3 * Copyright 2018 gRPC authors.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
19 #include <grpc/support/port_platform.h>
21 #include "src/core/lib/security/security_connector/tls/spiffe_security_connector.h"
26 #include <grpc/grpc.h>
27 #include <grpc/support/alloc.h>
28 #include <grpc/support/log.h>
29 #include <grpc/support/string_util.h>
31 #include "src/core/lib/gprpp/host_port.h"
32 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
33 #include "src/core/lib/security/credentials/tls/spiffe_credentials.h"
34 #include "src/core/lib/security/security_connector/ssl_utils.h"
35 #include "src/core/lib/security/transport/security_handshaker.h"
36 #include "src/core/lib/slice/slice_internal.h"
37 #include "src/core/lib/transport/transport.h"
38 #include "src/core/tsi/ssl_transport_security.h"
39 #include "src/core/tsi/transport_security.h"
45 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
46 const grpc_tls_key_materials_config::PemKeyCertPairList& cert_pair_list) {
47 tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
48 size_t num_key_cert_pairs = cert_pair_list.size();
49 if (num_key_cert_pairs > 0) {
50 GPR_ASSERT(cert_pair_list.data() != nullptr);
51 tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
52 gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
54 for (size_t i = 0; i < num_key_cert_pairs; i++) {
55 GPR_ASSERT(cert_pair_list[i].private_key() != nullptr);
56 GPR_ASSERT(cert_pair_list[i].cert_chain() != nullptr);
57 tsi_pairs[i].cert_chain = gpr_strdup(cert_pair_list[i].cert_chain());
58 tsi_pairs[i].private_key = gpr_strdup(cert_pair_list[i].private_key());
65 /** -- Util function to fetch SPIFFE server/channel credentials. -- */
66 grpc_status_code TlsFetchKeyMaterials(
67 const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
69 const grpc_tls_credentials_options& options,
70 grpc_ssl_certificate_config_reload_status* reload_status) {
71 GPR_ASSERT(key_materials_config != nullptr);
72 bool is_key_materials_empty =
73 key_materials_config->pem_key_cert_pair_list().empty();
74 if (options.credential_reload_config() == nullptr && is_key_materials_empty) {
76 "Either credential reload config or key materials should be "
78 return GRPC_STATUS_FAILED_PRECONDITION;
80 grpc_status_code status = GRPC_STATUS_OK;
81 /* Use credential reload config to fetch credentials. */
82 if (options.credential_reload_config() != nullptr) {
83 grpc_tls_credential_reload_arg* arg =
84 grpc_core::New<grpc_tls_credential_reload_arg>();
85 arg->key_materials_config = key_materials_config.get();
86 int result = options.credential_reload_config()->Schedule(arg);
88 /* Do not support async credential reload. */
89 gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
91 is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
93 GPR_ASSERT(reload_status != nullptr);
94 *reload_status = arg->status;
95 if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
96 /* Key materials is not empty. */
97 gpr_log(GPR_DEBUG, "Credential does not change after reload.");
98 } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
99 gpr_log(GPR_ERROR, "Credential reload failed with an error:");
100 if (arg->error_details != nullptr) {
101 gpr_log(GPR_ERROR, "%s", arg->error_details);
103 status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
106 gpr_free((void*)arg->error_details);
107 grpc_core::Delete(arg);
112 SpiffeChannelSecurityConnector::SpiffeChannelSecurityConnector(
113 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
114 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
115 const char* target_name, const char* overridden_target_name)
116 : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
117 std::move(channel_creds),
118 std::move(request_metadata_creds)),
119 overridden_target_name_(overridden_target_name == nullptr
121 : gpr_strdup(overridden_target_name)) {
122 key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
123 check_arg_ = ServerAuthorizationCheckArgCreate(this);
124 grpc_core::StringView host;
125 grpc_core::StringView port;
126 grpc_core::SplitHostPort(target_name, &host, &port);
127 target_name_ = host.dup();
130 SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
131 if (client_handshaker_factory_ != nullptr) {
132 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
134 if (key_materials_config_.get() != nullptr) {
135 key_materials_config_.get()->Unref();
137 ServerAuthorizationCheckArgDestroy(check_arg_);
140 void SpiffeChannelSecurityConnector::add_handshakers(
141 grpc_pollset_set* interested_parties,
142 grpc_core::HandshakeManager* handshake_mgr) {
143 if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
144 gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
147 // Instantiate TSI handshaker.
