--- /dev/null
+/*
+ *
+ * Copyright 2016 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
+
+#include <string.h>
+
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/surface/api_trace.h"
+#include "src/core/tsi/ssl_transport_security.h"
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+//
+// SSL Channel Credentials.
+//
+
+void grpc_tsi_ssl_pem_key_cert_pairs_destroy(tsi_ssl_pem_key_cert_pair* kp,
+ size_t num_key_cert_pairs) {
+ if (kp == nullptr) return;
+ for (size_t i = 0; i < num_key_cert_pairs; i++) {
+ gpr_free((void*)kp[i].private_key);
+ gpr_free((void*)kp[i].cert_chain);
+ }
+ gpr_free(kp);
+}
+
+grpc_ssl_credentials::grpc_ssl_credentials(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+ const grpc_ssl_verify_peer_options* verify_options)
+ : grpc_channel_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
+ build_config(pem_root_certs, pem_key_cert_pair, verify_options);
+}
+
+grpc_ssl_credentials::~grpc_ssl_credentials() {
+ gpr_free(config_.pem_root_certs);
+ grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pair, 1);
+ if (config_.verify_options.verify_peer_destruct != nullptr) {
+ config_.verify_options.verify_peer_destruct(
+ config_.verify_options.verify_peer_callback_userdata);
+ }
+}
+
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+grpc_ssl_credentials::create_security_connector(
+ grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+ const char* target, const grpc_channel_args* args,
+ grpc_channel_args** new_args) {
+ const char* overridden_target_name = nullptr;
+ tsi_ssl_session_cache* ssl_session_cache = nullptr;
+ for (size_t i = 0; args && i < args->num_args; i++) {
+ grpc_arg* arg = &args->args[i];
+ if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 &&
+ arg->type == GRPC_ARG_STRING) {
+ overridden_target_name = arg->value.string;
+ }
+ if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 &&
+ arg->type == GRPC_ARG_POINTER) {
+ ssl_session_cache =
+ static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
+ }
+ }
+ grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
+ grpc_ssl_channel_security_connector_create(
+ this->Ref(), std::move(call_creds), &config_, target,
+ overridden_target_name, ssl_session_cache);
+ if (sc == nullptr) {
+ return sc;
+ }
+ grpc_arg new_arg = grpc_channel_arg_string_create(
+ (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
+ *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
+ return sc;
+}
+
+void grpc_ssl_credentials::build_config(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+ const grpc_ssl_verify_peer_options* verify_options) {
+ config_.pem_root_certs = gpr_strdup(pem_root_certs);
+ if (pem_key_cert_pair != nullptr) {
+ GPR_ASSERT(pem_key_cert_pair->private_key != nullptr);
+ GPR_ASSERT(pem_key_cert_pair->cert_chain != nullptr);
+ config_.pem_key_cert_pair = static_cast<tsi_ssl_pem_key_cert_pair*>(
+ gpr_zalloc(sizeof(tsi_ssl_pem_key_cert_pair)));
+ config_.pem_key_cert_pair->cert_chain =
+ gpr_strdup(pem_key_cert_pair->cert_chain);
+ config_.pem_key_cert_pair->private_key =
+ gpr_strdup(pem_key_cert_pair->private_key);
+ } else {
+ config_.pem_key_cert_pair = nullptr;
+ }
+ if (verify_options != nullptr) {
+ memcpy(&config_.verify_options, verify_options,
+ sizeof(verify_peer_options));
+ } else {
+ // Otherwise set all options to default values
+ memset(&config_.verify_options, 0, sizeof(verify_peer_options));
+ }
+}
+
+/* Deprecated in favor of grpc_ssl_credentials_create_ex. Will be removed
+ * once all of its call sites are migrated to grpc_ssl_credentials_create_ex. */
+grpc_channel_credentials* grpc_ssl_credentials_create(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+ const verify_peer_options* verify_options, void* reserved) {
+ GRPC_API_TRACE(
+ "grpc_ssl_credentials_create(pem_root_certs=%s, "
+ "pem_key_cert_pair=%p, "
+ "verify_options=%p, "
+ "reserved=%p)",
+ 4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved));
+ GPR_ASSERT(reserved == nullptr);
+
+ return grpc_core::New<grpc_ssl_credentials>(
+ pem_root_certs, pem_key_cert_pair,
+ reinterpret_cast<const grpc_ssl_verify_peer_options*>(verify_options));
+}
+
+grpc_channel_credentials* grpc_ssl_credentials_create_ex(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
+ const grpc_ssl_verify_peer_options* verify_options, void* reserved) {
+ GRPC_API_TRACE(
+ "grpc_ssl_credentials_create(pem_root_certs=%s, "
+ "pem_key_cert_pair=%p, "
+ "verify_options=%p, "
+ "reserved=%p)",
+ 4, (pem_root_certs, pem_key_cert_pair, verify_options, reserved));
+ GPR_ASSERT(reserved == nullptr);
+
+ return grpc_core::New<grpc_ssl_credentials>(pem_root_certs, pem_key_cert_pair,
+ verify_options);
+}
+
+//
+// SSL Server Credentials.
