3 * Copyright 2015 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/http/httpcli.h"
25 #include <grpc/support/alloc.h>
26 #include <grpc/support/log.h>
27 #include <grpc/support/string_util.h>
29 #include "src/core/lib/channel/channel_args.h"
30 #include "src/core/lib/channel/handshaker_registry.h"
31 #include "src/core/lib/gpr/string.h"
32 #include "src/core/lib/gprpp/ref_counted_ptr.h"
33 #include "src/core/lib/gprpp/string_view.h"
34 #include "src/core/lib/iomgr/pollset.h"
35 #include "src/core/lib/security/credentials/credentials.h"
36 #include "src/core/lib/security/security_connector/ssl_utils.h"
37 #include "src/core/lib/security/transport/security_handshaker.h"
38 #include "src/core/lib/slice/slice_internal.h"
39 #include "src/core/tsi/ssl_transport_security.h"
41 class grpc_httpcli_ssl_channel_security_connector final
42 : public grpc_channel_security_connector {
44 explicit grpc_httpcli_ssl_channel_security_connector(char* secure_peer_name)
45 : grpc_channel_security_connector(
46 /*url_scheme=*/nullptr,
47 /*channel_creds=*/nullptr,
48 /*request_metadata_creds=*/nullptr),
49 secure_peer_name_(secure_peer_name) {}
51 ~grpc_httpcli_ssl_channel_security_connector() override {
52 if (handshaker_factory_ != nullptr) {
53 tsi_ssl_client_handshaker_factory_unref(handshaker_factory_);
55 if (secure_peer_name_ != nullptr) {
56 gpr_free(secure_peer_name_);
60 tsi_result InitHandshakerFactory(const char* pem_root_certs,
61 const tsi_ssl_root_certs_store* root_store) {
62 tsi_ssl_client_handshaker_options options;
63 options.pem_root_certs = pem_root_certs;
64 options.root_store = root_store;
65 return tsi_create_ssl_client_handshaker_factory_with_options(
66 &options, &handshaker_factory_);
69 void add_handshakers(grpc_pollset_set* interested_parties,
70 grpc_core::HandshakeManager* handshake_mgr) override {
71 tsi_handshaker* handshaker = nullptr;
72 if (handshaker_factory_ != nullptr) {
73 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
74 handshaker_factory_, secure_peer_name_, &handshaker);
75 if (result != TSI_OK) {
76 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
77 tsi_result_to_string(result));
80 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(handshaker, this));
83 tsi_ssl_client_handshaker_factory* handshaker_factory() const {
84 return handshaker_factory_;
87 void check_peer(tsi_peer peer, grpc_endpoint* ep,
88 grpc_core::RefCountedPtr<grpc_auth_context>* /*auth_context*/,
89 grpc_closure* on_peer_checked) override {
90 grpc_error* error = GRPC_ERROR_NONE;
92 /* Check the peer name. */
93 if (secure_peer_name_ != nullptr &&
94 !tsi_ssl_peer_matches_name(&peer, secure_peer_name_)) {
96 gpr_asprintf(&msg, "Peer name %s is not in peer certificate",
98 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
101 GRPC_CLOSURE_SCHED(on_peer_checked, error);
102 tsi_peer_destruct(&peer);
105 int cmp(const grpc_security_connector* other_sc) const override {
107 reinterpret_cast<const grpc_httpcli_ssl_channel_security_connector*>(
109 return strcmp(secure_peer_name_, other->secure_peer_name_);
112 bool check_call_host(grpc_core::StringView host,
113 grpc_auth_context* auth_context,
114 grpc_closure* on_call_host_checked,
115 grpc_error** error) override {
116 *error = GRPC_ERROR_NONE;
120 void cancel_check_call_host(grpc_closure* on_call_host_checked,
121 grpc_error* error) override {
122 GRPC_ERROR_UNREF(error);
125 const char* secure_peer_name() const { return secure_peer_name_; }
128 tsi_ssl_client_handshaker_factory* handshaker_factory_ = nullptr;
129 char* secure_peer_name_;
132 static grpc_core::RefCountedPtr<grpc_channel_security_connector>
133 httpcli_ssl_channel_security_connector_create(
134 const char* pem_root_certs, const tsi_ssl_root_certs_store* root_store,
135 const char* secure_peer_name) {
136 if (secure_peer_name != nullptr && pem_root_certs == nullptr) {
138 "Cannot assert a secure peer name without a trust root.");
141 grpc_core::RefCountedPtr<grpc_httpcli_ssl_channel_security_connector> c =
142 grpc_core::MakeRefCounted<grpc_httpcli_ssl_channel_security_connector>(
143 secure_peer_name == nullptr ? nullptr : gpr_strdup(secure_peer_name));
144 tsi_result result = c->InitHandshakerFactory(pem_root_certs, root_store);
145 if (result != TSI_OK) {
146 gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
147 tsi_result_to_string(result));
156 void (*func)(void* arg, grpc_endpoint* endpoint);
158 grpc_core::RefCountedPtr<grpc_core::HandshakeManager> handshake_mgr;
161 static void on_handshake_done(void* arg, grpc_error* error) {
162 auto* args = static_cast<grpc_core::HandshakerArgs*>(arg);
163 on_done_closure* c = static_cast<on_done_closure*>(args->user_data);
164 if (error != GRPC_ERROR_NONE) {
165 const char* msg = grpc_error_string(error);
166 gpr_log(GPR_ERROR, "Secure transport setup failed: %s", msg);
168 c->func(c->arg, nullptr);
170 grpc_channel_args_destroy(args->args);
171 grpc_slice_buffer_destroy_internal(args->read_buffer);
172 gpr_free(args->read_buffer);
173 c->func(c->arg, args->endpoint);
175 grpc_core::Delete<on_done_closure>(c);
178 static void ssl_handshake(void* arg, grpc_endpoint* tcp, const char* host,
179 grpc_millis deadline,
180 void (*on_done)(void* arg, grpc_endpoint* endpoint)) {
181 auto* c = grpc_core::New<on_done_closure>();
182 const char* pem_root_certs =
183 grpc_core::DefaultSslRootStore::GetPemRootCerts();
184 const tsi_ssl_root_certs_store* root_store =
185 grpc_core::DefaultSslRootStore::GetRootStore();
186 if (root_store == nullptr) {
187 gpr_log(GPR_ERROR, "Could not get default pem root certs.");
188 on_done(arg, nullptr);
194 grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
195 httpcli_ssl_channel_security_connector_create(pem_root_certs, root_store,
197 GPR_ASSERT(sc != nullptr);
198 grpc_arg channel_arg = grpc_security_connector_to_arg(sc.get());
199 grpc_channel_args args = {1, &channel_arg};
200 c->handshake_mgr = grpc_core::MakeRefCounted<grpc_core::HandshakeManager>();
201 grpc_core::HandshakerRegistry::AddHandshakers(
202 grpc_core::HANDSHAKER_CLIENT, &args, /*interested_parties=*/nullptr,
203 c->handshake_mgr.get());
204 c->handshake_mgr->DoHandshake(tcp, /*channel_args=*/nullptr, deadline,
205 /*acceptor=*/nullptr, on_handshake_done,
207 sc.reset(DEBUG_LOCATION, "httpcli");
210 const grpc_httpcli_handshaker grpc_httpcli_ssl = {"https", ssl_handshake};