpc_channel_args_destroy(new_args);
417 }
418 
419 TEST_F(TlsSecurityConnectorTest,
420  ChannelSecurityConnectorWithSyncExternalVerifierFails) {
421  auto* sync_verifier_ = new SyncExternalVerifier(false);
422  ExternalCertificateVerifier core_external_verifier(sync_verifier_->base());
423  RefCountedPtr<grpc_tls_credentials_options> options =
424  MakeRefCounted<grpc_tls_credentials_options>();
425  options->set_verify_server_cert(true);
426  options->set_certificate_verifier(core_external_verifier.Ref());
427  options->set_check_call_host(false);
428  RefCountedPtr<TlsCredentials> credential =
429  MakeRefCounted<TlsCredentials>(options);
430  grpc_channel_args* new_args = nullptr;
431  RefCountedPtr<grpc_channel_security_connector> connector =
432  credential->create_security_connector(nullptr, kTargetName, nullptr,
433  &new_args);
434  EXPECT_NE(connector, nullptr);
435  TlsChannelSecurityConnector* tls_connector =
436  static_cast<TlsChannelSecurityConnector*>(connector.get());
437  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
438  // Construct a basic TSI Peer.
439  tsi_peer peer;
440  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
441  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
442  "grpc", strlen("grpc"),
443  &peer.properties[0]) == TSI_OK);
444  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
445  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
446  &peer.properties[1]) == TSI_OK);
447  RefCountedPtr<grpc_auth_context> auth_context;
448  const char* expected_error_msg =
449  "Custom verification check failed with error: UNAUTHENTICATED: "
450  "SyncExternalVerifier failed";
451  ExecCtx exec_ctx;
452  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
453  VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
454  grpc_schedule_on_exec_ctx);
455  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
456  grpc_channel_args_destroy(new_args);
457 }
458 
459 TEST_F(TlsSecurityConnectorTest,
460  CompareChannelSecurityConnectorSucceedsOnSameCredentials) {
461  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
462  MakeRefCounted<grpc_tls_certificate_distributor>();
463  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
464  RefCountedPtr<grpc_tls_certificate_provider> provider =
465  MakeRefCounted<TlsTestCertificateProvider>(distributor);
466  auto options = MakeRefCounted<grpc_tls_credentials_options>();
467  options->set_certificate_provider(provider);
468  options->set_watch_root_cert(true);
469  options->set_root_cert_name(kRootCertName);
470  RefCountedPtr<TlsCredentials> credential =
471  MakeRefCounted<TlsCredentials>(options);
472  RefCountedPtr<grpc_channel_security_connector> connector =
473  credential->create_security_connector(nullptr, kTargetName, nullptr,
474  nullptr);
475  RefCountedPtr<grpc_channel_security_connector> other_connector =
476  credential->create_security_connector(nullptr, kTargetName, nullptr,
477  nullptr);
478  // Comparing the equality of security connectors generated from the same
479  // channel credentials with same settings should succeed.
480  EXPECT_EQ(connector->cmp(other_connector.get()), 0);
481 }
482 
483 TEST_F(TlsSecurityConnectorTest,
484  CompareChannelSecurityConnectorFailsOnDifferentChannelCredentials) {
485  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
486  MakeRefCounted<grpc_tls_certificate_distributor>();
487  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
488  RefCountedPtr<grpc_tls_certificate_provider> provider =
489  MakeRefCounted<TlsTestCertificateProvider>(distributor);
490  auto options = MakeRefCounted<grpc_tls_credentials_options>();
491  options->set_certificate_provider(provider);
492  options->set_watch_root_cert(true);
493  options->set_root_cert_name(kRootCertName);
494  RefCountedPtr<TlsCredentials> credential =
495  MakeRefCounted<TlsCredentials>(options);
496  RefCountedPtr<grpc_channel_security_connector> connector =
497  credential->create_security_connector(nullptr, kTargetName, nullptr,
498  nullptr);
499  auto other_options = MakeRefCounted<grpc_tls_credentials_options>();
500  other_options->set_certificate_provider(provider);
501  other_options->set_watch_root_cert(true);
502  other_options->set_root_cert_name(kRootCertName);
503  other_options->set_watch_identity_pair(true);
504  RefCountedPtr<TlsCredentials> other_credential =
505  MakeRefCounted<TlsCredentials>(other_options);
506  RefCountedPtr<grpc_channel_security_connector> other_connector =
507  other_credential->create_security_connector(nullptr, kTargetName, nullptr,
508  nullptr);
509  // Comparing the equality of security connectors generated from different
510  // channel credentials should fail.
511  EXPECT_NE(connector->cmp(other_connector.get()), 0);
512 }
513 
514 TEST_F(TlsSecurityConnectorTest,
515  CompareChannelSecurityConnectorFailsOnDifferentCallCredentials) {
516  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
517  MakeRefCounted<grpc_tls_certificate_distributor>();
518  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
519  RefCountedPtr<grpc_tls_certificate_provider> provider =
520  MakeRefCounted<TlsTestCertificateProvider>(distributor);
521  auto options = MakeRefCounted<grpc_tls_credentials_options>();
522  options->set_certificate_provider(provider);
523  options->set_watch_root_cert(true);
524  options->set_root_cert_name(kRootCertName);
525  RefCountedPtr<TlsCredentials> credential =
526  MakeRefCounted<TlsCredentials>(options);
527  RefCountedPtr<grpc_channel_security_connector> connector =
528  credential->create_security_connector(nullptr, kTargetName, nullptr,
529  nullptr);
530  grpc_call_credentials* call_creds =
531  grpc_md_only_test_credentials_create("", "");
532  RefCountedPtr<grpc_channel_security_connector> other_connector =
533  credential->create_security_connector(
534  RefCountedPtr<grpc_call_credentials>(call_creds), kTargetName,
535  nullptr, nullptr);
536  // Comparing the equality of security connectors generated with different call
537  // credentials should fail.