+//
+
+struct grpc_ssl_server_credentials_options {
+ grpc_ssl_client_certificate_request_type client_certificate_request;
+ grpc_ssl_server_certificate_config* certificate_config;
+ grpc_ssl_server_certificate_config_fetcher* certificate_config_fetcher;
+};
+
+grpc_ssl_server_credentials::grpc_ssl_server_credentials(
+ const grpc_ssl_server_credentials_options& options)
+ : grpc_server_credentials(GRPC_CHANNEL_CREDENTIALS_TYPE_SSL) {
+ if (options.certificate_config_fetcher != nullptr) {
+ config_.client_certificate_request = options.client_certificate_request;
+ certificate_config_fetcher_ = *options.certificate_config_fetcher;
+ } else {
+ build_config(options.certificate_config->pem_root_certs,
+ options.certificate_config->pem_key_cert_pairs,
+ options.certificate_config->num_key_cert_pairs,
+ options.client_certificate_request);
+ }
+}
+
+grpc_ssl_server_credentials::~grpc_ssl_server_credentials() {
+ grpc_tsi_ssl_pem_key_cert_pairs_destroy(config_.pem_key_cert_pairs,
+ config_.num_key_cert_pairs);
+ gpr_free(config_.pem_root_certs);
+}
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+grpc_ssl_server_credentials::create_security_connector() {
+ return grpc_ssl_server_security_connector_create(this->Ref());
+}
+
+tsi_ssl_pem_key_cert_pair* grpc_convert_grpc_to_tsi_cert_pairs(
+ const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
+ size_t num_key_cert_pairs) {
+ tsi_ssl_pem_key_cert_pair* tsi_pairs = nullptr;
+ if (num_key_cert_pairs > 0) {
+ GPR_ASSERT(pem_key_cert_pairs != nullptr);
+ tsi_pairs = static_cast<tsi_ssl_pem_key_cert_pair*>(
+ gpr_zalloc(num_key_cert_pairs * sizeof(tsi_ssl_pem_key_cert_pair)));
+ }
+ for (size_t i = 0; i < num_key_cert_pairs; i++) {
+ GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr);
+ GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr);
+ tsi_pairs[i].cert_chain = gpr_strdup(pem_key_cert_pairs[i].cert_chain);
+ tsi_pairs[i].private_key = gpr_strdup(pem_key_cert_pairs[i].private_key);
+ }
+ return tsi_pairs;
+}
+
+void grpc_ssl_server_credentials::build_config(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
+ size_t num_key_cert_pairs,
+ grpc_ssl_client_certificate_request_type client_certificate_request) {
+ config_.client_certificate_request = client_certificate_request;
+ config_.pem_root_certs = gpr_strdup(pem_root_certs);
+ config_.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
+ pem_key_cert_pairs, num_key_cert_pairs);
+ config_.num_key_cert_pairs = num_key_cert_pairs;
+}
+
+grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
+ const char* pem_root_certs,
+ const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
+ size_t num_key_cert_pairs) {
+ grpc_ssl_server_certificate_config* config =
+ static_cast<grpc_ssl_server_certificate_config*>(
+ gpr_zalloc(sizeof(grpc_ssl_server_certificate_config)));
+ config->pem_root_certs = gpr_strdup(pem_root_certs);
+ if (num_key_cert_pairs > 0) {
+ GPR_ASSERT(pem_key_cert_pairs != nullptr);
+ config->pem_key_cert_pairs = static_cast<grpc_ssl_pem_key_cert_pair*>(
+ gpr_zalloc(num_key_cert_pairs * sizeof(grpc_ssl_pem_key_cert_pair)));
+ }
+ config->num_key_cert_pairs = num_key_cert_pairs;
+ for (size_t i = 0; i < num_key_cert_pairs; i++) {
+ GPR_ASSERT(pem_key_cert_pairs[i].private_key != nullptr);
+ GPR_ASSERT(pem_key_cert_pairs[i].cert_chain != nullptr);
+ config->pem_key_cert_pairs[i].cert_chain =
+ gpr_strdup(pem_key_cert_pairs[i].cert_chain);
+ config->pem_key_cert_pairs[i].private_key =
+ gpr_strdup(pem_key_cert_pairs[i].private_key);
+ }
+ return config;
+}
+
+void grpc_ssl_server_certificate_config_destroy(
+ grpc_ssl_server_certificate_config* config) {
+ if (config == nullptr) return;
+ for (size_t i = 0; i < config->num_key_cert_pairs; i++) {
+ gpr_free((void*)config->pem_key_cert_pairs[i].private_key);
+ gpr_free((void*)config->pem_key_cert_pairs[i].cert_chain);
+ }
+ gpr_free(config->pem_key_cert_pairs);
+ gpr_free(config->pem_root_certs);
+ gpr_free(config);
+}
+
+grpc_ssl_server_credentials_options*
+grpc_ssl_server_credentials_create_options_using_config(