148 tsi_handshaker* tsi_hs = nullptr;
149 tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
150 client_handshaker_factory_,
151 overridden_target_name_ != nullptr ? overridden_target_name_.get()
152 : target_name_.get(),
154 if (result != TSI_OK) {
155 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
156 tsi_result_to_string(result));
159 // Create handshakers.
160 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
163 void SpiffeChannelSecurityConnector::check_peer(
164 tsi_peer peer, grpc_endpoint* ep,
165 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
166 grpc_closure* on_peer_checked) {
167 const char* target_name = overridden_target_name_ != nullptr
168 ? overridden_target_name_.get()
169 : target_name_.get();
170 grpc_error* error = grpc_ssl_check_alpn(&peer);
171 if (error != GRPC_ERROR_NONE) {
172 GRPC_CLOSURE_SCHED(on_peer_checked, error);
173 tsi_peer_destruct(&peer);
176 *auth_context = grpc_ssl_peer_to_auth_context(&peer);
177 const SpiffeCredentials* creds =
178 static_cast<const SpiffeCredentials*>(channel_creds());
179 const grpc_tls_server_authorization_check_config* config =
180 creds->options().server_authorization_check_config();
181 /* If server authorization config is not null, use it to perform
182 * server authorization check. */
183 if (config != nullptr) {
184 const tsi_peer_property* p =
185 tsi_peer_get_property_by_name(&peer, TSI_X509_PEM_CERT_PROPERTY);
187 error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
188 "Cannot check peer: missing pem cert property.");
190 char* peer_pem = static_cast<char*>(gpr_malloc(p->value.length + 1));
191 memcpy(peer_pem, p->value.data, p->value.length);
192 peer_pem[p->value.length] = '\0';
193 GPR_ASSERT(check_arg_ != nullptr);
194 check_arg_->peer_cert = check_arg_->peer_cert == nullptr
195 ? gpr_strdup(peer_pem)
196 : check_arg_->peer_cert;
197 check_arg_->target_name = check_arg_->target_name == nullptr
198 ? gpr_strdup(target_name)
199 : check_arg_->target_name;
200 on_peer_checked_ = on_peer_checked;
202 int callback_status = config->Schedule(check_arg_);
203 /* Server authorization check is handled asynchronously. */
204 if (callback_status) {
205 tsi_peer_destruct(&peer);
208 /* Server authorization check is handled synchronously. */
209 error = ProcessServerAuthorizationCheckResult(check_arg_);
212 GRPC_CLOSURE_SCHED(on_peer_checked, error);
213 tsi_peer_destruct(&peer);
216 int SpiffeChannelSecurityConnector::cmp(
217 const grpc_security_connector* other_sc) const {
219 reinterpret_cast<const SpiffeChannelSecurityConnector*>(other_sc);
220 int c = channel_security_connector_cmp(other);
224 return grpc_ssl_cmp_target_name(target_name_.get(), other->target_name_.get(),
225 overridden_target_name_.get(),
226 other->overridden_target_name_.get());
229 bool SpiffeChannelSecurityConnector::check_call_host(
230 grpc_core::StringView host, grpc_auth_context* auth_context,
231 grpc_closure* on_call_host_checked, grpc_error** error) {
232 return grpc_ssl_check_call_host(host, target_name_.get(),
233 overridden_target_name_.get(), auth_context,
234 on_call_host_checked, error);
237 void SpiffeChannelSecurityConnector::cancel_check_call_host(
238 grpc_closure* on_call_host_checked, grpc_error* error) {
239 GRPC_ERROR_UNREF(error);
242 grpc_core::RefCountedPtr<grpc_channel_security_connector>
243 SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
244 grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
245 grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
246 const char* target_name, const char* overridden_target_name,
247 tsi_ssl_session_cache* ssl_session_cache) {
248 if (channel_creds == nullptr) {
250 "channel_creds is nullptr in "
251 "SpiffeChannelSecurityConnectorCreate()");
254 if (target_name == nullptr) {
256 "target_name is nullptr in "
257 "SpiffeChannelSecurityConnectorCreate()");
260 grpc_core::RefCountedPtr<SpiffeChannelSecurityConnector> c =
261 grpc_core::MakeRefCounted<SpiffeChannelSecurityConnector>(
262 std::move(channel_creds), std::move(request_metadata_creds),
263 target_name, overridden_target_name);
264 if (c->InitializeHandshakerFactory(ssl_session_cache) != GRPC_SECURITY_OK) {
265 gpr_log(GPR_ERROR, "Could not initialize client handshaker factory.");
271 grpc_security_status SpiffeChannelSecurityConnector::ReplaceHandshakerFactory(
272 tsi_ssl_session_cache* ssl_session_cache) {
273 /* Free the client handshaker factory if exists. */
274 if (client_handshaker_factory_) {
275 tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
277 GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
278 tsi_ssl_pem_key_cert_pair* pem_key_cert_pair = ConvertToTsiPemKeyCertPair(
279 key_materials_config_->pem_key_cert_pair_list());
280 grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
281 pem_key_cert_pair, key_materials_config_->pem_root_certs(),
282 ssl_session_cache, &client_handshaker_factory_);
284 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
289 SpiffeChannelSecurityConnector::InitializeHandshakerFactory(
290 tsi_ssl_session_cache* ssl_session_cache) {
291 grpc_core::MutexLock lock(&mu_);
292 const SpiffeCredentials* creds =
293 static_cast<const SpiffeCredentials*>(channel_creds());
294 grpc_tls_key_materials_config* key_materials_config =
295 creds->options().key_materials_config();
296 /* Copy key materials config from credential options. */
297 if (key_materials_config != nullptr) {
298 grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
299 key_materials_config->pem_key_cert_pair_list();
300 auto pem_root_certs = grpc_core::UniquePtr<char>(
301 gpr_strdup(key_materials_config->pem_root_certs()));
302 key_materials_config_->set_key_materials(std::move(pem_root_certs),
303 std::move(cert_pair_list));
305 grpc_ssl_certificate_config_reload_status reload_status =
306 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
307 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
308 &reload_status) != GRPC_STATUS_OK) {
309 /* Raise an error if key materials are not populated. */
310 return GRPC_SECURITY_ERROR;
312 return ReplaceHandshakerFactory(ssl_session_cache);
316 SpiffeChannelSecurityConnector::RefreshHandshakerFactory() {
317 grpc_core::MutexLock lock(&mu_);
318 const SpiffeCredentials* creds =
319 static_cast<const SpiffeCredentials*>(channel_creds());
320 grpc_ssl_certificate_config_reload_status reload_status =
321 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
322 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
323 &reload_status) != GRPC_STATUS_OK) {
324 return GRPC_SECURITY_ERROR;
326 if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
327 // Re-use existing handshaker factory.
328 return GRPC_SECURITY_OK;
330 return ReplaceHandshakerFactory(nullptr);
334 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckDone(
335 grpc_tls_server_authorization_check_arg* arg) {
336 GPR_ASSERT(arg != nullptr);
337 grpc_core::ExecCtx exec_ctx;
338 grpc_error* error = ProcessServerAuthorizationCheckResult(arg);
339 SpiffeChannelSecurityConnector* connector =
340 static_cast<SpiffeChannelSecurityConnector*>(arg->cb_user_data);
341 GRPC_CLOSURE_SCHED(connector->on_peer_checked_, error);
345 SpiffeChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
346 grpc_tls_server_authorization_check_arg* arg) {
347 grpc_error* error = GRPC_ERROR_NONE;
349 /* Server authorization check is cancelled by caller. */
350 if (arg->status == GRPC_STATUS_CANCELLED) {
352 "Server authorization check is cancelled by the caller with "
355 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
356 } else if (arg->status == GRPC_STATUS_OK) {
357 /* Server authorization check completed successfully but returned check
360 gpr_asprintf(&msg, "Server authorization check failed with error: %s",
362 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
364 /* Server authorization check did not complete correctly. */
368 "Server authorization check did not finish correctly with error: %s",
370 error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
376 grpc_tls_server_authorization_check_arg*
377 SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
379 grpc_tls_server_authorization_check_arg* arg =
380 grpc_core::New<grpc_tls_server_authorization_check_arg>();
381 arg->cb = ServerAuthorizationCheckDone;
382 arg->cb_user_data = user_data;
383 arg->status = GRPC_STATUS_OK;
387 void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
388 grpc_tls_server_authorization_check_arg* arg) {
389 if (arg == nullptr) {
392 gpr_free((void*)arg->target_name);
393 gpr_free((void*)arg->peer_cert);
394 gpr_free((void*)arg->error_details);
395 grpc_core::Delete(arg);
398 SpiffeServerSecurityConnector::SpiffeServerSecurityConnector(
399 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds)
400 : grpc_server_security_connector(GRPC_SSL_URL_SCHEME,
401 std::move(server_creds)) {
402 key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
405 SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
406 if (server_handshaker_factory_ != nullptr) {
407 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
409 if (key_materials_config_.get() != nullptr) {
410 key_materials_config_.get()->Unref();