538  EXPECT_NE(connector->cmp(other_connector.get()), 0);
539 }
540 
541 TEST_F(TlsSecurityConnectorTest,
542  CompareChannelSecurityConnectorFailsOnDifferentTargetNames) {
543  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
544  MakeRefCounted<grpc_tls_certificate_distributor>();
545  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
546  RefCountedPtr<grpc_tls_certificate_provider> provider =
547  MakeRefCounted<TlsTestCertificateProvider>(distributor);
548  auto options = MakeRefCounted<grpc_tls_credentials_options>();
549  options->set_certificate_provider(provider);
550  options->set_watch_root_cert(true);
551  options->set_root_cert_name(kRootCertName);
552  RefCountedPtr<TlsCredentials> credential =
553  MakeRefCounted<TlsCredentials>(options);
554  RefCountedPtr<grpc_channel_security_connector> connector =
555  credential->create_security_connector(nullptr, kTargetName, nullptr,
556  nullptr);
557  RefCountedPtr<grpc_channel_security_connector> other_connector =
558  credential->create_security_connector(nullptr, "", nullptr, nullptr);
559  // Comparing the equality of security connectors generated with different
560  // target names should fail.
561  EXPECT_NE(connector->cmp(other_connector.get()), 0);
562 }
563 
564 // Tests for ServerSecurityConnector.
565 TEST_F(TlsSecurityConnectorTest,
566  ChannelSecurityConnectorWithAsyncExternalVerifierSucceeds) {
567  auto* async_verifier = new AsyncExternalVerifier(true);
568  auto* core_external_verifier =
569  new ExternalCertificateVerifier(async_verifier->base());
570  auto options = MakeRefCounted<grpc_tls_credentials_options>();
571  options->set_verify_server_cert(true);
572  options->set_certificate_verifier(core_external_verifier->Ref());
573  options->set_check_call_host(false);
574  RefCountedPtr<TlsCredentials> credential =
575  MakeRefCounted<TlsCredentials>(options);
576  grpc_channel_args* new_args = nullptr;
577  RefCountedPtr<grpc_channel_security_connector> connector =
578  credential->create_security_connector(nullptr, kTargetName, nullptr,
579  &new_args);
580  EXPECT_NE(connector, nullptr);
581  TlsChannelSecurityConnector* tls_connector =
582  static_cast<TlsChannelSecurityConnector*>(connector.get());
583  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
584  // Construct a basic TSI Peer.
585  tsi_peer peer;
586  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
587  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
588  "grpc", strlen("grpc"),
589  &peer.properties[0]) == TSI_OK);
590  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
591  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
592  &peer.properties[1]) == TSI_OK);
593  RefCountedPtr<grpc_auth_context> auth_context;
594  ExecCtx exec_ctx;
595  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
596  VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
597  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
598  grpc_channel_args_destroy(new_args);
599  core_external_verifier->Unref();
600 }
601 
602 TEST_F(TlsSecurityConnectorTest,
603  ChannelSecurityConnectorWithAsyncExternalVerifierFails) {
604  auto* async_verifier = new AsyncExternalVerifier(false);
605  auto* core_external_verifier =
606  new ExternalCertificateVerifier(async_verifier->base());
607  auto options = MakeRefCounted<grpc_tls_credentials_options>();
608  options->set_verify_server_cert(true);
609  options->set_certificate_verifier(core_external_verifier->Ref());
610  options->set_check_call_host(false);
611  RefCountedPtr<TlsCredentials> credential =
612  MakeRefCounted<TlsCredentials>(options);
613  grpc_channel_args* new_args = nullptr;
614  RefCountedPtr<grpc_channel_security_connector> connector =
615  credential->create_security_connector(nullptr, kTargetName, nullptr,
616  &new_args);
617  EXPECT_NE(connector, nullptr);
618  TlsChannelSecurityConnector* tls_connector =
619  static_cast<TlsChannelSecurityConnector*>(connector.get());
620  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
621  // Construct a basic TSI Peer.
622  tsi_peer peer;
623  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
624  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
625  "grpc", strlen("grpc"),
626  &peer.properties[0]) == TSI_OK);
627  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
628  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
629  &peer.properties[1]) == TSI_OK);
630  RefCountedPtr<grpc_auth_context> auth_context;
631  const char* expected_error_msg =
632  "Custom verification check failed with error: UNAUTHENTICATED: "
633  "AsyncExternalVerifier failed";
634  ExecCtx exec_ctx;
635  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
636  VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
637  grpc_schedule_on_exec_ctx);
638  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
639  grpc_channel_args_destroy(new_args);
640  core_external_verifier->Unref();
641 }
642 
643 TEST_F(TlsSecurityConnectorTest,
644  ChannelSecurityConnectorHostnameVerifierSucceeds) {
645  RefCountedPtr<grpc_tls_credentials_options> options =
646  MakeRefCounted<grpc_tls_credentials_options>();
647  options->set_verify_server_cert(true);
648  options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
649  options->set_check_call_host(false);
650  RefCountedPtr<TlsCredentials> credential =
651  MakeRefCounted<TlsCredentials>(options);
652  grpc_channel_args* new_args = nullptr;
653  RefCountedPtr<grpc_channel_security_connector> connector =
654  credential->create_security_connector(nullptr, kTargetName, nullptr,
655  &new_args);
656  EXPECT_NE(connector, nullptr);
657  TlsChannelSecurityConnector* tls_connector =
658  static_cast<TlsChannelSecurityConnector*>(connector.get());
659  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
660  // Construct a full TSI Peer.
