3 * Copyright 2015 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #ifndef GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
20 #define GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H
22 #include <grpc/support/port_platform.h>
26 #include <grpc/grpc_security.h>
27 #include <grpc/slice_buffer.h>
29 #include "src/core/lib/gprpp/global_config.h"
30 #include "src/core/lib/gprpp/ref_counted_ptr.h"
31 #include "src/core/lib/gprpp/string_view.h"
32 #include "src/core/lib/iomgr/error.h"
33 #include "src/core/lib/security/security_connector/security_connector.h"
34 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
35 #include "src/core/tsi/ssl_transport_security.h"
36 #include "src/core/tsi/transport_security.h"
37 #include "src/core/tsi/transport_security_interface.h"
/* --- URL schemes. --- */
#define GRPC_SSL_URL_SCHEME "https"

/* Check ALPN information returned from SSL handshakes.
 * peer: the TSI peer produced by a completed SSL handshake.
 * Returns a grpc_error* describing why the negotiated ALPN protocol is not
 * acceptable (NOTE(review): presumably GRPC_ERROR_NONE when it is — confirm
 * in ssl_utils.cc). */
grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer);

/* Check peer name information returned from SSL handshakes.
 * peer_name: the name the caller expects the peer to present.
 * peer: the TSI peer produced by a completed SSL handshake.
 * Returns a grpc_error* when peer_name cannot be matched against the
 * identity in the peer's certificate. Which certificate fields and which
 * wildcard forms count as a match is decided in ssl_utils.cc (presumably
 * via grpc_ssl_host_matches_name, declared below) — confirm there before
 * relying on a particular matching rule. */
grpc_error* grpc_ssl_check_peer_name(grpc_core::StringView peer_name,
                                     const tsi_peer* peer);

/* Compare target_name information extracted from SSL security connectors.
 * Both the plain target name and the overridden target name of each
 * connector take part in the comparison.
 * NOTE(review): the int result presumably follows strcmp conventions
 * (0 == equal) — confirm against the definition. */
int grpc_ssl_cmp_target_name(
    grpc_core::StringView target_name, grpc_core::StringView other_target_name,
    grpc_core::StringView overridden_target_name,
    grpc_core::StringView other_overridden_target_name);
/* Check that the host that will be set for a call is acceptable. */
56 bool grpc_ssl_check_call_host(grpc_core::StringView host,
57 grpc_core::StringView target_name,
58 grpc_core::StringView overridden_target_name,
59 grpc_auth_context* auth_context,
60 grpc_closure* on_call_host_checked,
/* Return HTTP2-compliant cipher suites that gRPC accepts by default.
 * NOTE(review): returns a const char*; presumably a static/cached string the
 * caller must not free — confirm in ssl_utils.cc. */
const char* grpc_get_ssl_cipher_suites(void);

/* Map from grpc_ssl_client_certificate_request_type to
 * tsi_client_certificate_request_type.
 * grpc_request_type: the public-API enum chosen by the owner of the server
 * credentials; the TSI enum returned here is what the handshaker factory
 * acts on, so this mapping decides whether a client certificate is
 * requested and whether it must verify. */
tsi_client_certificate_request_type
grpc_get_tsi_client_certificate_request_type(
    grpc_ssl_client_certificate_request_type grpc_request_type);

/* Return an array of strings containing alpn protocols.
 * num_alpn_protocols: out-param receiving the number of entries.
 * NOTE(review): the "fill" name suggests the array is allocated here and
 * owned by the caller — confirm who frees it before relying on that. */
const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);

/* Initialize TSI SSL server/client handshaker factory.
 * Client variant:
 *   key_cert_pair: client identity (private key + cert chain) used for
 *     mutual TLS; NOTE(review): presumably may be nullptr when the client
 *     presents no certificate — confirm.
 *   pem_root_certs: PEM trust anchors used to verify the server.
 *   ssl_session_cache: cache used for session resumption (nullptr handling
 *     not visible here — confirm).
 *   handshaker_factory: out-param receiving the created factory.
 * Returns a grpc_security_status; NOTE(review): presumably GRPC_SECURITY_OK
 * on success — check that every caller treats any other value as a failure
 * and does not proceed with the handshake. */
grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
    tsi_ssl_session_cache* ssl_session_cache,
    tsi_ssl_client_handshaker_factory** handshaker_factory);

/* Server variant:
 *   key_cert_pairs / num_key_cert_pairs: the server identities; the array
 *     is num_key_cert_pairs entries long.
 *   pem_root_certs: PEM trust anchors, presumably used to verify client
 *     certificates when client_certificate_request asks for verification.
 *   client_certificate_request: whether client certificates are requested
 *     and/or required (see grpc_get_tsi_client_certificate_request_type
 *     above for the TSI mapping).
 *   handshaker_factory: out-param receiving the created factory.
 * Returns a grpc_security_status as for the client variant. */
grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
    tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
    const char* pem_root_certs,
    grpc_ssl_client_certificate_request_type client_certificate_request,
    tsi_ssl_server_handshaker_factory** handshaker_factory);
/* Exposed for testing only. */