414 void SpiffeServerSecurityConnector::add_handshakers(
415 grpc_pollset_set* interested_parties,
416 grpc_core::HandshakeManager* handshake_mgr) {
417 /* Refresh handshaker factory if needed. */
418 if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
419 gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
422 /* Create a TLS SPIFFE TSI handshaker for server. */
423 tsi_handshaker* tsi_hs = nullptr;
424 tsi_result result = tsi_ssl_server_handshaker_factory_create_handshaker(
425 server_handshaker_factory_, &tsi_hs);
426 if (result != TSI_OK) {
427 gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
428 tsi_result_to_string(result));
431 handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
434 void SpiffeServerSecurityConnector::check_peer(
435 tsi_peer peer, grpc_endpoint* ep,
436 grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
437 grpc_closure* on_peer_checked) {
438 grpc_error* error = grpc_ssl_check_alpn(&peer);
439 *auth_context = grpc_ssl_peer_to_auth_context(&peer);
440 tsi_peer_destruct(&peer);
441 GRPC_CLOSURE_SCHED(on_peer_checked, error);
444 int SpiffeServerSecurityConnector::cmp(
445 const grpc_security_connector* other) const {
446 return server_security_connector_cmp(
447 static_cast<const grpc_server_security_connector*>(other));
450 grpc_core::RefCountedPtr<grpc_server_security_connector>
451 SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
452 grpc_core::RefCountedPtr<grpc_server_credentials> server_creds) {
453 if (server_creds == nullptr) {
455 "server_creds is nullptr in "
456 "SpiffeServerSecurityConnectorCreate()");
459 grpc_core::RefCountedPtr<SpiffeServerSecurityConnector> c =
460 grpc_core::MakeRefCounted<SpiffeServerSecurityConnector>(
461 std::move(server_creds));
462 if (c->InitializeHandshakerFactory() != GRPC_SECURITY_OK) {
463 gpr_log(GPR_ERROR, "Could not initialize server handshaker factory.");
469 grpc_security_status SpiffeServerSecurityConnector::ReplaceHandshakerFactory() {
470 const SpiffeServerCredentials* creds =
471 static_cast<const SpiffeServerCredentials*>(server_creds());
472 /* Free the server handshaker factory if exists. */
473 if (server_handshaker_factory_) {
474 tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
476 GPR_ASSERT(!key_materials_config_->pem_key_cert_pair_list().empty());
477 tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = ConvertToTsiPemKeyCertPair(
478 key_materials_config_->pem_key_cert_pair_list());
479 size_t num_key_cert_pairs =
480 key_materials_config_->pem_key_cert_pair_list().size();
481 grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
482 pem_key_cert_pairs, num_key_cert_pairs,
483 key_materials_config_->pem_root_certs(),
484 creds->options().cert_request_type(), &server_handshaker_factory_);
486 grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
492 SpiffeServerSecurityConnector::InitializeHandshakerFactory() {
493 grpc_core::MutexLock lock(&mu_);
494 const SpiffeServerCredentials* creds =
495 static_cast<const SpiffeServerCredentials*>(server_creds());
496 grpc_tls_key_materials_config* key_materials_config =
497 creds->options().key_materials_config();
498 if (key_materials_config != nullptr) {
499 grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
500 key_materials_config->pem_key_cert_pair_list();
501 auto pem_root_certs = grpc_core::UniquePtr<char>(
502 gpr_strdup(key_materials_config->pem_root_certs()));
503 key_materials_config_->set_key_materials(std::move(pem_root_certs),
504 std::move(cert_pair_list));
506 grpc_ssl_certificate_config_reload_status reload_status =
507 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
508 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
509 &reload_status) != GRPC_STATUS_OK) {
510 /* Raise an error if key materials are not populated. */
511 return GRPC_SECURITY_ERROR;
513 return ReplaceHandshakerFactory();
516 grpc_security_status SpiffeServerSecurityConnector::RefreshHandshakerFactory() {
517 grpc_core::MutexLock lock(&mu_);
518 const SpiffeServerCredentials* creds =
519 static_cast<const SpiffeServerCredentials*>(server_creds());
520 grpc_ssl_certificate_config_reload_status reload_status =
521 GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
522 if (TlsFetchKeyMaterials(key_materials_config_, creds->options(),
523 &reload_status) != GRPC_STATUS_OK) {
524 return GRPC_SECURITY_ERROR;
526 if (reload_status != GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW) {
527 /* At this point, we should have key materials populated. */
528 return GRPC_SECURITY_OK;
530 return ReplaceHandshakerFactory();
534 } // namespace grpc_core