661  tsi_peer peer;
662  GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
663  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
664  "grpc", strlen("grpc"),
665  &peer.properties[0]) == TSI_OK);
666  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
667  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
668  &peer.properties[1]) == TSI_OK);
669  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
670  TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
671  TSI_OK);
672  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
673  TSI_SECURITY_LEVEL_PEER_PROPERTY,
674  tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
675  &peer.properties[3]) == TSI_OK);
676  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
677  TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
678  &peer.properties[4]) == TSI_OK);
679  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
680  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.bar.com",
681  &peer.properties[5]) == TSI_OK);
682  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
683  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
684  &peer.properties[6]) == TSI_OK);
685  RefCountedPtr<grpc_auth_context> auth_context;
686  ExecCtx exec_ctx;
687  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
688  VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
689  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
690  grpc_channel_args_destroy(new_args);
691 }
692 
693 TEST_F(TlsSecurityConnectorTest,
694  ChannelSecurityConnectorHostnameVerifierFails) {
695  RefCountedPtr<grpc_tls_credentials_options> options =
696  MakeRefCounted<grpc_tls_credentials_options>();
697  options->set_verify_server_cert(true);
698  options->set_certificate_verifier(hostname_certificate_verifier_.Ref());
699  RefCountedPtr<TlsCredentials> credential =
700  MakeRefCounted<TlsCredentials>(options);
701  grpc_channel_args* new_args = nullptr;
702  RefCountedPtr<grpc_channel_security_connector> connector =
703  credential->create_security_connector(nullptr, kTargetName, nullptr,
704  &new_args);
705  EXPECT_NE(connector, nullptr);
706  TlsChannelSecurityConnector* tls_connector =
707  static_cast<TlsChannelSecurityConnector*>(connector.get());
708  EXPECT_NE(tls_connector->ClientHandshakerFactoryForTesting(), nullptr);
709  // Construct a full TSI Peer.
710  tsi_peer peer;
711  GPR_ASSERT(tsi_construct_peer(7, &peer) == TSI_OK);
712  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
713  "grpc", strlen("grpc"),
714  &peer.properties[0]) == TSI_OK);
715  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
716  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.com",
717  &peer.properties[1]) == TSI_OK);
718  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
719  TSI_X509_PEM_CERT_PROPERTY, "pem_cert", &peer.properties[2]) ==
720  TSI_OK);
721  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
722  TSI_SECURITY_LEVEL_PEER_PROPERTY,
723  tsi_security_level_to_string(TSI_PRIVACY_AND_INTEGRITY),
724  &peer.properties[3]) == TSI_OK);
725  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
726  TSI_X509_PEM_CERT_CHAIN_PROPERTY, "pem_cert_chain",
727  &peer.properties[4]) == TSI_OK);
728  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
729  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "*.com",
730  &peer.properties[5]) == TSI_OK);
731  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
732  TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, "foo.baz.com",
733  &peer.properties[6]) == TSI_OK);
734  RefCountedPtr<grpc_auth_context> auth_context;
735  const char* expected_error_msg =
736  "Custom verification check failed with error: UNAUTHENTICATED: Hostname "
737  "Verification "
738  "Check failed.";
739  ExecCtx exec_ctx;
740  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
741  VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
742  grpc_schedule_on_exec_ctx);
743  tls_connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
744  grpc_channel_args_destroy(new_args);
745 }
746 
747 //
748 // Tests for Certificate Providers in ServerSecurityConnector.
749 //
750 
751 TEST_F(TlsSecurityConnectorTest,
752  RootAndIdentityCertsObtainedWhenCreateServerSecurityConnector) {
753  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
754  MakeRefCounted<grpc_tls_certificate_distributor>();
755  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
756  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
757  identity_pairs_0_);
758  RefCountedPtr<grpc_tls_certificate_provider> provider =
759  MakeRefCounted<TlsTestCertificateProvider>(distributor);
760  RefCountedPtr<grpc_tls_credentials_options> options =
761  MakeRefCounted<grpc_tls_credentials_options>();
762  options->set_certificate_provider(provider);
763  options->set_watch_root_cert(true);
764  options->set_watch_identity_pair(true);
765  options->set_root_cert_name(kRootCertName);
766  options->set_identity_cert_name(kIdentityCertName);
767  RefCountedPtr<TlsServerCredentials> credential =
768  MakeRefCounted<TlsServerCredentials>(options);
769  RefCountedPtr<grpc_server_security_connector> connector =
770  credential->create_security_connector(nullptr);
771  EXPECT_NE(connector, nullptr);
772  TlsServerSecurityConnector* tls_connector =
773  static_cast<TlsServerSecurityConnector*>(connector.get());
774  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
775  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
776  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
777  distributor->SetKeyMaterials(kRootCertName, root_cert_1_, absl::nullopt);
778  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
779  identity_pairs_1_);
780  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
781  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_1_);
782  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_1_);
783 }
784 
785 // Note that on server side, we don't have tests watching root certs only,
786 // because in TLS, the identity certs should always be presented. If we don't
787 // provide, it will try to load certs from some default system locations, and
788 // will hence fail on some systems.
789 TEST_F(TlsSecurityConnectorTest,
790  IdentityCertsObtainedWhenCreateServerSecurityConnector) {
791  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
792  MakeRefCounted<grpc_tls_certificate_distributor>();
793  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
794  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
795  identity_pairs_0_);
796  RefCountedPtr<grpc_tls_certificate_provider> provider =
797  MakeRefCounted<TlsTestCertificateProvider>(distributor);
798  // Create options only watching for identity certificates.
799  RefCountedPtr<grpc_tls_credentials_options> identity_options =
800  MakeRefCounted<grpc_tls_credentials_options>();
801  identity_options->set_certificate_provider(provider);
802  identity_options->set_watch_identity_pair(true);
803  identity_options->set_identity_cert_name(kIdentityCertName);
804  RefCountedPtr<TlsServerCredentials> identity_credential =
805  MakeRefCounted<TlsServerCredentials>(identity_options);
806  RefCountedPtr<grpc_server_security_connector> identity_connector =
807  identity_credential->create_security_connector(nullptr);
808  EXPECT_NE(identity_connector, nullptr);
809  TlsServerSecurityConnector* tls_identity_connector =
810  static_cast<TlsServerSecurityConnector*>(identity_connector.get());
811  EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
812  nullptr);
813  EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
814  identity_pairs_0_);
815  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
816  identity_pairs_1_);
817  EXPECT_NE(tls_identity_connector->ServerHandshakerFactoryForTesting(),
818  nullptr);
819  EXPECT_EQ(tls_identity_connector->KeyCertPairListForTesting(),
820  identity_pairs_1_);
821 }
822 
823 TEST_F(TlsSecurityConnectorTest,
824  CertPartiallyObtainedWhenCreateServerSecurityConnector) {
825  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
826  MakeRefCounted<grpc_tls_certificate_distributor>();
827  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
828  identity_pairs_0_);
829  RefCountedPtr<grpc_tls_certificate_provider> provider =
830  MakeRefCounted<TlsTestCertificateProvider>(distributor);
831  // Registered the options watching both certs, but only root certs are
832  // available at distributor right now.