/* Build a grpc_auth_context from a handshake peer. The result is
 * ref-counted, so the caller holds one reference in the returned
 * RefCountedPtr. */
grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
    const tsi_peer* peer);

/* Produce a tsi_peer from an auth context. NOTE(review): the "shallow" in
 * the name suggests the peer borrows the auth_context's property storage
 * rather than copying it; if so it must not outlive auth_context and must
 * be released with grpc_shallow_peer_destruct below, not tsi_peer_destruct
 * — confirm in ssl_utils.cc. */
tsi_peer grpc_shallow_peer_from_ssl_auth_context(
    const grpc_auth_context* auth_context);

/* Release a tsi_peer obtained from grpc_shallow_peer_from_ssl_auth_context. */
void grpc_shallow_peer_destruct(tsi_peer* peer);

/* Host-name matching against the identity in peer's certificate.
 * NOTE(review): returns int; presumably nonzero when peer_name matches and
 * presumably the matcher behind grpc_ssl_check_peer_name — confirm. */
int grpc_ssl_host_matches_name(const tsi_peer* peer,
                               grpc_core::StringView peer_name);
95 /* --- Default SSL Root Store. --- */
98 // The class implements default SSL root store.
99 class DefaultSslRootStore {
// Gets the default SSL root store. Returns nullptr if not found.
// NOTE(review): this is presumably the trust-anchor set used whenever a
// connector is created without explicit roots, so whatever decides its
// contents (see ComputePemRootCerts) is security-critical.
static const tsi_ssl_root_certs_store* GetRootStore();

// Gets the default PEM root certificate.
static const char* GetPemRootCerts();

// Returns the default PEM root certificates in a null-terminated grpc_slice.
// This function is protected instead of private, so that it can be tested.
// NOTE(review): this is where the root set is sourced; any external
// location it reads from (file path, override) must be one the process
// operator controls — confirm the lookup order in ssl_utils.cc.
static grpc_slice ComputePemRootCerts();

// Constructor declared so the class is not instantiated casually; every
// member is static (NOTE(review): presumably private and left undefined —
// confirm).
DefaultSslRootStore();

// Initialization of default SSL root store.
static void InitRootStore();

// One-time initialization of default SSL root store.
static void InitRootStoreOnce();

// SSL root store in tsi_ssl_root_certs_store object.
static tsi_ssl_root_certs_store* default_root_store_;

// Default PEM root certificates.
static grpc_slice default_pem_root_certs_;
129 class PemKeyCertPair {
131 // Construct from the C struct. We steal its members and then immediately
133 explicit PemKeyCertPair(grpc_ssl_pem_key_cert_pair* pair)
134 : private_key_(const_cast<char*>(pair->private_key)),
135 cert_chain_(const_cast<char*>(pair->cert_chain)) {
140 PemKeyCertPair(PemKeyCertPair&& other) {
141 private_key_ = std::move(other.private_key_);
142 cert_chain_ = std::move(other.cert_chain_);
144 PemKeyCertPair& operator=(PemKeyCertPair&& other) {
145 private_key_ = std::move(other.private_key_);
146 cert_chain_ = std::move(other.cert_chain_);
// Copyable: each copy owns its own gpr_strdup'd duplicate of the private key
// and certificate chain, so the two objects never share or double-free
// storage.
PemKeyCertPair(const PemKeyCertPair& other)
    : private_key_(gpr_strdup(other.private_key_.get())),
      cert_chain_(gpr_strdup(other.cert_chain_.get())) {}
154 PemKeyCertPair& operator=(const PemKeyCertPair& other) {
155 private_key_ = grpc_core::UniquePtr<char>(gpr_strdup(other.private_key()));
156 cert_chain_ = grpc_core::UniquePtr<char>(gpr_strdup(other.cert_chain()));
// Non-owning views of the stored PEM strings; the pointers stay valid only
// while this object is alive and has not been reassigned or moved-from.
// Note that they are mutable char* returned from const methods, so a caller
// could modify the key material in place — treat them as read-only.
char* private_key() const { return private_key_.get(); }
char* cert_chain() const { return cert_chain_.get(); }

// Owning storage for the PEM private key and certificate chain. Copies made
// via the copy constructor/assignment duplicate the private-key bytes on the
// heap (gpr_strdup). NOTE(review): presumably freed without zeroization on
// destruction — confirm the deleter if that matters for this deployment.
grpc_core::UniquePtr<char> private_key_;
grpc_core::UniquePtr<char> cert_chain_;
168 } // namespace grpc_core
170 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \