Google Git
Sign in
bazel / bazel / c55ec0f2cb3f5b44e5025bf9d3c5dc91d94db287 / . / third_party / grpc / src / core / lib / security / credentials / ssl / ssl_credentials.cc
blob: 83db86f1eac87806137180890ec0c0ecd2419931 [file] [log] [blame]
/*
*
* Copyright 2016 gRPC authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include <grpc/support/port_platform.h>
#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
#include <string.h>
#include "src/core/lib/channel/channel_args.h"
#include "src/core/lib/surface/api_trace.h"
#include "src/core/tsi/ssl_transport_security.h"
#include <grpc/support/alloc.h>
#include <grpc/support/log.h>
#include <grpc/support/string_util.h>
//
// SSL Channel Credentials.
//
void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
size_t num_key_cert_pairs) {
if (kp == nullptr) return;
for (size_t i = 0; i < num_key_cert_pairs; i++) {
gpr_free((void*)kp[i].private_key);
gpr_free((void*)kp[i].cert_chain);
}
gpr_free(kp);
}
grpc_ssl_credentials::grpc_ssl_credentials(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
const verify_peer_options* verify_options)
: grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
build_config(pem_root_certs, pem_key_cert_pair, verify_options);
}
grpc_ssl_credentials::~grpc_ssl_credentials() {
gpr_free(config_.pem_root_certs);
grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pair, 1);
if (config_.verify_options.verify_peer_destruct != nullptr) {
config_.verify_options.verify_peer_destruct(
config_.verify_options.verify_peer_callback_userdata);
}
}
grpc_core::RefCountedPtr<grpc_channel_security_connector>
grpc_ssl_credentials::create_security_connector(
grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
const char* target, const grpc_channel_args* args,
grpc_channel_args** new_args) {
const char* overridden_target_name = nullptr;
tsi_ssl_session_cache* ssl_session_cache = nullptr;
for (size_t i = 0; args && i < args->num_args; i++) {
grpc_arg* arg = &args->args[i];
if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 &&
arg->type == GRPC_ARG_STRING) {
overridden_target_name = arg->value.string;
}
if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 &&
arg->type == GRPC_ARG_POINTER) {
ssl_session_cache =
static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
}
}
grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
grpc_ssl_channel_security_connector_create(
this->Ref(), std::move(call_creds), &config_, target,
overridden_target_name, ssl_session_cache);
if (sc == nullptr) {
return sc;
}
grpc_arg new_arg = grpc_channel_arg_string_create(
(char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
*new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
return sc;
}
void grpc_ssl_credentials::build_config(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
const verify_peer_options* verify_options) {
config_.pem_root_certs = gpr_strdup(pem_root_certs);
if (pem_key_cert_pair != nullptr) {
GPR_ASSERT(pem_key_cert_pair->private_key != nullptr);
GPR_ASSERT(pem_key_cert_pair->cert_chain != nullptr);
config_.pem_key_cert_pair = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair)));
config_.pem_key_cert_pair->cert_chain =
gpr_strdup(pem_key_cert_pair->cert_chain);
config_.pem_key_cert_pair->private_key =
gpr_strdup(pem_key_cert_pair->private_key);
} else {
config_.pem_key_cert_pair = nullptr;
}
if (verify_options != nullptr) {
memcpy(&config_.verify_options, verify_options,
sizeof(verify_peer_options));
} else {
// Otherwise set all options to default values
memset(&config_.verify_options, 0, sizeof(verify_peer_options));
}
}
grpc_channel_credentials* grpc_ssl_credentials_create(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
const verify_peer_options* verify_options, void* reserved) {
GRPC_API_TRACE(
"grpc_ssl_credentials_create(pem_root_certs=%s, "
"pem_key_cert_pair=%p, "
"verify_options=%p, "
"reserved=%p)",
4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved));
GPR_ASSERT(reserved == nullptr);
return grpc_core::New<grpc_ssl_credentials>(pem_root_certs, pem_key_cert_pair,
verify_options);
}
//
// SSL Server Credentials.
//
struct grpc_ssl_server_credentials_options {
grpc_ssl_client_certificate_request_type client_certificate_request;
grpc_ssl_server_certificate_config* certificate_config;
grpc_ssl_server_certificate_config_fetcher* certificate_config_fetcher;
};
grpc_ssl_server_credentials::grpc_ssl_server_credentials(
const grpc_ssl_server_credentials_options& options)
: grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
if (options.certificate_config_fetcher != nullptr) {
config_.client_certificate_request = options.client_certificate_request;
certificate_config_fetcher_ = *options.certificate_config_fetcher;
} else {
build_config(options.certificate_config->pem_root_certs,
options.certificate_config->pem_key_cert_pairs,
options.certificate_config->num_key_cert_pairs,
options.client_certificate_request);
}
}
grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pairs,
config_.num_key_cert_pairs);
gpr_free(config_.pem_root_certs);
}
grpc_core::RefCountedPtr<grpc_server_security_connector>
grpc_ssl_server_credentials::create_security_connector() {
return grpc_ssl_server_security_connector_create(this->Ref());
}
tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs) {
tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
if (num_key_cert_pairs > 0) {
GPR_ASSERT(pem_key_cert_pairs != nullptr);
tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
}
for (size_t i = 0; i < num_key_cert_pairs; i++) {
GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr);
GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr);
tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain);
tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key);
}
return tsi_pairs;
}
void grpc_ssl_server_credentials::build_config(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs,
grpc_ssl_client_certificate_request_type client_certificate_request) {
config_.client_certificate_request = client_certificate_request;
config_.pem_root_certs = gpr_strdup(pem_root_certs);
config_.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
pem_key_cert_pairs, num_key_cert_pairs);
config_.num_key_cert_pairs = num_key_cert_pairs;
}
grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
const char* pem_root_certs,
const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs) {
grpc_ssl_server_certificate_config* config =
static_cast<grpc_ssl_server_certificate_config*>(
gpr_zalloc(sizeof(grpc_ssl_server_certificate_config)));
config->pem_root_certs = gpr_strdup(pem_root_certs);
if (num_key_cert_pairs > 0) {
GPR_ASSERT(pem_key_cert_pairs != nullptr);
config->pem_key_cert_pairs = static_cast<grpc_ssl_pem_key_cert_pair*>(
gpr_zalloc(num_key_cert_pairs * sizeof(grpc_ssl_pem_key_cert_pair)));
}
config->num_key_cert_pairs = num_key_cert_pairs;
for (size_t i = 0; i < num_key_cert_pairs; i++) {
GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr);
GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr);
config->pem_key_cert_pairs[i].cert_chain =
gpr_strdup(pem_key_cert_pairs[i].cert_chain);
config->pem_key_cert_pairs[i].private_key =
gpr_strdup(pem_key_cert_pairs[i].private_key);
}
return config;
}
void grpc_ssl_server_certificate_config_destroy(
grpc_ssl_server_certificate_config* config) {
if (config == nullptr) return;
for (size_t i = 0; i < config->num_key_cert_pairs; i++) {
gpr_free((void*)config->pem_key_cert_pairs[i].private_key);
gpr_free((void*)config->pem_key_cert_pairs[i].cert_chain);
}
gpr_free(config->pem_key_cert_pairs);
gpr_free(config->pem_root_certs);
gpr_free(config);
}
grpc_ssl_server_credentials_options*
grpc_ssl_server_credentials_create_options_using_config(
grpc_ssl_client_certificate_request_type client_certificate_request,
grpc_ssl_server_certificate_config* config) {
grpc_ssl_server_credentials_options* options = nullptr;
if (config == nullptr) {
gpr_log(GPR_ERROR, "Certificate config must not be NULL.");
goto done;
}
options = static_cast<grpc_ssl_server_credentials_options*>(
gpr_zalloc(sizeof(grpc_ssl_server_credentials_options)));
options->client_certificate_request = client_certificate_request;
options->certificate_config = config;
done:
return options;
}
grpc_ssl_server_credentials_options*
grpc_ssl_server_credentials_create_options_using_config_fetcher(
grpc_ssl_client_certificate_request_type client_certificate_request,
grpc_ssl_server_certificate_config_callback cb, void* user_data) {
if (cb == nullptr) {
gpr_log(GPR_ERROR, "Invalid certificate config callback parameter.");
return nullptr;
}
grpc_ssl_server_certificate_config_fetcher* fetcher =
static_cast<grpc_ssl_server_certificate_config_fetcher*>(
gpr_zalloc(sizeof(grpc_ssl_server_certificate_config_fetcher)));
fetcher->cb = cb;
fetcher->user_data = user_data;
grpc_ssl_server_credentials_options* options =
static_cast<grpc_ssl_server_credentials_options*>(
gpr_zalloc(sizeof(grpc_ssl_server_credentials_options)));
options->client_certificate_request = client_certificate_request;
options->certificate_config_fetcher = fetcher;
return options;
}
grpc_server_credentials* grpc_ssl_server_credentials_create(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs, int force_client_auth, void* reserved) {
return grpc_ssl_server_credentials_create_ex(
pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs,
force_client_auth
? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
: GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
reserved);
}
grpc_server_credentials* grpc_ssl_server_credentials_create_ex(
const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
size_t num_key_cert_pairs,
grpc_ssl_client_certificate_request_type client_certificate_request,
void* reserved) {
GRPC_API_TRACE(
"grpc_ssl_server_credentials_create_ex("
"pem_root_certs=%s, pem_key_cert_pairs=%p, num_key_cert_pairs=%lu, "
"client_certificate_request=%d, reserved=%p)",
5,
(pem_root_certs, pem_key_cert_pairs, (unsigned long)num_key_cert_pairs,
client_certificate_request, reserved));
GPR_ASSERT(reserved == nullptr);
grpc_ssl_server_certificate_config* cert_config =
grpc_ssl_server_certificate_config_create(
pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs);
grpc_ssl_server_credentials_options* options =
grpc_ssl_server_credentials_create_options_using_config(
client_certificate_request, cert_config);
return grpc_ssl_server_credentials_create_with_options(options);
}
grpc_server_credentials* grpc_ssl_server_credentials_create_with_options(
grpc_ssl_server_credentials_options* options) {
grpc_server_credentials* retval = nullptr;
if (options == nullptr) {
gpr_log(GPR_ERROR,
"Invalid options trying to create SSL server credentials.");
goto done;
}
if (options->certificate_config == nullptr &&
options->certificate_config_fetcher == nullptr) {
gpr_log(GPR_ERROR,
"SSL server credentials options must specify either "
"certificate config or fetcher.");
goto done;
} else if (options->certificate_config_fetcher != nullptr &&
options->certificate_config_fetcher->cb == nullptr) {
gpr_log(GPR_ERROR, "Certificate config fetcher callback must not be NULL.");
goto done;
}
retval = grpc_core::New<grpc_ssl_server_credentials>(*options);
done:
grpc_ssl_server_credentials_options_destroy(options);
return retval;
}
void grpc_ssl_server_credentials_options_destroy(
grpc_ssl_server_credentials_options* o) {
if (o == nullptr) return;
gpr_free(o->certificate_config_fetcher);
grpc_ssl_server_certificate_config_destroy(o->certificate_config);
gpr_free(o);
}