833  RefCountedPtr<grpc_tls_credentials_options> options =
834  MakeRefCounted<grpc_tls_credentials_options>();
835  options->set_certificate_provider(provider);
836  options->set_watch_root_cert(true);
837  options->set_watch_identity_pair(true);
838  options->set_root_cert_name(kRootCertName);
839  options->set_identity_cert_name(kIdentityCertName);
840  RefCountedPtr<TlsServerCredentials> credential =
841  MakeRefCounted<TlsServerCredentials>(options);
842  RefCountedPtr<grpc_server_security_connector> connector =
843  credential->create_security_connector(nullptr);
844  EXPECT_NE(connector, nullptr);
845  TlsServerSecurityConnector* tls_connector =
846  static_cast<TlsServerSecurityConnector*>(connector.get());
847  // The server_handshaker_factory_ shouldn't be updated.
848  EXPECT_EQ(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
849  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
850  // After updating the root certs, the server_handshaker_factory_ should be
851  // updated.
852  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
853  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
854  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
855  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
856 }
857 
858 TEST_F(TlsSecurityConnectorTest,
859  DistributorHasErrorForServerSecurityConnector) {
860  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
861  MakeRefCounted<grpc_tls_certificate_distributor>();
862  distributor->SetKeyMaterials(kRootCertName, root_cert_0_, absl::nullopt);
863  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
864  identity_pairs_0_);
865  RefCountedPtr<grpc_tls_certificate_provider> provider =
866  MakeRefCounted<TlsTestCertificateProvider>(distributor);
867  RefCountedPtr<grpc_tls_credentials_options> options =
868  MakeRefCounted<grpc_tls_credentials_options>();
869  options->set_certificate_provider(provider);
870  options->set_watch_root_cert(true);
871  options->set_watch_identity_pair(true);
872  options->set_root_cert_name(kRootCertName);
873  options->set_identity_cert_name(kIdentityCertName);
874  RefCountedPtr<TlsServerCredentials> credential =
875  MakeRefCounted<TlsServerCredentials>(options);
876  RefCountedPtr<grpc_server_security_connector> connector =
877  credential->create_security_connector(nullptr);
878  EXPECT_NE(connector, nullptr);
879  TlsServerSecurityConnector* tls_connector =
880  static_cast<TlsServerSecurityConnector*>(connector.get());
881  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
882  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
883  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
884  // Calling SetErrorForCert on distributor shouldn't invalidate the previous
885  // valid credentials.
886  distributor->SetErrorForCert(
887  kRootCertName, GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage),
888  absl::nullopt);
889  distributor->SetErrorForCert(
890  kIdentityCertName, absl::nullopt,
891  GRPC_ERROR_CREATE_FROM_STATIC_STRING(kErrorMessage));
892  EXPECT_NE(tls_connector->ServerHandshakerFactoryForTesting(), nullptr);
893  EXPECT_EQ(tls_connector->RootCertsForTesting(), root_cert_0_);
894  EXPECT_EQ(tls_connector->KeyCertPairListForTesting(), identity_pairs_0_);
895 }
896 
897 TEST_F(TlsSecurityConnectorTest,
898  CreateServerSecurityConnectorFailNoCredentials) {
899  auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
900  nullptr, MakeRefCounted<grpc_tls_credentials_options>());
901  EXPECT_EQ(connector, nullptr);
902 }
903 
904 TEST_F(TlsSecurityConnectorTest, CreateServerSecurityConnectorFailNoOptions) {
905  RefCountedPtr<grpc_tls_credentials_options> options =
906  MakeRefCounted<grpc_tls_credentials_options>();
907  RefCountedPtr<TlsServerCredentials> credential =
908  MakeRefCounted<TlsServerCredentials>(options);
909  auto connector = TlsServerSecurityConnector::CreateTlsServerSecurityConnector(
910  credential, nullptr);
911  EXPECT_EQ(connector, nullptr);
912 }
913 
914 TEST_F(TlsSecurityConnectorTest,
915  CompareServerSecurityConnectorSucceedsOnSameCredentials) {
916  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
917  MakeRefCounted<grpc_tls_certificate_distributor>();
918  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
919  identity_pairs_0_);
920  RefCountedPtr<grpc_tls_certificate_provider> provider =
921  MakeRefCounted<TlsTestCertificateProvider>(distributor);
922  auto options = MakeRefCounted<grpc_tls_credentials_options>();
923  options->set_certificate_provider(provider);
924  options->set_watch_identity_pair(true);
925  options->set_identity_cert_name(kIdentityCertName);
926  RefCountedPtr<TlsServerCredentials> credential =
927  MakeRefCounted<TlsServerCredentials>(options);
928  RefCountedPtr<grpc_server_security_connector> connector =
929  credential->create_security_connector(nullptr);
930  RefCountedPtr<grpc_server_security_connector> other_connector =
931  credential->create_security_connector(nullptr);
932  // Comparing the equality of security connectors generated from the same
933  // server credentials with same settings should succeed.