+ grpc_ssl_client_certificate_request_type client_certificate_request,
+ grpc_ssl_server_certificate_config* config) {
+ grpc_ssl_server_credentials_options* options = nullptr;
+ if (config == nullptr) {
+ gpr_log(GPR_ERROR, "Certificate config must not be NULL.");
+ goto done;
+ }
+ options = static_cast<grpc_ssl_server_credentials_options*>(
+ gpr_zalloc(sizeof(grpc_ssl_server_credentials_options)));
+ options->client_certificate_request = client_certificate_request;
+ options->certificate_config = config;
+done:
+ return options;
+}
+
+grpc_ssl_server_credentials_options*
+grpc_ssl_server_credentials_create_options_using_config_fetcher(
+ grpc_ssl_client_certificate_request_type client_certificate_request,
+ grpc_ssl_server_certificate_config_callback cb, void* user_data) {
+ if (cb == nullptr) {
+ gpr_log(GPR_ERROR, "Invalid certificate config callback parameter.");
+ return nullptr;
+ }
+
+ grpc_ssl_server_certificate_config_fetcher* fetcher =
+ static_cast<grpc_ssl_server_certificate_config_fetcher*>(
+ gpr_zalloc(sizeof(grpc_ssl_server_certificate_config_fetcher)));
+ fetcher->cb = cb;
+ fetcher->user_data = user_data;
+
+ grpc_ssl_server_credentials_options* options =
+ static_cast<grpc_ssl_server_credentials_options*>(
+ gpr_zalloc(sizeof(grpc_ssl_server_credentials_options)));
+ options->client_certificate_request = client_certificate_request;
+ options->certificate_config_fetcher = fetcher;
+
+ return options;
+}
+
+grpc_server_credentials* grpc_ssl_server_credentials_create(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
+ size_t num_key_cert_pairs, int force_client_auth, void* reserved) {
+ return grpc_ssl_server_credentials_create_ex(
+ pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs,
+ force_client_auth
+ ? GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY
+ : GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
+ reserved);
+}
+
+grpc_server_credentials* grpc_ssl_server_credentials_create_ex(
+ const char* pem_root_certs, grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,
+ size_t num_key_cert_pairs,
+ grpc_ssl_client_certificate_request_type client_certificate_request,
+ void* reserved) {
+ GRPC_API_TRACE(
+ "grpc_ssl_server_credentials_create_ex("
+ "pem_root_certs=%s, pem_key_cert_pairs=%p, num_key_cert_pairs=%lu, "
+ "client_certificate_request=%d, reserved=%p)",
+ 5,
+ (pem_root_certs, pem_key_cert_pairs, (unsigned long)num_key_cert_pairs,
+ client_certificate_request, reserved));
+ GPR_ASSERT(reserved == nullptr);
+
+ grpc_ssl_server_certificate_config* cert_config =
+ grpc_ssl_server_certificate_config_create(
+ pem_root_certs, pem_key_cert_pairs, num_key_cert_pairs);
+ grpc_ssl_server_credentials_options* options =
+ grpc_ssl_server_credentials_create_options_using_config(
+ client_certificate_request, cert_config);
+
+ return grpc_ssl_server_credentials_create_with_options(options);
+}
+
+grpc_server_credentials* grpc_ssl_server_credentials_create_with_options(
+ grpc_ssl_server_credentials_options* options) {
+ grpc_server_credentials* retval = nullptr;
+
+ if (options == nullptr) {
+ gpr_log(GPR_ERROR,
+ "Invalid options trying to create SSL server credentials.");
+ goto done;
+ }
+
+ if (options->certificate_config == nullptr &&
+ options->certificate_config_fetcher == nullptr) {
+ gpr_log(GPR_ERROR,
+ "SSL server credentials options must specify either "
+ "certificate config or fetcher.");
+ goto done;
+ } else if (options->certificate_config_fetcher != nullptr &&
+ options->certificate_config_fetcher->cb == nullptr) {
+ gpr_log(GPR_ERROR, "Certificate config fetcher callback must not be NULL.");
+ goto done;
+ }
+
+ retval = grpc_core::New<grpc_ssl_server_credentials>(*options);
+
+done:
+ grpc_ssl_server_credentials_options_destroy(options);
+ return retval;
+}
+
+void grpc_ssl_server_credentials_options_destroy(
+ grpc_ssl_server_credentials_options* o) {
+ if (o == nullptr) return;
+ gpr_free(o->certificate_config_fetcher);
+ grpc_ssl_server_certificate_config_destroy(o->certificate_config);
+ gpr_free(o);
+}