934  EXPECT_EQ(connector->cmp(other_connector.get()), 0);
935 }
936 
937 TEST_F(TlsSecurityConnectorTest,
938  CompareServerSecurityConnectorFailsOnDifferentServerCredentials) {
939  RefCountedPtr<grpc_tls_certificate_distributor> distributor =
940  MakeRefCounted<grpc_tls_certificate_distributor>();
941  distributor->SetKeyMaterials(kIdentityCertName, absl::nullopt,
942  identity_pairs_0_);
943  RefCountedPtr<grpc_tls_certificate_provider> provider =
944  MakeRefCounted<TlsTestCertificateProvider>(distributor);
945  auto options = MakeRefCounted<grpc_tls_credentials_options>();
946  options->set_certificate_provider(provider);
947  options->set_watch_identity_pair(true);
948  options->set_identity_cert_name(kIdentityCertName);
949  RefCountedPtr<TlsServerCredentials> credential =
950  MakeRefCounted<TlsServerCredentials>(options);
951  RefCountedPtr<grpc_server_security_connector> connector =
952  credential->create_security_connector(nullptr);
953  RefCountedPtr<TlsServerCredentials> other_credential =
954  MakeRefCounted<TlsServerCredentials>(options);
955  RefCountedPtr<grpc_server_security_connector> other_connector =
956  other_credential->create_security_connector(nullptr);
957  // Comparing the equality of security connectors generated from different
958  // server credentials should fail.
959  EXPECT_NE(connector->cmp(other_connector.get()), 0);
960 }
961 
962 //
963 // Tests for Certificate Verifier in ServerSecurityConnector.
964 //
965 
966 TEST_F(TlsSecurityConnectorTest,
967  ServerSecurityConnectorWithSyncExternalVerifierSucceeds) {
968  auto* sync_verifier = new SyncExternalVerifier(true);
969  ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
970  RefCountedPtr<grpc_tls_credentials_options> options =
971  MakeRefCounted<grpc_tls_credentials_options>();
972  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
973  options->set_certificate_verifier(core_external_verifier.Ref());
974  auto provider =
975  MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
976  options->set_certificate_provider(std::move(provider));
977  options->set_watch_identity_pair(true);
978  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
979  auto connector = credentials->create_security_connector(nullptr);
980  // Construct a basic TSI Peer.
981  tsi_peer peer;
982  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
983  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
984  "grpc", strlen("grpc"),
985  &peer.properties[0]) == TSI_OK);
986  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
987  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
988  &peer.properties[1]) == TSI_OK);
989  RefCountedPtr<grpc_auth_context> auth_context;
990  ExecCtx exec_ctx;
991  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
992  VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
993  connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
994 }
995 
996 TEST_F(TlsSecurityConnectorTest,
997  ServerSecurityConnectorWithSyncExternalVerifierFails) {
998  auto* sync_verifier = new SyncExternalVerifier(false);
999  ExternalCertificateVerifier core_external_verifier(sync_verifier->base());
1000  RefCountedPtr<grpc_tls_credentials_options> options =
1001  MakeRefCounted<grpc_tls_credentials_options>();
1002  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1003  options->set_certificate_verifier(core_external_verifier.Ref());
1004  auto provider =
1005  MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1006  options->set_certificate_provider(std::move(provider));
1007  options->set_watch_identity_pair(true);
1008  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1009  auto connector = credentials->create_security_connector(nullptr);
1010  // Construct a basic TSI Peer.
1011  tsi_peer peer;
1012  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1013  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1014  "grpc", strlen("grpc"),
1015  &peer.properties[0]) == TSI_OK);
1016  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1017  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1018  &peer.properties[1]) == TSI_OK);
1019  RefCountedPtr<grpc_auth_context> auth_context;
1020  const char* expected_error_msg =
1021  "Custom verification check failed with error: UNAUTHENTICATED: "
1022  "SyncExternalVerifier failed";
1023  ExecCtx exec_ctx;
1024  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1025  VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1026  grpc_schedule_on_exec_ctx);
1027  connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
1028 }
1029 
1030 TEST_F(TlsSecurityConnectorTest,
1031  ServerSecurityConnectorWithAsyncExternalVerifierSucceeds) {
1032  auto* async_verifier = new AsyncExternalVerifier(true);
1033  auto* core_external_verifier =
1034  new ExternalCertificateVerifier(async_verifier->base());
1035  auto options = MakeRefCounted<grpc_tls_credentials_options>();
1036  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1037  options->set_certificate_verifier(core_external_verifier->Ref());
1038  auto provider =
1039  MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1040  options->set_certificate_provider(std::move(provider));
1041  options->set_watch_identity_pair(true);
1042  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1043  auto connector = credentials->create_security_connector(nullptr);
1044  // Construct a basic TSI Peer.
1045  tsi_peer peer;
1046  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1047  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1048  "grpc", strlen("grpc"),
1049  &peer.properties[0]) == TSI_OK);
1050  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1051  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1052  &peer.properties[1]) == TSI_OK);
1053  RefCountedPtr<grpc_auth_context> auth_context;
1054  ExecCtx exec_ctx;
1055  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1056  VerifyExpectedErrorCallback, nullptr, grpc_schedule_on_exec_ctx);
1057  connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
1058  core_external_verifier->Unref();
1059 }
1060 
1061 TEST_F(TlsSecurityConnectorTest,
1062  ServerSecurityConnectorWithAsyncExternalVerifierFails) {
1063  auto* async_verifier = new AsyncExternalVerifier(false);
1064  auto* core_external_verifier =
1065  new ExternalCertificateVerifier(async_verifier->base());
1066  RefCountedPtr<grpc_tls_credentials_options> options =
1067  MakeRefCounted<grpc_tls_credentials_options>();
1068  options->set_cert_request_type(GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE);
1069  options->set_certificate_verifier(core_external_verifier->Ref());
1070  auto provider =
1071  MakeRefCounted<StaticDataCertificateProvider>("", PemKeyCertPairList());
1072  options->set_certificate_provider(std::move(provider));
1073  options->set_watch_identity_pair(true);
1074  auto credentials = MakeRefCounted<TlsServerCredentials>(options);
1075  auto connector = credentials->create_security_connector(nullptr);
1076  // Construct a basic TSI Peer.
1077  tsi_peer peer;
1078  GPR_ASSERT(tsi_construct_peer(2, &peer) == TSI_OK);
1079  GPR_ASSERT(tsi_construct_string_peer_property(TSI_SSL_ALPN_SELECTED_PROTOCOL,
1080  "grpc", strlen("grpc"),
1081  &peer.properties[0]) == TSI_OK);
1082  GPR_ASSERT(tsi_construct_string_peer_property_from_cstring(
1083  TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY, "foo.bar.com",
1084  &peer.properties[1]) == TSI_OK);
1085  RefCountedPtr<grpc_auth_context> auth_context;
1086  const char* expected_error_msg =
1087  "Custom verification check failed with error: UNAUTHENTICATED: "
1088  "AsyncExternalVerifier failed";
1089  ExecCtx exec_ctx;
1090  grpc_closure* on_peer_checked = GRPC_CLOSURE_CREATE(
1091  VerifyExpectedErrorCallback, const_cast<char*>(expected_error_msg),
1092  grpc_schedule_on_exec_ctx);
1093  connector->check_peer(peer, nullptr, &auth_context, on_peer_checked);
1094  core_external_verifier->Unref();
1095 }
1096 
1097 } // namespace testing
1098 } // namespace grpc_core
1099 
1100 int main(int argc, char** argv) {
1101  grpc::testing::TestEnvironment env(&argc, argv);
1102  GPR_GLOBAL_CONFIG_SET(grpc_default_ssl_roots_file_path, CA_CERT_PATH);
1103  ::testing::InitGoogleTest(&argc, argv);
1104  grpc_init();
1105  int ret = RUN_ALL_TESTS();
1106  grpc_shutdown();
1107  return ret;
1108 }
grpc_tls_credentials_options::set_root_cert_name
void set_root_cert_name(std::string root_cert_name)
Definition: grpc_tls_credentials_options.h:76
tsi_security_level_to_string
const char * tsi_security_level_to_string(tsi_security_level security_level)
Definition: transport_security.cc:70
grpc_slice_unref
GPRAPI void grpc_slice_unref(grpc_slice s)
Definition: slice_api.cc:32
testing
Definition: aws_request_signer_test.cc:25
grpc_core::testing::TlsTestCertificateProvider::distributor
RefCountedPtr< grpc_tls_certificate_distributor > distributor() const override
Definition: tls_security_connector_test.cc:123
grpc_core::UniqueTypeName::Factory::Create
UniqueTypeName Create()
Definition: unique_type_name.h:67
tls_credentials.h
GRPC_ERROR_NONE
#define GRPC_ERROR_NONE
Definition: error.h:234
grpc_core::testing::TlsSecurityConnectorTest::root_cert_0_
std::string root_cert_0_
Definition: tls_security_connector_test.cc:111
log.h
tsi_peer::properties
tsi_peer_property * properties
Definition: transport_security_interface.h:239
grpc_core::testing::SyncExternalVerifier
Definition: test/core/util/tls_utils.h:58
tls_utils.h
grpc_load_file
grpc_error_handle grpc_load_file(const char *filename, int add_null_terminator, grpc_slice *output)
Definition: load_file.cc:33
generate.env
env
Definition: generate.py:37
grpc_md_only_test_credentials_create
grpc_call_credentials * grpc_md_only_test_credentials_create(const char *md_key, const char *md_value)
Definition: fake_credentials.cc:118
load_file.h
grpc_core::TlsChannelSecurityConnector::CreateTlsChannelSecurityConnector
static RefCountedPtr< grpc_channel_security_connector > CreateTlsChannelSecurityConnector(RefCountedPtr< grpc_channel_credentials > channel_creds, RefCountedPtr< grpc_tls_credentials_options > options, RefCountedPtr< grpc_call_credentials > request_metadata_creds, const char *target_name, const char *overridden_target_name, tsi_ssl_session_cache *ssl_session_cache)
Definition: tls_security_connector.cc:231
TSI_SSL_ALPN_SELECTED_PROTOCOL
#define TSI_SSL_ALPN_SELECTED_PROTOCOL
Definition: ssl_transport_security.h:44
grpc_core::RefCountedPtr::get
T * get() const
Definition: ref_counted_ptr.h:146
grpc_core
Definition: call_metric_recorder.h:31
TSI_SECURITY_LEVEL_PEER_PROPERTY
#define TSI_SECURITY_LEVEL_PEER_PROPERTY
Definition: transport_security_interface.h:226
string.h
options
double_dict options[]
Definition: capstone_test.c:55
grpc_core::testing::TlsSecurityConnectorTest::identity_pairs_0_
PemKeyCertPairList identity_pairs_0_
Definition: tls_security_connector_test.cc:113
grpc_core::StringViewFromSlice
absl::string_view StringViewFromSlice(const grpc_slice &slice)
Definition: slice_internal.h:93
grpc_core::TlsChannelSecurityConnector
Definition: tls_security_connector.h:56
testing::internal::string
::std::string string
Definition: bloaty/third_party/protobuf/third_party/googletest/googletest/include/gtest/internal/gtest-port.h:881
error
grpc_error_handle error
Definition: retry_filter.cc:499
grpc_core::ExternalCertificateVerifier
Definition: grpc_tls_certificate_verifier.h:82
grpc_core::testing::kRootCertName
constexpr const char * kRootCertName
Definition: tls_security_connector_test.cc:52
grpc_core::testing::kIdentityCertName
constexpr const char * kIdentityCertName
Definition: tls_security_connector_test.cc:53
grpc_core::TlsServerSecurityConnector::KeyCertPairListForTesting
const absl::optional< PemKeyCertPairList > & KeyCertPairListForTesting()
Definition: tls_security_connector.h:213
grpc_call_credentials
Definition: src/core/lib/security/credentials/credentials.h:189
grpc_core::TlsServerSecurityConnector
Definition: tls_security_connector.h:177
GRPC_LOG_IF_ERROR
#define GRPC_LOG_IF_ERROR(what, error)
Definition: error.h:398
grpc_core::testing::TEST_F
TEST_F(ServiceConfigTest, ErrorCheck1)
Definition: service_config_test.cc:192
GRPC_CLOSURE_CREATE
#define GRPC_CLOSURE_CREATE(cb, cb_arg, scheduler)
Definition: closure.h:160
grpc_tls_credentials_options::set_certificate_provider
void set_certificate_provider(grpc_core::RefCountedPtr< grpc_tls_certificate_provider > certificate_provider)
Definition: grpc_tls_credentials_options.h:72
TlsServerCredentials::create_security_connector
grpc_core::RefCountedPtr< grpc_server_security_connector > create_security_connector(const grpc_channel_args *) override
Definition: tls_credentials.cc:133
GRPC_ERROR_STR_DESCRIPTION
@ GRPC_ERROR_STR_DESCRIPTION
top-level textual description of this error
Definition: error.h:106
grpc_channel_args
Definition: grpc_types.h:132
testing::Test
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:402
EXPECT_EQ
#define EXPECT_EQ(a, b)
Definition: iomgr/time_averaged_stats_test.cc:27
grpc_core::testing::TlsSecurityConnectorTest::TlsSecurityConnectorTest
TlsSecurityConnectorTest()
Definition: tls_security_connector_test.cc:59
grpc_tls_certificate_distributor::SetKeyMaterials
void SetKeyMaterials(const std::string &cert_name, absl::optional< std::string > pem_root_certs, absl::optional< grpc_core::PemKeyCertPairList > pem_key_cert_pairs)
Definition: grpc_tls_certificate_distributor.cc:27
grpc_core::TlsServerSecurityConnector::ServerHandshakerFactoryForTesting
tsi_ssl_server_handshaker_factory * ServerHandshakerFactoryForTesting()
Definition: tls_security_connector.h:203
TSI_OK
@ TSI_OK
Definition: transport_security_interface.h:32
string_util.h
SERVER_CERT_PATH_1
#define SERVER_CERT_PATH_1
Definition: tls_security_connector_test.cc:46
grpc_tls_certificate_provider.h
SERVER_KEY_PATH_0
#define SERVER_KEY_PATH_0
Definition: tls_security_connector_test.cc:45
grpc_core::RefCountedPtr< grpc_tls_certificate_distributor >
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
GPR_ASSERT
#define GPR_ASSERT(x)
Definition: include/grpc/impl/codegen/log.h:94
grpc_core::HostNameCertificateVerifier
Definition: grpc_tls_certificate_verifier.h:148
grpc_core::TlsServerSecurityConnector::CreateTlsServerSecurityConnector
static RefCountedPtr< grpc_server_security_connector > CreateTlsServerSecurityConnector(RefCountedPtr< grpc_server_credentials > server_creds, RefCountedPtr< grpc_tls_credentials_options > options)
Definition: tls_security_connector.cc:561
grpc_core::testing::TlsSecurityConnectorTest::GetErrorMsg
static std::string GetErrorMsg(grpc_error_handle error)
Definition: tls_security_connector_test.cc:103
EXPECT_NE
#define EXPECT_NE(val1, val2)
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2028
TSI_X509_PEM_CERT_PROPERTY
#define TSI_X509_PEM_CERT_PROPERTY
Definition: ssl_transport_security.h:42
grpc_core::TlsChannelSecurityConnector::RootCertsForTesting
absl::optional< absl::string_view > RootCertsForTesting()
Definition: tls_security_connector.h:98
grpc_core::testing::TlsSecurityConnectorTest::SetUp
void SetUp() override
Definition: tls_security_connector_test.cc:61
grpc_core::testing::TlsTestCertificateProvider::CompareImpl
int CompareImpl(const grpc_tls_certificate_provider *other) const override
Definition: tls_security_connector_test.cc:133
grpc_tls_credentials_options::set_watch_identity_pair
void set_watch_identity_pair(bool watch_identity_pair)
Definition: grpc_tls_credentials_options.h:78
call_creds
void call_creds(grpc_end2end_test_config config)
Definition: call_creds.cc:523
grpc_channel_args_destroy
void grpc_channel_args_destroy(grpc_channel_args *a)
Definition: channel_args.cc:360
arg
Definition: cmdline.cc:40
grpc_slice
Definition: include/grpc/impl/codegen/slice.h:65
grpc_core::testing::AsyncExternalVerifier
Definition: test/core/util/tls_utils.h:92
grpc_core::testing::TlsSecurityConnectorTest::identity_pairs_1_
PemKeyCertPairList identity_pairs_1_
Definition: tls_security_connector_test.cc:112
grpc_tls_certificate_distributor::SetErrorForCert
void SetErrorForCert(const std::string &cert_name, absl::optional< grpc_error_handle > root_cert_error, absl::optional< grpc_error_handle > identity_cert_error)
Definition: grpc_tls_certificate_distributor.cc:102
grpc_tls_credentials_options::set_watch_root_cert
void set_watch_root_cert(bool watch_root_cert)
Definition: grpc_tls_credentials_options.h:74
RUN_ALL_TESTS
int RUN_ALL_TESTS() GTEST_MUST_USE_RESULT_
Definition: bloaty/third_party/googletest/googletest/include/gtest/gtest.h:2471
TlsCredentials::create_security_connector
grpc_core::RefCountedPtr< grpc_channel_security_connector > create_security_connector(grpc_core::RefCountedPtr< grpc_call_credentials > call_creds, const char *target_name, const grpc_channel_args *args, grpc_channel_args **new_args) override
Definition: tls_credentials.cc:81
ssl_utils_config.h
grpc_core::testing::kTargetName
constexpr const char * kTargetName
Definition: tls_security_connector_test.cc:55
grpc_core::ExecCtx
Definition: exec_ctx.h:97
GPR_GLOBAL_CONFIG_SET
#define GPR_GLOBAL_CONFIG_SET(name, value)
Definition: global_config_generic.h:26
grpc_core::testing::TlsSecurityConnectorTest::hostname_certificate_verifier_
HostNameCertificateVerifier hostname_certificate_verifier_
Definition: tls_security_connector_test.cc:114
GRPC_ERROR_CREATE_FROM_STATIC_STRING
#define GRPC_ERROR_CREATE_FROM_STATIC_STRING(desc)
Definition: error.h:291
test_config.h
grpc_core::testing::TlsSecurityConnectorTest::VerifyExpectedErrorCallback
static void VerifyExpectedErrorCallback(void *arg, grpc_error_handle error)
Definition: tls_security_connector_test.cc:94
grpc_core::TlsServerSecurityConnector::RootCertsForTesting
const absl::optional< absl::string_view > & RootCertsForTesting()
Definition: tls_security_connector.h:208
tsi_peer
Definition: transport_security_interface.h:238
security_context.h
transport_security.h
testing::InitGoogleTest
GTEST_API_ void InitGoogleTest(int *argc, char **argv)
Definition: bloaty/third_party/googletest/googletest/src/gtest.cc:6106
grpc_core::testing::TlsTestCertificateProvider::~TlsTestCertificateProvider
~TlsTestCertificateProvider() override
Definition: tls_security_connector_test.cc:122
grpc_core::UniqueTypeName
Definition: unique_type_name.h:56
grpc_tls_credentials_options.h
CA_CERT_PATH
#define CA_CERT_PATH
Definition: tls_security_connector_test.cc:42
grpc_core::testing::TlsSecurityConnectorTest::root_cert_1_
std::string root_cert_1_
Definition: tls_security_connector_test.cc:110
grpc_core::testing::kErrorMessage
constexpr const char * kErrorMessage
Definition: grpc_tls_certificate_distributor_test.cc:51
SERVER_CERT_PATH_0
#define SERVER_CERT_PATH_0
Definition: tls_security_connector_test.cc:44
grpc_core::QsortCompare
int QsortCompare(const T &a, const T &b)
Definition: useful.h:95
exec_ctx
grpc_core::ExecCtx exec_ctx
Definition: end2end_binder_transport_test.cc:75
grpc_core::PemKeyCertPairList
std::vector< PemKeyCertPair > PemKeyCertPairList
Definition: ssl_utils.h:183
GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE
@ GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE
Definition: grpc_security_constants.h:84
grpc_core::testing::TlsTestCertificateProvider::type
UniqueTypeName type() const override
Definition: tls_security_connector_test.cc:127
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
alloc.h
std
Definition: grpcpp/impl/codegen/async_unary_call.h:407
SERVER_KEY_PATH_1
#define SERVER_KEY_PATH_1
Definition: tls_security_connector_test.cc:47
grpc::testing::TestEnvironment
Definition: test/core/util/test_config.h:54
grpc_core::TlsChannelSecurityConnector::ClientHandshakerFactoryForTesting
tsi_ssl_client_handshaker_factory * ClientHandshakerFactoryForTesting()
Definition: tls_security_connector.h:93
arg
struct arg arg
TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY
#define TSI_X509_SUBJECT_COMMON_NAME_PEER_PROPERTY
Definition: ssl_transport_security.h:38
unique_type_name.h
grpc_tls_credentials_options::set_identity_cert_name
void set_identity_cert_name(std::string identity_cert_name)
Definition: grpc_tls_credentials_options.h:80
grpc_core::testing::TlsTestCertificateProvider::distributor_
RefCountedPtr< grpc_tls_certificate_distributor > distributor_
Definition: tls_security_connector_test.cc:139
CLIENT_CERT_PATH
#define CLIENT_CERT_PATH
Definition: tls_security_connector_test.cc:43
grpc_core::testing::TlsTestCertificateProvider
Definition: tls_security_connector_test.cc:117
TSI_PRIVACY_AND_INTEGRITY
@ TSI_PRIVACY_AND_INTEGRITY
Definition: transport_security_interface.h:56
grpc_tls_certificate_provider
Definition: grpc_tls_certificate_provider.h:53
tls_security_connector.h
main
int main(int argc, char **argv)
Definition: tls_security_connector_test.cc:1100
grpc_error_get_str
bool grpc_error_get_str(grpc_error_handle err, grpc_error_strs which, std::string *s)
Returns false if the specified string is not set.
Definition: error.cc:659
grpc_core::testing::TlsSecurityConnectorTest
Definition: tls_security_connector_test.cc:57
grpc_core::TlsChannelSecurityConnector::check_peer
void check_peer(tsi_peer peer, grpc_endpoint *ep, RefCountedPtr< grpc_auth_context > *auth_context, grpc_closure *on_peer_checked) override
Definition: tls_security_connector.cc:354
grpc_init
GRPCAPI void grpc_init(void)
Definition: init.cc:146
grpc_error
Definition: error_internal.h:42
grpc_security_connector::cmp
virtual int cmp(const grpc_security_connector *other) const =0
TSI_X509_PEM_CERT_CHAIN_PROPERTY
#define TSI_X509_PEM_CERT_CHAIN_PROPERTY
Definition: ssl_transport_security.h:43
grpc_closure
Definition: closure.h:56
grpc_core::UniqueTypeName::Factory
Definition: unique_type_name.h:60
TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY
#define TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY
Definition: ssl_transport_security.h:39
grpc_shutdown
GRPCAPI void grpc_shutdown(void)
Definition: init.cc:209
tsi_construct_string_peer_property
tsi_result tsi_construct_string_peer_property(const char *name, const char *value, size_t value_length, tsi_peer_property *property)
Definition: transport_security.cc:346
grpc_core::RefCounted::Ref
RefCountedPtr< Child > Ref() GRPC_MUST_USE_RESULT
Definition: ref_counted.h:287
tsi_construct_string_peer_property_from_cstring
tsi_result tsi_construct_string_peer_property_from_cstring(const char *name, const char *value, tsi_peer_property *property)
Definition: transport_security.cc:340
tsi_construct_peer
tsi_result tsi_construct_peer(size_t property_count, tsi_peer *peer)
Definition: transport_security.cc:359
grpc_core::TlsChannelSecurityConnector::KeyCertPairListForTesting
absl::optional< PemKeyCertPairList > KeyCertPairListForTesting()
Definition: tls_security_connector.h:103
grpc_core::testing::TlsTestCertificateProvider::TlsTestCertificateProvider
TlsTestCertificateProvider(RefCountedPtr< grpc_tls_certificate_distributor > distributor)
Definition: tls_security_connector_test.cc:119

grpc
Author(s):
autogenerated on Fri May 16 2025 03:00:39